David Schwartz wrote:
I can understand your summary quite clearly.
Great.
Suppose the server encrypts data it sends to the client and the client
needs to decrypt that data. This is the case when my client SELECTs data
from the MySQL database. Does this need a different sequence than the
sequence mentioned above, where the client sends the server the client's
public key so that the server uses it to encrypt data before sending it
to the client who decrypts it using the client's private key ? Or can
the same server public-private key be used as you originally specified ?
Once session establishment is completed, the client and the server have a
shared secret. This is some chunk of data that only the server and the
client know. Each side can use the shared secret to encrypt data that only
the other side can decrypt. They typically do so using a symmetric
encryption algorithm such as AES or RC4.
OK, I understand this now. The original public key-private key is only
used for session establishment, after which the 'shared secret' is
always used to encrypt/decrypt data.
The reason I ask this is that MySQL, in setting up certificates,
specifies a public key-private key pair for both the server and any
given client. My original thought on seeing this is that this is
necessary because both the client and the database server may
encrypt/decrypt data.
No, that's not why. That would simply be to allow the server to identify the
client. If you have no need to do this, and already authenticate the client
by some other means (such as username/password) you can probably not specify
a client certificate. (It would be fairly unusual to absolutely require one
in a case where there is some other way to authenticate the client.)
MySQL does use a username/password to access the database server. So it
sounds like the entire client certificate in MySQL should be
unnecessary, although optional.
But others seem to imply that only the server public key-private key
pair is necessary.
That would be the usual situation.
In which case if this is true, when the server sends
encrypted data to the client which the client must decrypt, the data
must be encryoted with the server's private key and decrypted by the
client with the server's public key, therefore reversing the role of the
public key-private key for encrypting/decrypting data you mention above.
No. That would be hideously inefficient. The public/private keys are only
used during session establishment.
Thanks for the information. Evidently MySQL works with both the server
and a given client both having a public key-private key pair. In using
the MySQL client library API I must pass the paths to my client
certificates as SSL options to a client library connection object before
making a SSL connection to the server. After that everything works
automatically to encrypt/decrypr data between the client and the
database server.
Really? It absolutely requires a client certificate? Why not just have the
client make up a self-signed certificate then?
I just did some research, yes, you are correct. This is a known deficiency
of MySQL's SSL support, first reported in 2003! Bug number 2233. From
reading this bug and related bugs, there appears to be a lot of weirdness in
MySQL's usage of OpenSSL to perform transport encryption. I wonder if there
has been any kind of security review.
Perhaps your seeing this shows why I was at least nominally concerned
about the MySQL client having its own public key-private key
certificates. I have tried to find out what actual use the client's
public key-private key has in MySQL, from either the client or the
server's point of view, but to no avail since no one involved with MySQL
answers questions about SSL and the documentation that comes with MySQL
does not explain the use MySQL may have for the client certs.
Evidently the only way to get any answers about MySQL and SSL is to pay
Sun for the Enterprise version rather than use the free version. My
employer is considering this.
Thanks for all your patient help.
I will report to my employer what I have learned in this NG and I will
investigate cryptography and certificates further via the books others
have recommended.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
