On Thu January 1 2009, Edward Diener wrote:
> Perhaps your seeing this shows why I was at least nominally concerned
> about the MySQL client having its own public key-private key
> certificates. I have tried to find out what actual use the client's
> public key-private key has in MySQL, from either the client or the
> server's point of view, but to no avail since no one involved with MySQL
> answers questions about SSL and the documentation that comes with MySQL
> does not explain the use MySQL may have for the client certs.
>
> Evidently the only way to get any answers about MySQL and SSL is to pay
> Sun for the Enterprise version rather than use the free version. My
> employer is considering this.

Ah, but Google knows the answer. ;)
(Try the on-line Reference Manual)

[quoting 5.5.7.1]
As for using certificates to replace passwords, yes, it can be done.
Following the instructions in the Mysql documentation for GRANT options,
do something like the following:

    GRANT SELECT, INSERT, UPDATE ON database.* TO new_user@'hostname' REQUIRE X509;
[/quote]

Although not clear there, digging deeper finds that it is the
"REQUIRE X509" option that makes the client side certificate required.

There are other options which do not; I did not run those references
down myself.

To increase the confusion, the reference manual on setting up SSL
(using OpenSSL) gaily trips right along and has the reader create
the _client side_ key pair --
Rhetorical: What part of "Private" do the reference manual authors
not understand?

So I would suggest digging into the MySQL documentation, finding "GRANT"
options that give you the control you want and possibly even skipping the
entire question of client-side things to hide from the client. ;)

Mike
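
Added example (not part of the original message or of the MySQL manual): the REQUIRE clause discussed above, showing the variant that asks for no client certificate beside the ones that do. The account names, host, schema and certificate DNs are constructed, and the GRANT form follows the statement quoted in the message.

```sql
-- Constructed accounts on a constructed schema "appdb"; adjust names to your site.
-- GRANT ... REQUIRE is the form quoted in the message above. Current MySQL
-- releases set the same options with CREATE USER / ALTER USER ... REQUIRE.

-- 1. Encrypted transport only. The server does not ask for a client
--    certificate, so the account is still authenticated by its password.
GRANT SELECT ON appdb.* TO 'report_ro'@'client.example.com'
    REQUIRE SSL;

-- 2. The client must present a certificate that verifies against the CA
--    configured on the server (ssl-ca). Any certificate signed by that CA
--    satisfies the check; subject and issuer are not compared.
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_rw'@'client.example.com'
    REQUIRE X509;

-- 3. Tie the account to one certificate identity. A certificate that is
--    valid but carries a different subject or issuer DN is refused.
--    Both DNs below are constructed sample values.
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'batch_rw'@'client.example.com'
    REQUIRE SUBJECT '/C=US/O=Example Corp/CN=batch_rw'
        AND ISSUER  '/C=US/O=Example Corp/CN=Example Internal CA';

-- Review what each account now demands.
SHOW GRANTS FOR 'report_ro'@'client.example.com';
SHOW GRANTS FOR 'app_rw'@'client.example.com';
SHOW GRANTS FOR 'batch_rw'@'client.example.com';

-- Run from a client session: an empty Value means the connection is not
-- encrypted, a cipher name means TLS is in use for this session.
SHOW STATUS LIKE 'Ssl_cipher';
```

With options 2 and 3 the server only ever needs the CA certificate and the client's public certificate, so the client's private key can be generated on the client machine and never leave it.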