[replying to my own thread yet again ... Sorry about that]

Thought that anyone silently following my experiments on this may be
interested to know:

Using the /usr/local/ssl/apps/CA.sh script (part of the openssl
installation) as follows:

./CA.sh -newca
./CA.sh -newreq
./CA.sh -sign

Then copying files like this:

 cp newcert.pem /usr/local/etc/mysqlssl/server-cert.pem
 cp demoCA/cacert.pem /usr/local/etc/mysqlssl/cacert.pem

And running:

 openssl rsa -inform pem < newreq.pem > /usr/local/etc/mysqlssl/server-key.pem


(And doing it all over again with "client-" for the client machine files)

Then adding:

ssl-ca=/usr/local/etc/mysqlssl/cacert.pem
ssl-cert=/usr/local/etc/mysqlssl/server-cert.pem
ssl-key=/usr/local/etc/mysqlssl/server-key.pem

... To your [mysqld] section of my.cnf

THEN (finally) adding:

ssl-ca=/usr/local/etc/mysqlssl/cacert.pem
ssl-cert=/usr/local/etc/mysqlssl/client-cert.pem
ssl-key=/usr/local/etc/mysqlssl/client-key.pem

... To your [mysql] section of my.cnf on your client connection machine ...
Does the trick.

In addition to doing all this, you need to use the GRANT command to allow
access to MySQL over SSL as described here:

http://www.mysql.com/doc/S/e/Secure_GRANT.html


It all works. (Working for me, anyway.) Connecting via the command-line
MySQL client now gets me:

    SSL cipher in use is EDH-RSA-DES-CBC3-SHA

Instead of:

    SSL not in use.

Good times! Now if I can just figure out how to get the mysql client
embedded in PHP to pick up these [mysql] client values, I'll be all set.

Hope this has been helpful to someone!

-Clay    

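The same CA / server / client workflow as the CA.sh steps above, as an added example that is not part of the thread: it uses plain openssl so every output file already carries the name the my.cnf entries expect, and it adds a check that each certificate chains to the CA and that the key file really belongs to it (the server-req.pem vs server-key.pem confusion from the earlier messages). It assumes openssl is on PATH; the subjects and directory are constructed test values.

```shell
#!/bin/sh
# Added example, not from the thread: the CA.sh workflow above done with plain
# openssl, so each output file already carries the name my.cnf expects.
# Assumes openssl is on PATH; all subjects are constructed test values.
set -e

# Write cacert.pem, {server,client}-cert.pem and {server,client}-key.pem into $1.
# -nodes stores keys without a passphrase, so the thread's separate
# "openssl rsa" passphrase-stripping step is not needed.
gen_mysql_ssl_files() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA. Its CN must differ from the server and client CNs, or
    # OpenSSL mistakes the leaf for a self-signed certificate and rejects it.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca-key.pem" -out "$dir/cacert.pem" \
        -subj "/O=Test/CN=Test CA" >/dev/null 2>&1
    for side in server client; do
        # Request plus private key (CA.sh -newreq produces newreq.pem)
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/$side-key.pem" -out "$dir/$side-req.pem" \
            -subj "/O=Test/CN=mysql-$side" >/dev/null 2>&1
        # Sign the request with the CA (CA.sh -sign produces newcert.pem)
        openssl x509 -req -days 365 -in "$dir/$side-req.pem" \
            -CA "$dir/cacert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
            -out "$dir/$side-cert.pem" >/dev/null 2>&1
    done
}

# Confirm that a cert chains to the CA and that the key really belongs to it.
# This catches the server-req.pem vs server-key.pem mix-up from the thread:
# a request is not a key, and a key from another request has a different modulus.
verify_pair() {
    ca="$1"; cert="$2"; key="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Emit the my.cnf lines for one side: "server" -> [mysqld], "client" -> [mysql].
mycnf_fragment() {
    dir="$1"; side="$2"
    [ "$side" = server ] && echo "[mysqld]" || echo "[mysql]"
    echo "ssl-ca=$dir/cacert.pem"
    echo "ssl-cert=$dir/$side-cert.pem"
    echo "ssl-key=$dir/$side-key.pem"
}
```

Run `gen_mysql_ssl_files /usr/local/etc/mysqlssl` once, then `verify_pair` on each side before editing my.cnf; a mismatch there is the "SSL not in use" symptom waiting to happen.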

> From: Clay Loveless <[EMAIL PROTECTED]>
> Date: Tue, 18 Jun 2002 18:03:02 -0700
> To: MySQL <[EMAIL PROTECTED]>
> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
> 
> A little more information on this problem ...
> 
> - Tonu's notes state that there are sample SSL keys & certs for testing
> purposes in the "SSL" directory of the mysql tarball. There is no SSL
> directory in the mysql-4.0.1-alpha.tar.gz file. Does anyone know which
> tarball he may be referring to?
> 
> 
> - In Tonu's notes, there is an example my.cnf entry of:
> 
> [mysqld]
> ssl-ca=SSL/cacert.pem
> ssl-cert=SSL/server-cert.pem
> ssl-key=SSL/server-key.pem
> 
> Further in the notes, there's an example of a command-line switch for
> mysqld:
> 
> mysqld --ssl-cert=SSL/server-cert.pem --ssl-ca=SSL/cacert.pem --ssl-key=SSL/server-req.pem
> 
> 
> In other words, one example shows "ssl-key" pointing to the "server-key.pem"
> file, another example shows "ssl-key" pointing to "server-req.pem".
> 
> 
> I'm looking through the files I created by doing these commands (extracted
> from Tonu's notes):
> 
> From the /usr/local/ssl/apps directory
> ./CA.sh -newca
> ./CA.sh -newreq
> ./CA.sh -sign
> 
> As I mentioned previously, those commands leave me with the following
> structure:
> newcert.pem
> newreq.pem
> demoCA/
>     newcerts/
>         01.pem
>     private/
>         cakey.pem
> 
> 
> "newcert.pem" and "demoCA/newcerts/01.pem" are identical.
> 
> Tonu's notes indicate that passwords should be removed from the key files
> like this:
> 
> openssl rsa -inform pem  < server-req.pem > server-key.pem
> 
> I'm *assuming* that server-req.pem is the same as "newreq.pem" ... But the
> leap in file names isn't documented, and the two contradictory examples of
> ssl-key usage (mentioned above) are confusing.
> 
> 
> - Is there an estimate for when the documentation on MySQL's SSL
> functionality will be completed? I would love to be able to set this up
> without having to guess at how it's done. : ) I'm going to start
> experimenting with the files I've got to see what works ... I'll report what
> I find. Meanwhile, the general idea of "guessing at how to configure the
> secure connection" is killing the notion of "security" for me to some
> extent.
> 
> 
> - Has anyone successfully set this up on their servers? If so, I would be
> grateful for your tips!
> 
> Thanks,
> Clay
> 
> 
>> From: Clay Loveless <[EMAIL PROTECTED]>
>> Date: Tue, 18 Jun 2002 12:00:51 -0700
>> To: MySQL <[EMAIL PROTECTED]>
>> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
>> 
>> Hello,
>> 
>> From the sound of Tonu's original response, he's pretty busy right now ...
>> If anyone else has an idea based on experience with SSL & MySQL, or just
>> with openssl in general, can offer an opinion on this, I would be grateful.
>> 
>> I've ordered a book on OpenSSL in an effort to learn more about it for this
>> application as well as others, but it hasn't gotten here yet. I would
>> appreciate any insight before I get around to just guessing!
>> 
>> Thanks,
>> Clay
>> 
>> 
>> 
>>> From: Clay Loveless <[EMAIL PROTECTED]>
>>> Date: Sat, 15 Jun 2002 21:30:31 -0700
>>> To: MySQL <[EMAIL PROTECTED]>
>>> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
>>> 
>>> Tonu,
>>> 
>>> Thank you, thank you! The formal documentation effort is apparently still
>>> underway based on your notes ... The link you included eliminates a lot of
>>> guesswork! : )
>>> 
>>>> This part of MySQL is written by me and I am sure it worked :)
>>> 
>>> I'm sure it does -- what I meant was that the way I had it configured (my
>>> best guess last night) wasn't working. No wonder!
>>> 
>>>>> 3. EDIT my.cnf ON CLIENT & SERVER
>>>>> I added these values to my.cnf:
>>>>> 
>>>>>     [ssl]
>>>>>     key = (LONG public key value - 394 chars - copied from server.crt)
>>>>>     cert = ca.crt
>>>>>     ca = (Organization Name answer from the Q & A session while doing the
>>>>> first ca.key generation)
>>>>>     capath = /usr/local/etc/mysqlssl
>>>> 
>>>> 
>>>> nono, a lot of errors here. I am pretty sleepy and can do smaller mistakes
>>>> right now but mistakes I see:
>>>> 
>>>> section [ssl] is wrong. MySQL server uses [mysqld] section, command line
>>>> - client [client] but nobody read [ssl] section! Everything should be
>>>> added under those common sections
>>>> - values "key" and "ca" are wrong. Should be ssl-key, ssl-ca and so on...
>>> 
>>> 
>>> Makes sense. I went through the procedures with CA.sh logged in your notes,
>>> and was left with these files in my working directory:
>>> 
>>>   newcert.pem
>>>   newreq.pem
>>>   demoCA/
>>>       newcerts/
>>>           01.pem
>>>       private/
>>>           cakey.pem
>>> 
>>> Can you tell me which of those files translates into the files you used in
>>> your configuration?
>>> 
>>> [mysqld]
>>> ssl-ca=SSL/cacert.pem
>>> ssl-cert=SSL/server-cert.pem
>>> ssl-key=SSL/server-key.pem
>>>  
>>> [mysql]
>>> ssl-ca=SSL/cacert.pem
>>> ssl-cert=SSL/client-cert.pem
>>> ssl-key=SSL/client-key.pem
>>>    
>>> [mysqldump]
>>> ssl-ca=SSL/cacert.pem
>>> ssl-cert=SSL/client-cert.pem
>>> ssl-key=SSL/client-key.pem
>>> 
>>> 
>>> Your notes don't include the steps where you renamed the output .pem files
>>> to the filenames used in your example my.cnf entries.
>>> 
>>> 
>>> 
>>>>> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some
>>>>> clues for doing this ... In reference to C functions, it says:
>>>>> 
>>>>>     'key' contains an SSL public key
>>>>>     'cert' contains the filename of a certificate
>>>>>     'ca' contains the name of the certificate authority
>>>>>     'capath' contains the directory containing the certificate
>>>> 
>>>> Hmm this is not the first time when O'Reilly publishes bad and
>>>> misguiding book about MySQL. I personally suggest to avoid them. Paul
>>>> DuBois one is good example.
>>> 
>>> Could be that I was just making the wrong assumption. I've read a good chunk
>>> of the rest of that O'Reilly book today, and it was all pretty good. The
>>> section I quoted wasn't specifically documenting the SSL functionality, but
>>> just listing a C function for reading SSL-related values from the .cnf file.
>>> So, it was probably just the author's shorthand for that function, and I
>>> leapt to the wrong conclusion.
>>> 
>>> 
>>>> There is a file in MySQL source tree I wrote about using SSL connections
>>>> with MySQL:
>>>> 
>>>> http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES
>>>> 
>>>> I hope they work for you. There are some pregenerated example
>>>> key/certificate files included. You may try with them first to ensure that
>>>> your command-line stuff works first.
>>>> 
>>> 
>>> Thanks again for posting this link! This really helps a lot. I would be
>>> happy to write all this up for use as a FAQ answer on mysqldeveloper.com, as
>>> I'm sure this has (or will) come up often.
>>> 
>>> Regards,
>>> Clay
>>> 
>>> 

