Re: FreeRADIUS and MySQL+SSL

2005-03-31 Thread Wolfram Schlich
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-19 13:11]:
 * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
  On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
   [ FreeRADIUS + MySQL + SSL ]
   Ok, I have sat down and hacked something together, with a little help
   from a friend. I probably did something wrong or suboptimal (as I
   said, I am not a C coder), but at a first glance, it seems to work fine.
   Here's the patch:
  
 http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
  
  [...]
  I don't
  give it much chance of getting into 1.0.3, especially since MySQL don't
  distribute SSL-enabled binaries.
 
 What does the MySQL client distribution policy have to do
 with this?! *wonder*
 
  They're apparently moving away from
  OpenSSL in the server, but no indication that they're going to
  un-OpenSSL the _client_ libraries. [1] [2]
 
 Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
 MySQL protocol keeps supporting SSL'd connections...
 I have posted a comment to [2] in order to get some more information
 from that MySQL guy.

There's some news: MySQL is going for yaSSL in the 5.0 tree:

http://bugs.mysql.com/bug.php?id=8508&error=lp

Anyway, it won't affect the mysql_ssl_set() function I guess.
-- 
Wolfram Schlich

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRADIUS and MySQL+SSL

2005-03-31 Thread Paul Hampson
On Fri, Apr 01, 2005 at 01:34:37AM +0200, Wolfram Schlich wrote:
 * Wolfram Schlich [EMAIL PROTECTED] [2005-03-19 13:11]:
  * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
   On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
[ FreeRADIUS + MySQL + SSL ]
Ok, I have sat down and hacked something together, with a little help
from a friend. I probably did something wrong or suboptimal (as I
said, I am not a C coder), but at a first glance, it seems to work fine.
Here's the patch:
   

http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
   
   [...]
   I don't
   give it much chance of getting into 1.0.3, especially since MySQL don't
   distribute SSL-enabled binaries.
  
  What does the MySQL client distribution policy have to do
  with this?! *wonder*
  
   They're apparently moving away from
   OpenSSL in the server, but no indication that they're going to
   un-OpenSSL the _client_ libraries. [1] [2]
  
  Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
  MySQL protocol keeps supporting SSL'd connections...
  I have posted a comment to [2] in order to get some more information
  from that MySQL guy.
 
 There's some news: MySQL is going for yaSSL in the 5.0 tree:
 
   http://bugs.mysql.com/bug.php?id=8508&error=lp
 
 Anyway, it won't affect the mysql_ssl_set() function I guess.

Hmm. For the record, [1] too. Yassl looks interesting.

You're right though, as long as they don't change the libmysqlclient
API, all the previous comments about protecting it with a #define based
on a header function check are sufficient.

[1] http://bugs.mysql.com/bug.php?id=6924

-- 
Paul TBBle Hampson, on an alternate email client.



Re: FreeRADIUS and MySQL+SSL

2005-03-21 Thread Wolfram Schlich
* Paul Hampson [EMAIL PROTECTED] [2005-03-20 03:50]:
 On Sat, Mar 19, 2005 at 02:06:56PM +0100, Wolfram Schlich wrote:
  * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
   On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
[ MySQL+SSL patch for FreeRADIUS ]
Ok, I have sat down and hacked something together, with a little help
from a friend. I probably did something wrong or suboptimal (as I
said, I am not a C coder), but at a first glance, it seems to work fine.
Here's the patch:
 

http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
 
   Please remember to post patches to the list for easier discussion.
 
  Ok, sorry.
 
   And also, this sort of patch would probably be best against HEAD.
  
  The patch wasn't meant as an official submission for upstream, but
  as a basis for a discussion :)
 
 Yeah, sorry about that. I didn't notice this was on -user instead of
 -devel, and treated it as if it was on the latter.

Not your fault. I should have labelled it accordingly :-)

   I don't
   give it much chance of getting into 1.0.3, especially since MySQL don't
   distribute SSL-enabled binaries.
  
  What does the MySQL client distribution policy have to do
  with this?! *wonder*
 
 Basically, things going into 1.0.3 (if it happens) are bug fixes, not
 feature changes. The fact that you have to recompile your mySQL locally
 anyway to enable SSL makes it reasonable to me to say this change is
 something you can patch in yourself as well.

Well, using Gentoo Linux for example, when you have the 'ssl' USE flag
set, which is the default, MySQL will be compiled with SSL support right
from the start, so there's no need to re-compile it if you have already
installed it.

 If upstream binaries were coming SSL-enabled, we could almost build a
 case that this is a bug, rather than a new feature.

I still don't see why we have to depend the inclusion of this kind of
functionality on MySQL distribution binaries.
It doesn't affect Gentoo or other source based distros at all for example.

 Still, it has to get into HEAD before I'll consider it for 1.0.3, so one
 hurdle at a time.

Ok. I will post something to -devel asking for help on how to deal
with it :o)

   They're apparently moving away from
   OpenSSL in the server, but no indication that they're going to
   un-OpenSSL the _client_ libraries. [1] [2]
 
  Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
  MySQL protocol keeps supporting SSL'd connections...
  I have posted a comment to [2] in order to get some more information
  from that MySQL guy.
 
 It matters as far as distributing binaries goes. You can't distribute a
 binary that links GPL code without any exception (such as FreeRADIUS and
 many of its depended-on libraries) with OpenSSL.

Ah, of course. But well, binaries is just an additional form of
distribution for me, source is the main one IMHO.
You could disable SSL by default in the configure script btw.

 It's slightly more complicated than that, but there is a license issue
 of some kind which needs to be looked out for. It doesn't really affect
 _us_, but it's something to be mindful of when playing with these
 things.

Yup, thanks for your thoughts.
-- 
Wolfram Schlich



Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Marcin Jessa

I never said to use stunnel on the box with MySQL.
Use it on the box with Freeradius and don't use untested patches on what I take 
is gonna be a production server.
Stunnel is very stable and reliable.
Anyway, I'd rather make SSL connection between two MySQL servers with database 
replication and make your radius talk to the one local to it.
And be nice, "Yeah, right" is not something you say when asking strangers for 
advice.




On Sat, 19 Mar 2005 04:14:11 +0100
Wolfram Schlich [EMAIL PROTECTED] wrote:

 * Marcin Jessa [EMAIL PROTECTED] [2005-03-19 04:05]:
  On Sat, 19 Mar 2005 03:52:52 +0100 Wolfram Schlich [EMAIL PROTECTED] 
  wrote:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
 Hey guys,
 
 we would like to implement the following setup:
 - FreeRADIUS radiusd on machine A
 - MySQL mysqld on machine B
 
 FreeRADIUS should use the MySQL database on machine A over an SSL
 secured connection. Does FreeRADIUS support SSL for MySQL connections?

I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
as the mysql sources (/usr/include/mysql/mysql.h).

It looks like you need to call mysql_ssl_set() with the needed
parameters (mysql socket connection, ssl key file, ssl cert file, ssl
ca file, ssl ca path and ssl cipher) right after the mysql_init()
call, which is located in line 76 of the sql_mysql.c file (at least in
the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
src/modules/rlm_sql/drivers/rlm_sql_mysql).

Any volunteers for coding a test implementation? :)
   
   Ok, I have sat down and hacked something together, with a little help
   from a friend. I probably did something wrong or suboptimal (as I
   said, I am not a C coder), but at a first glance, it seems to work fine.
   Here's the patch:
   
 http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
   
   Please feel invited to test it and eventually fix any bugs you find :-)
 
  All you need is stunnel.
 
 Yeah, right -- because MySQL supports SSL right out of the box, I will
 use another piece of external software. EBADIDEA.
 With MySQL-4, there's no need for such a kludgy workaround anymore.
 -- 
 Wolfram Schlich
 


-- 

Regards,
M. Jessa
http://www.yazzy.org




Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Wolfram Schlich
* Marcin Jessa [EMAIL PROTECTED] [2005-03-19 13:17]:
 On Sat, 19 Mar 2005 04:14:11 +0100 Wolfram Schlich [EMAIL PROTECTED] wrote:
  * Marcin Jessa [EMAIL PROTECTED] [2005-03-19 04:05]:
   On Sat, 19 Mar 2005 03:52:52 +0100 Wolfram Schlich [EMAIL PROTECTED] 
   wrote:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
 * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
  Hey guys,
  
  we would like to implement the following setup:
  - FreeRADIUS radiusd on machine A
  - MySQL mysqld on machine B
  
  FreeRADIUS should use the MySQL database on machine A over an SSL
  secured connection. Does FreeRADIUS support SSL for MySQL 
  connections?
 
 I'm not a C coder, but! :) I had a look at the sql_mysql.c file as 
 well
 as the mysql sources (/usr/include/mysql/mysql.h).
 
 It looks like you need to call mysql_ssl_set() with the needed
 parameters (mysql socket connection, ssl key file, ssl cert file, ssl
 ca file, ssl ca path and ssl cipher) right after the mysql_init()
 call, which is located in line 76 of the sql_mysql.c file (at least in
 the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
 src/modules/rlm_sql/drivers/rlm_sql_mysql).
 
 Any volunteers for coding a test implementation? :)

Ok, I have sat down and hacked something together, with a little help
from a friend. I probably did something wrong or suboptimal (as I
said, I am not a C coder), but at a first glance, it seems to work fine.
Here's the patch:


http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch

Please feel invited to test it and eventually fix any bugs you find :-)
  
   All you need is stunnel.
  
  Yeah, right -- because MySQL supports SSL right out of the box, I will
  use another piece of external software. EBADIDEA.
  With MySQL-4, there's no need for such a kludgy workaround anymore.
 
 I never said to use stunnel on the box with MySQL.
 Use it on the box with Freeradius

As far as I can tell MySQL doesn't use SSL as one might think at
first, it uses the standard (unencrypted) MySQL protocol to
make a handshake with the peer and negotiate SSL flags, then it
switches to SSL secured communication, so I doubt it'd work the
way you suggested. I'm open to a counter-evidence, of course :)

 and don't use untested
 patches on what I take is gonna be a production server.

That's what I'm doing all this for, to get it tested and maybe some
kind of approved by the FreeRADIUS maintainers.
Nonetheless this patch is only for _enabling_ already tested
functionality (from the MySQL client library), so it won't be a big
deal anyway -- either it works, or it doesn't, you'll notice it
right at the start :)

 Stunnel is very stable and reliable.

I think you are right, but that still doesn't make me want to
use it for the aforementioned scenario :)
I use stunnel for software which doesn't support SSL _at all_,
but MySQL does -- FreeRADIUS just lacks a few lines of code for
enabling it.

 Anyway, I'd rather make SSL connection between two MySQL servers
 with database replication and make your radius talk to the one
 local to it.

That would be even more overhead than the use of stunnel.
I still don't see a logical reason to forego the native MySQL4 SSL
implementation for an external 3rd party one.

Anyway, this discussion was not meant to be about personal taste.
So, if you'd go for stunnel, I'm absolutely fine with that :)
If you have to say something regarding the patch _besides_
philosophical aspects, feel free to participate.
Thanks.
-- 
Wolfram Schlich


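The handshake Wolfram describes above (a clear-text MySQL greeting, capability negotiation, then the switch to SSL on the same socket) is shown below as an added example in C. It is not part of the patch under discussion and not code from libmysqlclient; mysql_ssl_set() only records the key, certificate and CA material that the client library uses once it reaches this point of the protocol. The example parses a hand-constructed Protocol::HandshakeV10 greeting, checks the CLIENT_SSL capability bit (0x0800) the server advertises, and builds the clear-text SSLRequest packet a client sends before the TLS handshake starts. The field offsets are those of the MySQL 4.1 wire format, with the upper capability bytes reading as zero on older servers; both sample packets are constructed, not captured.

```c
/* Added example, not code from the FreeRADIUS patch or from libmysqlclient.
 * Parses a hand-built MySQL Protocol::HandshakeV10 greeting, reports whether
 * the server advertises CLIENT_SSL, and builds the clear-text SSLRequest the
 * client must send before the TLS handshake starts on the same TCP socket. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_PROTOCOL_41       0x00000200u
#define CLIENT_SSL               0x00000800u
#define CLIENT_SECURE_CONNECTION 0x00008000u

struct greeting {
    uint8_t  protocol_version;
    char     server_version[64];
    uint32_t connection_id;
    uint32_t capabilities;
};

static uint32_t le16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (le16(p + 2) << 16); }

/* buf holds one packet: 3-byte little-endian payload length, 1-byte sequence
 * id, then the payload. Returns 0 on success, -1 if truncated or not V10. */
int parse_greeting(const uint8_t *buf, size_t len, struct greeting *g)
{
    if (len < 4) return -1;
    uint32_t plen = buf[0] | ((uint32_t)buf[1] << 8) | ((uint32_t)buf[2] << 16);
    if ((size_t)plen + 4 > len) return -1;
    const uint8_t *p = buf + 4, *end = p + plen;

    if (p >= end || *p != 10) return -1;            /* only HandshakeV10 is handled */
    g->protocol_version = *p++;

    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));  /* NUL-terminated version */
    if (nul == NULL) return -1;
    size_t vlen = (size_t)(nul - p);
    if (vlen >= sizeof g->server_version) return -1;
    memcpy(g->server_version, p, vlen);
    g->server_version[vlen] = '\0';
    p = nul + 1;

    /* connection id (4) + auth-plugin-data part 1 (8) + filler (1) + caps low (2) */
    if (end - p < 4 + 8 + 1 + 2) return -1;
    g->connection_id = le32(p);  p += 4;
    p += 8 + 1;
    uint32_t caps = le16(p);     p += 2;

    /* charset (1) + status (2) + caps high (2); the high bytes were filler
     * before MySQL 4.1, so they read as zero on older servers */
    if (end - p >= 1 + 2 + 2) {
        p += 1 + 2;
        caps |= le16(p) << 16;
    }
    g->capabilities = caps;
    return 0;
}

int server_offers_ssl(const struct greeting *g)
{
    return (g->capabilities & CLIENT_SSL) != 0;
}

/* SSLRequest: 4-byte header + 32-byte body (capabilities, max packet size,
 * charset, 23 reserved bytes), sent in the clear with sequence id 1.
 * Returns the number of bytes written, or 0 if out is too small. */
size_t build_ssl_request(uint8_t *out, size_t cap, uint32_t client_caps, uint8_t charset)
{
    if (cap < 36) return 0;
    client_caps |= CLIENT_SSL | CLIENT_PROTOCOL_41;
    memset(out, 0, 36);
    out[0] = 32;                       /* payload length, low byte */
    out[3] = 1;                        /* sequence id: first reply to the greeting */
    for (int i = 0; i < 4; i++) out[4 + i] = (uint8_t)(client_caps >> (8 * i));
    out[11] = 0x01;                    /* max packet size 0x01000000, little-endian */
    out[12] = charset;
    return 36;
}

/* Constructed sample greetings; auth-plugin-data part 2 is left out because
 * the parser above does not need it. */
const uint8_t sample_greeting_ssl[] = {
    28, 0, 0, 0,                             /* header: payload length 28, sequence 0 */
    0x0a,                                    /* protocol version 10 */
    '5', '.', '0', '.', '1', '8', 0,         /* server version */
    0x2a, 0, 0, 0,                           /* connection id 42 */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',  /* auth-plugin-data part 1 */
    0,                                       /* filler */
    0x00, 0x8a,                              /* caps low: SSL|PROTOCOL_41|SECURE_CONNECTION */
    0x08,                                    /* charset */
    0x02, 0x00,                              /* status flags */
    0x00, 0x00                               /* caps high */
};
const uint8_t sample_greeting_plain[] = {
    28, 0, 0, 0, 0x0a, '5', '.', '0', '.', '1', '8', 0, 0x2a, 0, 0, 0,
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 0,
    0x00, 0x82,                              /* caps low: no CLIENT_SSL */
    0x08, 0x02, 0x00, 0x00, 0x00
};

int main(void)
{
    struct greeting g;
    uint8_t req[36];
    if (parse_greeting(sample_greeting_ssl, sizeof sample_greeting_ssl, &g) != 0) return 1;
    printf("server %s (conn %u) offers SSL: %s\n", g.server_version,
           (unsigned)g.connection_id, server_offers_ssl(&g) ? "yes" : "no");
    size_t n = build_ssl_request(req, sizeof req, CLIENT_SECURE_CONNECTION, 0x08);
    printf("SSLRequest is %zu bytes; the TLS handshake follows on the same socket\n", n);
    return 0;
}
```

Build with `cc -o greeting greeting.c` and run it. The packet flow is the reason a TCP-level TLS wrapper in front of only the FreeRADIUS side cannot stand in for the client library's own SSL support: the server expects the first bytes from the client in the clear and only starts TLS after the SSLRequest. Because mysql_ssl_set() is a no-op on a client library built without SSL support, a deployment that relies on the patch should also confirm after connecting that the session really is encrypted, for instance by checking that `SHOW STATUS LIKE 'Ssl_cipher'` returns a non-empty value rather than silently running in clear text.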

Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Wolfram Schlich
* Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
 On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
  * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
Hey guys,
 
we would like to implement the following setup:
- FreeRADIUS radiusd on machine A
- MySQL mysqld on machine B
 
FreeRADIUS should use the MySQL database on machine A over an SSL
secured connection. Does FreeRADIUS support SSL for MySQL connections?
 
   I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
   as the mysql sources (/usr/include/mysql/mysql.h).
 
   It looks like you need to call mysql_ssl_set() with the needed
   parameters (mysql socket connection, ssl key file, ssl cert file, ssl
   ca file, ssl ca path and ssl cipher) right after the mysql_init()
   call, which is located in line 76 of the sql_mysql.c file (at least in
   the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
   src/modules/rlm_sql/drivers/rlm_sql_mysql).
 
   Any volunteers for coding a test implementation? :)
 
  Ok, I have sat down and hacked something together, with a little help
  from a friend. I probably did something wrong or suboptimal (as I
  said, I am not a C coder), but at a first glance, it seems to work fine.
  Here's the patch:
 
  http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
 
 Please remember to post patches to the list for easier discussion.

Ok, sorry.

 And also, this sort of patch would probably be best against HEAD.

The patch wasn't meant as an official submission for upstream, but
as a basis for a discussion :)

 I don't
 give it much chance of getting into 1.0.3, especially since MySQL don't
 distribute SSL-enabled binaries.

What does the MySQL client distribution policy have to do
with this?! *wonder*

 They're apparently moving away from
 OpenSSL in the server, but no indication that they're going to
 un-OpenSSL the _client_ libraries. [1] [2]

Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
MySQL protocol keeps supporting SSL'd connections...
I have posted a comment to [2] in order to get some more information
from that MySQL guy.

 That said, this patch looks OK to me, although it does raise the
 question of when that function was added to the mySQL client library.

4.0.x IIRC

 It's not a problem if the client was built without SSL support, as the
 function will still exist and run, but is effectively a no-op. [3]

Yup.

 I'd maybe be happier if it was a configure option, so that people who
 _need_ to link against the LGPL libmysqlclient10 (or whatever it's
 called outside Debian. ^_^) don't get stuck unable to build
 rlm_sql_mysql. And with that configure option, I expect the configure
 help to mention what version of the client library is needed. ^_^

Good idea.

 (For reference, a quick check in Debian suggests that in 3.23.49,
 the function is only present if mySQL was compiled with --with-ssl,
 while in 4.0.23 it was always available. So this _does_ have to be
 done before it can be accepted.)

Oh, I didn't know 3.23.x did support SSL to whatever extent :)

 If you like, you can probably make it a configure test that checks
 for mysql_ssl_set being available in mysql.h, and flags it accordingly
 to make it easier for the user. (eg. They have to do exactly nothing
 to use their SSL-enabled libmysqlclient with FreeRADIUS.) This should
 only be a line or two in configure.in. ^_^

Agreed.

I guess I'll email the -devel list and ask the developers about their
opinion to probe for a possible inclusion of the SSL functionality
into upstream.

Thanks for your input!

 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291945
 [2] http://bugs.mysql.com/bug.php?id=8508
 [3] http://dev.mysql.com/doc/mysql/en/mysql-ssl-set.html
-- 
Wolfram Schlich



Re: FreeRADIUS and MySQL+SSL

2005-03-19 Thread Paul Hampson
On Sat, Mar 19, 2005 at 02:06:56PM +0100, Wolfram Schlich wrote:
 * Paul Hampson [EMAIL PROTECTED] [2005-03-19 04:56]:
  On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
 Hey guys,

 we would like to implement the following setup:
 - FreeRADIUS radiusd on machine A
 - MySQL mysqld on machine B

 FreeRADIUS should use the MySQL database on machine A over an SSL
 secured connection. Does FreeRADIUS support SSL for MySQL connections?

I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
as the mysql sources (/usr/include/mysql/mysql.h).

It looks like you need to call mysql_ssl_set() with the needed
parameters (mysql socket connection, ssl key file, ssl cert file, ssl
ca file, ssl ca path and ssl cipher) right after the mysql_init()
call, which is located in line 76 of the sql_mysql.c file (at least in
the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
src/modules/rlm_sql/drivers/rlm_sql_mysql).

Any volunteers for coding a test implementation? :)

   Ok, I have sat down and hacked something together, with a little help
   from a friend. I probably did something wrong or suboptimal (as I
   said, I am not a C coder), but at a first glance, it seems to work fine.
   Here's the patch:

 http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch

  Please remember to post patches to the list for easier discussion.

 Ok, sorry.

  And also, this sort of patch would probably be best against HEAD.
 
 The patch wasn't meant as an official submission for upstream, but
 as a basis for a discussion :)

Yeah, sorry about that. I didn't notice this was on -user instead of
-devel, and treated it as if it was on the latter.

  I don't
  give it much chance of getting into 1.0.3, especially since MySQL don't
  distribute SSL-enabled binaries.
 
 What does the MySQL client distribution policy have to do
 with this?! *wonder*

Basically, things going into 1.0.3 (if it happens) are bug fixes, not
feature changes. The fact that you have to recompile your mySQL locally
anyway to enable SSL makes it reasonable to me to say this change is
something you can patch in yourself as well.

If upstream binaries were coming SSL-enabled, we could almost build a
case that this is a bug, rather than a new feature.

Still, it has to get into HEAD before I'll consider it for 1.0.3, so one
hurdle at a time.

  They're apparently moving away from
  OpenSSL in the server, but no indication that they're going to
  un-OpenSSL the _client_ libraries. [1] [2]

 Well, OpenSSL or GnuTLS -- it doesn't matter as long as the
 MySQL protocol keeps supporting SSL'd connections...
 I have posted a comment to [2] in order to get some more information
 from that MySQL guy.

It matters as far as distributing binaries goes. You can't distribute a
binary that links GPL code without any exception (such as FreeRADIUS and
many of its depended-on libraries) with OpenSSL.

It's slightly more complicated than that, but there is a license issue
of some kind which needs to be looked out for. It doesn't really affect
_us_, but it's something to be mindful of when playing with these
things.

-- 
Paul TBBle Hampson, on an alternate email client.



Re: FreeRADIUS and MySQL+SSL

2005-03-18 Thread Marcin Jessa
All you need is stunnel.



On Sat, 19 Mar 2005 03:52:52 +0100
Wolfram Schlich [EMAIL PROTECTED] wrote:

 * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
  * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
   Hey guys,
   
   we would like to implement the following setup:
   - FreeRADIUS radiusd on machine A
   - MySQL mysqld on machine B
   
   FreeRADIUS should use the MySQL database on machine A over an SSL
   secured connection. Does FreeRADIUS support SSL for MySQL connections?
  
  I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
  as the mysql sources (/usr/include/mysql/mysql.h).
  
  It looks like you need to call mysql_ssl_set() with the needed
  parameters (mysql socket connection, ssl key file, ssl cert file, ssl
  ca file, ssl ca path and ssl cipher) right after the mysql_init()
  call, which is located in line 76 of the sql_mysql.c file (at least in
  the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
  src/modules/rlm_sql/drivers/rlm_sql_mysql).
  
  Any volunteers for coding a test implementation? :)
 
 Ok, I have sat down and hacked something together, with a little help
 from a friend. I probably did something wrong or suboptimal (as I
 said, I am not a C coder), but at a first glance, it seems to work fine.
 Here's the patch:
 
   http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
 
 Please feel invited to test it and eventually fix any bugs you find :-)
 -- 
 Wolfram Schlich
 


-- 

Regards,
M. Jessa
http://www.yazzy.org




Re: FreeRADIUS and MySQL+SSL

2005-03-18 Thread Wolfram Schlich
* Marcin Jessa [EMAIL PROTECTED] [2005-03-19 04:05]:
 On Sat, 19 Mar 2005 03:52:52 +0100 Wolfram Schlich [EMAIL PROTECTED] wrote:
  * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
   * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
Hey guys,

we would like to implement the following setup:
- FreeRADIUS radiusd on machine A
- MySQL mysqld on machine B

FreeRADIUS should use the MySQL database on machine A over an SSL
secured connection. Does FreeRADIUS support SSL for MySQL connections?
   
   I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
   as the mysql sources (/usr/include/mysql/mysql.h).
   
   It looks like you need to call mysql_ssl_set() with the needed
   parameters (mysql socket connection, ssl key file, ssl cert file, ssl
   ca file, ssl ca path and ssl cipher) right after the mysql_init()
   call, which is located in line 76 of the sql_mysql.c file (at least in
   the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
   src/modules/rlm_sql/drivers/rlm_sql_mysql).
   
   Any volunteers for coding a test implementation? :)
  
  Ok, I have sat down and hacked something together, with a little help
  from a friend. I probably did something wrong or suboptimal (as I
  said, I am not a C coder), but at a first glance, it seems to work fine.
  Here's the patch:
  
  http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
  
  Please feel invited to test it and eventually fix any bugs you find :-)

 All you need is stunnel.

Yeah, right -- because MySQL supports SSL right out of the box, I will
use another piece of external software. EBADIDEA.
With MySQL-4, there's no need for such a kludgy workaround anymore.
-- 
Wolfram Schlich



Re: FreeRADIUS and MySQL+SSL

2005-03-18 Thread Paul Hampson
On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
 * Wolfram Schlich [EMAIL PROTECTED] [2005-03-17 00:55]:
  * Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
   Hey guys,

   we would like to implement the following setup:
   - FreeRADIUS radiusd on machine A
   - MySQL mysqld on machine B

   FreeRADIUS should use the MySQL database on machine A over an SSL
   secured connection. Does FreeRADIUS support SSL for MySQL connections?

  I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
  as the mysql sources (/usr/include/mysql/mysql.h).

  It looks like you need to call mysql_ssl_set() with the needed
  parameters (mysql socket connection, ssl key file, ssl cert file, ssl
  ca file, ssl ca path and ssl cipher) right after the mysql_init()
  call, which is located in line 76 of the sql_mysql.c file (at least in
  the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
  src/modules/rlm_sql/drivers/rlm_sql_mysql).

  Any volunteers for coding a test implementation? :)

 Ok, I have sat down and hacked something together, with a little help
 from a friend. I probably did something wrong or suboptimal (as I
 said, I am not a C coder), but at a first glance, it seems to work fine.
 Here's the patch:

   http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch

Please remember to post patches to the list for easier discussion. And
also, this sort of patch would probably be best against HEAD. I don't
give it much chance of getting into 1.0.3, especially since MySQL don't
distribute SSL-enabled binaries. They're apparently moving away from
OpenSSL in the server, but no indication that they're going to
un-OpenSSL the _client_ libraries. [1] [2]

That said, this patch looks OK to me, although it does raise the
question of when that function was added to the mySQL client library.
It's not a problem if the client was built without SSL support, as the
function will still exist and run, but is effectively a no-op. [3]

I'd maybe be happier if it was a configure option, so that people who
_need_ to link against the LGPL libmysqlclient10 (or whatever it's
called outside Debian. ^_^) don't get stuck unable to build
rlm_sql_mysql. And with that configure option, I expect the configure
help to mention what version of the client library is needed. ^_^

(For reference, a quick check in Debian suggests that in 3.23.49,
the function is only present if mySQL was compiled with --with-ssl,
while in 4.0.23 it was always available. So this _does_ have to be
done before it can be accepted.)

If you like, you can probably make it a configure test that checks
for mysql_ssl_set being available in mysql.h, and flags it accordingly
to make it easier for the user. (eg. They have to do exactly nothing
to use their SSL-enabled libmysqlclient with FreeRADIUS.) This should
only be a line or two in configure.in. ^_^

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291945
[2] http://bugs.mysql.com/bug.php?id=8508
[3] http://dev.mysql.com/doc/mysql/en/mysql-ssl-set.html

-- 
Paul TBBle Hampson, on an alternate email client.



FreeRADIUS and MySQL+SSL

2005-03-16 Thread Wolfram Schlich
Hey guys,

we would like to implement the following setup:
- FreeRADIUS radiusd on machine A
- MySQL mysqld on machine B

FreeRADIUS should use the MySQL database on machine A over an SSL
secured connection. Does FreeRADIUS support SSL for MySQL connections?
-- 
Wolfram Schlich




Re: FreeRADIUS and MySQL+SSL

2005-03-16 Thread Wolfram Schlich
* Wolfram Schlich [EMAIL PROTECTED] [2005-03-16 09:05]:
 Hey guys,
 
 we would like to implement the following setup:
 - FreeRADIUS radiusd on machine A
 - MySQL mysqld on machine B
 
 FreeRADIUS should use the MySQL database on machine A over an SSL
 secured connection. Does FreeRADIUS support SSL for MySQL connections?

I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
as the mysql sources (/usr/include/mysql/mysql.h).

It looks like you need to call mysql_ssl_set() with the needed
parameters (mysql socket connection, ssl key file, ssl cert file, ssl
ca file, ssl ca path and ssl cipher) right after the mysql_init()
call, which is located in line 76 of the sql_mysql.c file (at least in
the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
src/modules/rlm_sql/drivers/rlm_sql_mysql).

Any volunteers for coding a test implementation? :)
-- 
Wolfram Schlich

