Jyri Virkki wrote:
> sunanda menon wrote:
>
>> Please review the changes made to the MySQL-OpenSSL ARC writeup.
>>
>
>> MySQL source provides the Certificate Authority (CA)
>> certificate, the server public key and the server private key
>> to start the MySQL server so that it allows the clients to
>> connect via SSL.
>>
>
> Not clear to me what you mean by "MySQL source provides ..."?
> It sounds as if the CA cert and server keys are embedded in the source?
> That can't be it though. But then what does the above paragraph mean?
>

It actually means the keys+certificates are embedded in the source and they are usually placed in mysql-test/std_data. I'm showing here the bits of mysql-5.0.67, but the same is true for 5.0.77:

./mysql-5.0.67/mysql-test/std_data/cacert.pem
./mysql-5.0.67/mysql-test/std_data/server8k-key.pem
./mysql-5.0.67/mysql-test/std_data/untrusted-cacert.pem
./mysql-5.0.67/mysql-test/std_data/client-key.pem
./mysql-5.0.67/mysql-test/std_data/server-cert-des.pem
./mysql-5.0.67/mysql-test/std_data/server-key-des.pem
./mysql-5.0.67/mysql-test/std_data/client-cert.pem
./mysql-5.0.67/mysql-test/std_data/server8k-cert.pem
./mysql-5.0.67/mysql-test/std_data/server-cert.pem
./mysql-5.0.67/mysql-test/std_data/server-key.pem

What I'm trying to do is just make use of the keys while starting the MySQL server.

>
>> * --ssl-ca identifies the Certificate Authority (CA)
>>   certificate.
>> * --ssl-cert identifies the server public key. This can be
>>   sent to the client and authenticated against the CA
>>   certificate that it has.
>> * --ssl-key identifies the server private key.
>>
>
> These are options to the /usr/bin/mysql CLI but the doc doesn't say
> that. That's confusing to a reader who may not know that beforehand,
> so call it out in the doc. Below in s.4.3 the doc should also say that
> these options already exist and are being listed for information only,
> they're not being added by this case.
>
> Otherwise it can be confusing, since this section may be interpreted
> to be adding new options in which case the text in s.4.3 may be seen
> as conflicting.
>

OK. I can add this, as the mysqld/mysql CLI options are already present and no changes are done.

>> MySQL source code also provides the client key (client-key.pem)
>> and certificate files (client-cert.pem) or the server will
>> reject any SSL connection initiated.
>>
>
> Same questions here.
>

Please see above. Yes, they are a part of the source.

>> 4.3. Interfaces:
>>
>> we do NOT add any new command line option.
>>
>
> (see above)
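
An added example, not part of the original thread or of MySQL's code: because the server key and certificates discussed above ship in the source tree under mysql-test/std_data, a private key taken from there is known to anyone who has the tarball, so a deployment check can flag a [mysqld] option group whose ssl-ca, ssl-cert or ssl-key file is byte-identical to a shipped file. The function names, the temporary paths and the placeholder file contents are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

SSL_OPTS = ("ssl-ca", "ssl-cert", "ssl-key")

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def mysqld_ssl_options(cnf_text):
    """Extract ssl-ca/ssl-cert/ssl-key from the [mysqld] group of an option file."""
    section, found = None, {}
    for line in map(str.strip, cnf_text.splitlines()):
        if not line or line[0] in "#;!":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower().replace("_", "-")  # ssl_key is the same option as ssl-key
            if key in SSL_OPTS:
                found[key] = value.strip("'\"")
    return found

def audit(cnf_text, std_data_dir):
    """Return (option, shipped_name) for configured files identical to shipped test data."""
    known = {digest(os.path.join(std_data_dir, n)): n
             for n in os.listdir(std_data_dir) if n.endswith(".pem")}
    hits = []
    for opt, path in mysqld_ssl_options(cnf_text).items():
        if os.path.isfile(path) and digest(path) in known:
            hits.append((opt, known[digest(path)]))
    return hits

def demo():  # constructed layout; placeholder text stands in for real PEM data
    def write(path, text):
        with open(path, "w") as f:
            f.write(text)
        return path
    with tempfile.TemporaryDirectory() as tmp:
        std = os.path.join(tmp, "mysql-test", "std_data")
        os.makedirs(std)
        for name in ("cacert.pem", "server-cert.pem", "server-key.pem"):
            write(os.path.join(std, name), "placeholder " + name)
        cert = write(os.path.join(tmp, "site-cert.pem"), "site-generated")
        key = write(os.path.join(tmp, "key.pem"), "placeholder server-key.pem")
        cnf = f"[client]\nssl-key={key}\n[mysqld]\nssl-cert = {cert}\nssl_key = {key}\n"
        return audit(cnf, std)
```

In the constructed layout, only the copied key is reported; the site-generated certificate and the [client] group are ignored.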