Tonu,

Thank you, thank you! The formal documentation effort is apparently still underway based on your notes ... The link you included eliminates a lot of guesswork! : )

> This part of MySQL is written by me and I am sure it worked :)

I'm sure it does -- what I meant was that the way I had it configured (my best guess last night) wasn't working. No wonder!

>> 3. EDIT my.cnf ON CLIENT & SERVER
>> I added these values to my.cnf:
>>
>> [ssl]
>> key = (LONG public key value - 394 chars - copied from server.crt)
>> cert = ca.crt
>> ca = (Organization Name answer from the Q & A session while doing the
>> first ca.key generation)
>> capath = /usr/local/etc/mysqlssl
>
>
> nono, a lot of errors here. I am pretty sleepy and can do smaller mistakes
> right now but mistakes I see:
>
> section [ssl] is wrong. MySQL server uses [mysqld] section, command line
> - client [client] but nobody read [ssl] section! Everything should be
> added under those common sections
> - values "key" and "ca" are wrong. Should be ssl-key, ssl-ca and so on...

Makes sense. I went through the procedures with CA.sh logged in your notes, and was left with these files in my working directory:

newcert.pem
newreq.pem
demoCA/
    newcerts/
        01.pem
    private/
        cakey.pem

Can you tell me which of those files translates into the files you used in your configuration?

[mysqld]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/server-cert.pem
ssl-key=SSL/server-key.pem

[mysql]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/client-cert.pem
ssl-key=SSL/client-key.pem

[mysqldump]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/client-cert.pem
ssl-key=SSL/client-key.pem

Your notes don't include the steps where you renamed the output .pem files to the filenames used in your example my.cnf entries.

>> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some
>> clues for doing this ... In reference to C functions, it says:
>>
>> 'key' contains an SSL public key
>> 'cert' contains the filename of a certificate
>> 'ca' contains the name of the certificate authority
>> 'capath' contains the directory containing the certificate
>
> Hmm this is not the first time when O'Reilly publishes bad and
> misguiding book about MySQL. I personally suggest to avoid them. Paul
> DuBois one is good example.

Could be that I was just making the wrong assumption. I've read a good chunk of the rest of that O'Reilly book today, and it was all pretty good. The section I quoted wasn't specifically documenting the SSL functionality, but just listing a C function for reading SSL-related values from the .cnf file. So, it was probably just the author's shorthand for that function, and I leapt to the wrong conclusion.

> There is a file in MySQL source tree I wrote about using SSL connections
> with MySQL:
>
> http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES
>
> I hope they work for you. There are some pregenerated example
> key/certificate files included. You may try with them first to ensure that
> your command-line stuff works first.
>

Thanks again for posting this link! This really helps a lot. I would be happy to write all this up for use as a FAQ answer on mysqldeveloper.com, as I'm sure this has (or will) come up often.

Regards,
Clay
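An added example, not part of the original message or of MySQL's own tooling: a small linter for the two mistakes identified in this thread, SSL options placed in a section no program reads and bare `key`/`cert`/`ca`/`capath` names without the `ssl-` prefix. The sample configs are constructed from the ones quoted above; the whitespace/length test for "value is not a file path" is a heuristic assumption.

```python
import configparser

# Sections the thread names as read by MySQL programs: [mysqld] (server),
# [client] (command-line clients), and [mysql]/[mysqldump] from the sample config.
READ_SECTIONS = {"mysqld", "client", "mysql", "mysqldump"}
# Bare option names from the broken config, mapped to the ssl- prefixed names.
RENAMES = {"key": "ssl-key", "cert": "ssl-cert", "ca": "ssl-ca", "capath": "ssl-capath"}
FILE_OPTIONS = {"ssl-key", "ssl-cert", "ssl-ca"}

# Constructed sample inputs modelled on the two configurations in the thread.
BROKEN = "[ssl]\nkey = " + "A" * 394 + "\ncert = ca.crt\nca = Example Org\ncapath = /usr/local/etc/mysqlssl\n"
FIXED = """
[mysqld]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/server-cert.pem
ssl-key=SSL/server-key.pem

[mysql]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/client-cert.pem
ssl-key=SSL/client-key.pem
"""

def lint_ssl_options(text):
    """Return (section, option, problem) tuples for SSL settings in my.cnf text."""
    # Drop !include/!includedir directives, which configparser cannot parse.
    text = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for option, value in cp.items(section):
            name = option.replace("_", "-")
            if name in RENAMES:
                findings.append((section, option, "rename to " + RENAMES[name]))
                name = RENAMES[name]
            if not name.startswith("ssl-"):
                continue
            if section not in READ_SECTIONS:
                findings.append((section, option, "section is not read"))
            # Heuristic (assumption): a file path has no whitespace and is short.
            value = value or ""
            if name in FILE_OPTIONS and (len(value) > 255 or any(c.isspace() for c in value)):
                findings.append((section, option, "value is not a file path"))
    return findings

if __name__ == "__main__":
    for finding in lint_ssl_options(BROKEN) + lint_ssl_options(FIXED):
        print(finding)
```

A silently ignored section matters here because the connection can still succeed without the SSL settings ever being read, so the check is worth running before relying on the link being encrypted.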