This is an issue I have seen many people ask over the last year or two, but I can't say I've ever seen a comprehensive answer (searched the archives heavily, too).
I realize there are no binaries available directly from MySQL with OpenSSL support compiled in. I am curious as to why (I'm sure there is a very good reason for this as I have no doubt such binaries would be available otherwise).
Under most circumstances, I would not consider compiling MySQL from scratch, based upon the number of people (MySQL developers and gurus) who have counseled against going so (citing that the precompiled binaries will almost always offer better performance and stability). However, I am faced with some security requirements from some financials customers who require that our installation of MySQL offer encryption of client connections (and slave connections as well once we migrate to 4.1). This leaves me in a position where I am going to need to go down the path of compilation (and before someone mentions it yes I've looked at doing this via stunnel etc but it has been decided that native SSL support is going to be needed to meet all the audit requirements).
I suppose my questions are this:
1. What issues are preventing MySQL from distributing binaries that have OpenSSL support compiled in?
2. Are these issues something that may be resolved in the (hopefully near) future?
3. If the answers to 1 and 2 are negative, what would be the advice for compilation of MySQL (compiler version, etc) that would ensure the most successful compilation (i.e. I want to avoid sacrificing performance and/or stability).
Many thanks,
Doug
Doug,
This is only a guess, but if SSL encryption was in binary form, then MySQL could face import/export restrictions in certain countries. As it stands, each user has to recompile SSL into MySQL according to the laws of their own country. So the onus on following the law is now up to the user, not MySQL AB. At least this is my thinking. Unfortunately you can't trust a 3rd party to compile the SLL into MySQL because what if they accidentally or deliberately compiled a backdoor into SSL. Without the source you would never know. So compiling SSL directly from the open source ensures the algorithm has not been tampered with.
Mike
-- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
