* Paul Hampson <[EMAIL PROTECTED]> [2005-03-19 04:56]:
> On Sat, Mar 19, 2005 at 03:52:52AM +0100, Wolfram Schlich wrote:
> > * Wolfram Schlich <[EMAIL PROTECTED]> [2005-03-17 00:55]:
> > > * Wolfram Schlich <[EMAIL PROTECTED]> [2005-03-16 09:05]:
> > > > Hey guys,
> > > >
> > > > we would like to implement the following setup:
> > > > - FreeRADIUS radiusd on machine A
> > > > - MySQL mysqld on machine B
> > > >
> > > > FreeRADIUS should use the MySQL database on machine A over an SSL
> > > > secured connection. Does FreeRADIUS support SSL for MySQL connections?
> > >
> > > I'm not a C coder, but! :) I had a look at the sql_mysql.c file as well
> > > as the mysql sources (/usr/include/mysql/mysql.h).
> > >
> > > It looks like you need to call mysql_ssl_set() with the needed
> > > parameters (mysql socket connection, ssl key file, ssl cert file, ssl
> > > ca file, ssl ca path and ssl cipher) right after the mysql_init()
> > > call, which is located in line 76 of the sql_mysql.c file (at least in
> > > the FreeRADIUS-1.0.2 distribution source tarball, subdirectory
> > > src/modules/rlm_sql/drivers/rlm_sql_mysql).
> > >
> > > Any volunteers for coding a test implementation? :)
> >
> > Ok, I have sat down and hacked something together, with a little help
> > from a friend. I probably did something wrong or suboptimal (as I
> > said, I am not a C coder), but at a first glance, it seems to work fine.
> > Here's the patch:
> >
> > http://dev.gentoo.org/~wschlich/src/freeradius-1.0.2-mysql-ssl.patch
>
> Please remember to post patches to the list for easier discussion.

Ok, sorry.

> And also, this sort of patch would probably be best against HEAD.

The patch wasn't meant as an official submission for upstream, but as
a basis for a discussion :)

> I don't give it much chance of getting into 1.0.3, especially since
> MySQL don't distribute SSL-enabled binaries.

What does the MySQL client distribution policy have to do with this?!
*wonder*

> They're apparently moving away from OpenSSL in the server, but no
> indication that they're going to un-OpenSSL the _client_ libraries.
> [1] [2]

Well, OpenSSL or GnuTLS -- it doesn't matter as long as the MySQL
protocol keeps supporting SSL'd connections... I have posted a comment
to [2] in order to get some more information from that MySQL guy.

> That said, this patch looks OK to me, although it does raise the
> question of when that function was added to the mySQL client library.

4.0.x IIRC

> It's not a problem if the client was built without SSL support, as the
> function will still exist and run, but is effectively a no-op. [3]

Yup.

> I'd maybe be happier if it was a configure option, so that people who
> _need_ to link against the LGPL libmysqlclient10 (or whatever it's
> called outside Debian. ^_^) don't get stuck unable to build
> rlm_sql_mysql. And with that configure option, I expect the configure
> help to mention what version of the client library is needed. ^_^

Good idea.

> (For reference, a quick check in Debian suggests that in 3.23.49,
> the function is only present if mySQL was compiled with --with-ssl,
> while in 4.0.23 it was always available. So this _does_ have to be
> done before it can be accepted.)

Oh, I didn't know 3.23.x did support SSL to whatever extent :)

> If you like, you can probably make it a configure test that checks
> for mysql_ssl_set being available in mysql.h, and flags it accordingly
> to make it easier for the user. (eg. They have to do exactly nothing
> to use their SSL-enabled libmysqlclient with FreeRADIUS.)
> This should only be a line or two in configure.in. ^_^

Agreed. I guess I'll email the -devel list and ask the developers about
their opinion to probe for a possible inclusion of the SSL functionality
into upstream.

Thanks for your input!

> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291945
> [2] http://bugs.mysql.com/bug.php?id=8508
> [3] http://dev.mysql.com/doc/mysql/en/mysql-ssl-set.html

-- 
Wolfram Schlich

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html