RE: SSL-enabled interaction with MySQL
Hi,

Huge regards for your efforts. I am wee bit taking more time as I am also looking out for other options like using some SSL-supportive intermediaries;

> http://svwe10.itex.at/downloads/mod_auth_mysql/

I used the updated source and now the error has become SSL connection specific.

--
[Tue May 01 11:15:58 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL: MYSQL ERROR: SSL connection error :: connect to DB
[Tue May 01 11:15:58 2007] [error] [client 192.168.1.17] host (localhost.localdomain) not found in db
[Tue May 01 11:15:58 2007] [crit] [client 192.168.1.17] configuration error: couldn't check user. No user file?: /
--

> I'm just also hacking in the module, and I see this few lines above the
> mysql connect:
>
> if (!conf->db_host || strcmp(conf->db_host,"localhost") == 0 ||
>     strcmp(conf->db_host,"127.0.0.1") == 0) {
>     db_host = NULL;
>     db_port = 0;
> } else {
>     db_host = conf->db_host;
>     db_port = conf->db_port;
> }
>
> I think it's now mandatory that you access the mysql server from another
> host than localhost to make sure you really establish a TCPIP
> connection...

I am still using the same box for mysql server and my accessing code. Moreover I am using my box's IP in conf->db_host.

conf->db_host = "192.168.x.x";

Will not this allow a TCPIP connection? What about skipping this part of the code at least for now? What would you suggest, should I really have to access mysql from some other host?

The updates contain 5 new directives for SSL and ciphers. How can these new directives be set in httpd.conf like other AuthMySql* directives?

> and then I found a bug report related to this option:
> http://bugs.mysql.com/bug.php?id=24121

I suppose this fixing at my end would need me to recompile my mysql. AM I RIGHT HERE?

Thanks again,
Naveen
Re: svn commit: r533820 - /httpd/httpd/trunk/modules/http/http_request.c
[EMAIL PROTECTED] wrote:
> Author: gregames
> Date: Mon Apr 30 11:16:06 2007
> New Revision: 533820
>
> URL: http://svn.apache.org/viewvc?view=rev&rev=533820
> Log:
> check_pipeline: use AP_MODE_SPECULATIVE to check for data in the input filters
> to accommodate mod_ssl's input filter. AP_MODE_EATCRLF is essentially a no-op
> in that filter.

Whatever happened to AP_MODE_INIT which was added for just this purpose?
RE: SSL-enabled interaction with MySQL
Hi,

again a new complete archive:
http://svwe10.itex.at/downloads/mod_auth_mysql/

mod_auth_mysql.c source for viewing:
http://svwe10.itex.at/downloads/mod_auth_mysql/mod_auth_mysql.c

changes summary:
http://svwe10.itex.at/downloads/mod_auth_mysql/changes.new

shell script from mysql site to create the certs:
http://svwe10.itex.at/downloads/mod_auth_mysql/creacerts.sh

to compile with MySQL SSL support you need to define MYSQL_USE_SSL:

apxs -cia -lmysqlclient -DMYSQL_USE_SSL mod_auth_mysql.c

this version does _not_ try to use SSL if host = localhost | 127.0.0.1 | NULL !

BTW. I've entered a feature request for SSL-enabled MySQL binary dists:
http://bugs.mysql.com/bug.php?id=28146
votes/comments welcome!

Guenter.
Re: [PATCH] mod_wombat: add table_get and table_set
On Apr 30, 2007, at 2:02 PM, Akins, Brian wrote:

> Probably more changes than needs to be in one patch:
> - use hooks for:
> -- wombat_open - called by create_vm

+1 Perfect!

> -- wombat_request - called instead of apw_request_push

I would like to maintain a function which is analogous to lua_pushstring() and lua_pushinteger() for pushing the request_rec into a function call or whatnot from the C side. Will this work with the hook? (I am a hook newb).

> -added apr_lua.c and .h - only handles tables for now. Can be extended to do more in future.

Index: apr_lua.c
===
--- apr_lua.c (revision 0)
+++ apr_lua.c (revision 0)
@@ -0,0 +1,55 @@ +#include "apr.h" +#include "apr_tables.h" + +#include "lua.h" +#include "lauxlib.h" +#include "lualib.h" + +#define lua_unboxpointer(L,i) (*(void **)(lua_touserdata(L, i))) + +static apr_table_t* check_apr_table(lua_State* L, int index) { +luaL_checkudata(L, index, "Apr.Table"); +apr_table_t* t = (apr_table_t*)lua_unboxpointer(L, index); +return t; +} + +static int lua_table_set(lua_State* L) { +apr_table_t *t = check_apr_table(L, 1); +const char* key = luaL_checkstring(L, 2); +const char* val = luaL_checkstring(L, 3); + +apr_table_set(t, key, val); +return 0; +} + +static int lua_table_get(lua_State* L) { +apr_table_t *t = check_apr_table(L, 1); +const char* key = luaL_checkstring(L, 2); +const char *val = apr_table_get(t, key); +lua_pushstring(L, val); +return 1; +} + +static const luaL_reg lua_table_methods[] = { +{"set", lua_table_set}, +{"get", lua_table_get}, +{0, 0} +}; Even though these are static, we might want to be careful in naming as these are reaching into lua's namespace (lua_* and luaL_*). + + +int apr_lua_init(lua_State *L, apr_pool_t *p) { +luaL_newmetatable(L, "Apr.Table"); +luaL_openlib(L, "apr_table", lua_table_methods, 0); +lua_pushstring(L, "__index"); +lua_pushstring(L, "get"); +lua_gettable(L, 2); +lua_settable(L, 1); + +lua_pushstring(L, "__newindex"); +lua_pushstring(L, "set"); +lua_gettable(L, 2); +lua_settable(L, 1); + +return 0; +} Why pass the pool in (other than matching the hook form, but this isn't invoked via ) and what is the general policy on borrowing from the apr namespace for an exported function? -Brian
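Review bot: apr_lua_init hardwires absolute stack slots 1 and 2 for the metatable and the "apr_table" library table (lua_gettable(L, 2) / lua_settable(L, 1)), which is only correct if the Lua stack is empty when the function is entered; when it is called from a hook with values already pushed, __index and __newindex land on the wrong tables. Capturing `int top = lua_gettop(L);` before luaL_newmetatable and using `top + 1` / `top + 2` (or negative indices immediately after each push) removes that assumption. In check_apr_table the `apr_table_t* t` declaration follows the luaL_checkudata call, a mixed declaration/statement that the C89 builds httpd still supports will reject; declare first, then check. lua_table_get pushes the raw apr_table_get result, so a missing key yields nil through lua_pushstring(L, NULL); a one-line comment stating that this is intended would save the next reader from treating it as a bug.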
Re: [PATCH] mod_wombat: add table_get and table_set
Probably more changes than needs to be in one patch:

- use hooks for:
-- wombat_open - called by create_vm
-- wombat_request - called instead of apw_request_push
- added apr_lua.c and .h - only handles tables for now. Can be extended to do more in future.

--
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies

wombat_hooks.diff
Description: Binary data
Re: [mod_wombat] Patch to improve docs
Brian McCallister <[EMAIL PROTECTED]> writes:

> +If compiling (make) reports an error that it cannot find the
> +libapreq2 header file, please tell me ( [EMAIL PROTECTED] )
> +as this occurs under some configurations but we haven't
> +hammered down the weird things libapreq2 does with its
> +install. If you build libapreq2 with a --prefix configuration
> +option, it always seems to work.

By default, libapreq2 tries to install itself alongside libaprutil. This is the relevant part of acinclude.m4:

dnl Reset the default installation prefix to be the same as apu's
ac_default_prefix="`$APU_CONFIG --prefix`"

Does mod_wombat use the apreq2_config script for getting at apreq2's installation data?

--
Joe Schaefer
Re: [mod_wombat] Patch to improve docs
On 4/30/07, Brian McCallister <[EMAIL PROTECTED]> wrote:
> Patch to add information on building, running tests, and organize the README into some actual docu.

+1, looks like a big improvement.

-garrett
[mod_wombat] Patch to improve docs
Patch to add information on building, running tests, and organize the README into some actual docu.

docs.patch
Description: Binary data
Re: SatisfyOne
>>> On 4/30/2007 at 9:54 AM, in message <[EMAIL PROTECTED]>, "Joshua Slive" <[EMAIL PROTECTED]> wrote:
> On 4/27/07, Brad Nicholes <[EMAIL PROTECTED]> wrote:
>>
>> It's beginning to look like Order, Allow, Deny, Satisfy can't be deprecated
>> after all. However I still think that there is a usefulness for the same
>> type of authorization rules defined by "require".
>>
>
> I don't really understand why you say this. Isn't it just a question
> of defining the order of evaluation of blocks? And the
> proper order seems quite straight-forward to me.
>
> Joshua.

Well, the reason why is because of the order in which the hooks are called. We have three different hooks, access_checker, check_user_id and auth_checker. Basically, to give the hooks more understandable names, we have access_control, authentication and authorization. The directives that cause these hooks to be invoked are:

Order, Allow from, Deny from - access_control hook
AuthBasicProvider, AuthDigestProvider - Authentication hook
Require - Authorization hook

With the host based directives moving from "Allow from [host|IP|ENV]", "Deny From [host|IP|ENV]" to "Require [host|IP|ENV]", "Reject [host|IP|ENV]", the access control functionality moved from the access_control hook to the Authorization hook. This works great until you try to throw authentication into the mix. If your intention was to avoid a credentials challenge through access control, as soon as you include authentication, the check_user_id hook gets called and the first thing that happens is a check for the user name and password in the request header. If it isn't there, the challenge is sent back to the browser and the browser prompts for the user name and password. In this case there was no chance for "Require [host|IP]" to even have a crack at satisfying the request since the authorization hook was never called.

When I implemented this I thought I had all of the bases covered but apparently not (which is why I would like to see us at least roll an alpha of 2.3 so this stuff would get some visibility). There seem to be cases where access control and authorization should be separate. So I am starting to see the need to retain Order, Allow, Deny, Satisfy so that in cases where access control needs to happen outside of authorization, it can. I don't really like having to retain those directives, because it makes access control and authorization a little more confusing.

Better ideas?

Brad
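As an added example (not code from httpd or from anyone in this thread), the C program below models the three hooks Brad names and the order in which httpd's request processing calls them, including the "Satisfy Any" short-circuit of the legacy directives. The struct names, the config fields and the request data are constructed stand-ins for httpd's per-dir config and request_rec; the hook bodies are deliberately reduced to the one decision each makes. It runs the two configurations Patrick Welche posts elsewhere in this thread (Require host/ip plus Require valid-user under the new framework, and the Order/Allow/Satisfy Any compat form) against a request from the trusted host that carries no credentials, and shows why the first one challenges while the second one does not.

```c
#include <stdio.h>
#include <string.h>

/* Status values as httpd hooks return them. */
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403 };

/* Constructed stand-in for the parts of request_rec the hooks look at. */
struct request {
    const char *remote_host;   /* reverse-resolved client name */
    int has_credentials;       /* Authorization: header present? */
};

/* Constructed stand-in for the per-dir config driving the three hooks. */
struct config {
    const char *allow_host;    /* "Allow from <host>" (legacy access_checker), or NULL */
    int satisfy_any;           /* "Satisfy Any" (legacy) */
    const char *require_host;  /* "Require host <host>" (new authz framework), or NULL */
    int require_valid_user;    /* "Require valid-user" */
    int authn_configured;      /* AuthType + AuthBasicProvider present */
};

/* access_checker: host-based access control, runs before authentication. */
static int access_checker(const struct config *c, const struct request *r)
{
    if (!c->allow_host)
        return OK;                                  /* no Order/Allow/Deny at all */
    return strcmp(c->allow_host, r->remote_host) == 0 ? OK : HTTP_FORBIDDEN;
}

/* check_user_id: authentication; the very first thing it does is look for
 * credentials and challenge when they are absent. */
static int check_user_id(const struct config *c, const struct request *r)
{
    if (!c->authn_configured)
        return DECLINED;
    return r->has_credentials ? OK : HTTP_UNAUTHORIZED;
}

/* auth_checker: authorization; this is where every Require line is evaluated. */
static int auth_checker(const struct config *c, const struct request *r)
{
    if (c->require_host && strcmp(c->require_host, r->remote_host) == 0)
        return OK;
    if (c->require_valid_user && r->has_credentials)
        return OK;
    return HTTP_UNAUTHORIZED;
}

/* The calling order.  With "Satisfy Any" a passing access_checker ends the
 * decision, which is how the legacy directives let a trusted host skip the
 * password prompt.  Without it, a 401 from check_user_id is sent before
 * auth_checker (and thus "Require host") is ever reached. */
int run_request(const struct config *c, const struct request *r)
{
    int rc = access_checker(c, r);

    if (c->allow_host && c->satisfy_any) {
        if (rc == OK)
            return OK;                              /* host matched: no challenge */
        /* host did not match: fall through to authn/authz */
    } else if (rc != OK) {
        return rc;                                  /* Satisfy All: access failure is final */
    }
    rc = check_user_id(c, r);
    if (rc != OK && rc != DECLINED)
        return rc;                                  /* 401 leaves before Require host is seen */
    return auth_checker(c, r);
}

#define TRUSTED "quartz.itdept.newn.cam.ac.uk"      /* host from Patrick's config */

/* New framework: Require host + Require valid-user, trusted host, no credentials. */
int new_framework_trusted_host_no_creds(void)
{
    struct config c = { NULL, 0, TRUSTED, 1, 1 };
    struct request r = { TRUSTED, 0 };
    return run_request(&c, &r);                     /* 401 */
}

/* Compat form: Order/Allow + Satisfy Any, trusted host, no credentials. */
int compat_trusted_host_no_creds(void)
{
    struct config c = { TRUSTED, 1, NULL, 1, 1 };
    struct request r = { TRUSTED, 0 };
    return run_request(&c, &r);                     /* OK */
}

/* Compat form, untrusted host: without credentials it is challenged ... */
int compat_other_host_no_creds(void)
{
    struct config c = { TRUSTED, 1, NULL, 1, 1 };
    struct request r = { "elsewhere.example", 0 };
    return run_request(&c, &r);                     /* 401 */
}

/* ... and with credentials it passes through valid-user. */
int compat_other_host_with_creds(void)
{
    struct config c = { TRUSTED, 1, NULL, 1, 1 };
    struct request r = { "elsewhere.example", 1 };
    return run_request(&c, &r);                     /* OK */
}

int main(void)
{
    printf("new framework, trusted host, no creds : %d\n", new_framework_trusted_host_no_creds());
    printf("compat form,   trusted host, no creds : %d\n", compat_trusted_host_no_creds());
    printf("compat form,   other host,   no creds : %d\n", compat_other_host_no_creds());
    printf("compat form,   other host,   creds    : %d\n", compat_other_host_with_creds());
    return 0;
}
```

The model encodes 2.2-style Satisfy handling: a successful access_checker under Satisfy Any skips authentication and authorization entirely, whereas a failed one falls through to them. Moving the host test into auth_checker, as the new Require host does, is what makes it unreachable once check_user_id has already issued the 401.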
RE: SSL-enabled interaction with MySQL
Hi Naveen,

new archive:
http://svwe10.itex.at/downloads/mod_auth_mysql/

replaced exists() with accessible() (also borrowed from htpasswd.c); so should now also check for read permissions...

Guenter.
Re: [PATCH] mod_wombat: add table_get and table_set
On 4/27/07 2:34 PM, "Brian McCallister" <[EMAIL PROTECTED]> wrote:

> We may want to consider not putting table_set and table_get on the
> request, though. It might be better to have a general purpose
> userdata type (metatable) for apr_table_t and put the functions
> there. This would allow for something like:
>
> function handle(r)
>     r.headers_out['Lua'] = 'Cool'
>     val = r.headers_in['User-Agent']
> end
>

Here's the patch that does just that. Ugly, I'm sure. I know lua now, and I know C. Still having issues stitching them together...

--
Brian Akins
Chief Operations Engineer
Turner Digital Media Technologies

request-table.diff
Description: Binary data
RE: SSL-enabled interaction with MySQL
Hi Naveen,

here's what I have hacked so far:
http://svwe10.itex.at/downloads/mod_auth_mysql/

to keep the code more readable I've inserted a new function exists() (borrowed from htpasswd.c) which does for now _only_ check if the certs exist; but should be easily extendable for permission check as you did already. Also I have made all settings configurable for easier testing. At least I get an error in the error_log when a path is entered wrong - unfortunately I've not had the time to compile a SSL-aware mysql server, so not able to test further at the moment... just wanted to share the code here; oh, and I believe also the mysql_init() call is wrong since it takes the mysql_handle and not the mysql_conn which is used for mysql_real_connect()...; fixed that too.

I will also propose it to the author once it works since I know him (see change log where I appear already); then we have a ready solution without patching around...

Guenter.
Re: SatisfyOne
On Fri, Apr 27, 2007 at 03:44:08PM -0600, Brad Nicholes wrote:
> >>> On 4/27/2007 at 11:30 AM, in message
> <[EMAIL PROTECTED]>, Patrick Welche
> <[EMAIL PROTECTED]> wrote:
...
> > Using httpd trunk 529626, of Apr 19 2007, I tried a FAQ configuration
> > with the new authentication framework:
> >
> >
> > AuthType basic
> > AuthName "raven test"
> > AuthBasicProvider file
> > AuthUserFile /usr/local/etc/pass.txt
> >
> > Require host quartz.itdept.newn.cam.ac.uk
> > Require ip 192.168.200.180
> > Require valid-user
> >
> >
...
> It's beginning to look like Order, Allow, Deny, Satisfy can't be deprecated
> after all. However I still think that there is a usefulness for the same
> type of authorization rules defined by "require".

Indeed, translating to the compat form:

AuthType basic
AuthName "raven test"
AuthBasicProvider file
AuthBasicAuthoritative Off
AuthUserFile /usr/local/etc/httppwddb
Order Deny,Allow
Deny from All
Allow from quartz.itdept.newn.cam.ac.uk 192.168.200.180
Require valid-user
Satisfy Any

behaves as expected.

Cheers,

Patrick
Re: SatisfyOne
On Fri, Apr 27, 2007 at 05:22:16PM -0400, Jim Jagielski wrote:
> Are you sure that there are no other conflicting ACLs?

Yes - it's basically the as-distributed httpd.conf file with the following addition.

> On Apr 27, 2007, at 1:30 PM, Patrick Welche wrote:
>
> >Basically, bug or configuration error?
> >
> >Using httpd trunk 529626, of Apr 19 2007, I tried a FAQ configuration
> >with the new authentication framework:
> >
> >
> >AuthType basic
> >AuthName "raven test"
> >AuthBasicProvider file
> >AuthUserFile /usr/local/etc/pass.txt
> >
> >Require host quartz.itdept.newn.cam.ac.uk
> >Require ip 192.168.200.180
> >Require valid-user
> >
> >
Re: SatisfyOne
On 4/27/07, Brad Nicholes <[EMAIL PROTECTED]> wrote:
> It's beginning to look like Order, Allow, Deny, Satisfy can't be deprecated
> after all. However I still think that there is a usefulness for the same
> type of authorization rules defined by "require".

I don't really understand why you say this. Isn't it just a question of defining the order of evaluation of blocks? And the proper order seems quite straight-forward to me.

Joshua.
RE: SSL-enabled interaction with MySQL
Hi Naveen,

another shot: I'm just also hacking in the module, and I see this few lines above the mysql connect:

if (!conf->db_host || strcmp(conf->db_host,"localhost") == 0 ||
    strcmp(conf->db_host,"127.0.0.1") == 0) {
    db_host = NULL;
    db_port = 0;
} else {
    ...

I'm not sure, but I guess that the client lib uses a unix socket when passed in NULL for host, and that might not work with SSL at all since it's not needed then... I think it's now mandatory that you access the mysql server from another host than localhost to make sure you really establish a TCPIP connection...

then I saw in your previous post that you have set:

static my_bool opt_ssl_verify_server_cert= 0;

why not setting to 1 ?

and then I found a bug report related to this option:
http://bugs.mysql.com/bug.php?id=24121

Guenter.
RE: SSL-enabled interaction with MySQL
Hi Guenter,

>> A standalone client is working perfect to provide the SSL layer with the
>> database, and it is using the same client lib (libmysqlclient). I used
>> common ethereal tool to ensure that everything it does is encrypted. I
>> used the same mysql_ssl_set() prior to establishing the connection. I
>> simply did the following :
>>
>> mysql_handle=mysql_init(NULL);
>> static my_bool opt_ssl_verify_server_cert= 0;
>>
>> mysql_ssl_set(mysql_handle, 0, 0, "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
>> mysql_options(&mysql_conn,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,(char*)&opt_ssl_verify_server_cert);
>>
>> mysql_handle=mysql_real_connect(&mysql_conn,db_host,
>> conf->db_username,conf->db_password,conf->db_name,db_port,NULL,0);
>> .
>
> Since everything you posted sounds perfect, here a shot in the dark:
> I see you have a path to the /root directory for the certs. Apache changes
> identity when starting, and it might be a simple access problem perhaps?
> I would do two things:
> - move the certs below a place you make worldwide readable for testing
> - insert apr_stat() calls before you try to use the certs, and bail out
> and write info to the error log if the certs can't be accessed for whatever
> reason.

You guessed right, the certs were not really read properly from the path I had specified. So I put them for testing, straight at root '/'. Now the certs are accessed well, which is also verified by the apr_stat() call which does not bring any error. But the eventual outcome is no better. Still the apache log gives the same error.

--
[Mon Apr 30 18:57:16 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL: MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password: YES) :: connect to DB
[Mon Apr 30 18:57:16 2007] [error] [client 192.168.1.17] host (localhost.localdomain) not found in db
[Mon Apr 30 18:57:16 2007] [crit] [client 192.168.1.17] configuration error: couldn't check user. No user file?: /
---

When I go for non-SSL mode (by granting the used 'mysql' user account no SSL-specific grant), the very same code gives no error and runs fine. No logs as generated above are seen there.

The code fragment for what is done:

. . .
    apr_size_t length;
    apr_status_t stat;
    char msgbuf[80];
    apr_status_t rv;
    apr_pool_t *mp;
    apr_file_t *fp;
    const char *fname = "/ca-cert.pem";
    apr_finfo_t finfo;

    apr_initialize();
    apr_pool_create(&mp, NULL);

    /* open the CA file as the user httpd runs as; fail loudly if that is not possible */
    if ((rv = apr_file_open(&fp, fname, APR_READ, APR_OS_DEFAULT, mp)) != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "MOD_AUTH_MYSQL: FILE OPEN ERROR:: %s :: %s\n",
                      mysql_error(&mysql_conn), apr_strerror(rv, msgbuf, sizeof(msgbuf)));
        return -1;
    }
    apr_file_close(fp);

    /* any failure to stat the file (not only APR_INCOMPLETE) means it is unusable */
    if ((rv = apr_stat(&finfo, fname, APR_FINFO_NORM, mp)) != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "MOD_AUTH_MYSQL: FILE READ ERROR: %s :: %s\n",
                      mysql_error(&mysql_conn), apr_strerror(rv, msgbuf, sizeof(msgbuf)));
        return -1;
    }

    mysql_handle = mysql_init(NULL);
    mysql_ssl_set(mysql_handle, 0, 0, finfo.fname, 0, 0);
    mysql_handle = mysql_real_connect(&mysql_conn, db_host,
                                      conf->db_username, conf->db_password, conf->db_name, db_port, NULL, 0);
. . .

Thanks in advance.

Best Regards,
Naveen Rawat
RE: SSL-enabled interaction with MySQL
Hi Naveen,

> A standalone client is working perfect to provide the SSL layer with the
> database, and it is using the same client lib (libmysqlclient). I used
> common ethereal tool to ensure that everything it does is encrypted. I used
> the same mysql_ssl_set() prior to establishing the connection. I simply did
> the following :
> mysql_handle=mysql_init(NULL);
> static my_bool opt_ssl_verify_server_cert= 0;
> mysql_ssl_set(mysql_handle, 0, 0, "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
> mysql_options(&mysql_conn,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,(char*)&opt_ssl_verify_server_cert);
> mysql_handle=mysql_real_connect(&mysql_conn,db_host,
> conf->db_username,conf->db_password,conf->db_name,db_port,NULL,0);
> .

Since everything you posted sounds perfect, here a shot in the dark: I see you have a path to the /root directory for the certs. Apache changes identity when starting, and it might be a simple access problem perhaps? I would do two things:

- move the certs below a place you make worldwide readable for testing
- insert apr_stat() calls before you try to use the certs, and bail out and write info to the error log if the certs can't be accessed for whatever reason.

good luck!

Guenter.
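Guenter's advice here (check that the certs are accessible before calling mysql_ssl_set(), and log why when they are not) and the apr_file_open()/apr_stat() fragment Naveen posts in his reply come down to the same pre-flight check. The following is an added example, not code from mod_auth_mysql or from either poster; it uses plain POSIX calls instead of APR so it builds stand-alone, and the file it checks is a constructed placeholder, not a real certificate. The two points it adds to the thread are that the check has to be made as the effective uid the httpd child runs under, since that is what fails for a path under /root, and that a world-writable CA file is also worth refusing because anyone on the box could then replace the trust anchor.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of cert_check(); only CERT_OK means mysql_ssl_set() should be called. */
enum cert_status {
    CERT_OK = 0,
    CERT_MISSING,        /* stat() failed: no such file, or a parent dir is not searchable */
    CERT_NOT_REGULAR,    /* directory, device, socket ... */
    CERT_UNREADABLE,     /* exists, but open(O_RDONLY) fails for the effective uid */
    CERT_WORLD_WRITABLE  /* readable, but anyone on the box could swap the trust anchor */
};

/*
 * Check that a PEM file is usable by the *effective* uid.  In an httpd child
 * that is the unprivileged User/Group, not root, which is exactly why a path
 * under /root stops working once privileges are dropped.  The file is really
 * open()ed rather than tested with access(): access() answers for the real
 * uid, the wrong question in a daemon that has switched identity.  On failure
 * a short message fit for the error_log is written to errbuf.
 */
enum cert_status cert_check(const char *path, char *errbuf, size_t errlen)
{
    struct stat st;
    int fd;

    if (stat(path, &st) != 0) {
        snprintf(errbuf, errlen, "%s: cannot stat: %s", path, strerror(errno));
        return CERT_MISSING;
    }
    if (!S_ISREG(st.st_mode)) {
        snprintf(errbuf, errlen, "%s: not a regular file", path);
        return CERT_NOT_REGULAR;
    }
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        snprintf(errbuf, errlen, "%s: not readable by uid %u: %s",
                 path, (unsigned)geteuid(), strerror(errno));
        return CERT_UNREADABLE;
    }
    close(fd);
    if (st.st_mode & S_IWOTH) {
        snprintf(errbuf, errlen, "%s: world-writable (mode %04o)",
                 path, (unsigned)(st.st_mode & 07777));
        return CERT_WORLD_WRITABLE;
    }
    errbuf[0] = '\0';
    return CERT_OK;
}

/* Convenience wrapper for callers that only need the verdict. */
enum cert_status check_path_status(const char *path)
{
    char err[256];
    return cert_check(path, err, sizeof err);
}

/*
 * Demo helper: write a constructed placeholder (not a real certificate) to a
 * temp file with the requested mode, run cert_check() on it, remove it, and
 * return the verdict.  Returns CERT_MISSING if the temp file cannot be made.
 */
enum cert_status demo_status(mode_t mode)
{
    static const char body[] =
        "-----BEGIN CERTIFICATE-----\nCONSTRUCTED PLACEHOLDER\n-----END CERTIFICATE-----\n";
    char path[] = "/tmp/ca-cert-demo-XXXXXX";
    enum cert_status s;
    int fd = mkstemp(path);

    if (fd < 0)
        return CERT_MISSING;
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1) ||
        fchmod(fd, mode) != 0) {
        close(fd);
        unlink(path);
        return CERT_MISSING;
    }
    close(fd);
    s = check_path_status(path);
    unlink(path);
    return s;
}

int main(void)
{
    char err[256];
    /* The path from the thread: unreadable or absent once httpd runs as its User. */
    const char *thread_path = "/root/DIGI_DEPS/newcerts/ca-cert.pem";

    printf("0644 placeholder   -> %d\n", (int)demo_status(0644));            /* 0 = CERT_OK */
    printf("0666 placeholder   -> %d\n", (int)demo_status(0666));            /* 4 = CERT_WORLD_WRITABLE */
    printf("/tmp (a directory) -> %d\n", (int)check_path_status("/tmp"));    /* 2 = CERT_NOT_REGULAR */
    if (cert_check(thread_path, err, sizeof err) != CERT_OK)
        printf("error_log line: MOD_AUTH_MYSQL: %s\n", err);
    return 0;
}
```

In a module the verdict and errbuf would go to ap_log_rerror() before mysql_ssl_set() is reached, so the error_log names the real cause (path, uid, errno) instead of the generic "SSL connection error" that libmysqlclient reports later.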
RE: SSL-enabled interaction with MySQL
Hi there,

Thanks for the responses.

>>> Does your client library know SSL? Really?)
>>
>> YES. My database (MySQL) is compiled from source and my end
>> libmysqlclient supports SSL and that too very well. This has already been tested from a very
>> basic standalone database client + a packet sniffer tool (ethereal).
>
> what I'm currently after is a way to determine _if_ the client lib really
> is SSL-aware; I've not found yet an API call which tells me this piece -
> instead I see in the shipping mysql apps, f.e. in mysqlshow, that simply
> mysql_ssl_set() is called before mysql_real_connect(), and the latter just
> bails out if the connection could not be established for whatever reason. I
> would however prefer to make a test if libmysqlclient is really SSL-aware,
> and bail out with a more informative error to the user when not.
> Did you find such perhaps?

A standalone client is working perfect to provide the SSL layer with the database, and it is using the same client lib (libmysqlclient). I used common ethereal tool to ensure that everything it does is encrypted. I used the same mysql_ssl_set() prior to establishing the connection. I simply did the following :

mysql_init(&mysql);
#ifdef HAVE_OPENSSL
mysql_ssl_set(&mysql, "/root/DIGI_DEPS/newcerts/client-key.pem",
              "/root/DIGI_DEPS/newcerts/client-cert.pem",
              "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
#endif
if (!(sock = mysql_real_connect(&mysql, "127.0.0.1", "mysql", "mysql", "digi_auth_support", 3306, NULL, 0)))

The lib is surely SSL-aware and my client supports this. Moreover I am otherwise not getting any ssl-related linking error.

>> I am using a third party authentication module 'mod_auth_mysql'
>> which will do this task for me. Unlike my requirement this particular
>> module does not provide for SSL encryption when it validates the data
>> (username / password) against my database. This module is having MySQL C
>> APIs usage for talking to the database.
>> I have generated the musts for SSL - keys/certificates for the
>> database clients, MySQL server and a dummy CA. Grants are well set for
>> the MySQL connecting users compelling them to provide their keys/
>> certificates at the time they connect to the database. These same set of
>> keys/certs have been found to be valid as they are working for a basic
>> database client application.
>
> this part is just not clear to me: what do you really test here? Did you
> modify the source of mod_auth_mysql and insert the call to mysql_ssl_set()?

The module provides for authenticating users at the browser end when they fire HTTP/S request for my server. I want SSL-layer encoding for authenticating such users against their account in the database. For this I need SSL certificates and keys for both my module and the MySQL database. The module will connect to the database using a database user account, which has to be given the grant for performing a secured (SSL-rich) connection. Without the grant the database will not be able to enforce that account-user (my module) to provide the keys and certificates. My perfectly working non-module client is using these same resources which shows that the issue doesn't lie either with my certificates or keys. YES, I have included the call in my module.

> if so I'd suggest that you make your modified code available somewhere to
> us so that those here interested in this can take a look (and sure I am
> since I will soon have a similar requirement); also for me personally the
> next prob is that I couldn't find yet a ready-to-use SSL-aware mysql binary
> distro; so seems for that I would have to compile self first
> therefore it would help me a lot if you would be willing/able to provide a
> test account on your SSL-aware mysql server so that I could directly start
> with some testing with the module.

I am using an openly available mod_auth_mysql 1.9.1. I am providing here the relevant part and specifically the one that enables SSL.

. . .
mysql_handle = mysql_init(NULL);
static my_bool opt_ssl_verify_server_cert = 0;
mysql_ssl_set(mysql_handle, 0, 0, "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
mysql_options(&mysql_conn, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert);
mysql_handle = mysql_real_connect(&mysql_conn, db_host,
                                  conf->db_username, conf->db_password, conf->db_name, db_port, NULL, 0);
. . .

The source distro of mod_auth_mysql 1.9.1 also provides the data structures needed. I regret not being able to provide you an access to it as it being installed at my work place.

> If you did not modify the mod_auth_mysql module self then I guess you have
> some misunderstanding: you can only secure the connection between
> mod_auth_mysql (if it is modified to use mysql_ssl_set() + libmysqlclient
> is SSL-aware) and the mysql server;

Done the same.

> secure the communication which happens between a client's browser and
> Apache is task of mod_ssl, and has nothing to do with mysql SSL and certs
> etc; instead ther