On Thu January 1 2009, Edward Diener wrote:
> Michael S. Zick wrote:
> > On Thu January 1 2009, Edward Diener wrote:
> >> Perhaps your seeing this shows why I was at least nominally concerned
> >> about the MySQL client having its own public key-private key
> >> certificates. I have tried to find out what actual use the client's
> >> public key-private key has in MySQL, from either the client or the
> >> server's point of view, but to no avail since no one involved with MySQL
> >> answers questions about SSL and the documentation that comes with MySQL
> >> does not explain the use MySQL may have for the client certs.
> >>
> >> Evidently the only way to get any answers about MySQL and SSL is to pay
> >> Sun for the Enterprise version rather than use the free version. My
> >> employer is considering this.
> >>
> >
> > Ah, but Google knows the answer. ;) (Try the on-line Reference Manual)
> >
> > [quoting 5.5.7.1]
> > As for using certificates to replace passwords, yes, it can be done.
> > Following the instructions in the Mysql documentation for GRANT options, do
> > something like the following:
> > GRANT SELECT, INSERT, UPDATE ON database.* TO new_user@'hostname' REQUIRE
> > X509;
> > [/quote]
>
> I do not find the quote above in the 5.5.7.1 section of the MySQL
> documentation. I do see some links to the MySQL GRANT statement in
> sections under 5.5.7.
>
I was reading that in the version 5.0 on-line document, but did not check
the other versions. The link that I did post has a buried link in the page
to the 5.5.7.1 section I quoted.

> >
> > Although not clear there, digging deeper finds that it is the "REQUIRE
> > X509" option
> > that makes the client side certificate required. There are other options
> > which do
> > not; I did not run those references down myself.
>
> I see that in the MySQL GRANT statement it is possible to set up just a
> REQUIRE SSL rather than a REQUIRE X509. This might allow me to just pass
> the CA certificate issued to the client. I can try that.
>

That is the way I read the manual also -
Note the 'ssl' option only requires the --ssl-ca client option; and that
the 'x509' option is very explicitly different.
But that is one long page - you may wear out your 'page down' button. ;)

I suspect that manual section on setting up SSL using the openSSL tool,
where it just "falls into" making the client side stuff without mentioning
that part is optional (depending on GRANT options) has confused the subject.

> >
> > To increase the confusion, the reference manual on setting up SSL (using
> > openSSL)
> > gayly trips right along and has the reader create the _client side_ key
> > pair - -
> >
> > Rhetorical:
> > What part of "Private" do the reference manual authors not understand?
> >
> > So I would suggest digging into the MySQL documentation, find "GRANT"
> > options that
> > give you the control you want and possibly even skip the entire question of
> > client-side things to hide from the client. ;)
>
> Thanks for pointing this out to me. I did read the 5.5.7 part of the
> manual but I did not make the connection between the client certs and
> the REQUIRE X509 option of the GRANT statement because I did not pursue
> the GRANT statement and its REQUIRE option.
>
> I do not know if programmatically I can pass only the CA cert, if the
> GRANT statement only has a REQUIRE SSL, and still have an SSL connection
> work properly but at least I can try and see if this works.
>

According to my browsing, that is what 'ssl' does, enable encrypted
connection and leaves it up to some other method (username/password) to
ident the user.
(Think: https access to a site, and basic user/pass identification on a page.)
Should work just like what I think you want.
But I admit I am guessing. ;)

Mike

> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
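The REQUIRE SSL versus REQUIRE X509 distinction discussed in this thread, shown as an added example that is not part of the original messages. It assumes the MySQL 5.0/5.1-era `GRANT ... REQUIRE` syntax quoted above; the database name, account names, host, password and certificate DNs are constructed placeholders.

```sql
-- Added example, not from the thread. Assumes the MySQL 5.0/5.1-era
-- GRANT ... REQUIRE syntax quoted above; database, accounts, host,
-- password and certificate DNs are constructed placeholders.

-- Encryption only: the client must negotiate an SSL/TLS session (it
-- supplies --ssl-ca so it can verify the server's certificate), but no
-- client certificate is requested. The account is still identified by
-- its username/password, which is the behaviour Mike describes.
GRANT SELECT, INSERT, UPDATE ON appdb.*
    TO 'report_user'@'app.example.internal'
    IDENTIFIED BY 'placeholder-password'
    REQUIRE SSL;

-- Client certificate required: the server refuses the connection unless
-- the client presents a certificate that validates against the server's
-- configured CA. This is the option that makes client-side key material
-- necessary, as the thread concludes.
GRANT SELECT, INSERT, UPDATE ON appdb.*
    TO 'batch_loader'@'app.example.internal'
    IDENTIFIED BY 'placeholder-password'
    REQUIRE X509;

-- Stricter REQUIRE variant: pin the accepted client certificate to a
-- specific issuer and subject, so a certificate from the same CA issued
-- to a different subject is refused.
GRANT SELECT ON appdb.*
    TO 'audit_reader'@'app.example.internal'
    IDENTIFIED BY 'placeholder-password'
    REQUIRE ISSUER  '/C=US/O=Example Corp/CN=Example Internal CA'
        AND SUBJECT '/C=US/O=Example Corp/CN=audit_reader';

-- Audit check: which accounts demand no encryption at all (ssl_type ''),
-- encryption only ('ANY'), any valid client cert ('X509'), or a pinned
-- issuer/subject ('SPECIFIED'). Accounts with '' are the ones to review.
SELECT user, host, ssl_type, x509_issuer, x509_subject
  FROM mysql.user
 ORDER BY FIELD(ssl_type, '', 'ANY', 'X509', 'SPECIFIED'), user, host;

-- From a connected client session: a non-empty value confirms that this
-- connection is actually encrypted, regardless of which REQUIRE applied.
SHOW STATUS LIKE 'Ssl_cipher';
```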