I'm trying to set up my mysql 5.1 server to work over ssl, I'm following the directions at http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html. I've confirmed that my server supports ssl
mysql> SHOW VARIABLES LIKE 'have_ssl'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_ssl | YES | +---------------+-------+ set up certs according to http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html bash-3.2# ls -l newcerts/ total 20 -rwxrwxrwx 1 root root 1761 Sep 8 14:01 ca-cert.pem -rwxrwxrwx 1 root root 1675 Sep 8 14:00 ca-key.pem -rwxrwxrwx 1 root root 1371 Sep 8 14:02 server-cert.pem -rwxrwxrwx 1 root root 1675 Sep 8 14:01 server-key.pem -rwxrwxrwx 1 root root 1094 Sep 8 14:01 server-req.pem and that mysql is started with the appropriate --ssl-xxx options (I set 777 permissions on the newcerts directory to insure that permissions wouldn't be a problem during testing but was planning on tightening permissions once I got ssl working) bash-3.2# ps aux | grep mysql root 13326 0.0 0.2 63848 1332 pts/0 S 15:25 0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/mysql.example.com.pid --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem --ssl-key=/var/lib/mysql/newcerts/server-key.pem mysql 13399 0.1 3.4 138488 17676 pts/0 Sl 15:25 0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem --ssl-key=/var/lib/mysql/newcerts/server-key.pem --log-error=/var/lib/mysql/mysql.example.com.err --pid-file=/var/lib/mysql/mysql.example.com.pid root 13430 0.0 0.1 61164 768 pts/0 R+ 15:25 0:00 grep mysql I'm also following documentation http://www.stunnel.org/examples/mysql.htmlhere to set up mysql with ssl support over stunnel. My stunnel.conf looks like cert = /etc/stunnel/stunnel.pem pid = /tmp/stunnel.pid debug = 7 output = stunnel.log [mysqls] accept = 3307 connect = 3306 I've confirmed that my server is listening on 3307 [u...@mysql.example.com ~]$ netstat -anF | grep 3306 tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN [u...@mysql.example.com ~]$ netstat -anF | grep 3307 tcp 0 0 0.0.0.0:3307 0.0.0.0:* LISTEN and that I can connect successfully over 3306 mysql -u user -p -h mysql.example.com -P 3306 but when I try to connect over port 3307, mysql -u user -p -h mysql.example.com -P 3307 it fails to connect (my graphical client gives an error message that reads 'connection reset'). I'm not sure what's wrong. My mysql user was created without any specific SSL requirements, so I'm thinking I should be able to connect over either port without specifying any --ssl-xxx options on the client side. I'd like the user to be able to connect either way. I tried looking at the mysql error log but it didn't provide any useful information - is there a way to increase the log level to get at the source of the problem? Any tips would be appreciated. Thanks.
