Hello,

From the sound of Tonu's original response, he's pretty busy right now ... If anyone else who has an idea based on experience with SSL & MySQL, or just with openssl in general, can offer an opinion on this, I would be grateful.

I've ordered a book on OpenSSL in an effort to learn more about it for this application as well as others, but it hasn't gotten here yet. I would appreciate any insight before I get around to just guessing!

Thanks,
Clay

> From: Clay Loveless <[EMAIL PROTECTED]>
> Date: Sat, 15 Jun 2002 21:30:31 -0700
> To: MySQL <[EMAIL PROTECTED]>
> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
>
> Tonu,
>
> Thank you, thank you! The formal documentation effort is apparently still
> underway based on your notes ... The link you included eliminates a lot of
> guesswork! : )
>
>> This part of MySQL is written by me and I am sure it worked :)
>
> I'm sure it does -- what I meant was that the way I had it configured (my
> best guess last night) wasn't working. No wonder!
>
>>> 3. EDIT my.cnf ON CLIENT & SERVER
>>> I added these values to my.cnf:
>>>
>>> [ssl]
>>> key = (LONG public key value - 394 chars - copied from server.crt)
>>> cert = ca.crt
>>> ca = (Organization Name answer from the Q & A session while doing the
>>> first ca.key generation)
>>> capath = /usr/local/etc/mysqlssl
>>
>> nono, a lot of errors here. I am pretty sleepy and can make small mistakes
>> right now but mistakes I see:
>>
>> section [ssl] is wrong. MySQL server uses [mysqld] section, command line
>> - client [client] but nobody reads [ssl] section! Everything should be
>> added under those common sections
>> - values "key" and "ca" are wrong. Should be ssl-key, ssl-ca and so on...
>
> Makes sense. I went through the procedures with CA.sh logged in your notes,
> and was left with these files in my working directory:
>
> newcert.pem
> newreq.pem
> demoCA/
>     newcerts/
>         01.pem
>     private/
>         cakey.pem
>
> Can you tell me which of those files translates into the files you used in
> your configuration?
>
> [mysqld]
> ssl-ca=SSL/cacert.pem
> ssl-cert=SSL/server-cert.pem
> ssl-key=SSL/server-key.pem
>
> [mysql]
> ssl-ca=SSL/cacert.pem
> ssl-cert=SSL/client-cert.pem
> ssl-key=SSL/client-key.pem
>
> [mysqldump]
> ssl-ca=SSL/cacert.pem
> ssl-cert=SSL/client-cert.pem
> ssl-key=SSL/client-key.pem
>
> Your notes don't include the steps where you renamed the output .pem files
> to the filenames used in your example my.cnf entries.
>
>>> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some
>>> clues for doing this ... In reference to C functions, it says:
>>>
>>> 'key' contains an SSL public key
>>> 'cert' contains the filename of a certificate
>>> 'ca' contains the name of the certificate authority
>>> 'capath' contains the directory containing the certificate
>>
>> Hmm this is not the first time when O'Reilly publishes a bad and
>> misguiding book about MySQL. I personally suggest to avoid them. Paul
>> DuBois' one is a good example.
>
> Could be that I was just making the wrong assumption. I've read a good chunk
> of the rest of that O'Reilly book today, and it was all pretty good. The
> section I quoted wasn't specifically documenting the SSL functionality, but
> just listing a C function for reading SSL-related values from the .cnf file.
> So, it was probably just the author's shorthand for that function, and I
> leapt to the wrong conclusion.
>
>> There is a file in MySQL source tree I wrote about using SSL connections
>> with MySQL:
>>
>> http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES
>>
>> I hope they work for you. There are some pregenerated example
>> key/certificate files included. You may try with them first to ensure that
>> your command-line stuff works first.
>
> Thanks again for posting this link! This really helps a lot. I would be
> happy to write all this up for use as a FAQ answer on mysqldeveloper.com, as
> I'm sure this has (or will) come up often.
>
> Regards,
> Clay
>
> ---------------------------------------------------------------------
> Before posting, please check:
> http://www.mysql.com/manual.php (the manual)
> http://lists.mysql.com/ (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> ---------------------------------------------------------------------
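The option-file mistakes Tonu points out (an [ssl] section no MySQL program reads, unprefixed names, key material or a CA's organization name pasted where a file path belongs) and the follow-up question of which CA.sh output file is which, as an added example that is not from the thread or from MySQL: a small lint for my.cnf SSL options and a reader for the BEGIN labels in a PEM file, standard library only. The BAD_CNF sample is constructed from the thread with the long values shortened; the "value must be a path" rule is a heuristic, not MySQL's own parsing.

```python
import configparser

# The server reads [mysqld]; mysql and mysqldump read [client] plus their own
# section. Nothing reads an [ssl] section, and every option name is ssl-*.
SSL_OPTIONS = {"ssl-ca", "ssl-cert", "ssl-key", "ssl-capath"}
UNPREFIXED = {"key", "cert", "ca", "capath"}  # plausible names nobody reads

# Constructed samples: the [ssl] block from the thread (values shortened)
# and the corrected [mysqld] block.
BAD_CNF = """[ssl]
key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA (pasted from server.crt)
cert = ca.crt
ca = Example Org
capath = /usr/local/etc/mysqlssl
"""
GOOD_CNF = """[mysqld]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/server-cert.pem
ssl-key=SSL/server-key.pem
"""

def lint_my_cnf(text):
    """Return findings for misplaced, misnamed or non-path SSL options."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section == "ssl":
            findings.append("[ssl]: no MySQL program reads this section")
        for name, value in cp.items(section):
            if name in UNPREFIXED:
                findings.append(f"[{section}] {name}: not an option, use ssl-{name}")
            # Heuristic: ssl-* options take a path, not inline key material
            # or a CA's organization name (both contain spaces or are long).
            if name in SSL_OPTIONS | UNPREFIXED and (
                    not value or " " in value.strip() or len(value) > 255):
                findings.append(f"[{section}] {name}: value must be a path")
    return findings

def pem_roles(pem_text):
    """List what a PEM file holds (CA.sh's newreq.pem has a key AND a request),
    so ssl-key, ssl-cert and ssl-ca each point at the right kind of file."""
    roles = set()
    for line in pem_text.splitlines():
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label = line[11:-5]
            roles.add("private-key" if label.endswith("PRIVATE KEY") else
                      "request" if label.endswith("CERTIFICATE REQUEST") else
                      label.lower())
    return sorted(roles)
```

A file whose roles come back as ["request"] or ["private-key", "request"] is a signing request, not something ssl-cert can use; only a file reporting "certificate" belongs in ssl-cert or ssl-ca.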