> I can understand your summary quite clearly. Great.
> Suppose the server encrypts data it sends to the client and the client > needs to decrypt that data. This is the case when my client SELECTs data > from the MySQL database. Does this need a different sequence than the > sequence mentioned above, where the client sends the server the client's > public key so that the server uses it to encrypt data before sending it > to the client who decrypts it using the client's private key ? Or can > the same server public-private key be used as you originally specified ? Once session establishment is completed, the client and the server have a shared secret. This is some chunk of data that only the server and the client know. Each side can use the shared secret to encrypt data that only the other side can decrypt. They typically do so using a symmetric encryption algorithm such as AES or RC4. > The reason I ask this is that MySQL, in setting up certificates, > specifies a public key-private key pair for both the server and any > given client. My original thought on seeing this is that this is > necessary because both the client and the database server may > encrypt/decrypt data. No, that's not why. That would simply be to allow the server to identify the client. If you have no need to do this, and already authenticate the client by some other means (such as username/password) you can probably not specify a client certificate. (It would be fairly unusual to absolutely require one in a case where there is some other way to authenticate the client.) > But others seem to imply that only the server public key-private key > pair is necessary. That would be the usual situation. > In which case if this is true, when the server sends > encrypted data to the client which the client must decrypt, the data > must be encryoted with the server's private key and decrypted by the > client with the server's public key, therefore reversing the role of the > public key-private key for encrypting/decrypting data you mention above. No. That would be hideously inefficient. The public/private keys are only used during session establishment. > Thanks for the information. Evidently MySQL works with both the server > and a given client both having a public key-private key pair. In using > the MySQL client library API I must pass the paths to my client > certificates as SSL options to a client library connection object before > making a SSL connection to the server. After that everything works > automatically to encrypt/decrypr data between the client and the > database server. Really? It absolutely requires a client certificate? Why not just have the client make up a self-signed certificate then? I just did some research, yes, you are correct. This is a known deficiency of MySQL's SSL support, first reported in 2003! Bug number 2233. From reading this bug and related bugs, there appears to be a lot of weirdness in MySQL's usage of OpenSSL to perform transport encryption. I wonder if there has been any kind of security review. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
