RE: MySQL connection over SSL possible?
Sorry for my extremely belated reply (been on vacation so deliberately stayed away from email.. :) )

Yes, connecting to a different port using mysql command line tools did work. Used the exact same settings for host and port etc. so ...

I should get the source tree checked out at some stage so I can start having a closer look at the latest code to poke at the SSL bits... It's something I'd like to use myself in the future, as opposed to any stunnel or ssh port tricks. Such tricks will just trip any such installation when it's time to replace the database host... I'd rather just have it all in the configuration file and be done with it.

//anders

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: 12 June 2008 18:18
To: FreeRadius users mailing list
Subject: Re: MySQL connection over SSL possible?

Hi,

> When I tried setting the port number to something different I used port = port number .. That yielded cannot connect to server using socket error when running radiusd in debug mode. So, there's two things to take away from that experience.

whoah. one missing step. did you test this setup was actually operational with a simple bit of mysql client action on the FreeRADIUS box...

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MySQL connection over SSL possible?
quote
From: you
Sender: freeradius-users-bounces...
Reply-To: [EMAIL PROTECTED]
To: freeradius-users@
/quote

Yes? That is still for one recipient. Reply-To is where replies to my mail would go. That's set by the MLM (Mailing List Manager) not by my mail client.

//anders

2008/6/11 Alan DeKok [EMAIL PROTECTED]:
> Anders Holm wrote:
>> Hitting Reply All in most MUAs would do this. The list should be smart enough to only forward on one copy per recipient ...
>
> It's not. We get 2 copies of every mail you send to the list.
>
>> ALL mails I receive for this list has the list in *both* TO and CC headers
>
> Must be a local mailer thing. I see:
>
> From: you
> Sender: freeradius-users-bounces...
> Reply-To: [EMAIL PROTECTED]
> To: freeradius-users@
>
> Alan DeKok.
Re: MySQL connection over SSL possible?
This is getting off-topic, but...

Anders Holm wrote:
> quote
> From: you
> Sender: freeradius-users-bounces...
> Reply-To: [EMAIL PROTECTED]
> To: freeradius-users@
> /quote
>
> Yes? That is still for one recipient. Reply-To is where replies to my mail would go. That's set by the MLM (Mailing List Manager) not by my mail client.

(1) You said you see the list address in to and cc. There is no cc in the default headers.

(2) If your mailer is replying to *both* to and reply-to, it's broken.

Alan DeKok.
Re: MySQL connection over SSL possible?
1/ Indeed I did. I did see that in the original mail I replied to. Where that was added is a good question, but I saw it in the mail that was replied to .. I'm saying that this is the way the mail was crafted, as I received it, before replying to it.

2/ Indeed it would be, if it did. Has anyone seen this on any more mails after I responded to the initial request to ask me to stop sending dupes?

Yes, this is getting quite off topic .. :)

//anders

2008/6/12 Alan DeKok [EMAIL PROTECTED]:
> This is getting off-topic, but...
>
> Anders Holm wrote:
>> quote
>> From: you
>> Sender: freeradius-users-bounces...
>> Reply-To: [EMAIL PROTECTED]
>> To: freeradius-users@
>> /quote
>>
>> Yes? That is still for one recipient. Reply-To is where replies to my mail would go. That's set by the MLM (Mailing List Manager) not by my mail client.
>
> (1) You said you see the list address in to and cc. There is no cc in the default headers.
>
> (2) If your mailer is replying to *both* to and reply-to, it's broken.
>
> Alan DeKok.
Re: MySQL connection over SSL possible?
On 12.06.2008 at 14:42, Anders Holm wrote:

> 1/ Indeed I did. I did see that in the original mail I replied to. Where that was added is a good question, but I saw it in the mail that was replied to .. I'm saying that this is the way the mail was crafted, as I received it, before replying to it.
>
> 2/ Indeed it would be, if it did. Has anyone seen this on any more mails after I responded to the initial request to ask me to stop sending dupes?

For me it has worked since then. I have seen only one of each of your messages.

Have a nice day!

> Yes, this is getting quite off topic .. :)
>
> //anders
>
> 2008/6/12 Alan DeKok [EMAIL PROTECTED]:
>> This is getting off-topic, but...
>>
>> Anders Holm wrote:
>>> quote
>>> From: you
>>> Sender: freeradius-users-bounces...
>>> Reply-To: [EMAIL PROTECTED]
>>> To: freeradius-users@
>>> /quote
>>>
>>> Yes? That is still for one recipient. Reply-To is where replies to my mail would go. That's set by the MLM (Mailing List Manager) not by my mail client.
>>
>> (1) You said you see the list address in to and cc. There is no cc in the default headers.
>>
>> (2) If your mailer is replying to *both* to and reply-to, it's broken.
>>
>> Alan DeKok.

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: MySQL connection over SSL possible?
2008/6/12 Nicolas Goutte [EMAIL PROTECTED]:

[snip]

> For me it has worked since then. I have seen only one of each of your messages.
>
> Have a nice day!

Excellent! One problem solved, and on to the next one.

To get back on topic a tad then so, and to describe my experience with the SSL side of things ...

I've managed to get stunnel working happily. A few things of note there though ..

A/ It wasn't possible to set port numbers for some reason for the SQL connection. Default port was the only way to get it working.

B/ Due to A, what I then did was to create virtual interfaces on the loopback interface, as many needed as there are backend SQL servers.

C/ Setup stunnel in client mode on the radius box. Forward each virtual interface:3306 to db_host:pick a good port

D/ Setup stunnel on db_host in server mode. Forward all_interfaces:your good port to localhost:3306

E/ Change sql.conf to point each sql server to the respective virtual interface...

When I tried setting the port number to something different I used port = port number .. That yielded cannot connect to server using socket error when running radiusd in debug mode. So, there's two things to take away from that experience.

1/ SSL would be a great option to add to the MySQL shim.

2/ Ability to change port numbers of the MySQL server. Someone may need it, for some interesting reason.

I hope this helps others with similar requirements! If I find the time I'll see if I can brush up enough of my C knowledge to create a patch or two for these things, but no promises. Incidentally, I'm also heading off on vacation for a bit, so it won't be tomorrow.. :)

//anders
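The stunnel layout from steps A/ to E/ above, as an added example that is not part of the original post: a script that prints the client-side configuration (one loopback alias per backend, each on port 3306) and the server-side section. The host names, tunnel port 33060 and certificate paths are assumptions, and `CAfile` with `verify = 2` is added so the client authenticates db_host instead of only encrypting to it.

```shell
#!/bin/sh
# Added example: prints stunnel configs for the layout in steps A/ to E/.
# Assumptions (not from the thread): host names, port 33060, file paths.

TUNNEL_PORT=33060                      # the "good port" stunnel listens on at db_host
CA_FILE=/etc/stunnel/db-ca.pem         # CA that signed each db_host certificate
SERVER_CERT=/etc/stunnel/db-host.pem   # db_host certificate and key in one PEM file

# Step B: backend N gets its own loopback alias: 127.0.0.2, 127.0.0.3, ...
alias_addr() {
    echo "127.0.0.$(( $1 + 1 ))"
}

# Step C: client-mode config for the RADIUS box, one service per backend.
# Every service accepts on the default port 3306 because of A/.
client_conf() {
    echo "client = yes"
    echo "CAfile = $CA_FILE"
    echo "; reject a db_host whose certificate CAfile did not sign"
    echo "; (current stunnel releases spell this verifyChain = yes)"
    echo "verify = 2"
    n=1
    for db_host in "$@"; do
        echo
        echo "[mysql-$n]"
        echo "accept = $(alias_addr "$n"):3306"
        echo "connect = $db_host:$TUNNEL_PORT"
        n=$(( n + 1 ))
    done
}

# Step D: server-mode config for each db_host, handing off to the local mysqld.
server_conf() {
    echo "cert = $SERVER_CERT"
    echo
    echo "[mysql]"
    echo "accept = $TUNNEL_PORT"
    echo "connect = 127.0.0.1:3306"
}

# Step E: the address each sql.conf entry should use for its backend.
sql_servers() {
    n=1
    for db_host in "$@"; do
        echo "$db_host -> $(alias_addr "$n")"
        n=$(( n + 1 ))
    done
}

# Constructed sample: two backends.
client_conf db1.example.net db2.example.net
server_conf
sql_servers db1.example.net db2.example.net
```

In sql.conf, use the numeric alias address rather than the name `localhost`: the MySQL client library treats `localhost` as a request for the local Unix socket, so the connection would never reach the stunnel listener.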
Re: MySQL connection over SSL possible?
Hi,

> When I tried setting the port number to something different I used port = port number .. That yielded cannot connect to server using socket error when running radiusd in debug mode. So, there's two things to take away from that experience.

whoah. one missing step. did you test this setup was actually operational with a simple bit of mysql client action on the FreeRADIUS box...

alan
Re: MySQL connection over SSL possible?
Indeed, stunnel is one way to go, another might be SSH tunnels, or as another poster mentioned IPSec tunnels.

Yes, data integrity and security of the data is vital, along the whole path from backend storage to end device, so this is just one piece of that puzzle ...

What I'll do short term is to look at ways to create a secure tunnel, and if time permitting see if I can manage to create a patch that someone that has better coding skills than me would then need to sanitize.. :)

I can see a few new options coming out from such a patch

ssl = yes
options to point to various SSL certificate files

I haven't checked, but from memory I'm not even sure it's possible to specify a port number for the database, need to check that too ..

Questions, questions, and so little time .. :)

//anders

----- Original Message -----
From: A L M Buxey [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, June 9, 2008 6:19:30 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: MySQL connection over SSL possible?

Hi,

> No. Driver is sql_mysql.c file in src/modules/rlm_sql/drivers/rlm_sql_mysql/ folder of your distribution. You will need to edit the source file and recompile to have freeradius mysql client ask for a SSL connection.

hmm, i could see a future with sql.conf containing

ssl = yes

and each SQL driver, if supported, using SSL method to connect. would probably also need certs etc in the config for this to happen.

for another option, without editing code, use eg stunnel to connect to the remote SQL server and then tell FreeRADIUS to use the local end port of the stunnel session.

alan
Re: MySQL connection over SSL possible?
> There are other options.

Yes, I've come up with a few. Would you have others as well? Suggestions are welcome in all cases ..

//anders

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, June 9, 2008 5:57:48 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: MySQL connection over SSL possible?

Anders Holm wrote:
> So, that's a yes .. :)

Yes.

> rlm_sql_mysql is the driver, and I'd rather not have my own version running, but would love to see that rolled in, if possible. My only problem with creating a patch and send it in is more that I am not a coder really. I'd be more likely to create more problems than I'd solve .. ;)

There are other options.

Alan DeKok.
Re: MySQL connection over SSL possible?
Please try to avoid sending emails to the list as TO *and* as CC. (I (and probably not only me) always get your messages twice.)

Have a nice day!

On 11.06.2008 at 11:31, Anders Holm wrote:

>> There are other options.
>
> Yes, I've come up with a few. Would you have others as well? Suggestions are welcome in all cases ..
>
> //anders
>
> ----- Original Message -----
> From: Alan DeKok [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius- [EMAIL PROTECTED]
> Sent: Monday, June 9, 2008 5:57:48 PM GMT +00:00 GMT Britain, Ireland, Portugal
> Subject: Re: MySQL connection over SSL possible?
>
> Anders Holm wrote:
>> So, that's a yes .. :)
>
> Yes.
>
>> rlm_sql_mysql is the driver, and I'd rather not have my own version running, but would love to see that rolled in, if possible. My only problem with creating a patch and send it in is more that I am not a coder really. I'd be more likely to create more problems than I'd solve .. ;)
>
> There are other options.
>
> Alan DeKok.

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: MySQL connection over SSL possible?
Hitting Reply All in most MUAs would do this. The list should be smart enough to only forward on one copy per recipient ...

ALL mails I receive for this list have the list in *both* TO and CC headers

//anders

----- Original Message -----
From: Nicolas Goutte [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, June 11, 2008 11:15:38 AM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: MySQL connection over SSL possible?

Please try to avoid sending emails to the list as TO *and* as CC. (I (and probably not only me) always get your messages twice.)

Have a nice day!

On 11.06.2008 at 11:31, Anders Holm wrote:

>> There are other options.
>
> Yes, I've come up with a few. Would you have others as well? Suggestions are welcome in all cases ..
>
> //anders
>
> ----- Original Message -----
> From: Alan DeKok [EMAIL PROTECTED]
> To: FreeRadius users mailing list freeradius- [EMAIL PROTECTED]
> Sent: Monday, June 9, 2008 5:57:48 PM GMT +00:00 GMT Britain, Ireland, Portugal
> Subject: Re: MySQL connection over SSL possible?
>
> Anders Holm wrote:
>> So, that's a yes .. :)
>
> Yes.
>
>> rlm_sql_mysql is the driver, and I'd rather not have my own version running, but would love to see that rolled in, if possible. My only problem with creating a patch and send it in is more that I am not a coder really. I'd be more likely to create more problems than I'd solve .. ;)
>
> There are other options.
>
> Alan DeKok.

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Register court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
Re: MySQL connection over SSL possible?
Anders Holm wrote:
> Hitting Reply All in most MUAs would do this. The list should be smart enough to only forward on one copy per recipient ...

It's not. We get 2 copies of every mail you send to the list.

> ALL mails I receive for this list has the list in *both* TO and CC headers

Must be a local mailer thing. I see:

From: you
Sender: freeradius-users-bounces...
Reply-To: [EMAIL PROTECTED]
To: freeradius-users@

Alan DeKok.
Re: MySQL connection over SSL possible?
You will probably need to adapt the driver with mysql_ssl_set():

http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html

Ivan Kalik
Kalik Informatika ISP

On 9/6/2008, Anders Holm [EMAIL PROTECTED] wrote:

> Hi folks.
>
> I'm wondering, would it be possible to encrypt the connection to the backend data store (it being MySQL) using SSL?
>
> MySQL would have support for this, but I appear to not find any documentation for Freeradius on how to set that side up for it ..
>
> Any pointers appreciated ..
>
> //anders
Re: MySQL connection over SSL possible?
Where $driver has a value of rlm_sql_mysql?

//anders

----- Original Message -----
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, June 9, 2008 2:51:09 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re: MySQL connection over SSL possible?

You will probably need to adapt the driver with mysql_ssl_set():

http://dev.mysql.com/doc/refman/5.0/en/mysql-ssl-set.html

Ivan Kalik
Kalik Informatika ISP

On 9/6/2008, Anders Holm [EMAIL PROTECTED] wrote:

> Hi folks.
>
> I'm wondering, would it be possible to encrypt the connection to the backend data store (it being MySQL) using SSL?
>
> MySQL would have support for this, but I appear to not find any documentation for Freeradius on how to set that side up for it ..
>
> Any pointers appreciated ..
>
> //anders
Re: MySQL connection over SSL possible?
Hello,

I assume that data integrity and secrecy are vital for you, between your RADIUS server and your MySQL server. Why not create an IPSEC tunnel between the two? It doesn't require any programming skills, and it's fully secure if it is well set.

It might be any encrypted VPN system, by the way. IPSEC is just an example.

Hoggins!

Alan DeKok wrote:
> Anders Holm wrote:
>> So, that's a yes .. :)
>
> Yes.
>
>> rlm_sql_mysql is the driver, and I'd rather not have my own version running, but would love to see that rolled in, if possible. My only problem with creating a patch and send it in is more that I am not a coder really. I'd be more likely to create more problems than I'd solve .. ;)
>
> There are other options.
>
> Alan DeKok.
Re: MySQL connection over SSL possible?
Hi,

> No. Driver is sql_mysql.c file in src/modules/rlm_sql/drivers/rlm_sql_mysql/ folder of your distribution. You will need to edit the source file and recompile to have freeradius mysql client ask for a SSL connection.

hmm, i could see a future with sql.conf containing

ssl = yes

and each SQL driver, if supported, using SSL method to connect. would probably also need certs etc in the config for this to happen.

for another option, without editing code, use eg stunnel to connect to the remote SQL server and then tell FreeRADIUS to use the local end port of the stunnel session.

alan