On Sun, May 14, 2006 at 06:33:54PM -0700, jamesp81 (sent by Nabble.com) wrote:
>
> I am trying to write a program that will access a mysql database across a
> network. The data being transferred needs to be encrypted. The mysql
> server supports openssl, but getting it to work has been problematic at
> best, and the documentation I've found on openssl is so bad that it causes
> physical illness to even attempt to read it.

If you are describing the OpenSSL documentation (rather than OpenSSL-specific
MySQL documentation), keep in mind that OpenSSL is a developer
toolkit, not an end-user application, and the documentation for OpenSSL
is *reference* documentation, not a tutorial. There are books that cover
introductory material, show sample programs, ... These are still of
course targeted at developers, once again because OpenSSL is a toolkit...

Some of the people on this list best positioned to help you wrote the
OpenSSL documentation, this is not a good way to introduce yourself...

> I created a user name in the mysql server with the REQUIRE SSL clause, but
> clearly this alone is insufficient.
>
> I have no interest in verifying users with certificates; I'm going to use a
> username password scheme for user verification. With that in mind, what do
> I need to do with the mysql server to get it ready to accept SSL
> connections?

You'll need:

- a private/public key for your server,
- a mutually trusted CA to sign the public key and issue an X.509 certificate
- the client application will need to be configured to trust the CA and
  to use SSL.
- the server will either accept SSL on a separate address/port, or the
  MySQL protocol allows SSL to be negotiated over a common port for encrypted
  and unencrypted connections.

The gory details of how to do this with MySQL are not the subject of
this forum. A forum dedicated to MySQL is more likely to yield concrete
advice. Perhaps you can find a step-by-step HOWTO file for MySQL over
TLS with OpenSSL. Web search engines may also yield useful results.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
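
The key material listed in the reply above (server key pair, a CA, a CA-signed X.509 certificate, and the client-side trust check), produced with the `openssl` command line. This is an added example, not part of the original message; the names `example-ca` and `db.example.internal` and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Names (example-ca, db.example.internal, file names) are
# constructed placeholders, not values from the thread.
make_pki() {   # $1 = output directory
    dir=$1; mkdir -p "$dir" || return 1
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
subjectAltName = DNS:db.example.internal
EOF
    # 1. The CA both ends trust: CA key plus self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/pki.cnf" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null &&
    # 2. The server's private key and a signing request for its public key.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=db.example.internal" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null &&
    # 3. The CA signs the request, issuing the server's X.509 certificate.
    openssl x509 -req -in "$dir/server-req.pem" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions server \
        -out "$dir/server-cert.pem" 2>/dev/null &&
    chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem"
}

verify_server_cert() {   # $1 = CA certificate, $2 = server certificate
    # The check a client configured to trust the CA performs: accept the
    # server certificate only if it chains to that CA.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

key_matches_cert() {     # $1 = private key, $2 = certificate
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] &&
    [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo run in a scratch directory.
d=$(mktemp -d) && make_pki "$d" &&
    verify_server_cert "$d/ca.pem" "$d/server-cert.pem" && echo "chain OK in $d"
```

Only `ca.pem` is handed to clients; `server-key.pem` stays on the server and `ca-key.pem` on the host that signs certificates.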