On Mon, 2003-01-13 at 23:48, David Rock wrote:
> Hello,
>   This is discouraging after I spent most of the weekend getting OpenSSL
> working with our MySQL 4 server. Unfortunately I can't use Stunnel to secure
> the connection between our website and our MySQL server because our ISP will
> not allow me to run the Stunnel daemon on their servers. They have a web
> server farm and claim that they would need to configure Stunnel for me on
> each of their servers in the farm. How do people typically handle setting up
> Stunnel to secure their connections from a public ISP to their MySQL server?
> Is it possible that I only need to run the Stunnel daemon on my MySQL box?
> Securing the connection between a public ISP and a privately-hosted MySQL
> server seems like something that many people would have overcome by now. Am
> I really at the mercy of my ISP on this?

Usually SSL can be used with a separate wrapper program on any side. But
this is "usually".

The SSL handshake is different in MySQL because of compatibility issues.
Even when doing the handshake with an SSL-enabled MySQL client, the first
packet is sent without encryption. There is a byte or two having bits named
"Client capabilities". If the client wants to establish an SSL connection it
raises the bit "I want SSL", and the server responds with a similar
structure, "Server capabilities", having "server can do SSL".

Only after that is all negotiation repeated with SSL turned on.

This is why it is impossible to use stunnel on the client side only and use
the native SSL of the MySQL server (or the opposite).

In case of serious interest I can develop a separate piece of code
which fakes the first MySQL handshake packet or handles this issue
somehow, but it does not look like a serious idea to me :).

  Tõnu
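
The cleartext capability exchange described in the reply above, as an added example that is not part of the original message: it reads the SSL capability bit from the first unencrypted packet in each direction, which is how you can confirm from a capture whether a session ever asked for SSL. The `CLIENT_SSL` value (0x0800) and the packet layout are taken from the MySQL client/server protocol; the function names and sample packets are constructed for illustration.

```python
import struct

CLIENT_SSL = 0x0800  # capability bit for SSL in the MySQL protocol

def _payload(packet: bytes) -> bytes:
    """Strip the 4-byte header (3-byte little-endian length + sequence id)."""
    if len(packet) < 4:
        raise ValueError("short packet")
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body

def server_offers_ssl(greeting: bytes) -> bool:
    """Test the capability flags in the server's cleartext greeting."""
    body = _payload(greeting)
    if not body or body[0] != 10:
        raise ValueError("not a protocol-10 greeting")
    end = body.index(b"\x00", 1)       # end of the server version string
    caps_off = end + 1 + 4 + 8 + 1     # skip thread id, 8-byte scramble, filler
    if len(body) < caps_off + 2:
        raise ValueError("greeting too short")
    (caps,) = struct.unpack_from("<H", body, caps_off)
    return bool(caps & CLIENT_SSL)

def client_requests_ssl(first_client_packet: bytes) -> bool:
    """The client's first packet starts with its capability flags (low 16 bits)."""
    body = _payload(first_client_packet)
    if len(body) < 2:
        raise ValueError("client packet too short")
    (caps,) = struct.unpack_from("<H", body, 0)
    return bool(caps & CLIENT_SSL)

def _frame(seq: int, body: bytes) -> bytes:
    return len(body).to_bytes(3, "little") + bytes([seq]) + body

def sample_greeting(caps: int) -> bytes:
    """Constructed server greeting; version string and scramble are made up."""
    return _frame(0, b"\x0a" + b"0.0.0-constructed\x00" + struct.pack("<I", 7)
                  + b"ABCDEFGH\x00" + struct.pack("<H", caps) + b"\x08\x02\x00")

def sample_client_packet(caps: int) -> bytes:
    """Constructed first client packet: flags, max packet size, user name."""
    return _frame(1, struct.pack("<H", caps) + b"\x00\x00\x01" + b"app\x00")

if __name__ == "__main__":
    print("server offers SSL:  ", server_offers_ssl(sample_greeting(0x0804)))
    print("client requests SSL:", client_requests_ssl(sample_client_packet(0x0004)))
```

A session is upgraded to SSL only when both checks are true; a client packet without the bit means the rest of that connection, credentials included, travels unencrypted.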

