A little more information on this problem ...

- Tonu's notes state that there are sample SSL keys & certs for testing
  purposes in the "SSL" directory of the mysql tarball. There is no SSL
  directory in the mysql-4.0.1-alpha.tar.gz file. Does anyone know which
  tarball he may be referring to?
- In Tonu's notes, there is an example my.cnf entry of:

      [mysqld]
      ssl-ca=SSL/cacert.pem
      ssl-cert=SSL/server-cert.pem
      ssl-key=SSL/server-key.pem

  Further in the notes, there's an example of a command-line switch for
  mysqld:

      mysqld --ssl-cert=SSL/server-cert.pem --ssl-ca=SSL/cacert.pem --ssl-key=SSL/server-req.pem

  In other words, one example shows "ssl-key" pointing to the
  "server-key.pem" file, another example shows "ssl-key" pointing to
  "server-req.pem".

  I'm looking through the files I created by doing these commands
  (extracted from Tonu's notes):

  From the /usr/local/ssl/apps directory:

      ./CA.sh -newca
      ./CA.sh -newreq
      ./CA.sh -sign

  As I mentioned previously, those commands leave me with the following
  structure:

      newcert.pem
      newreq.pem
      demoCA/
          newcerts/
              01.pem
          private/
              cakey.pem

  "newcert.pem" and "demoCA/newcerts/01.pem" are identical.

  Tonu's notes indicate that passwords should be removed from the key
  files like this:

      openssl rsa -inform pem < server-req.pem > server-key.pem

  I'm *assuming* that server-req.pem is the same as "newreq.pem" ... But
  the leap in file names isn't documented, and the two contradictory
  examples of ssl-key usage (mentioned above) are confusing.

- Is there an estimate for when the documentation on MySQL's SSL
  functionality will be completed? I would love to be able to set this up
  without having to guess at how it's done. : )

  I'm going to start experimenting with the files I've got to see what
  works ... I'll report what I find. Meanwhile, the general idea of
  "guessing at how to configure the secure connection" is killing the
  notion of "security" for me to some extent.

- Has anyone successfully set this up on their servers? If so, I would be
  grateful for your tips!

Thanks,
Clay

> From: Clay Loveless <[EMAIL PROTECTED]>
> Date: Tue, 18 Jun 2002 12:00:51 -0700
> To: MySQL <[EMAIL PROTECTED]>
> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
>
> Hello,
>
> From the sound of Tonu's original response, he's pretty busy right now ...
> If anyone else who has an idea based on experience with SSL & MySQL, or
> just with openssl in general, can offer an opinion on this, I would be
> grateful.
>
> I've ordered a book on OpenSSL in an effort to learn more about it for this
> application as well as others, but it hasn't gotten here yet. I would
> appreciate any insight before I get around to just guessing!
>
> Thanks,
> Clay
>
>
>> From: Clay Loveless <[EMAIL PROTECTED]>
>> Date: Sat, 15 Jun 2002 21:30:31 -0700
>> To: MySQL <[EMAIL PROTECTED]>
>> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
>>
>> Tonu,
>>
>> Thank you, thank you! The formal documentation effort is apparently still
>> underway based on your notes ... The link you included eliminates a lot of
>> guesswork! : )
>>
>>> This part of MySQL is written by me and I am sure it worked :)
>>
>> I'm sure it does -- what I meant was that the way I had it configured (my
>> best guess last night) wasn't working. No wonder!
>>
>>>> 3. EDIT my.cnf ON CLIENT & SERVER
>>>> I added these values to my.cnf:
>>>>
>>>> [ssl]
>>>> key = (LONG public key value - 394 chars - copied from server.crt)
>>>> cert = ca.crt
>>>> ca = (Organization Name answer from the Q & A session while doing the
>>>>       first ca.key generation)
>>>> capath = /usr/local/etc/mysqlssl
>>>
>>> nono, a lot of errors here. I am pretty sleepy and may make small
>>> mistakes right now, but the mistakes I see:
>>>
>>> - The [ssl] section is wrong. The MySQL server uses the [mysqld] section
>>>   and the command-line client uses [client], but nobody reads an [ssl]
>>>   section! Everything should be added under those common sections.
>>> - The values "key" and "ca" are wrong. They should be ssl-key, ssl-ca
>>>   and so on...
>>
>> Makes sense.
>> I went through the procedures with CA.sh logged in your notes, and was
>> left with these files in my working directory:
>>
>>     newcert.pem
>>     newreq.pem
>>     demoCA/
>>         newcerts/
>>             01.pem
>>         private/
>>             cakey.pem
>>
>> Can you tell me which of those files translates into the files you used in
>> your configuration?
>>
>>     [mysqld]
>>     ssl-ca=SSL/cacert.pem
>>     ssl-cert=SSL/server-cert.pem
>>     ssl-key=SSL/server-key.pem
>>
>>     [mysql]
>>     ssl-ca=SSL/cacert.pem
>>     ssl-cert=SSL/client-cert.pem
>>     ssl-key=SSL/client-key.pem
>>
>>     [mysqldump]
>>     ssl-ca=SSL/cacert.pem
>>     ssl-cert=SSL/client-cert.pem
>>     ssl-key=SSL/client-key.pem
>>
>> Your notes don't include the steps where you renamed the output .pem files
>> to the filenames used in your example my.cnf entries.
>>
>>>> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some
>>>> clues for doing this ... In reference to C functions, it says:
>>>>
>>>>     'key' contains an SSL public key
>>>>     'cert' contains the filename of a certificate
>>>>     'ca' contains the name of the certificate authority
>>>>     'capath' contains the directory containing the certificate
>>>
>>> Hmm, this is not the first time that O'Reilly has published a bad and
>>> misguiding book about MySQL. I personally suggest avoiding them. Paul
>>> DuBois' one is a good example.
>>
>> Could be that I was just making the wrong assumption. I've read a good
>> chunk of the rest of that O'Reilly book today, and it was all pretty good.
>> The section I quoted wasn't specifically documenting the SSL
>> functionality, but just listing a C function for reading SSL-related
>> values from the .cnf file. So, it was probably just the author's shorthand
>> for that function, and I leapt to the wrong conclusion.
>>
>>> There is a file in the MySQL source tree I wrote about using SSL
>>> connections with MySQL:
>>>
>>>     http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES
>>>
>>> I hope they work for you.
>>> There are some pregenerated example key/certificate files included. You
>>> may try with them first to ensure that your command-line stuff works
>>> first.
>>
>> Thanks again for posting this link! This really helps a lot. I would be
>> happy to write all this up for use as a FAQ answer on mysqldeveloper.com,
>> as I'm sure this has (or will) come up often.
>>
>> Regards,
>> Clay

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
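The certificate and key generation the thread keeps circling back to, as an added example that is not part of the thread or of MySQL's own SSL/NOTES. It uses plain openssl commands rather than CA.sh, but writes the encrypted key and the request into one file the way the CA.sh of that era did (Clay's listing has newreq.pem but no separate newkey.pem), which is what lets Tonu's `openssl rsa` step turn server-req.pem into server-key.pem; the SSL/ directory and file names follow the my.cnf stanzas quoted above, and the subjects and passphrase are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from MySQL's SSL/NOTES: rebuilds the
# file flow the thread is puzzling over with plain openssl commands, then
# checks the result before it goes into my.cnf. Subjects and the passphrase
# are made-up placeholders.
set -e
PASS=pass:changeit   # placeholder passphrase protecting the request-file keys
# Build cacert.pem plus {server,client}-{req,cert,key}.pem under $1.
make_pki() {
  mkdir -p "$1"
  # CA key and self-signed CA certificate                       -> ssl-ca
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  for role in server client; do
    # Encrypted key and CSR in ONE file: the shape of the old CA.sh -newreq
    # output (newreq.pem), i.e. the thread's server-req.pem.
    openssl req -new -newkey rsa:2048 -passout "$PASS" -subj "/CN=$role" \
      -keyout "$1/$role.tmpkey" -out "$1/$role.tmpcsr" 2>/dev/null
    cat "$1/$role.tmpkey" "$1/$role.tmpcsr" > "$1/$role-req.pem"
    rm "$1/$role.tmpkey" "$1/$role.tmpcsr"
    # The CA signs the request found in that file                -> ssl-cert
    openssl x509 -req -in "$1/$role-req.pem" -CA "$1/cacert.pem" \
      -CAkey "$1/cakey.pem" -CAcreateserial -days 365 \
      -out "$1/$role-cert.pem" 2>/dev/null
    # Tonu's step: copy the key out of the request file, minus passphrase -> ssl-key
    openssl rsa -in "$1/$role-req.pem" -passin "$PASS" \
      -out "$1/$role-key.pem" 2>/dev/null
    chmod 600 "$1/$role-key.pem"   # unencrypted key: owner-readable only
  done
}

key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# Pre-flight checks for one ssl-cert/ssl-key pair: it chains to the CA, the
# key has no passphrase (mysqld cannot prompt for one), and the key belongs
# to that certificate. Pointing ssl-key at server-req.pem, or at the other
# role's key, fails here instead of as an opaque SSL error from mysqld.
check_pair() {   # $1 = CA cert  $2 = certificate  $3 = key
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  key_is_unencrypted "$3" || return 1
  [ "$(openssl x509 -noout -modulus -in "$2")" = \
    "$(openssl rsa -noout -modulus -in "$3" 2>/dev/null)" ]
}

D=${1:-SSL}   # same directory name as the my.cnf stanzas in the thread
make_pki "$D"
check_pair "$D/cacert.pem" "$D/server-cert.pem" "$D/server-key.pem"
check_pair "$D/cacert.pem" "$D/client-cert.pem" "$D/client-key.pem"
echo "$D/: cacert.pem, server-*.pem and client-*.pem are ready for [mysqld]/[client]"
```

The resulting SSL/cacert.pem, SSL/server-cert.pem and SSL/server-key.pem drop straight into the [mysqld] stanza above, and the client-*.pem files into [client]; demoCA/newcerts/01.pem from CA.sh -sign corresponds to the -cert.pem file here.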