Michael S. Zick wrote:
On Thu January 1 2009, Edward Diener wrote:
Perhaps your seeing this shows why I was at least nominally concerned
about the MySQL client having its own public key-private key
certificates. I have tried to find out what actual use the client's
public key-private key has in MySQL, from either the client or the
server's point of view, but to no avail since no one involved with MySQL
answers questions about SSL and the documentation that comes with MySQL
does not explain the use MySQL may have for the client certs.
Evidently the only way to get any answers about MySQL and SSL is to pay
Sun for the Enterprise version rather than use the free version. My
employer is considering this.
Ah, but Google knows the answer. ;) (Try the on-line Reference Manual)
[quoting 5.5.7.1]
As for using certificates to replace passwords, yes, it can be done. Following
the instructions in the Mysql documentation for GRANT options, do something
like the following:
GRANT SELECT, INSERT, UPDATE ON database.* TO new_user@'hostname' REQUIRE X509;
[/quote]
I do not find the quote above in the 5.5.7.1 section of the MySQL
documentation. I do see some links to the MySQL GRANT statement in
sections under 5.5.7.
Although not clear there, digging deeper finds that it is the "REQUIRE X509"
option that makes the client side certificate required. There are other options
which do not; I did not run those references down myself.
I see that in the MySQL GRANT statement it is possible to set up just a
REQUIRE SSL rather than a REQUIRE X509. This might allow me to just pass
the CA certificate issued to the client. I can try that.
To increase the confusion, the reference manual on setting up SSL (using
openSSL) gayly trips right along and has the reader create the _client side_ key pair - -
Rhetorical:
What part of "Private" do the reference manual authors not understand?
So I would suggest digging into the MySQL documentation, find "GRANT" options
that give you the control you want and possibly even skip the entire question of
client-side things to hide from the client. ;)
Thanks for pointing this out to me. I did read the 5.5.7 part of the
manual but I did not make the connection between the client certs and
the REQUIRE X509 option of the GRANT statement because I did not pursue
the GRANT statement and its REQUIRE option.
I do not know if programmatically I can pass only the CA cert, if the
GRANT statement only has a REQUIRE SSL, and still have an SSL connection
work properly but at least I can try and see if this works.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
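An added illustration, not part of the thread above, of the GRANT forms the two posters are discussing: REQUIRE SSL (encryption only, client needs just the CA certificate), REQUIRE X509 (client must present a certificate the server's CA trusts), and the ISSUER/SUBJECT form that pins the account to one client certificate. Database, account, host and DN values are placeholders; the statements use MySQL 5.x GRANT syntax and the checks are standard SHOW statements.

```sql
-- Added example, not from the openssl-users thread. appdb, the account names,
-- app.example.test and the DN strings are placeholders.

-- 1. REQUIRE SSL: the session must be encrypted. The server proves its identity
--    with its own certificate; the client only needs the CA certificate
--    (--ssl-ca) to verify it. No client key pair is involved.
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_ssl'@'app.example.test'
  IDENTIFIED BY 'placeholder-password'
  REQUIRE SSL;

-- 2. REQUIRE X509: in addition, the client must present a certificate signed by
--    a CA the server trusts (client supplies --ssl-ca, --ssl-cert, --ssl-key).
--    Any valid certificate from that CA is accepted for this account.
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_x509'@'app.example.test'
  REQUIRE X509;

-- 3. REQUIRE ISSUER ... AND SUBJECT ...: the client certificate must carry
--    exactly this issuer and subject DN, so the certificate, not a password,
--    is what identifies the account.
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_pinned'@'app.example.test'
  REQUIRE ISSUER  '/C=XX/O=Example CA/CN=Example Root CA'
      AND SUBJECT '/C=XX/O=Example/CN=app.example.test';

-- Checks to run afterwards: the stored requirement for an account, and, from
-- inside a client session, whether the link is really encrypted. An empty
-- Ssl_cipher value means the session is plaintext.
SHOW GRANTS FOR 'app_x509'@'app.example.test';
SHOW STATUS LIKE 'Ssl_cipher';
```

With REQUIRE SSL the server only insists that the session be encrypted; checking that the client is talking to the genuine server is the client's job, which is why the client should still be given the CA certificate (and, in 5.1 and later clients, --ssl-verify-server-cert to match the certificate against the hostname). Only the X509 and ISSUER/SUBJECT forms make the client-side key pair necessary.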