* Marcin Jessa <[EMAIL PROTECTED]> [2005-03-19 13:17]:
> On Sat, 19 Mar 2005 04:14:11 +0100 Wolfram Schlich <[EMAIL PROTECTED]> wrote:
> > * Marcin Jessa <[EMAIL PROTECTED]> [2005-03-19 04:05]:
> > > On Sat, 19 Mar 2005 03:52:52 +0100 Wolfram Schlich <[EMAIL PROTECTED]> wrote:
> > > > * Wolfram Schlich <[EMAIL PROTECTED]> [2005-03-17 00:55]:
> > > > > * Wolfram Schlich <[EMAIL PROTECTED]> [2005-03-16 09:05]:
> > > > > > Hey guys,
> > > > > > 
> > > > > > we would like to implement the following setup:
> > > > > > - FreeRADIUS radiusd on machine A
> > > > > > - MySQL mysqld on machine B
> > > > > > 
> > > > > > FreeRADIUS should use the MySQL database on machine A over an SSL
> > > > > > secured connection. Does FreeRADIUS support SSL for MySQL 
> > > > > > connections?
> > > > > 
> > > > > I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
> > > > > as the mysql sources (/usr/include/mysql/mysql.h).
> > > > > 
> > > > > It looks like you need to call mysql_ssl_set() with the needed
> > > > > parameters (mysql socket connection, ssl key file, ssl cert file, ssl
> > > > > ca file, ssl ca path and ssl cipher) right after the mysql_init()
> > > > > call, which is located in line 76 of the sql_mysql.c file (at least in
> > > > > the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
> > > > > src/modules/rlm_sql/drivers/rlm_sql_mysql).
> > > > > 
> > > > > Any volunteers for coding a test implementation? :)
> > > > 
> > > > Ok, I have sat down and hacked something together, with a little help
> > > > from a friend. I probably did something wrong or suboptimal (as I
> > > > said, I am not a C coder), but at a first glance, it seems to work fine.
> > > > Here's the patch:
> > > > 
> > > >         
> > > > http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
> > > > 
> > > > Please feel invited to test it and eventually fix any bugs you find :-)
> > >
> > > All you need is stunnel.
> > 
> > Yeah, right -- because MySQL supports SSL right out of the box, I will
> > use another piece of external software. EBADIDEA.
> > With MySQL-4, there's no need for such a kludgy workaround anymore.
> 
> I never said to use stunnel on the box with MySQL.
> Use it on the box with Freeradius

As far as I can tell MySQL doesn't use SSL as one might think at
first, it uses the standard (unencrypted) MySQL protocol to
make a handshake with the peer and negotiate SSL flags, then it
switches to SSL secured communication, so I doubt it'd work the
way you suggested. I'm open to a counter-evidence, of course :)

> and don't use untested
> patches on what I take is gonna be a production server.

That's what I'm doing all this for, to get it tested and maybe some
kind of "approved" by the FreeRADIUS maintainers.
Nonetheless this patch is only for _enabling_ already tested
functionality (from the MySQL client library), so it won't be a big
deal anyway -- either it works, or it doesn't, you'll notice it
right at the start :)

> Stunnel is very stable and reliable.

I think you are right, but that still doesn't make me want to
use it for the aforementioned scenario :)
I use stunnel for software which doesn't support SSL _at all_,
but MySQL does -- FreeRADIUS just lacks a few lines of code for
enabling it.

> Anyway, I'd rather make SSL connection between two MySQL servers
> with database replication and make your radius talk to the one
> local to it.

That would be even more overhead than the use of stunnel.
I still don't see a logical reason to forego the native MySQL4 SSL
implementation for an external 3rd party one.

Anyway, this discussion was not meant to be about personal taste.
So, if you'd go for stunnel, I'm absolutely fine with that :)
If you have to say something regarding the patch _besides_
philosophical aspects, feel free to participate.
Thanks.
-- 
Wolfram Schlich

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
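The handshake Wolfram describes above (cleartext MySQL greeting, SSL capability flag negotiated in that greeting, then the switch to TLS) is what makes a transparent stunnel wrapper on the FreeRADIUS side a poor fit: the first bytes on the wire must be plain MySQL packets, not a TLS ClientHello. The following is an added example, not code from the thread, from FreeRADIUS or from the MySQL client library. It builds a protocol-v10 server greeting (constructed for the example, not captured from a real server), parses it to see whether the server advertises CLIENT_SSL, and builds the SSLRequest packet a client sends, still in cleartext, immediately before wrapping the socket in TLS. The capability constants are the well-known values from the MySQL protocol; the packet sizes and field order are those of the protocol-4.1 handshake.

```python
import struct

# Capability bits from the MySQL client/server protocol (well-known values;
# see mysql_com.h in the MySQL sources).
CLIENT_LONG_PASSWORD = 0x0001
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000


def _frame(seq: int, body: bytes) -> bytes:
    """Prepend the 4-byte MySQL packet header: 3-byte little-endian length, 1-byte sequence id."""
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def build_server_greeting(server_version: bytes, capabilities: int, thread_id: int = 42) -> bytes:
    """Construct a protocol-v10 Initial Handshake packet as the server sends it in cleartext.
    This is sample data built for the example, not a captured packet."""
    body = b"\x0a"                                        # protocol version 10
    body += server_version + b"\x00"                      # NUL-terminated server version
    body += struct.pack("<I", thread_id)                  # connection id
    body += b"A" * 8 + b"\x00"                            # auth-plugin-data part 1 + filler
    body += struct.pack("<H", capabilities & 0xFFFF)      # capability flags, lower 16 bits
    body += b"\x08"                                       # character set (latin1_swedish_ci)
    body += struct.pack("<H", 0x0002)                     # status flags (SERVER_STATUS_AUTOCOMMIT)
    body += struct.pack("<H", capabilities >> 16)         # capability flags, upper 16 bits
    body += b"\x00"                                       # auth plugin data length (no CLIENT_PLUGIN_AUTH)
    body += b"\x00" * 10                                  # reserved
    body += b"B" * 12 + b"\x00"                           # auth-plugin-data part 2
    return _frame(0, body)


def parse_server_greeting(packet: bytes) -> dict:
    """Parse the cleartext greeting and return the fields that matter for TLS negotiation."""
    length = int.from_bytes(packet[:3], "little")
    seq = packet[3]
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 10:
        raise ValueError("unsupported handshake protocol version %d" % body[0])
    nul = body.index(b"\x00", 1)
    version = body[1:nul]
    pos = nul + 1
    thread_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4
    pos += 8 + 1                                          # auth-plugin-data part 1, filler
    cap_lo = struct.unpack_from("<H", body, pos)[0]
    pos += 2
    pos += 1 + 2                                          # charset, status flags
    cap_hi = struct.unpack_from("<H", body, pos)[0]
    caps = cap_lo | (cap_hi << 16)
    return {
        "sequence_id": seq,
        "server_version": version.decode(),
        "thread_id": thread_id,
        "capabilities": caps,
        "ssl_offered": bool(caps & CLIENT_SSL),
    }


def build_ssl_request(server_caps: int, max_packet: int = 16 * 1024 * 1024, charset: int = 0x21) -> bytes:
    """Build the SSLRequest packet (sequence id 1, 32-byte body) that the client sends in
    cleartext right before it starts the TLS handshake on the same socket.
    Refuses if the server did not advertise CLIENT_SSL: a client that insists on TLS must
    fail here rather than fall back to an unencrypted login."""
    if not server_caps & CLIENT_SSL:
        raise RuntimeError("server does not offer SSL; refusing to continue in cleartext")
    client_caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_SSL
    body = struct.pack("<IIB", client_caps, max_packet, charset) + b"\x00" * 23
    return _frame(1, body)


def negotiate(greeting: bytes) -> bytes:
    """The client side of the exchange: read the greeting, answer with SSLRequest.
    After sending the returned bytes a real client wraps the socket with TLS
    (ssl.SSLContext.wrap_socket) and only then sends the login packet."""
    info = parse_server_greeting(greeting)
    return build_ssl_request(info["capabilities"])
```

Because everything up to and including the SSLRequest is cleartext, an stunnel instance that speaks TLS from the first byte would send a ClientHello where mysqld expects a handshake response; the server-side counterpart would have to exist as well, which is exactly the case Marcin was arguing against. Enabling the library's own `mysql_ssl_set()` keeps the negotiation where the protocol expects it.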