Re: MySQL 4.0.1 SSL config - a shot in the dark
Hello,

From the sound of Tonu's original response, he's pretty busy right now ... If anyone else with experience with SSL & MySQL, or just with openssl in general, can offer an opinion on this, I would be grateful.

I've ordered a book on OpenSSL in an effort to learn more about it for this application as well as others, but it hasn't gotten here yet. I would appreciate any insight before I get around to just guessing!

Thanks,
Clay

> From: Clay Loveless [EMAIL PROTECTED]
> Date: Sat, 15 Jun 2002 21:30:31 -0700
> To: MySQL [EMAIL PROTECTED]
> Subject: Re: MySQL 4.0.1 SSL config - a shot in the dark

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: MySQL 4.0.1 SSL config - a shot in the dark
A little more information on this problem ...

- Tonu's notes state that there are sample SSL keys & certs for testing purposes in the SSL directory of the mysql tarball. There is no SSL directory in the mysql-4.0.1-alpha.tar.gz file. Does anyone know which tarball he may be referring to?

- In Tonu's notes, there is an example my.cnf entry of:

      [mysqld]
      ssl-ca=SSL/cacert.pem
      ssl-cert=SSL/server-cert.pem
      ssl-key=SSL/server-key.pem

  Further in the notes, there's an example of a command-line switch for mysqld:

      mysqld --ssl-cert=SSL/server-cert.pem --ssl-ca=SSL/cacert.pem --ssl-key=SSL/server-req.pem

  In other words, one example shows ssl-key pointing to the server-key.pem file, another example shows ssl-key pointing to server-req.pem.

  I'm looking through the files I created by doing these commands (extracted from Tonu's notes), from the /usr/local/ssl/apps directory:

      ./CA.sh -newca
      ./CA.sh -newreq
      ./CA.sh -sign

  As I mentioned previously, those commands leave me with the following structure:

      newcert.pem
      newreq.pem
      demoCA/
          newcerts/
              01.pem
          private/
              cakey.pem

  newcert.pem and demoCA/newcerts/01.pem are identical.

  Tonu's notes indicate that passwords should be removed from the key files like this:

      openssl rsa -inform pem < server-req.pem > server-key.pem

  I'm *assuming* that server-req.pem is the same as newreq.pem ... But the leap in file names isn't documented, and the two contradictory examples of ssl-key usage (mentioned above) are confusing.

- Is there an estimate for when the documentation on MySQL's SSL functionality will be completed? I would love to be able to set this up without having to guess at how it's done. : )

  I'm going to start experimenting with the files I've got to see what works ... I'll report what I find. Meanwhile, the general idea of guessing at how to configure the secure connection is killing the notion of security for me to some extent.

- Has anyone successfully set this up on their servers? If so, I would be grateful for your tips!

Thanks,
Clay

> From: Clay Loveless [EMAIL PROTECTED]
> Date: Tue, 18 Jun 2002 12:00:51 -0700
> To: MySQL [EMAIL PROTECTED]
> Subject: Re: MySQL 4.0.1 SSL config - a shot in the dark
Re: MySQL 4.0.1 SSL config - a shot in the dark
[replying to my own thread yet again ... Sorry about that]

Thought that anyone silently following my experiments on this may be interested to know:

Using the /usr/local/ssl/apps/CA.sh script (part of the openssl installation) as follows:

    ./CA.sh -newca
    ./CA.sh -newreq
    ./CA.sh -sign

Then copying files like this:

    cp newcert.pem /usr/local/etc/mysqlssl/server-cert.pem
    cp demoCA/cacert.pem /usr/local/etc/mysqlssl/cacert.pem

And running:

    openssl rsa -inform pem < newreq.pem > /usr/local/etc/mysqlssl/server-key.pem

(And doing it all over again with client- for the client machine files)

Then adding:

    ssl-ca=/usr/local/etc/mysqlssl/cacert.pem
    ssl-cert=/usr/local/etc/mysqlssl/server-cert.pem
    ssl-key=/usr/local/etc/mysqlssl/server-key.pem

... To your [mysqld] section of my.cnf

THEN (finally) adding:

    ssl-ca=/usr/local/etc/mysqlssl/cacert.pem
    ssl-cert=/usr/local/etc/mysqlssl/client-cert.pem
    ssl-key=/usr/local/etc/mysqlssl/client-key.pem

... To your [mysql] section of my.cnf on your client connection machine ... Does the trick.

In addition to doing all this, you need to use the GRANT command to allow access to MySQL over SSL as described here:

    http://www.mysql.com/doc/S/e/Secure_GRANT.html

It all works. (Working for me, anyway.) Connecting via the command-line MySQL client now gets me:

    SSL cipher in use is EDH-RSA-DES-CBC3-SHA

Instead of:

    SSL not in use.

Good times!

Now if I can just figure out how to get the mysql client embedded in PHP to pick up these [mysql] client values, I'll be all set.

Hope this has been helpful to someone!

-Clay

> From: Clay Loveless [EMAIL PROTECTED]
> Date: Tue, 18 Jun 2002 18:03:02 -0700
> To: MySQL [EMAIL PROTECTED]
> Subject: Re: MySQL 4.0.1 SSL config - a shot in the dark
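A check for the two mistakes this thread turns on, as an added example (not code from the thread, from Tonu's NOTES file or from MySQL itself): a small my.cnf linter that flags SSL options placed in a group MySQL never reads, or given the names key/cert/ca/capath instead of ssl-key/ssl-cert/ssl-ca/ssl-capath, and then inspects the files the corrected options point at. ssl-ca and ssl-cert must hold a certificate; ssl-key must hold a private key whose passphrase has already been removed (mysqld starts unattended and cannot prompt for one) rather than only a certificate request, which is the server-req.pem versus server-key.pem confusion in the notes. The parser, the list of groups it treats as read, and all sample files are the example's own assumptions: the two option files reproduce the posted and the working layouts with placeholder values, the PEM fragments are constructed dummies, not real keys, and the demo's newreq.pem is modelled as an encrypted key followed by the request (an assumption about what CA.sh -newreq writes).

```python
"""Sanity-check the SSL entries of a MySQL option file (my.cnf).

Added example for this thread, not code from the list, from Tonu's NOTES file
or from MySQL. It encodes the thread's corrections: the entries must sit in a
group MySQL reads ([mysqld], [client], [mysql], [mysqldump]; [ssl] is never
read), the names are ssl-ca, ssl-cert, ssl-key, and ssl-key must point at a
private key that is no longer passphrase protected (mysqld cannot prompt for
one) rather than at a certificate request. All sample files are constructed.
"""
import os
import re
import tempfile

READ_GROUPS = {"mysqld", "client", "mysql", "mysqldump"}  # assumed list, not exhaustive
RENAMED = {"key": "ssl-key", "cert": "ssl-cert", "ca": "ssl-ca", "capath": "ssl-capath"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_option_file(text):
    """Minimal my.cnf parser -> {group: {option: value}}: [group] headers,
    option=value or bare options, '#'/';' comments, '_' normalised to '-'."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            groups.setdefault(current, {})
        elif current is not None:
            name, _, value = line.partition("=")
            groups[current][name.strip().lower().replace("_", "-")] = value.strip().strip("\"'")
    return groups


def check_option_file(text):
    """Findings about the group and the names the SSL options appear under."""
    findings = []
    for group, opts in parse_option_file(text).items():
        ssl_like = [o for o in opts if o.startswith("ssl-") or o in RENAMED]
        if ssl_like and group not in READ_GROUPS:
            findings.append(f"[{group}] is not read by mysqld or the clients; "
                            f"move {', '.join(ssl_like)} under [mysqld] or [client]")
        findings += [f"[{group}] '{o}' is not a MySQL option; use '{RENAMED[o]}'"
                     for o in opts if o in RENAMED]
    return findings


def pem_blocks(data):
    """Labels of every PEM block; a legacy-format private key carrying the
    Proc-Type passphrase header is reported as 'ENCRYPTED <label>'."""
    labels = []
    for label, body in PEM_RE.findall(data):
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            label = "ENCRYPTED " + label
        labels.append(label)
    return labels


def check_ssl_files(opts, base_dir="."):
    """Findings about the files ssl-ca, ssl-cert and ssl-key point at (first problem per file)."""
    findings = []
    for opt in ("ssl-ca", "ssl-cert", "ssl-key"):
        name = opts.get(opt)
        path = os.path.join(base_dir, name or "")  # absolute paths stay as-is
        if not name or not os.path.isfile(path):
            findings.append(f"{opt}: {'not set' if not name else name + ' does not exist'}")
            continue
        with open(path) as f:
            labels = pem_blocks(f.read())
        if opt != "ssl-key":
            if "CERTIFICATE" not in labels:
                findings.append(f"{opt}: {name} holds no certificate (found {labels or 'no PEM data'})")
        elif any(l.startswith("ENCRYPTED") for l in labels):
            findings.append(f"ssl-key: {name} is passphrase protected; mysqld cannot prompt for "
                            f"it, strip it with 'openssl rsa -in {name} -out server-key.pem'")
        elif not any(l.endswith("PRIVATE KEY") for l in labels):
            what = "only a certificate request" if "CERTIFICATE REQUEST" in labels else "no private key"
            findings.append(f"ssl-key: {name} holds {what}")
        elif os.stat(path).st_mode & 0o077:
            findings.append(f"ssl-key: {name} is readable by other users; chmod 600 it")
    return findings


# Clay's first attempt from the thread (values replaced by placeholders) and
# the layout that worked, with relative paths so the demo can use a temp dir.
AS_POSTED = "[ssl]\nkey = PASTED-KEY-VALUE\ncert = ca.crt\nca = ORG-NAME\ncapath = /usr/local/etc/mysqlssl\n"
AS_FIXED = ("[mysqld]\nssl-ca=cacert.pem\nssl-cert=server-cert.pem\nssl-key=server-key.pem\n\n"
            "[mysql]\nssl-ca=cacert.pem\nssl-cert=client-cert.pem\nssl-key=client-key.pem\n")
# Constructed PEM fragments with dummy bodies; not real keys or certificates.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIICdummy\n-----END RSA PRIVATE KEY-----\n"
FAKE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIICdummy\n-----END RSA PRIVATE KEY-----\n")
FAKE_REQ = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBdummy\n-----END CERTIFICATE REQUEST-----\n"


def demo():
    """Write the constructed files to a temp dir and run the checks. Returns
    (findings for AS_POSTED, file findings with ssl-key still pointing at the
    passphrase-protected newreq.pem, file findings for the fixed server set)."""
    d = tempfile.mkdtemp()
    files = {"cacert.pem": FAKE_CERT, "server-cert.pem": FAKE_CERT,
             "server-key.pem": FAKE_KEY, "newreq.pem": FAKE_ENCRYPTED_KEY + FAKE_REQ}
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(content)
        os.chmod(os.path.join(d, name), 0o600)
    server = parse_option_file(AS_FIXED)["mysqld"]
    return (check_option_file(AS_POSTED),
            check_ssl_files({**server, "ssl-key": "newreq.pem"}, d),
            check_ssl_files(server, d))
```

demo() yields five findings for the [ssl] layout (one for the unread group, four for the renamed options), a single passphrase-protected finding while ssl-key still points at newreq.pem, and none once it points at the stripped server-key.pem. Inspecting the PEM labels this way catches the request-versus-key mix-up and the forgotten openssl rsa step before a restart, instead of learning about them from a client that reports SSL not in use with nothing in the error log.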
Re: MySQL 4.0.1 SSL config - a shot in the dark
Tonu,

Thank you, thank you! The formal documentation effort is apparently still underway based on your notes ... The link you included eliminates a lot of guesswork! : )

> This part of MySQL is written by me and I am sure it worked :)

I'm sure it does -- what I meant was that the way I had it configured (my best guess last night) wasn't working. No wonder!

>> 3. EDIT my.cnf ON CLIENT & SERVER
>>
>> I added these values to my.cnf:
>>
>>     [ssl]
>>     key = (LONG public key value - 394 chars - copied from server.crt)
>>     cert = ca.crt
>>     ca = (Organization Name answer from the Q & A session while doing the first ca.key generation)
>>     capath = /usr/local/etc/mysqlssl
>
> nono, a lot of errors here. I am pretty sleepy and can make small mistakes right now, but the mistakes I see:
>
> section [ssl] is wrong. The MySQL server uses the [mysqld] section, the command-line client [client], but nobody reads an [ssl] section! Everything should be added under those common sections - the values key and ca are wrong. They should be ssl-key, ssl-ca and so on...

Makes sense. I went through the procedures with CA.sh logged in your notes, and was left with these files in my working directory:

    newcert.pem
    newreq.pem
    demoCA/
        newcerts/
            01.pem
        private/
            cakey.pem

Can you tell me which of those files translates into the files you used in your configuration?

    [mysqld]
    ssl-ca=SSL/cacert.pem
    ssl-cert=SSL/server-cert.pem
    ssl-key=SSL/server-key.pem

    [mysql]
    ssl-ca=SSL/cacert.pem
    ssl-cert=SSL/client-cert.pem
    ssl-key=SSL/client-key.pem

    [mysqldump]
    ssl-ca=SSL/cacert.pem
    ssl-cert=SSL/client-cert.pem
    ssl-key=SSL/client-key.pem

Your notes don't include the steps where you renamed the output .pem files to the filenames used in your example my.cnf entries.

>> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some clues for doing this ... In reference to C functions, it says:
>>
>>     'key' contains an SSL public key
>>     'cert' contains the filename of a certificate
>>     'ca' contains the name of the certificate authority
>>     'capath' contains the directory containing the certificate
>
> Hmm, this is not the first time O'Reilly has published a bad and misleading book about MySQL. I personally suggest avoiding them. Paul DuBois' one is a good example.

Could be that I was just making the wrong assumption. I've read a good chunk of the rest of that O'Reilly book today, and it was all pretty good. The section I quoted wasn't specifically documenting the SSL functionality, but just listing a C function for reading SSL-related values from the .cnf file. So, it was probably just the author's shorthand for that function, and I leapt to the wrong conclusion.

> There is a file in the MySQL source tree I wrote about using SSL connections with MySQL:
>
>     http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES
>
> I hope they work for you. There are some pregenerated example key/certificate files included. You may try with them first to ensure that your command-line stuff works first.

Thanks again for posting this link! This really helps a lot. I would be happy to write all this up for use as a FAQ answer on mysqldeveloper.com, as I'm sure this has (or will) come up often.

Regards,
Clay
MySQL 4.0.1 SSL config - a shot in the dark
I've been trying to figure out how to set up SSL support in mysql-4.0.1 ... The online documentation is pretty sparse on the subject. Here's what I've got so far -- and so far this is *NOT* working. I'm putting it out here so that someone else may be able to fiddle around on their end and help figure out how to get this working.

OBJECTIVE

Get the mysql client and mysql server talking to each other over an SSL connection.

ASSUMES

Both MySQL client & server were built with these options:

    --with-vio --with-openssl

As described here: http://www.mysql.com/doc/S/e/Secure_requirements.html

QUESTION

How to configure client & server certificates to ensure a successful SSL connection?

DISCLAIMER

I'm no expert on OpenSSL. :-)

1. CREATE A SELF-SIGNED CERTIFICATE

Going off of instructions posted here: http://www.coruscant.demon.co.uk/mike/imap/security.html

I did this:

    shell> openssl genrsa -des3 -out /path/to/cadir/ca.key 1024
    shell> openssl req -new -x509 -days 365 -key /path/to/cadir/ca.key \
               -out /path/to/cadir/ca.crt
    shell> openssl req -new -key /path/to/cadir/ca.key \
               -out /path/to/cadir/server.csr

Then I grabbed the mod_ssl package from www.modssl.org, moved the sign.sh script from pkg.contrib into /path/to/cadir

Then:

    shell> ./sign.sh server.csr

2. PLACE CERTIFICATE FILES IN APPROPRIATE PLACES

On both my client machine and server machine, I copied the contents of /path/to/cadir to /usr/local/etc/mysqlssl

3. EDIT my.cnf ON CLIENT & SERVER

I added these values to my.cnf:

    [ssl]
    key = (LONG public key value - 394 chars - copied from server.crt)
    cert = ca.crt
    ca = (Organization Name answer from the Q & A session while doing the first ca.key generation)
    capath = /usr/local/etc/mysqlssl

So far, this hasn't worked ... But at least MySQL runs without errors, so I believe I've got the my.cnf variable names correct.

Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some clues for doing this ... In reference to C functions, it says:

    'key' contains an SSL public key
    'cert' contains the filename of a certificate
    'ca' contains the name of the certificate authority
    'capath' contains the directory containing the certificate

Like I said, this hasn't worked yet -- I'm still getting "SSL is not in use" when I connect via the mysql client. No errors appear in the error log.

Has anyone else tried this? Any luck?

- Clay
Re: MySQL 4.0.1 SSL config - a shot in the dark
On Sat, 15 Jun 2002, Clay Loveless wrote:

> I've been trying to figure out how to set up SSL support in mysql-4.0.1 ... The online documentation is pretty sparse on the subject. Here's what I've got so far -- and so far this is *NOT* working. I'm putting it out here so that someone else may be able to fiddle around on their end and help figure out how to get this working.

This part of MySQL is written by me and I am sure it worked :)

> 3. EDIT my.cnf ON CLIENT & SERVER
>
> I added these values to my.cnf:
>
>     [ssl]
>     key = (LONG public key value - 394 chars - copied from server.crt)
>     cert = ca.crt
>     ca = (Organization Name answer from the Q & A session while doing the first ca.key generation)
>     capath = /usr/local/etc/mysqlssl

nono, a lot of errors here. I am pretty sleepy and can make small mistakes right now, but the mistakes I see:

section [ssl] is wrong. The MySQL server uses the [mysqld] section, the command-line client [client], but nobody reads an [ssl] section! Everything should be added under those common sections - the values key and ca are wrong. They should be ssl-key, ssl-ca and so on...

> So far, this hasn't worked ... But at least MySQL runs without errors, so I believe I've got the my.cnf variable names correct.
>
> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some clues for doing this ... In reference to C functions, it says:
>
>     'key' contains an SSL public key
>     'cert' contains the filename of a certificate
>     'ca' contains the name of the certificate authority
>     'capath' contains the directory containing the certificate

Hmm, this is not the first time O'Reilly has published a bad and misleading book about MySQL. I personally suggest avoiding them. Paul DuBois' one is a good example.

There is a file in the MySQL source tree I wrote about using SSL connections with MySQL:

    http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES

I hope they work for you. There are some pregenerated example key/certificate files included. You may try with them first to ensure that your command-line stuff works first.

> Like I said, this hasn't worked yet -- I'm still getting "SSL is not in use" when I connect via the mysql client. No errors appear in the error log.

Any more questions which I can help to solve - please ask, but keep the discussion Cc:-d to this list. Also any sponsorship offers for developing SSL around replication are welcome. I am sure someone needs it :)

Tonu