Hi there,


Thanks for the responses.


>>> Does your client library know SSL? Really?)
>>
>> YES. My database (MySQL) is compiled from source and my end
>> libmysqlclient supports SSL, and that too very well. This has already
>> been tested from a very basic standalone database client + a packet
>> sniffer tool (ethereal).
>
> what I'm currently after is a way to determine _if_ the client lib really
> is SSL-aware; I've not found yet an API call which tells me this piece -
> instead I see in the shipping mysql apps, f.e. in mysqlshow, that simply
> mysql_ssl_set() is called before mysql_real_connect(), and the latter just
> bails out if the connection could not be established for whatever reason. I
> would however prefer to make a test if libmysqlclient is really SSL-aware,
> and bail out with a more informative error to the user when not.
> Did you find such perhaps?

A standalone client is working perfectly to provide the SSL layer with the
database, and it is using the same client lib (libmysqlclient). I used the
common ethereal tool to ensure that everything it does is encrypted. I used
the same mysql_ssl_set() prior to establishing the connection. I simply did
the following:


MYSQL mysql, *sock;

mysql_init(&mysql);
#ifdef HAVE_OPENSSL
    /* client key, client cert, CA cert; no capath, default cipher list */
    mysql_ssl_set(&mysql, "/root/DIGI_DEPS/newcerts/client-key.pem",
                  "/root/DIGI_DEPS/newcerts/client-cert.pem",
                  "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
#endif
    if (!(sock = mysql_real_connect(&mysql, "127.0.0.1", "mysql", "mysql",
                                    "digi_auth_support", 3306, NULL, 0)))
    {
        fprintf(stderr, "connect failed: %s\n", mysql_error(&mysql));
        return 1;
    }

The lib is surely SSL-aware and my client supports this. Moreover, I am
otherwise not getting any SSL-related linking errors.


>>      I am using a third party authentication module 'mod_auth_mysql'
>> which will do this task for me. Unlike my requirement this particular
>> module does not provide for SSL encryption when it validates the data
>> (username / password) against my database. This module uses the MySQL C
>> API for talking to the database.
>>      I have generated the musts for SSL - keys/certificates for the
>> database clients, MySQL server and a dummy CA. Grants are well set for
>> the MySQL connecting users compelling them to provide their keys/
>> certificates at the time they connect to the database. These same set of
>> keys/certs have been found to be valid as they are working for a basic
>> database client application.
>
>
> this part is just not clear to me: what do you really test here? Did you
> modify the source of mod_auth_mysql and insert the call to mysql_ssl_set()?


The module provides for authenticating users at the browser end when they
fire HTTP/S requests at my server.

I want SSL-layer encoding for authenticating such users against their
account in the database. For this I need SSL certificates and keys for both
my module and the MySQL database. The module will connect to the database
using a database user account, which has to be given the grant for
performing a secured (SSL-rich) connection. Without the grant the database
will not be able to force that account-user (my module) to provide the
keys and certificates. My perfectly working non-module client is using these
same resources, which shows that the issue doesn't lie either with my
certificates or keys.

YES, I have included the call in my module.

> if so I'd suggest that you make your modified code available somewhere to
> us so that those here interested in this can take a look (and sure I am
> since I will soon have a similar requirement); also for me personally the
> next prob is that I couldn't find yet a ready-to-use SSL-aware mysql binary
> distro; so seems for that I would have to compile it myself first....
> therefore it would help me a lot if you would be willing/able to provide a
> test account on your SSL-aware mysql server so that I could directly start
> with some testing with the module.

I am using the openly available mod_auth_mysql 1.9.1. I am providing here the
relevant part, specifically the one that enables SSL.

.
.
.
static my_bool opt_ssl_verify_server_cert = 0;  /* 0: server cert is not checked against the CA */

/* every call below must use the same MYSQL structure (mysql_conn); SSL
 * parameters set on a different handle are not applied to the connection */
mysql_handle = mysql_init(&mysql_conn);

/* no client key/cert, only the CA cert; no capath, default cipher list */
mysql_ssl_set(&mysql_conn, 0, 0, "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
mysql_options(&mysql_conn, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
              (char *)&opt_ssl_verify_server_cert);

mysql_handle = mysql_real_connect(&mysql_conn, db_host,
    conf->db_username, conf->db_password, conf->db_name, db_port, NULL, 0);
.
.
.

The source distro of mod_auth_mysql 1.9.1 also provides the data structures
needed. I regret not being able to provide you access to it, as it is
installed at my workplace.
 
> If you did not modify the mod_auth_mysql module itself then I guess you have
> some misunderstanding: you can only secure the connection between
> mod_auth_mysql (if it is modified to use mysql_ssl_set() + libmysqlclient
> is SSL-aware) and the mysql server;

Done the same.

> secure the communication which happens between a client's browser and
> Apache is task of mod_ssl, and has nothing to do with mysql SSL and certs
> etc; instead there only the usual OpenSSL certs which you specify for
> mod_ssl count here - regardless which auth module you might use....

Exactly.


Regarding moving this discussion to another place, I feel for now it is fine
to continue here itself in this common users' forum for other users'
reference and involvement. In case any objection arises, we will seek another
appropriate place.





Best Regards,

Naveen Rawat
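Added example (not from this thread, and not code from mod_auth_mysql): the ethereal check described above, that the session really switched to SSL, done programmatically over the first packets of a MySQL connection. The server greeting advertises CLIENT_SSL (0x0800) in its capability flags; the client then either sends a 32-byte SSLRequest with CLIENT_SSL set (after which the TLS handshake runs on the same socket) or a HandshakeResponse41 carrying the username and credentials in cleartext. The parser assumes the 4.1+ handshake layout; the packet bytes are constructed for the example, not a real capture. Inside the client itself the equivalent test is mysql_get_ssl_cipher() after mysql_real_connect(): it returns NULL when the session is not encrypted, which is the reliable check because mysql_ssl_set() compiles to a no-op (and reports no error) in a libmysqlclient built without OpenSSL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit both sides use to signal TLS in the MySQL protocol. */
#define CLIENT_SSL 0x0800u

enum client_pkt { PKT_TRUNCATED = -1, PKT_PLAINTEXT_LOGIN = 0, PKT_SSL_REQUEST = 1 };

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* MySQL packet header: 3-byte little-endian payload length, 1-byte sequence id. */
static uint32_t payload_len(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16;
}

/* Server greeting (handshake v10): 1 = server advertises CLIENT_SSL,
 * 0 = it does not, -1 = buffer too short or not a v10 greeting. */
int server_offers_ssl(const uint8_t *buf, size_t len)
{
    if (len < 4) return -1;
    uint32_t plen = payload_len(buf);
    if (plen < 1 || len < 4 + plen || buf[4] != 0x0a) return -1;
    const uint8_t *payload = buf + 4, *end = payload + plen;
    const uint8_t *p = memchr(payload + 1, 0, plen - 1);  /* skip server version string */
    if (!p) return -1;
    p += 1 + 4 + 8 + 1;            /* NUL, thread id, auth-data part 1, filler byte */
    if (p + 2 > end) return -1;
    return (le16(p) & CLIENT_SSL) ? 1 : 0;
}

/* First client packet after the greeting. A 32-byte payload with CLIENT_SSL set
 * is an SSLRequest; anything else is HandshakeResponse41, whose NUL-terminated
 * username starts at payload offset 32 and is copied into `user` so a monitor
 * can report which account logged in without encryption. */
int classify_client_packet(const uint8_t *buf, size_t len, char *user, size_t user_sz)
{
    if (user_sz) user[0] = '\0';
    if (len < 4) return PKT_TRUNCATED;
    uint32_t plen = payload_len(buf);
    if (plen < 32 || len < 4 + plen) return PKT_TRUNCATED;
    const uint8_t *payload = buf + 4;
    if (plen == 32 && (le32(payload) & CLIENT_SSL)) return PKT_SSL_REQUEST;
    const uint8_t *u = payload + 32;
    size_t n = 0;
    while (n < plen - 32 && u[n] != '\0') n++;   /* bounded by the packet, not by NUL */
    if (user_sz) {
        size_t c = n < user_sz - 1 ? n : user_sz - 1;
        memcpy(user, u, c);
        user[c] = '\0';
    }
    return PKT_PLAINTEXT_LOGIN;
}

/* Constructed sample packets for the example (not a real capture). */
const uint8_t SRV_GREETING_SSL[] = {
    0x17, 0x00, 0x00, 0x00,                       /* 23-byte payload, seq 0 */
    0x0a, '5', '.', '0', '.', '9', '6', 0x00,     /* protocol 10, version string */
    0x01, 0x00, 0x00, 0x00,                       /* thread id */
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 0x00, /* auth-data part 1, filler */
    0x2c, 0xaa                                    /* capabilities, CLIENT_SSL set */
};
const uint8_t SRV_GREETING_NOSSL[] = {
    0x17, 0x00, 0x00, 0x00, 0x0a, '5', '.', '0', '.', '9', '6', 0x00,
    0x01, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 0x00,
    0x2c, 0xa2                                    /* capabilities, CLIENT_SSL clear */
};
const uint8_t CLI_SSL_REQUEST[] = {
    0x20, 0x00, 0x00, 0x01,                       /* 32-byte payload, seq 1 */
    0x0d, 0xaa, 0x00, 0x00,                       /* capabilities with CLIENT_SSL */
    0x00, 0x00, 0x00, 0x01, 0x08,                 /* max packet size, charset */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,/* 23 reserved bytes */
    0x16, 0x03, 0x01                              /* TLS ClientHello follows on the wire */
};
const uint8_t CLI_PLAIN_LOGIN[] = {
    0x39, 0x00, 0x00, 0x01,                       /* 57-byte payload, seq 1 */
    0x0d, 0xa2, 0x00, 0x00,                       /* capabilities, no CLIENT_SSL */
    0x00, 0x00, 0x00, 0x01, 0x08,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    'm', 'y', 's', 'q', 'l', 0x00,                /* username in cleartext */
    0x00,                                         /* empty auth response */
    'd', 'i', 'g', 'i', '_', 'a', 'u', 't', 'h', '_',
    's', 'u', 'p', 'p', 'o', 'r', 't', 0x00       /* database name */
};

int main(void)
{
    char user[32];
    printf("server offers SSL: %d / %d\n",
           server_offers_ssl(SRV_GREETING_SSL, sizeof SRV_GREETING_SSL),
           server_offers_ssl(SRV_GREETING_NOSSL, sizeof SRV_GREETING_NOSSL));
    printf("client 1: %d\n", classify_client_packet(CLI_SSL_REQUEST, sizeof CLI_SSL_REQUEST, user, sizeof user));
    int k = classify_client_packet(CLI_PLAIN_LOGIN, sizeof CLI_PLAIN_LOGIN, user, sizeof user);
    printf("client 2: %d (cleartext login for user '%s')\n", k, user);
    return 0;
}
```

A server greeting without CLIENT_SSL means the server build cannot negotiate SSL at all, whatever the client was linked against; a PKT_PLAINTEXT_LOGIN after a greeting that did offer it means the client side (here, the module's connection) never asked for SSL, which is the case to alert on.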

