Paul DuBois [EMAIL PROTECTED] wrote:
> At 11:06 -0400 8/14/03, Hardy Merrill wrote:
> >Rudy Lippan [EMAIL PROTECTED] wrote:
> >> On Thu, 14 Aug 2003, Hardy Merrill wrote:
> >> > If I'm running DBI/DBD::mysql on a mysql client machine,
> >> > and I want to connect to a different mysql server
> >> > machine, I must supply the username and password
> >> > in the DBI connect.  So, that username and password
> >> > will be passed from the client machine to the server
> >> > machine in cleartext, right?  My question is, how can I do
> >> > that such that the username and password is NOT
> >> > passed over the wire in cleartext - in the connect
> >> > statement?
> >>
> >> In theory you should be able to use SSL.  I have yet to try it, but
> >> DBD::mysql does support it if you compile with the -ssl option.
> >
> >Thanks Rudy - I did read 'perldoc DBD::mysql' where it
> >talks about mysql_ssl* parameters, but didn't notice that
> >those were in the connect section :(  After reading that
> >
> >           mysql_ssl
> >               A true value turns on the CLIENT_SSL flag when connecting to
> >               the MySQL database:
> >
> >                 mysql_ssl=1
> >
> >               This means that your communication with the server will be
> >               encrypted.
> >
> >my thought was that specifying 'mysql_ssl' in the connect
> >would connect 1st, and *then* start encrypting communications
> >between the client and server - it doesn't really clearly
> >state that the connect itself (username, pw) will also be
> >encrypted.
> >
> >Is this clear to everyone else?  If not, I'd like to
> >propose a clarification to the DBD::mysql perldocs - to
> >explicitly say that mysql_ssl will cause the connect,
> >and all subsequent dbi statements, to be encrypted between
> >client and server.
> 
> Everybody seems to be accepting the idea that the password is passed
> in cleartext.  On what is that based?  It's false.  (It is true that
> in MySQL 4.1.x some improvements are made to the encryption, but in
> earlier versions the password is not sent in cleartext.)

Paul, maybe my initial assumption is wrong.  Let me step
back.

If I, on a mysql client machine, use DBI/DBD::mysql to
connect to a mysql server machine, I might do that
connect something like this:

  my $dbh = DBI->connect("DBI:mysql:host=my.mysql_server.com;database=mydb",
                         "db_user", "db_password",
                         {PrintError => 0, RaiseError => 1});

notice "db_user" and "db_password" - whether I get
those from a module, or I type in the literal values
right into the code, either way my assumption was/is
that those values get transferred over the network
from mysql client machine to mysql server machine in
cleartext.  Is this assumption correct or incorrect?
If this assumption is incorrect, and doing this connect
does NOT display the password in cleartext as it
travels over the network, then this is great, and
I probably don't need mysql_ssl* parameters at all.

Then Rudy reminded me about using the mysql_ssl*
parameters that are described in DBD::mysql perldocs.
So if I add to that connect(above) the proper
mysql_ssl* parameters, I'm assuming that I then
get an ssl connection from mysql client to mysql
server, which encrypts all communications, including
the connect parameters, for that connect and subsequent
dbi statements using that $dbh.  Is this correct or
incorrect?

I don't mean to make a big deal of this - just trying
to understand what happens with user passwords
in db connections in DBI/DBD::mysql, and what it
takes to *NOT* display the database password in
cleartext on the network.

Thanks.

Hardy

> 
> The username is sent in cleartext, yes.
> 
> Also, adding mysql_ssl=1 won't in itself give you an SSL connection.
> You need the other mysql_ssl_xxx options to specify the key and
> certificate files.
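As an added illustration (not code from anyone in this thread), here is what Hardy's connect looks like once the mysql_ssl* options Paul refers to are filled in, followed by a check that the session really is encrypted. The option names mysql_ssl_ca_file, mysql_ssl_client_key and mysql_ssl_client_cert come from the DBD::mysql documentation rather than from this page; the host, database, credentials and certificate paths are placeholders, and the check assumes the server exposes the Ssl_cipher status variable.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Placeholder values: replace host, database, credentials and file paths with your own.
my %ssl = (
    mysql_ssl             => 1,                          # request CLIENT_SSL
    mysql_ssl_ca_file     => '/path/to/ca-cert.pem',     # CA that signed the server certificate
    mysql_ssl_client_key  => '/path/to/client-key.pem',  # only needed if the server requires client certs
    mysql_ssl_client_cert => '/path/to/client-cert.pem',
);

# mysql_ssl* options are passed as DSN attributes, alongside host and database.
my $dsn = "DBI:mysql:host=my.mysql_server.com;database=mydb;"
        . join(';', map { "$_=$ssl{$_}" } sort keys %ssl);

my $dbh = DBI->connect($dsn, "db_user", "db_password",
                       { PrintError => 0, RaiseError => 1 });

# Do not trust the flag alone: ask the server which cipher this session negotiated.
# An empty Ssl_cipher means the connection, credentials included, went over plaintext.
my (undef, $cipher) = $dbh->selectrow_array("SHOW STATUS LIKE 'Ssl_cipher'");
die "connection is NOT using SSL (Ssl_cipher is empty), refusing to continue\n"
    unless defined $cipher && length $cipher;

print "connected over SSL, cipher: $cipher\n";
$dbh->disconnect;
```

The post-connect check is the part worth keeping: Paul's point that mysql_ssl=1 by itself does not produce an SSL connection means a script can believe it asked for encryption and still be talking in the clear, and querying Ssl_cipher before issuing any other statement is the simplest way to catch that.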
