Tonu,

Thank you, thank you! The formal documentation effort is apparently still
underway based on your notes ... The link you included eliminates a lot of
guesswork! : )

> This part of MySQL is written by me and I am sure it worked :)

I'm sure it does -- what I meant was that the way I had it configured (my
best guess last night) wasn't working. No wonder!
 
>> 3. EDIT my.cnf ON CLIENT & SERVER
>> I added these values to my.cnf:
>> 
>>     [ssl]
>>     key = (LONG public key value - 394 chars - copied from server.crt)
>>     cert = ca.crt
>>     ca = (Organization Name answer from the Q & A session while doing the
>> first ca.key generation)
>>     capath = /usr/local/etc/mysqlssl
> 
> 
> nono, a lot of errors here. I am pretty sleepy and may make small mistakes
> right now, but the mistakes I see:
> 
> - section [ssl] is wrong. MySQL server uses the [mysqld] section, the
>   command-line client [client], but nobody reads the [ssl] section!
>   Everything should be added under those common sections.
> - values "key" and "ca" are wrong. Should be ssl-key, ssl-ca and so on...


Makes sense. I went through the procedures with CA.sh logged in your notes,
and was left with these files in my working directory:

    newcert.pem
    newreq.pem
    demoCA/
        newcerts/
            01.pem
        private/
            cakey.pem

Can you tell me which of those files translates into the files you used in
your configuration?

    [mysqld]
    ssl-ca=SSL/cacert.pem
    ssl-cert=SSL/server-cert.pem
    ssl-key=SSL/server-key.pem

    [mysql]
    ssl-ca=SSL/cacert.pem
    ssl-cert=SSL/client-cert.pem
    ssl-key=SSL/client-key.pem

    [mysqldump]
    ssl-ca=SSL/cacert.pem
    ssl-cert=SSL/client-cert.pem
    ssl-key=SSL/client-key.pem


Your notes don't include the steps where you renamed the output .pem files
to the filenames used in your example my.cnf entries.



>> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some
>> clues for doing this ... In reference to C functions, it says:
>> 
>>     'key' contains an SSL public key
>>     'cert' contains the filename of a certificate
>>     'ca' contains the name of the certificate authority
>>     'capath' contains the directory containing the certificate
> 
> Hmm, this is not the first time O'Reilly has published a bad and
> misleading book about MySQL. I personally suggest avoiding them. Paul
> DuBois's one is a good example.

Could be that I was just making the wrong assumption. I've read a good chunk
of the rest of that O'Reilly book today, and it was all pretty good. The
section I quoted wasn't specifically documenting the SSL functionality, but
just listing a C function for reading SSL-related values from the .cnf file.
So, it was probably just the author's shorthand for that function, and I
leapt to the wrong conclusion.


> There is a file in MySQL source tree I wrote about using SSL connections
> with MySQL:
> 
> http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES
> 
> I hope they work for you. There are some pregenerated example
> key/certificate files included. You may try with them first to ensure that
> your command-line stuff works.
> 

Thanks again for posting this link! This really helps a lot. I would be
happy to write all this up for use as a FAQ answer on mysqldeveloper.com, as
I'm sure this has (or will) come up often.

Regards,
Clay
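Added example, not part of this thread and not code from MySQL's SSL/NOTES file: a small POSIX shell linter for the my.cnf mistakes Tonu points out above (an [ssl] section that no MySQL program reads, bare key/cert/ca/capath names where MySQL expects ssl-key/ssl-cert/ssl-ca/ssl-capath, and a value that is key material pasted inline rather than the path of a PEM file). It also flags a server or client private key that is world-readable, since the config only points at the key and its file mode is what protects it. The make_demo_configs helper, the placeholder PEM files it writes, and the rule that relative paths are resolved against the config file's own directory are constructed for the demo and are assumptions, not MySQL behaviour.

```shell
#!/bin/sh
# Added example: lint a my.cnf for the SSL option mistakes discussed in the
# thread. Not code from the thread or from MySQL's SSL/NOTES file.

# lint_mycnf FILE
#   Prints one line per problem found and returns 1 if there were any,
#   0 if the file is clean.
lint_mycnf() {
    cfg=$1
    cfgdir=$(dirname "$cfg")
    section=""
    problems=0
    lineno=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        lineno=$((lineno + 1))
        line=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$line" in
            ""|"#"*|";"*) continue ;;            # blank lines and comments
            "["*"]")                              # section header
                section=${line#"["}
                section=${section%"]"}
                if [ "$section" = "ssl" ]; then
                    echo "line $lineno: [ssl] is read by no MySQL program; put server options under [mysqld] and client options under [client], [mysql] or [mysqldump]"
                    problems=$((problems + 1))
                fi
                continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
        case "$val" in
            /*) path=$val ;;
            *)  path=$cfgdir/$val ;;   # demo assumption: relative to the config file
        esac
        case "$key" in
            key|cert|ca|capath)
                echo "line $lineno: '$key' is not an SSL option; MySQL expects 'ssl-$key'"
                problems=$((problems + 1)) ;;
            ssl-ca|ssl-cert|ssl-key)
                if [ ! -f "$path" ]; then
                    echo "line $lineno: $key must name a PEM file, but '$val' is not one"
                    problems=$((problems + 1))
                elif [ "$key" = ssl-key ] && [ -n "$(find "$path" -perm -004)" ]; then
                    echo "line $lineno: private key '$val' is world-readable; chmod 600 it"
                    problems=$((problems + 1))
                fi ;;
            ssl-capath)
                if [ ! -d "$path" ]; then
                    echo "line $lineno: ssl-capath '$val' is not a directory"
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$cfg"
    [ "$problems" -eq 0 ]
}

# make_demo_configs DIR
#   Writes placeholder PEM files plus a wrong and a correct my.cnf into DIR.
#   Everything here is constructed for the demo: the "wrong" file mirrors the
#   [ssl] section from the thread, the "right" one Tonu's [mysqld]/[client] layout.
make_demo_configs() {
    d=$1
    mkdir -p "$d/SSL"
    for f in cacert.pem server-cert.pem server-key.pem client-cert.pem client-key.pem; do
        : > "$d/SSL/$f"            # empty stand-ins for real PEM files
    done
    chmod 600 "$d/SSL/server-key.pem" "$d/SSL/client-key.pem"
    cat > "$d/wrong.cnf" <<'EOF'
[ssl]
key = (long key material pasted here, as in the thread)
cert = ca.crt
ca = Example Org
capath = /usr/local/etc/mysqlssl
EOF
    cat > "$d/right.cnf" <<'EOF'
[mysqld]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/server-cert.pem
ssl-key=SSL/server-key.pem

[client]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/client-cert.pem
ssl-key=SSL/client-key.pem
EOF
}

demo_dir=$(mktemp -d)
make_demo_configs "$demo_dir"
echo "== $demo_dir/wrong.cnf"
lint_mycnf "$demo_dir/wrong.cnf" || echo "-> not usable as written"
echo "== $demo_dir/right.cnf"
lint_mycnf "$demo_dir/right.cnf" && echo "-> OK"
```

Run it as-is to see the five complaints about the [ssl]-style file and a clean pass for the [mysqld]/[client] one; point lint_mycnf at a real my.cnf to check an existing host. The check only proves that MySQL will find the options and the files; whether the certificate chain actually verifies is a separate question for openssl verify.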

