Re: can't authenticate ssl user account
Hi Reindl,

> your client configuration shows no indication for SSL, i see it in my.cnf only in the [mysqld] section and remember when you initialize replication you need to specify it there too
>
> i doubt there is anything to change the logging but since you *know* what that user requires that should really not be the problem - said from somebody using SSL for any mysql connection over TCP for years now (replication, php-applications, cli-client...)

Ok!! Thanks. But when I try to setup my client configuration to use SSL, mariadb server refuses to start. It times out:

[root@db2:~] #systemctl status mysql.service
mysql.service - LSB: start and stop MySQL
   Loaded: loaded (/etc/rc.d/init.d/mysql)
   Active: failed (Result: exit-code) since Tue 2015-07-21 18:29:24 UTC; 13s ago
  Process: 19965 ExecStop=/etc/rc.d/init.d/mysql stop (code=exited, status=0/SUCCESS)
  Process: 21973 ExecStart=/etc/rc.d/init.d/mysql start (code=exited, status=1/FAILURE)

Jul 21 18:29:23 db2 systemd[1]: Starting LSB: start and stop MySQL...
Jul 21 18:29:24 db2 mysql[21973]: Starting MySQL. ERROR!
Jul 21 18:29:24 db2 systemd[1]: mysql.service: control process exited, code=exited status=1
Jul 21 18:29:24 db2 systemd[1]: Failed to start LSB: start and stop MySQL.
Jul 21 18:29:24 db2 systemd[1]: Unit mysql.service entered failed state.

Here's my my.cnf on the client side that is causing the time out error to occur:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
symbolic-links=0
old_passwords=1
ssl
server-id=2
replicate-do-db=jfwiki

[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid
master-connect-retry=60

!includedir /etc/my.cnf.d

[client]
ssl-ca=/opt/mysql/ca-cert.pem
ssl-cert=/opt/mysql/client-cert.pem
ssl-key=/opt/mysql/client-key.pem

Any idea why that's happening or how to correct it?

Thanks,
Tim

On Tue, Jul 21, 2015 at 4:25 AM, Reindl Harald <h.rei...@thelounge.net> wrote:

> On 21.07.2015 at 05:03, Tim Dunphy wrote:
> > I see absolutely NO indication as to why the login for the 'slave2' user (that requires SSL) is failing
> >
> > So my questions are
> >
> > 1) how do I bump up the verbosity on the logs so I can get an indication as to why this is failing?
> > 2) what is the best way to troubleshoot this?
>
> your client configuration shows no indication for SSL, i see it in my.cnf only in the [mysqld] section and remember when you initialize replication you need to specify it there too
>
> i doubt there is anything to change the logging but since you *know* what that user requires that should really not be the problem - said from somebody using SSL for any mysql connection over TCP for years now (replication, php-applications, cli-client...)
>
> CHANGE MASTER TO
>   MASTER_HOST='masterip',
>   MASTER_USER='user',
>   MASTER_PASSWORD='password',
>   MASTER_PORT=3306,
>   MASTER_CONNECT_RETRY=3600,
>   MASTER_SSL=1,
>   MASTER_SSL_CA='/etc/mysqlssl/ca.crt',
>   MASTER_SSL_CERT='/etc/mysqlssl/client.pem',
>   MASTER_SSL_KEY='/etc/mysqlssl/client.pem';
> START SLAVE;

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
Re: can't authenticate ssl user account
On 21.07.2015 at 05:03, Tim Dunphy wrote:
> I see absolutely NO indication as to why the login for the 'slave2' user (that requires SSL) is failing
>
> So my questions are
>
> 1) how do I bump up the verbosity on the logs so I can get an indication as to why this is failing?
> 2) what is the best way to troubleshoot this?

your client configuration shows no indication for SSL, i see it in my.cnf only in the [mysqld] section and remember when you initialize replication you need to specify it there too

i doubt there is anything to change the logging but since you *know* what that user requires that should really not be the problem - said from somebody using SSL for any mysql connection over TCP for years now (replication, php-applications, cli-client...)

CHANGE MASTER TO
  MASTER_HOST='masterip',
  MASTER_USER='user',
  MASTER_PASSWORD='password',
  MASTER_PORT=3306,
  MASTER_CONNECT_RETRY=3600,
  MASTER_SSL=1,
  MASTER_SSL_CA='/etc/mysqlssl/ca.crt',
  MASTER_SSL_CERT='/etc/mysqlssl/client.pem',
  MASTER_SSL_KEY='/etc/mysqlssl/client.pem';
START SLAVE;
can't authenticate ssl user account
Hey all,

I need to setup replication via SSL. 2 nodes master/master for H/A. Then 2 slave nodes for backup. Node 3 will slave off of node 1, and node 4 will slave off of node 2 for redundant backups. Nodes 3 & 4 will store backups to a directory mapped to S3 via S3FS. All nodes are physical. We're using mariadb-5.5.41 server on CentOS 7 hosts.

It's a neat plan! However I am unable to get authentication to work with ssl required of the user.

We already have a CA certificate and key established in the environment. And we used those to generate the cert and key to be used with mariadb.

This is the process we used to generate the cert/key:

openssl genrsa -des3 -out db1.example.com.key 4096
openssl req -new -key db1.example.com.key -out db1.example.com.csr
openssl x509 -req -days 3650 -in db1.example.com.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out db1.example.com.crt

Using those keys I put together this my.cnf file. Haven't gotten around to configuring replication yet, as I have yet to get ssl logins to work.

[root@db1:~] #cat /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Settings user and group are ignored when systemd is used.
# If you need to run mysqld under a different user or group,
# customize your systemd unit file for mariadb according to the
# instructions in http://fedoraproject.org/wiki/Systemd
ssl
ssl-ca=/opt/mysql/ca.crt
ssl-cert=/opt/mysql/db1.example.com.crt
ssl-key=/opt/mysql/db1.example.com.key

[mysqld_safe]
general_log_file=/var/log/mariadb/mariadb.log
general_log=1
log-error=/var/log/mariadb/mariadb_error.log
pid-file=/var/run/mariadb/mariadb.pid
log_slow_queries=/var/log/mysql/mysql-slow.log
long_query_time=2
log-queries-not-using-indexes

#
# include all files from the config directory
#
!includedir /etc/my.cnf.d

Made sure mariadb could read the cert files:

[root@db1:~] #ls -ld /opt/mysql/ /opt/mysql/*
drwx------. 2 mysql mysql   86 Jul 20 06:20 /opt/mysql/
-r--------. 1 mysql mysql 2212 Jul 20 05:14 /opt/mysql/ca.crt
-r--------. 1 mysql mysql 1956 Jul 20 05:17 /opt/mysql/db1.example.com.crt
-r--------. 1 mysql mysql 3247 Jul 20 05:15 /opt/mysql/db1.example.com.key

And restarted mariadb.

And if I take a look at my SSL variables in my mysql command line, everything is looking good.

MariaDB [mysql]> show variables like '%ssl%';
+---------------+--------------------------------+
| Variable_name | Value                          |
+---------------+--------------------------------+
| have_openssl  | YES                            |
| have_ssl      | YES                            |
| ssl_ca        | /opt/mysql/ca.crt              |
| ssl_capath    |                                |
| ssl_cert      | /opt/mysql/db1.example.com.crt |
| ssl_cipher    |                                |
| ssl_key       | /opt/mysql/db1.example.com.key |
+---------------+--------------------------------+
7 rows in set (0.00 sec)

If I create one replication user without SSL required, he is able to log in from node 2 to node 1 no problem:

MariaDB [mysql]> grant replication slave on *.* to 'slave1'@'db2.example.com' identified by 'secret';
Query OK, 0 rows affected (0.00 sec)

[root@db2:~] #mysql -uslave1 -p -h db1.example.com
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 5.5.41-MariaDB MariaDB Server

Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

If I show grants on this user I can confirm that SSL is not required

MariaDB [mysql]> show grants for 'slave1'@'db2.example.com';
+-------------------------------------------------------------------------------------------------------------+
| Grants for sla...@db2.example.com                                                                           |
+-------------------------------------------------------------------------------------------------------------+
| GRANT REPLICATION SLAVE ON *.* TO 'slave1'@'db2.example.com' IDENTIFIED BY PASSWORD '*somelongpasswordhash' |
+-------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

If I create the second slave user with the SSL requirement, and even flush privileges, I can not log into node 1 from node 2

MariaDB [mysql]> grant replication slave on *.* to 'slave2'@'db2.example.com' identified by 'test' require ssl;
Query OK, 0 rows affected
MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256
I have compiled MySQL with openssl, I am able to connect to MySQL over SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers connection fails with error.

===
MySQL server version :- 5.6.23-log Source distribution
Custom OpenSSL version :- OpenSSL 1.0.1j 15 Oct 2014
Java version :- 1.8.0_40
===

Error thrown with TLS1.2 cipher connect :-

mysql -umysql --ssl-cipher=DHE-RSA-AES256-SHA256 -T -v
ERROR 2026 (HY000): SSL connection error: error:0001:lib(0):func(0):reason(1)
User time 0.00, System time 0.00
Maximum resident set size 2664, Integral resident set size 0
Non-physical pagefaults 777, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 2, Involuntary context switches 5

===
Snippet of my.cnf :-

[client]
default-character-set=utf8
ssl=ON
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/client-cert.pem
ssl-key=/home/mysql-cert/client-key.pem

[mysql]
default-character-set=utf8

[mysqld]
general_log=1
ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/server-cert.pem
ssl-key=/home/mysql-cert/server-key.pem
===

MySQL prompt snippet with TLS1.0 cipher connected :-

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using  EditLine wrapper

Connection id:          6
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.23-log Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 1 hour 32 min 40 sec

Threads: 1  Questions: 11  Slow queries: 0  Opens: 67  Flush tables: 1  Open tables: 60  Queries per second avg: 0.001
--------------

mysql> SHOW STATUS LIKE 'ssl%';
+--------------------------------+--------------------------+
| Variable_name                  | Value                    |
+--------------------------------+--------------------------+
| Ssl_accept_renegotiates        | 0                        |
| Ssl_accepts                    | 6                        |
| Ssl_callback_cache_hits        | 0                        |
| Ssl_cipher                     | AES256-SHA               |
| Ssl_cipher_list                | AES256-SHA               |
| Ssl_client_connects            | 0                        |
| Ssl_connect_renegotiates       | 0                        |
| Ssl_ctx_verify_depth           | 18446744073709551615     |
| Ssl_ctx_verify_mode            | 5                        |
| Ssl_default_timeout            | 7200                     |
| Ssl_finished_accepts           | 3                        |
| Ssl_finished_connects          | 0                        |
| Ssl_server_not_after           | Jan 23 10:29:20 2025 GMT |
| Ssl_server_not_before          | Mar 17 10:29:20 2015 GMT |
| Ssl_session_cache_hits         | 0                        |
| Ssl_session_cache_misses       | 0                        |
| Ssl_session_cache_mode         | SERVER                   |
| Ssl_session_cache_overflows    | 0                        |
| Ssl_session_cache_size         | 128                      |
| Ssl_session_cache_timeouts     | 0                        |
| Ssl_sessions_reused            | 0                        |
| Ssl_used_session_cache_entries | 0                        |
| Ssl_verify_depth               | 18446744073709551615     |
| Ssl_verify_mode                | 5                        |
| Ssl_version                    | TLSv1                    |
+--------------------------------+--------------------------+
25 rows in set (0.00 sec)

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /home/mysql-cert/ca.pem          |
| ssl_capath    |                                  |
| ssl_cert      | /home/mysql-cert/server-cert.pem |
| ssl_cipher    | AES256-SHA                       |
| ssl_crl       |                                  |
| ssl_crlpath   |                                  |
| ssl_key       | /home/mysql-cert/server-key.pem  |
+---------------+----------------------------------+
9 rows in set (0.00 sec)

mysql>

===
MySQL compiled as :-

cmake . -DCMAKE_PREFIX_PATH=/opt/scr-openssl/ssl/ -DWITH_SSL=/opt/scr-openssl/ssl/ -DWITH_OPENSSL=/opt/scr-openssl/ssl/bin/ -DWITH_OPENSSL_INCLUDES=/opt/scr-openssl/ssl/include/ -DWITH_OPENSSL_LIBS=/opt/scr-openssl/ssl/lib/ -DENABLE_DOWNLOADS
Re: MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256
On 17.03.2015 at 13:21, Bhushan Rane wrote:
> I have compiled MySQL with openssl, I am able to connect to MySQL over SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers connection fails with error

MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA (AES256 is supported but not more secure than AES128)

* no ECDHE
* no AES-GCM
* no SHA256

no idea how they manage that because openssl has support
___

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256

are not supported and don't make much sense anyways
___

the currently best ciphersuite would be the following because AES-GCM is hardware optimized on recent machines (Intel AES) and GCM is *always* better than a stupid CBC cipher

ECDHE-RSA-AES128-GCM-SHA256
Re: MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256
On 17.03.2015 at 14:25, Bhushan Rane wrote:
> Thanks for instant reply. As suggested I tried with ECDHE-RSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-SHA but no luck.
> Created new certs for EC - configured my.cnf with new certs

you *did not* really read my reply

MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA (AES256 is supported but not more secure than AES128)

* no ECDHE
* no AES-GCM
* no SHA256

> Below are commands used for cert creation :-
>
> /opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_root.key -name secp384r1 -genkey
> echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nCAServer\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -x509 -days 365 -key ecc_ecdsa_root.key -out ecc_ecdsa_root.pem
>
> /opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_ca.key -name secp384r1 -genkey
> echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLServer\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_ca.key -out ecc_ecdsa_ca.csr
> /opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_1.ext -days 365 -in ecc_ecdsa_ca.csr -CA ecc_ecdsa_root.pem -CAkey ecc_ecdsa_root.key -out ecc_ecdsa_ca.pem -CAcreateserial
>
> /opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_client.key -name secp384r1 -genkey
> echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLClient\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_client.key -out ecc_ecdsa_client.csr
> /opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_2.ext -days 365 -in ecc_ecdsa_client.csr -CA ecc_ecdsa_ca.pem -CAkey ecc_ecdsa_ca.key -out ecc_ecdsa_client.pem -CAcreateserial
>
> mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 -T -v
> Enter password:
> ERROR 2026 (HY000): SSL connection error: error:0001:lib(0):func(0):reason(1)
> User time 0.00, System time 0.00
> Maximum resident set size 2728, Integral resident set size 0
> Non-physical pagefaults 793, Physical pagefaults 0, Swaps 0
> Blocks in 0 out 0, Messages in 0 out 0, Signals 0
> Voluntary context switches 3, Involuntary context switches 3
>
> mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-SHA -T -v
> Enter password:
> ERROR 2026 (HY000): SSL connection error: error:0001:lib(0):func(0):reason(1)
> User time 0.00, System time 0.00
> Maximum resident set size 2748, Integral resident set size 0
> Non-physical pagefaults 798, Physical pagefaults 0, Swaps 0
> Blocks in 0 out 0, Messages in 0 out 0, Signals 0
> Voluntary context switches 4, Involuntary context switches 5
>
> Also, check openssl - used openssl supports EC ciphers listed above.
>
> On 17.03.2015 at 13:21, Bhushan Rane wrote:
> > I have compiled MySQL with openssl, I am able to connect to MySQL over SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers connection fails with error
>
> MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA (AES256 is supported but not more secure than AES128)
>
> * no ECDHE
> * no AES-GCM
> * no SHA256
>
> no idea how they manage that because openssl has support
> ___
>
> ssl-cipher=DHE-RSA-AES256-SHA256
> ssl-cipher=AES256-SHA256
>
> are not supported and don't make much sense anyways
> ___
>
> the currently best ciphersuite would be the following because AES-GCM is hardware optimized on recent machines (Intel AES) and GCM is *always* better than a stupid CBC cipher
>
> ECDHE-RSA-AES128-GCM-SHA256
Re: Failed to setup SSL
On 25.11.2012 00:30, Jackie Zhang wrote:
> Hello everyone,
>
> I want to setup SSL for mysql server. I followed the manual on
> http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
>
> I first generated the certificates and key files by strictly following the following link,
> http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> with everything verified:
>
> shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
> server-cert.pem: OK
> client-cert.pem: OK
>
> But, when I start my server using
>
> bin/mysqld --ssl-ca=./newcerts/ca-cert.pem \
>   --ssl-cert=./newcerts/server-cert.pem \
>   --ssl-key=./newcerts/server-key.pem
>
> The server started with the following error message:
>
> 121124 14:41:27 [Warning] Failed to setup SSL
> 121124 14:41:27 [Warning] SSL error: Failed to set ciphers to use
>
> Did I miss something? I tried to add --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA and --ssl, but it didn't help.
>
> Please give me some clue...

i used the script below to generate ca.crt, client.pem, server.pem
this setup works since years for replication as also php-scripts

[root@buildserver:~]$ cat /buildserver/ssl-cert/mysql/generate.sh
#!/bin/bash

DIR=/buildserver/ssl-cert/mysql

rm -rf $DIR/cert/
rm -rf $DIR/db/
mkdir $DIR/cert/
mkdir $DIR/db/
touch $DIR/db/index.txt
echo 01 > $DIR/db/serial

rm -f $DIR/ca.key
rm -f $DIR/cert/ca.crt

openssl req -new -x509 -days 3650 -keyout $DIR/ca.key -out $DIR/cert/ca.crt -config $DIR/openssl.cnf

openssl req -new -keyout $DIR/cert/server.key -out $DIR/cert/server.csr -days 3650 -config $DIR/openssl.cnf
openssl rsa -in $DIR/cert/server.key -out $DIR/cert/server.key
openssl ca -policy policy_anything -out $DIR/cert/server.crt -days 3650 -config $DIR/openssl.cnf -infiles $DIR/cert/server.csr

openssl req -new -keyout $DIR/cert/client.key -out $DIR/cert/client.csr -days 3650 -config $DIR/openssl.cnf
openssl rsa -in $DIR/cert/client.key -out $DIR/cert/client.key
openssl ca -policy policy_anything -out $DIR/cert/client.crt -days 3650 -config $DIR/openssl.cnf -infiles $DIR/cert/client.csr

rm -f $DIR/cert/server.csr
rm -f $DIR/cert/client.csr
rm -f $DIR/cert/01.pem
rm -f $DIR/cert/02.pem

cat $DIR/cert/server.crt $DIR/cert/server.key > $DIR/cert/server.pem
rm -f $DIR/cert/server.crt
rm -f $DIR/cert/server.key

cat $DIR/cert/client.crt $DIR/cert/client.key > $DIR/cert/client.pem
rm -f $DIR/cert/client.crt
rm -f $DIR/cert/client.key

chmod 644 $DIR/cert/*

rm -f /etc/mysql-ssl/*
cp $DIR/cert/* /etc/mysql-ssl/
chmod 755 /etc/mysql-ssl/
chmod 644 /etc/mysql-ssl/*
Re: Failed to setup SSL
Dear Reindl,

Thanks a lot for the reply! I tried your scripts (the only difference is the openssl.cnf because I don't have it)

Unfortunately, I still failed to start the server with the same message:

121124 17:00:06 [Warning] Failed to setup SSL
121124 17:00:06 [Warning] SSL error: Failed to set ciphers to use

Do you have any idea from the log message?

Best regards,
Jackie

On Sat, Nov 24, 2012 at 4:02 PM, Reindl Harald <h.rei...@thelounge.net> wrote:

> On 25.11.2012 00:30, Jackie Zhang wrote:
> > Hello everyone,
> >
> > I want to setup SSL for mysql server. I followed the manual on
> > http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
> >
> > I first generated the certificates and key files by strictly following the following link,
> > http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> > with everything verified:
> >
> > shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
> > server-cert.pem: OK
> > client-cert.pem: OK
> >
> > But, when I start my server using
> >
> > bin/mysqld --ssl-ca=./newcerts/ca-cert.pem \
> >   --ssl-cert=./newcerts/server-cert.pem \
> >   --ssl-key=./newcerts/server-key.pem
> >
> > The server started with the following error message:
> >
> > 121124 14:41:27 [Warning] Failed to setup SSL
> > 121124 14:41:27 [Warning] SSL error: Failed to set ciphers to use
> >
> > Did I miss something? I tried to add --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA and --ssl, but it didn't help.
> >
> > Please give me some clue...
Re: Failed to setup SSL
I had noticed that the paths to your certificates were expressed as relative paths. I think at least part of Reindl's recommendation was to express fully qualified paths to your certs and to examine the permissions on those files carefully. SSL is very particular about rejecting security files which have too-permissive permissions.. also, consider tailing /var/log/secure

On 2012-11-24 8:05 PM, Jackie Zhang <jackie.qq.zh...@gmail.com> wrote:

> Dear Reindl,
>
> Thanks a lot for the reply! I tried your scripts (the only difference is the openssl.cnf because I don't have it)
>
> Unfortunately, I still failed to start the server with the same message:
>
> 121124 17:00:06 [Warning] Failed to setup SSL
> 121124 17:00:06 [Warning] SSL error: Failed to set ciphers to use
>
> Do you have any idea from the log message?
>
> Best regards,
> Jackie
>
> On Sat, Nov 24, 2012 at 4:02 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> > On 25.11.2012 00:30, Jackie Zhang wrote:
> > > Hello everyone,
> > > I want to setup SSL fo...
Re: Failed to setup SSL
Thanks, Michael.

I used the absolute paths but it still does not work. I think the problem is not because of the relative path because the example showed in the manual also uses relative path (see below):

shell> mysqld --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem

For the permission, I used exactly the same as Reindl's (I used his scripts).

Since the error messages are still the same, I guess there should be something else wrong?

Best regards,
Jackie

On Sat, Nov 24, 2012 at 5:15 PM, Michael Dykman <mdyk...@gmail.com> wrote:

> I had noticed that the paths to your certificates were expressed as relative paths. I think at least part of Reindl's recommendation was to express fully qualified paths to your certs and to examine the permissions on those files carefully. SSL is very particular about rejecting security files which have too-permissive permissions.. also, consider tailing /var/log/secure
>
> On 2012-11-24 8:05 PM, Jackie Zhang <jackie.qq.zh...@gmail.com> wrote:
> > Dear Reindl,
> >
> > Thanks a lot for the reply! I tried your scripts (the only difference is the openssl.cnf because I don't have it)
> >
> > Unfortunately, I still failed to start the server with the same message:
> >
> > 121124 17:00:06 [Warning] Failed to setup SSL
> > 121124 17:00:06 [Warning] SSL error: Failed to set ciphers to use
> >
> > Do you have any idea from the log message?
> >
> > Best regards,
> > Jackie
> >
> > On Sat, Nov 24, 2012 at 4:02 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> > > On 25.11.2012 00:30, Jackie Zhang wrote:
> > > > Hello everyone,
> > > > I want to setup SSL fo...
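The three threads above show the same class of mistake from different angles: TLS options present only in [mysqld] with nothing in [client] (first thread), an option such as ssl-cipher repeated so that only the last value applies (second thread), relative certificate paths and permissions (this thread), and the generate.sh script that leaves a combined client.pem holding the private key at mode 644. The following static check is an added example written for this page, not code from any of the posters or from MySQL/MariaDB; the sample option file is constructed, and the mode_of parameter of the permission check is injectable only so it can be exercised without real files.

```python
"""Static lint of the TLS settings in a MySQL/MariaDB option file (my.cnf)."""
import os
import re
import stat

TLS_FILE_KEYS = ("ssl-ca", "ssl-cert", "ssl-key")

# Constructed sample modelled on the option files posted in the threads above.
SAMPLE_MYCNF = """\
[mysqld]
datadir=/var/lib/mysql
ssl
ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl_ca=newcerts/ca-cert.pem
ssl-cert=/etc/mysql-ssl/server.pem
ssl-key=/etc/mysql-ssl/server.pem

!includedir /etc/my.cnf.d

[client]
default-character-set=utf8
"""


def parse_mycnf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order.

    Bare flags such as 'ssl' get value None; '!include' directives are stored
    under the pseudo-section '!directives'. MySQL treats '_' and '-' in option
    names as equivalent, so keys are normalised to the dashed form.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("!"):
            sections.setdefault("!directives", []).append((line, None))
            continue
        header = re.match(r"\[([^\]]+)\]\s*$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                      # option before any [section] header
        key, sep, value = line.partition("=")
        key = key.strip().replace("_", "-").lower()
        sections[current].append((key, value.strip() if sep else None))
    return sections


def lint_tls(sections):
    """Return human-readable findings about the TLS configuration."""
    findings = []
    for section in ("mysqld", "client"):
        opts = sections.get(section, [])
        keys = [k for k, _ in opts]
        effective = dict(opts)            # later occurrences overwrite earlier ones
        for key in sorted(set(keys)):
            if keys.count(key) > 1:
                findings.append("[%s] %s given %d times; only the last value (%s) "
                                "takes effect" % (section, key, keys.count(key), effective[key]))
        wants_tls = "ssl" in keys or any(k in effective for k in TLS_FILE_KEYS)
        if section == "mysqld" and wants_tls:
            missing = [k for k in TLS_FILE_KEYS if k not in effective]
            if missing:
                findings.append("[mysqld] TLS enabled but %s not set" % ", ".join(missing))
        for key in TLS_FILE_KEYS:
            path = effective.get(key)
            if path and not os.path.isabs(path):
                findings.append("[%s] %s=%s is a relative path, resolved against the "
                                "daemon's working directory; use an absolute path"
                                % (section, key, path))
    client_keys = [k for k, _ in sections.get("client", [])]
    if "mysqld" in sections and not any(k == "ssl" or k in TLS_FILE_KEYS for k in client_keys):
        findings.append("[client] has no ssl option or ssl-* files; a 5.5-era client then "
                        "connects in plaintext and a REQUIRE SSL account is refused")
    return findings


def key_permission_findings(paths, mode_of=lambda p: os.stat(p).st_mode):
    """Flag private-key files readable by group or others (e.g. the chmod 644
    combined .pem files). mode_of is injectable so the check can be tested
    without real files."""
    findings = []
    for path in paths:
        mode = stat.S_IMODE(mode_of(path))
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s is mode %04o; a private key should be 0400 and owned by "
                            "the mysqld user" % (path, mode))
    return findings


if __name__ == "__main__":
    for finding in lint_tls(parse_mycnf(SAMPLE_MYCNF)):
        print(finding)
```

Run it against /etc/my.cnf with parse_mycnf(open(path).read()) and pass the ssl-key paths it reports to key_permission_findings to cover the ownership side of Michael's remark.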
Re: Problems Connecting with SSL
Hi Tim, all!

Sorry, but I have to start with a negative remark: Why, oh why, don't you mention the version number you are using? I hope it is some roughly current 5.1, but I'd rather like you to tell it.

Tim Gustafson wrote:
> I have three mySQL server, all of which are SSL-enable and all of which are generally accessible from remote clients over SSL. However, one of my FreeBSD mySQL clients is having problems connecting to any of the servers. Running mySQL under truss reports the following:

Looking at this output tells something went terribly wrong: file descriptor 2 is mishandled.

> --
> clock_gettime(13,{1298593067.0 }) = 0 (0x0)
> open(/dev/urandom,O_RDONLY,00) = 4 (0x4)
> read(4,\a\^V\M-)\^C\M-L{`\M^O\M^@\M-v...,32) = 32 (0x20)
> sendto(2,\^V\^C\^A\0Y\^A\0\0U\^C\^A\M-m...,94,0x0,NULL,0x0) = 94 (0x5e)
> recvfrom(2,\^V,1,0x2,NULL,0x0) = 1 (0x1)
> ioctl(2,FIONREAD,0xd784) = 0 (0x0)
> recvfrom(2,\^V\^C\^A\0J\^B\0\0F\^C\^AMf\M-u...,1819,0x0,NULL,0x0) = 1819 (0x71b)

In the above lines, socket calls 'sendto()' and 'recvfrom()' are applied to FD 2. Whatever the transmitted data may be, this should not be done: FD 2 is standard error, so it is a file and no socket, and receiving from it doesn't make any sense at all.

As the problem happens only for one of your combinations, I suspect that for some unknown reason FD 2 was closed in that run, and then this number got returned when a socket was to be created. Again, this should not happen: The only reason to close FD 2 should be to re-open standard error to some other destination, which is unlikely for the client to do.

> [[...]]
> shutdown(2,SHUT_RDWR) = 0 (0x0)
> close(2) = 0 (0x0)

So FD 2 is closed now.

> fstat(1,{ mode=crw--w ,inode=113,size=0,blksize=4096 }) = 0 (0x0)
> ioctl(1,TIOCGETA,0xe390) = 0 (0x0)
> write(2,ERROR 2026 (HY000): ,20) ERR#9 'Bad file descriptor'
> write(2,SSL connection error,20) ERR#9 'Bad file descriptor'
> write(2,\n,1) ERR#9 'Bad file descriptor'

... but with a closed FD 2 there is no chance to output an error message.
(The operations on FD 1 also look suspicious to me.)

> write(1,\a,1) = 1 (0x1)
> close(4) = 0 (0x0)
> process exit, rval = 1
> --
>
> Can anyone tell me, based on the truss output above, what might be going wrong? I'm using the exact same command line options and ssl-ca file that I am using on other clients, which can connect successfully.

I can't really tell what happened. It might be that file descriptor 2 (and probably also 1) were closed without good reason, and then creating a socket (or opening some file) returned these descriptors.

You might check the preceding truss output for a close(2), IMO that would likely be an error - but I have no idea why it happened.

> (As an aside: feature request: better SSL connection debugging, please!)

I assume your SSL problems might just be a consequence of inappropriate actions on FDs 1 and 2. Did you do any redirection, are you running into disk full, or is there any similar risk on your stdout and stderr?

HTH,
Jörg

--
Joerg Bruehe, MySQL Build Team, joerg.bru...@oracle.com
ORACLE Deutschland B.V. & Co. KG, Komturstrasse 18a, D-12099 Berlin
Geschaeftsfuehrer: Juergen Kunz, Marcel v.d. Molen, Alexander v.d. Ven
Amtsgericht Muenchen: HRA 95603

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org
Re: Problems Connecting with SSL
> Sorry, but I have to start with a negative remark: Why, oh why, don't you mention the version number you are using? I hope it is some roughly current 5.1, but I'd rather like you to tell it.

Doh! Right you are! Sorry, that was totally my bad.

mysql> select version();
+------------+
| version()  |
+------------+
| 5.1.51-log |
+------------+

The server and the client are both running FreeBSD as follows:

FreeBSD 8.1-RELEASE-p2

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
Re: Problems Connecting with SSL
> Interesting that you can request advice from finland vs calling from redwood shores CA for technical advice
>
> first take a look at:
> http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html
>
> once you've determined the algorithm you will want to implement take a look at SSL 1,2,3 and TLS 1.0,1.1,1.2 and determine which protocol works best for you
> http://en.wikipedia.org/wiki/Transport_Layer_Security
>
> feel free to ping me offline for implementation details

In my original post, I stated that I had SSL connections up and running on all but this one client. I'm intimately familiar with the inner workings of SSL and TLS, and I'm positive that the servers are configured correctly, and that in general my clients are all able to connect using SSL. It's just this one client that is failing, and absent any useful debugging information, I'm having a hard time understanding why.

As to why I didn't call Redwood Shores: I didn't realize that Oracle was in the business of giving out free tech support. I just e-mailed the mySQL general support list, which is usually what I do when I need help from an Open Source software group. :)

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
Re: Problems Connecting with SSL
> perhaps a misconfiguration on the failing client .. can you go to successful client, enable DEBUG level debugging and log the connection and then go to the failing client..enable DEBUG level debugging and log the connection to the failing client
>
> this would determine deltas between the failing and successful connections and you compare each log side-by-side to ascertain the point of failure.
>
> joerg ..any thoughts on this matter??

Well that's exactly my question: how does one enable debugging of this kind of connection on the mySQL client? I get no more information when I use --verbose --verbose --verbose than when I don't.

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
Re: Problems Connecting with SSL
Hi!

Martin Gainty wrote:
> [[...]]
> joerg ..any thoughts on this matter??

Sorry - none. I never dealt with the inner workings of the SSL library.

Just seeing file descriptor 2 (standard error) used for socket operations makes me assume *very* strongly that something went wrong well before that part: For some (until now: unknown) reason standard error must have been closed, so that FD 2 became available for the socket creation, and in a MYSQL client application I don't see any reason to ever close standard error.

I propose Tim should check the full truss output for some preceding close(2). Hopefully, the surroundings of that call will give a hint what went wrong. (I hope it was caused by some write error, disk full, permission problem, ... which Tim can fix. I of course agree such an error should not make the program do a close(2), but it might happen nonetheless.)

That's all I can say here.

Regards,
Jörg

--
Joerg Bruehe, MySQL Build Team, joerg.bru...@oracle.com
ORACLE Deutschland B.V. & Co. KG, Komturstrasse 18a, D-12099 Berlin
Geschaeftsfuehrer: Juergen Kunz, Marcel v.d. Molen, Alexander v.d. Ven
Amtsgericht Muenchen: HRA 95603
Problems Connecting with SSL
I have three mySQL server, all of which are SSL-enable and all of which are generally accessible from remote clients over SSL. However, one of my FreeBSD mySQL clients is having problems connecting to any of the servers. Running mySQL under truss reports the following:

--
clock_gettime(13,{1298593067.0 }) = 0 (0x0)
open(/dev/urandom,O_RDONLY,00) = 4 (0x4)
read(4,\a\^V\M-)\^C\M-L{`\M^O\M^@\M-v...,32) = 32 (0x20)
sendto(2,\^V\^C\^A\0Y\^A\0\0U\^C\^A\M-m...,94,0x0,NULL,0x0) = 94 (0x5e)
recvfrom(2,\^V,1,0x2,NULL,0x0) = 1 (0x1)
ioctl(2,FIONREAD,0xd784) = 0 (0x0)
recvfrom(2,\^V\^C\^A\0J\^B\0\0F\^C\^AMf\M-u...,1819,0x0,NULL,0x0) = 1819 (0x71b)
clock_gettime(13,{1298593067.0 }) = 0 (0x0)
clock_gettime(13,{1298593067.0 }) = 0 (0x0)
gettimeofday({1298593067.844592 },0x0) = 0 (0x0)
sendto(2,\^V\^C\^A\0F\^P\0\0B\0@\M-B\M^Y...,134,0x0,NULL,0x0) = 134 (0x86)
recvfrom(2,\^U,1,0x2,NULL,0x0) = 1 (0x1)
ioctl(2,FIONREAD,0xd784) = 0 (0x0)
recvfrom(2,\^U\^C\^A\0\^B\^B\n\^V\0\0\^B...,33,0x0,NULL,0x0) = 33 (0x21)
close(3) = 0 (0x0)
shutdown(2,SHUT_RDWR) = 0 (0x0)
close(2) = 0 (0x0)
fstat(1,{ mode=crw--w ,inode=113,size=0,blksize=4096 }) = 0 (0x0)
ioctl(1,TIOCGETA,0xe390) = 0 (0x0)
write(2,ERROR 2026 (HY000): ,20) ERR#9 'Bad file descriptor'
write(2,SSL connection error,20) ERR#9 'Bad file descriptor'
write(2,\n,1) ERR#9 'Bad file descriptor'
write(1,\a,1) = 1 (0x1)
close(4) = 0 (0x0)
process exit, rval = 1
--

Can anyone tell me, based on the truss output above, what might be going wrong? I'm using the exact same command line options and ssl-ca file that I am using on other clients, which can connect successfully.

(As an aside: feature request: better SSL connection debugging, please!)

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
t...@soe.ucsc.edu
831-459-5354
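Jörg's reading of the truss output rests on a POSIX rule: open() and socket() hand out the lowest unused descriptor, so once standard error has been closed the next socket the client creates is number 2, and every later write to stderr fails with EBADF exactly as the trace shows. The block below is an added illustration written for this page, not code from the thread or from the MySQL client; it reproduces the descriptor reuse in-process and shows the usual hardening, reopening any closed standard descriptor on /dev/null before sockets are created. The function names are this example's own.

```python
"""Closed-stderr descriptor reuse, and the hardening that prevents it."""
import errno
import os
import socket


def fd_is_open(fd):
    """True if fd refers to an open file description."""
    try:
        os.fstat(fd)
        return True
    except OSError as exc:
        if exc.errno == errno.EBADF:
            return False
        raise


def ensure_std_fds():
    """Reopen any closed descriptor among 0, 1, 2 on /dev/null; return those repaired.

    Because open() returns the lowest free descriptor, this has to run before
    any socket or data file is opened, or the closed slot is silently reused.
    """
    repaired = []
    for fd in (0, 1, 2):
        if fd_is_open(fd):
            continue
        got = os.open(os.devnull, os.O_RDONLY if fd == 0 else os.O_WRONLY)
        if got != fd:                  # only possible when a lower fd is also closed
            os.dup2(got, fd)
            os.close(got)
        repaired.append(fd)
    return repaired


def socket_fd_with_stderr_closed(harden):
    """Close fd 2 (keeping a private copy), create a socket, report the fd it got.

    harden=True runs ensure_std_fds() between the close and socket(), the order
    a client should use. The real stderr is restored before returning.
    """
    ensure_std_fds()                   # make sure 0 and 1 are open, so 2 is the lowest free slot
    saved = os.dup(2)
    os.close(2)
    try:
        repaired = ensure_std_fds() if harden else []
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        fd = sock.fileno()
        sock.close()                   # release the descriptor before restoring stderr
        return fd, repaired
    finally:
        os.dup2(saved, 2)              # dup2 closes whatever currently occupies fd 2
        os.close(saved)


if __name__ == "__main__":
    print("unhardened: socket was assigned fd", socket_fd_with_stderr_closed(False)[0])
    print("hardened:   socket was assigned fd", socket_fd_with_stderr_closed(True)[0])
```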
Slave using SSL?
Hey can anyone tell me if my slave is utilizing SSL? I am unsure why the Master SSL Cipher is not listed under show slave status. Here's some info:

mysql> show slave status\G
*** 1. row ***
    Slave_IO_State: Waiting for master to send event
    Master_Host: host
    Master_User: rep
    Master_Port: 3306
    Connect_Retry: 60
    Master_Log_File: mysql-bin.38
    Read_Master_Log_Pos: 74709312
    Relay_Log_File: slave-relay.000577
    Relay_Log_Pos: 8579562
    Relay_Master_Log_File: mysql-bin.38
    Slave_IO_Running: Yes
    Slave_SQL_Running: Yes
    Replicate_Do_DB: crm
    Replicate_Ignore_DB:
    Replicate_Do_Table:
    Replicate_Ignore_Table:
    Replicate_Wild_Do_Table:
    Replicate_Wild_Ignore_Table:
    Last_Errno: 0
    Last_Error:
    Skip_Counter: 0
    Exec_Master_Log_Pos: 74709312
    Relay_Log_Space: 8579562
    Until_Condition: None
    Until_Log_File:
    Until_Log_Pos: 0
    Master_SSL_Allowed: Yes
    Master_SSL_CA_File: /etc/mysql/ssl/ca-cert.pem
    Master_SSL_CA_Path: /etc/mysql/ssl/
    Master_SSL_Cert: /etc/mysql/ssl/client-cert.pem
    Master_SSL_Cipher:
    Master_SSL_Key: /etc/mysql/ssl/client-key.pem
    Seconds_Behind_Master: 0
1 row in set (0.00 sec)

mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.01 sec)

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.00 sec)

Thank you,
Paul
Re: Slave using SSL?
To me it really looks like you are SSL replicating. In my experience if you are replicating in SSL either it works or not. I don't remember what should be there at Master SSL Cipher, but I remember I had clear problems when SSL replication was not working.

Claudio

2010/11/10 Paul Nowosielski paulnowosiel...@yahoo.com
> Hey can anyone tell me if my slave is utilizing SSL? I am unsure why the Master SSL Cipher is not listed under show slave status. Here's some info:
>
> mysql> show slave status\G
> *** 1. row ***
>     Slave_IO_State: Waiting for master to send event
>     Master_Host: host
>     Master_User: rep
>     Master_Port: 3306
>     Connect_Retry: 60
>     Master_Log_File: mysql-bin.38
>     Read_Master_Log_Pos: 74709312
>     Relay_Log_File: slave-relay.000577
>     Relay_Log_Pos: 8579562
>     Relay_Master_Log_File: mysql-bin.38
>     Slave_IO_Running: Yes
>     Slave_SQL_Running: Yes
>     Replicate_Do_DB: crm
>     Replicate_Ignore_DB:
>     Replicate_Do_Table:
>     Replicate_Ignore_Table:
>     Replicate_Wild_Do_Table:
>     Replicate_Wild_Ignore_Table:
>     Last_Errno: 0
>     Last_Error:
>     Skip_Counter: 0
>     Exec_Master_Log_Pos: 74709312
>     Relay_Log_Space: 8579562
>     Until_Condition: None
>     Until_Log_File:
>     Until_Log_Pos: 0
>     Master_SSL_Allowed: Yes
>     Master_SSL_CA_File: /etc/mysql/ssl/ca-cert.pem
>     Master_SSL_CA_Path: /etc/mysql/ssl/
>     Master_SSL_Cert: /etc/mysql/ssl/client-cert.pem
>     Master_SSL_Cipher:
>     Master_SSL_Key: /etc/mysql/ssl/client-key.pem
>     Seconds_Behind_Master: 0
> 1 row in set (0.00 sec)
>
> mysql> SHOW VARIABLES LIKE 'have_ssl';
> +---------------+-------+
> | Variable_name | Value |
> +---------------+-------+
> | have_ssl      | YES   |
> +---------------+-------+
> 1 row in set (0.01 sec)
>
> mysql> SHOW STATUS LIKE 'Ssl_cipher';
> +---------------+--------------------+
> | Variable_name | Value              |
> +---------------+--------------------+
> | Ssl_cipher    | DHE-RSA-AES256-SHA |
> +---------------+--------------------+
> 1 row in set (0.00 sec)
>
> Thank you,
> Paul

--
Claudio
MySQL replication SSL
Dear All,

I'm trying to get SSL connections for all mysql slaves and masters. I have one box that will not use SSL for some reason. When I start this slave it can not connect because it's not using SSL.

show slave status\G
*** 1. row ***
    Slave_IO_State: Connecting to master
    Master_Host: myhost
    Master_User: rep_user
    Master_Port: 3306
    Connect_Retry: 60
    Master_Log_File: mysql-bin.95
    Read_Master_Log_Pos: 1095
    Relay_Log_File: slave-relay.04
    Relay_Log_Pos: 98
    Relay_Master_Log_File: mysql-bin.95
    Slave_IO_Running: No
    Slave_SQL_Running: Yes
    Replicate_Do_DB: crm
    Replicate_Ignore_DB:
    Replicate_Do_Table:
    Replicate_Ignore_Table:
    Replicate_Wild_Do_Table:
    Replicate_Wild_Ignore_Table:
    Last_Errno: 0
    Last_Error:
    Skip_Counter: 0
    Exec_Master_Log_Pos: 1095
    Relay_Log_Space: 98
    Until_Condition: None
    Until_Log_File:
    Until_Log_Pos: 0
    Master_SSL_Allowed: No   <---
    Master_SSL_CA_File:
    Master_SSL_CA_Path:
    Master_SSL_Cert:
    Master_SSL_Cipher:
    Master_SSL_Key:
    Seconds_Behind_Master: NULL

Here is a portion of my.cnf.

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
max_connections=500
max_connect_errors = 0
# replication
server-id = 1
replicate-same-server-id = 0
auto-increment-increment =3
auto-increment-offset =1
master-host = myHost
master-user = rep_user
master-password = rep_passwd
master-connect-retry = 60
replicate-do-db = crm
log-bin= /var/log/mysql/mysql-bin.log
binlog-do-db = crm
relay-log = /var/lib/mysql/slave-relay.log
relay-log-index = /var/lib/mysql/slave-relay-log.index
expire_logs_days = 10
max_binlog_size = 500M
# end replication
# SSL for replication
ssl
ssl-key=/etc/mysql/ssl/server-key.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-capath=/etc/mysql/ssl/
ssl-cipher=DHE-RSA-AES256-SHA

[client]
ssl
port = 3306
socket = /var/lib/mysql/mysql.sock
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-cipher=DHE-RSA-AES256-SHA

Anyone see any issues with this?

Thank you,
Paul
Verify replication slave is using SSL
Dear All,

I just want to verify my rep slave is using ssl. When I run this command mysql> \s I get:

mysql> \s
--------------
mysql  Ver 14.12 Distrib 5.0.77, for redhat-linux-gnu (x86_64) using readline 5.1

Connection id:          5
Current database:
Current user:           r...@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.0.77-log Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /var/lib/mysql/mysql.sock
Uptime:                 9 min 48 sec

And I can see the Cipher. But when I run a show slave status I don't see a cipher key:

mysql> show slave status\G
*** 1. row ***
    Slave_IO_State: Waiting for master to send event
    Master_Host: my.sql.host
    Master_User: replicate
    Master_Port: 3306
    Connect_Retry: 60
    Master_Log_File: mysql-bin.36
    Read_Master_Log_Pos: 186677
    Relay_Log_File: slave-relay.74
    Relay_Log_Pos: 186814
    Relay_Master_Log_File: mysql-bin.36
    Slave_IO_Running: Yes
    Slave_SQL_Running: Yes
    Replicate_Do_DB: sugarcrm
    Replicate_Ignore_DB:
    Replicate_Do_Table:
    Replicate_Ignore_Table:
    Replicate_Wild_Do_Table:
    Replicate_Wild_Ignore_Table:
    Last_Errno: 0
    Last_Error:
    Skip_Counter: 0
    Exec_Master_Log_Pos: 186677
    Relay_Log_Space: 186814
    Until_Condition: None
    Until_Log_File:
    Until_Log_Pos: 0
    Master_SSL_Allowed: Yes
    Master_SSL_CA_File: /etc/mysql/ssl/ca-cert.pem
    Master_SSL_CA_Path: /etc/mysql/ssl/
    Master_SSL_Cert: /etc/mysql/ssl/client-cert.pem
    Master_SSL_Cipher:
    Master_SSL_Key: /etc/mysql/ssl/client-key.pem
    Seconds_Behind_Master: 0
1 row in set (0.00 sec)

Can anyone tell me if SSL is functioning or not please?

Thank you,
Paul
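The question Paul asks in these three posts (is the slave's replication link using SSL, and why is Master_SSL_Cipher blank) can be answered from the SHOW SLAVE STATUS\G output itself. Below is an added example, not code from the thread: a parser for the "Field: value" block plus a verdict function, with two sample blocks constructed from the fields Paul posted (one slave with Master_SSL_Allowed: Yes, one with No). It also reads the SSL line of the client's \s output, which describes only the current interactive session, not the I/O thread's connection.

```python
"""Assess a replication slave's SSL state from SHOW SLAVE STATUS\\G (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the fields in Paul's posts (abridged to the relevant ones).
SLAVE_OK = """\
Slave_IO_State: Waiting for master to send event
Master_Host: host
Master_User: rep
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/mysql/ssl/ca-cert.pem
Master_SSL_CA_Path: /etc/mysql/ssl/
Master_SSL_Cert: /etc/mysql/ssl/client-cert.pem
Master_SSL_Cipher:
Master_SSL_Key: /etc/mysql/ssl/client-key.pem
Seconds_Behind_Master: 0
"""

SLAVE_NO_SSL = """\
Slave_IO_State: Connecting to master
Master_Host: myhost
Master_User: rep_user
Slave_IO_Running: No
Slave_SQL_Running: Yes
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: NULL
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z_]+):\s?(.*)$")


def parse_slave_status(text: str) -> Dict[str, str]:
    """Turn the vertical (\\G) 'Field: value' block into a dict; blank values -> ''."""
    status: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            status[m.group(1)] = m.group(2).strip()
    return status


def session_cipher(status_output: str) -> Optional[str]:
    """Cipher of *this* client session from the \\s output, or None if plaintext."""
    m = re.search(r"^SSL:\s*Cipher in use is (\S+)", status_output, re.M)
    return m.group(1) if m else None


def assess_replication_ssl(status: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ssl_configured_for_io_thread, notes) for one slave."""
    notes: List[str] = []
    allowed = status.get("Master_SSL_Allowed", "")
    if allowed != "Yes":
        # MASTER_SSL=1 (and the CA/CERT/KEY paths) are set with CHANGE MASTER TO;
        # the [client] and [mysqld] ssl options in my.cnf do not reach the I/O thread.
        notes.append("Master_SSL_Allowed is %r: the I/O thread connects in plaintext; "
                     "set it with CHANGE MASTER TO ... MASTER_SSL=1" % allowed)
        return False, notes
    if not status.get("Master_SSL_CA_File") and not status.get("Master_SSL_CA_Path"):
        notes.append("no CA configured: the master's certificate cannot be chain-verified")
    if not status.get("Master_SSL_Cipher"):
        # Blank simply means no MASTER_SSL_CIPHER restriction was given.
        notes.append("Master_SSL_Cipher is blank: no cipher restriction set; "
                     "this does not mean SSL is off")
    if status.get("Slave_IO_Running") != "Yes":
        notes.append("Slave_IO_Running is %r: check Last_Error and the error log"
                     % status.get("Slave_IO_Running"))
    return True, notes


if __name__ == "__main__":
    for name, block in (("ok", SLAVE_OK), ("no_ssl", SLAVE_NO_SSL)):
        configured, notes = assess_replication_ssl(parse_slave_status(block))
        print(name, configured, notes)
```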
Re: How to use SSL? (SSL is enabled but not used)
On 8/17/2010 6:02 PM, Anders Kaseorg wrote:
> On Wed, 2010-08-11 at 14:23 -0400, Shawn Green (MySQL) wrote:
>> On 8/9/2010 5:27 PM, Yves Goergen wrote:
>>> What's that supposed to mean? If there's no way to force the connection into SSL, it is entirely useless. Anyone on the wire could simply pretend that the server doesn't support SSL and so deny the encryption and the client wouldn't even care...
>>
>> If you don't want to require SSL on the local connections then don't set the flag on the @localhost account. If you want the SSL required on the other connections, then set it on the @'...' version of the account that the remote users login through.
>
> Excuse me, but isn’t Yves exactly right here? None of the client-side options (I tried --ssl, --ssl-ca=…, --ssl-verify-server-cert, --ssl-key=…, --ssl-cipher=…) can currently be used to force an SSL connection to be used. And requiring SSL from the server side does nothing to stop man-in-the-middle attacks.
>
> (Suppose Bob the SQL server grants some privileges to Alice the user with SSL required. Now Alice can log in with her password over SSL and gets denied over non-SSL. Great. But now Mallory comes along and intercepts a connection from Alice intended for Bob. Even if Bob would have claimed that he requires SSL, nothing stops Mallory from claiming that she doesn’t require SSL. Because Alice cannot force the use of SSL from the client side, Alice will make a successful unencrypted connection to Mallory. Then Mallory can accept the connection, ignoring Alice’s authentication, and steal Alice’s data; or Mallory can make a separate SSL connection to Bob, forward Alice’s authentication over it, then take over and issue evil commands to Bob.)
>
> This same issue was reported back in 2004 and ignored: http://bugs.mysql.com/bug.php?id=3138
>
> I think this is a serious security problem that demands more attention than dismissal as documented behavior. To solve it, there needs to be a way to force the use of SSL from the client side.
>
> Anders

If the server specifies REQUIRES SSL then that client cannot connect without going through the full SSL validation process. This means that Mallory would need to present the same security credentials that Alice has in order to qualify as a secure user (the same certs, same password, login from the correct host, etc).

Your redirect has pointed out to me what I missed in Yves's first post. In order for the client to require an SSL connection, you have to designate a certificate for it to use for the connection. From the same page but a few lines above the line he quoted

##
This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca option, and possibly the --ssl-cert and --ssl-key options.
##

So you can see that using just the --ssl option by itself is not specific enough to designate which certificate a client is designated to use. You can specify these options either on the command line or in the configuration file used by the client (put them in the [mysql] section).

In your simulated MITM attack, if Alice was using the specific --ssl-* options on her connection attempt, then Mallory would need to hold the server-side equivalents in order to pose as the server. Since the likelihood of this is small (except in the case of a physical hack of the server's cert files which no amount of digital manipulation can really avoid) then Mallory would be unable to pose as Bob and the intercept would fail.

Does this help close the security hole you perceived in our SSL implementation?

--
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN
Re: How to use SSL? (SSL is enabled but not used)
On 8/17/2010 6:13 PM, Yves Goergen wrote:
> ... snip ...
> (Oh look, the MySQL guy already has an oracle.com e-mail address...)

And for about two years before that, I had a sun.com email address, too. MySQL has not been an independent company for quite a while. Google it if you don't believe me. Sun made many headlines when they bought MySQL for one billion (10) US Dollars. I still work for MySQL (the combined products) even if there no longer is a MySQL, Inc. (the company).

--
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN
Re: How to use SSL? (SSL is enabled but not used)
On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
> If the server specifies REQUIRES SSL then that client cannot connect without going through the full SSL validation process. This means that Mallory would need to present the same security credentials that Alice has in order to qualify as a secure user (the same certs, same password, login from the correct host, etc).

Mallory got the username and hashed password from Alice over the unencrypted connection, and we assume that Mallory, like any good MITM, has the ability to intercept and forge traffic for arbitrary hosts. So this attack goes through against anyone using passwords over SSL. This already constitutes a vulnerability.

Setting up client certificates does help to prevent this form of attack where Mallory tries to issue evil commands to Bob. It does not, however, prevent the attack where Mallory ignores Bob, and uses only the unencrypted connection to steal data from Alice or poison her with false data. This also constitutes a vulnerability, which, as far as I can see, cannot be prevented in any way with the current MySQL software.

> Your redirect has pointed out to me what I missed in Yves's first post. In order for the client to require an SSL connection, you have to designate a certificate for it to use for the connection.

No, that doesn’t work either! Against a server with SSL disabled:

$ mysql --ssl --ssl-verify-server-cert \
    --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
    --ssl-cert=Private/andersk.pem \
    --ssl-key=Private/andersk.pem \
    -h MY-SERVER
Welcome to the MySQL monitor.  Commands end with ; or \g.
…
mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1
…
SSL:                    Not in use

> From the same page but a few lines above the line he quoted
>
> ##
> This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca option, and possibly the --ssl-cert and --ssl-key options.
> ##

This documentation appears to be wrong.

Anders
Re: How to use SSL? (SSL is enabled but not used)
On 8/18/2010 2:22 PM, Anders Kaseorg wrote:
> On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
>> If the server specifies REQUIRES SSL then that client cannot connect without going through the full SSL validation process. This means that Mallory would need to present the same security credentials that Alice has in order to qualify as a secure user (the same certs, same password, login from the correct host, etc).
>
> Mallory got the username and hashed password from Alice over the unencrypted connection, and we assume that Mallory, like any good MITM, has the ability to intercept and forge traffic for arbitrary hosts. So this attack goes through against anyone using passwords over SSL. This already constitutes a vulnerability.
>
> Setting up client certificates does help to prevent this form of attack where Mallory tries to issue evil commands to Bob. It does not, however, prevent the attack where Mallory ignores Bob, and uses only the unencrypted connection to steal data from Alice or poison her with false data. This also constitutes a vulnerability, which, as far as I can see, cannot be prevented in any way with the current MySQL software.
>
>> Your redirect has pointed out to me what I missed in Yves's first post. In order for the client to require an SSL connection, you have to designate a certificate for it to use for the connection.
>
> No, that doesn’t work either! Against a server with SSL disabled:
>
> $ mysql --ssl --ssl-verify-server-cert \
>     --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
>     --ssl-cert=Private/andersk.pem \
>     --ssl-key=Private/andersk.pem \
>     -h MY-SERVER
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> …
> mysql> \s
> --------------
> mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1
> …
> SSL:                    Not in use
>
>> From the same page but a few lines above the line he quoted
>>
>> ##
>> This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca option, and possibly the --ssl-cert and --ssl-key options.
>> ##
>
> This documentation appears to be wrong.
>
> Anders

Excellent logic. I have updated bug #3138 with a private comment to explain your presentation of the vulnerability.

http://bugs.mysql.com/bug.php?id=3138

--
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN
Re: How to use SSL? (SSL is enabled but not used)
On Aug 18, 2010, at 1:34 PM, Shawn Green (MySQL) wrote:
> On 8/18/2010 2:22 PM, Anders Kaseorg wrote:
>> On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
>>> If the server specifies REQUIRES SSL then that client cannot connect without going through the full SSL validation process. This means that Mallory would need to present the same security credentials that Alice has in order to qualify as a secure user (the same certs, same password, login from the correct host, etc).
>>
>> Mallory got the username and hashed password from Alice over the unencrypted connection, and we assume that Mallory, like any good MITM, has the ability to intercept and forge traffic for arbitrary hosts. So this attack goes through against anyone using passwords over SSL. This already constitutes a vulnerability.
>>
>> Setting up client certificates does help to prevent this form of attack where Mallory tries to issue evil commands to Bob. It does not, however, prevent the attack where Mallory ignores Bob, and uses only the unencrypted connection to steal data from Alice or poison her with false data. This also constitutes a vulnerability, which, as far as I can see, cannot be prevented in any way with the current MySQL software.
>>
>>> Your redirect has pointed out to me what I missed in Yves's first post. In order for the client to require an SSL connection, you have to designate a certificate for it to use for the connection.
>>
>> No, that doesn’t work either! Against a server with SSL disabled:
>>
>> $ mysql --ssl --ssl-verify-server-cert \
>>     --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
>>     --ssl-cert=Private/andersk.pem \
>>     --ssl-key=Private/andersk.pem \
>>     -h MY-SERVER
>> Welcome to the MySQL monitor.  Commands end with ; or \g.
>> …
>> mysql> \s
>> --------------
>> mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1
>> …
>> SSL:                    Not in use
>>
>>> From the same page but a few lines above the line he quoted
>>>
>>> ##
>>> This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca option, and possibly the --ssl-cert and --ssl-key options.
>>> ##
>>
>> This documentation appears to be wrong.
>>
>> Anders
>
> Excellent logic. I have updated bug #3138 with a private comment to explain your presentation of the vulnerability.
>
> http://bugs.mysql.com/bug.php?id=3138

Shawn, Anders, Yves,

For what it's worth, the MySQL JDBC driver has had client-side SSL require (i.e. requireSSL=true) since 2003 and the ADO.Net driver has had SSL Mode=Required since 2009.

-Mark

--
Mark Matthews
Principal Software Developer - MySQL Enterprise Tools
Oracle
http://www.mysql.com/products/enterprise/monitor.html
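What Anders asks for and what Mark says requireSSL does in the JDBC driver is a check the client performs before it sends anything secret: the server's Initial Handshake packet carries its capability flags, and CLIENT_SSL (0x0800) is the bit with which a server says it will accept an SSLRequest. The following is an added example, not the thread's code nor MySQL's client library: it parses those flags out of a protocol-10 handshake and, in require-SSL mode, aborts instead of falling back to a plaintext login when the bit is missing, which is exactly the point at which the 5.1 client in Anders's transcript kept going. The handshake bytes are constructed here for testing.

```python
"""Gate the MySQL login on the server's advertised SSL capability (added example)."""
import struct

CLIENT_SSL = 0x0800          # server accepts the SSLRequest packet


def split_packet(raw: bytes) -> bytes:
    """Strip the 4-byte MySQL packet header (3-byte little-endian length, 1-byte sequence)."""
    length = raw[0] | (raw[1] << 8) | (raw[2] << 16)
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("short packet")
    return payload


def build_handshake(server_version: bytes, capabilities: int) -> bytes:
    """Construct a HandshakeV10 packet (header + payload); test fixture only."""
    payload = bytes([10]) + server_version + b"\x00"    # protocol version, version string
    payload += struct.pack("<I", 7)                       # connection id
    payload += b"12345678" + b"\x00"                      # auth-plugin-data part 1, filler
    payload += struct.pack("<H", capabilities & 0xFFFF)   # capability flags, lower 16 bits
    payload += bytes([8])                                 # character set (latin1)
    payload += struct.pack("<H", 0x0002)                  # status flags (autocommit)
    payload += struct.pack("<H", capabilities >> 16)      # capability flags, upper 16 bits
    payload += b"\x00" * 11                               # auth data length + 10 reserved bytes
    payload += b"abcdefghijkl" + b"\x00"                  # auth-plugin-data part 2
    header = struct.pack("<I", len(payload))[:3] + b"\x00"   # sequence id 0
    return header + payload


def server_capabilities(payload: bytes) -> int:
    """Extract the 32-bit capability flags from a HandshakeV10 payload."""
    if not payload or payload[0] != 10:
        raise ValueError("not a protocol-10 handshake")
    pos = payload.index(b"\x00", 1) + 1      # skip the NUL-terminated server version
    pos += 4 + 8 + 1                          # connection id, auth data part 1, filler
    lower = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                          # lower flags, charset, status flags
    upper = struct.unpack_from("<H", payload, pos)[0]
    return lower | (upper << 16)


def next_step(raw_packet: bytes, require_ssl: bool) -> str:
    """Decide what the client sends next: 'ssl_request', 'login' or 'abort'.

    The decision is made before the login packet, so in require-SSL mode a
    server (or an interposed host) that does not offer CLIENT_SSL never sees
    the user name or password hash.
    """
    caps = server_capabilities(split_packet(raw_packet))
    if caps & CLIENT_SSL:
        return "ssl_request"     # SSLRequest, TLS handshake, then login inside TLS
    if require_ssl:
        return "abort"           # do not fall back to a plaintext login
    return "login"               # the opportunistic 5.1 --ssl behaviour discussed above


if __name__ == "__main__":
    base = 0xF7FF                                   # every low flag except CLIENT_SSL
    offers_ssl = build_handshake(b"5.1.49-log", base | CLIENT_SSL)
    no_ssl = build_handshake(b"5.1.49-log", base)
    print("server offers SSL, require:", next_step(offers_ssl, True))
    print("server lacks SSL, require: ", next_step(no_ssl, True))
    print("server lacks SSL, optional:", next_step(no_ssl, False))
```

Against a live server the same gate applies to the first packet read from the socket after connect(); the SSLRequest is a copy of the client's own capability word with CLIENT_SSL set, sent before the TLS handshake begins.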
Re: How to use SSL? (SSL is enabled but not used)
On 18.08.2010 20:42 CE(S)T, Mark Matthews wrote:
> For what it's worth, the MySQL JDBC driver has had client-side SSL require (i.e. requireSSL=true) since 2003 and the ADO.Net driver has had SSL Mode=Required since 2009.

Cool, so would it be possible to also have this in the MySQL Workbench client which seems to be .NET-based?

--
Yves Goergen LonelyPixel nospam.l...@unclassified.de
Visit my web laboratory at http://beta.unclassified.de
Re: How to use SSL? (SSL is enabled but not used)
On Wed, 2010-08-11 at 14:23 -0400, Shawn Green (MySQL) wrote:
> On 8/9/2010 5:27 PM, Yves Goergen wrote:
>> What's that supposed to mean? If there's no way to force the connection into SSL, it is entirely useless. Anyone on the wire could simply pretend that the server doesn't support SSL and so deny the encryption and the client wouldn't even care...
>
> If you don't want to require SSL on the local connections then don't set the flag on the @localhost account. If you want the SSL required on the other connections, then set it on the @'...' version of the account that the remote users login through.

Excuse me, but isn’t Yves exactly right here? None of the client-side options (I tried --ssl, --ssl-ca=…, --ssl-verify-server-cert, --ssl-key=…, --ssl-cipher=…) can currently be used to force an SSL connection to be used. And requiring SSL from the server side does nothing to stop man-in-the-middle attacks.

(Suppose Bob the SQL server grants some privileges to Alice the user with SSL required. Now Alice can log in with her password over SSL and gets denied over non-SSL. Great. But now Mallory comes along and intercepts a connection from Alice intended for Bob. Even if Bob would have claimed that he requires SSL, nothing stops Mallory from claiming that she doesn’t require SSL. Because Alice cannot force the use of SSL from the client side, Alice will make a successful unencrypted connection to Mallory. Then Mallory can accept the connection, ignoring Alice’s authentication, and steal Alice’s data; or Mallory can make a separate SSL connection to Bob, forward Alice’s authentication over it, then take over and issue evil commands to Bob.)

This same issue was reported back in 2004 and ignored: http://bugs.mysql.com/bug.php?id=3138

I think this is a serious security problem that demands more attention than dismissal as documented behavior. To solve it, there needs to be a way to force the use of SSL from the client side.

Anders
Re: How to use SSL? (SSL is enabled but not used)
On 18.08.2010 00:02 CE(S)T, Anders Kaseorg wrote:
> This same issue was reported back in 2004 and ignored: http://bugs.mysql.com/bug.php?id=3138

Oh dear, 2004...

> I think this is a serious security problem that demands more attention than dismissal as documented behavior. To solve it, there needs to be a way to force the use of SSL from the client side.

I have another suggestion: remove SSL support from MySQL altogether and declare the protocol as unsafe and only use it over secure networks like VPN. Since MySQL is now Oracle and it's not Oracle's main business, regarding recent bad news about Oracle, we can imagine what will happen this time. Exactly! Nothing. (Oh look, the MySQL guy already has an oracle.com e-mail address...)

--
Yves Goergen LonelyPixel nospam.l...@unclassified.de
Visit my web laboratory at http://beta.unclassified.de
Re: How to use SSL? (SSL is enabled but not used)
On Wed, 18 Aug 2010, Yves Goergen wrote:
> Since MySQL is now Oracle […]

Yves, I think we should be treating this security issue seriously, and working with Shawn and the MySQL team towards solving it constructively, instead of just taking potshots at their new company.

Anders
Re: How to use SSL? (SSL is enabled but not used)
On 8/9/2010 5:27 PM, Yves Goergen wrote:
> Does anybody know how to use SSL-secured connections to a MySQL server? Has anybody done that at all?
>
> In the manual I have now found the following statement: http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html
>
> Note that use of --ssl does not require an SSL connection. For example, if the server or client is compiled without SSL support, a normal unencrypted connection is used.
>
> What's that supposed to mean? If there's no way to force the connection into SSL, it is entirely useless. Anyone on the wire could simply pretend that the server doesn't support SSL and so deny the encryption and the client wouldn't even care...
>
> I don't want to use REQUIRE SSL for an account that is regularly used locally and doesn't need SSL. SSL should really be selected by the client per connection when connecting from some other untrusted network.
>
> The whole SSL thing looks pretty unfinished like that.

If you don't want to require SSL on the local connections then don't set the flag on the @localhost account. If you want the SSL required on the other connections, then set it on the @'...' version of the account that the remote users login through.

All MySQL accounts are tripartite. They consist of: 1) a login (user), 2) a host designation (or wildcard pattern), and 3) a password. Use that host portion of the account to make the distinction between local and remote logins.

More about how the MySQL authentication works is available in the manual: http://dev.mysql.com/doc/refman/5.1/en/user-account-management.html

--
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN
Re: How to use SSL? (SSL is enabled but not used)
Does anybody know how to use SSL-secured connections to a MySQL server? Has anybody done that at all?

In the manual I have now found the following statement: http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html

Note that use of --ssl does not require an SSL connection. For example, if the server or client is compiled without SSL support, a normal unencrypted connection is used.

What's that supposed to mean? If there's no way to force the connection into SSL, it is entirely useless. Anyone on the wire could simply pretend that the server doesn't support SSL and so deny the encryption and the client wouldn't even care...

I don't want to use REQUIRE SSL for an account that is regularly used locally and doesn't need SSL. SSL should really be selected by the client per connection when connecting from some other untrusted network.

The whole SSL thing looks pretty unfinished like that.

--
Yves Goergen LonelyPixel nospam.l...@unclassified.de
Visit my web laboratory at http://beta.unclassified.de
How to use SSL? (SSL is enabled but not used)
Hello,

I have setup a MySQL 5.1 server on Ubuntu Linux 10.4 and created an SSL certificate and key. I updated the MySQL configuration to point to the SSL files. There's no error message at startup in MySQL's error log. (Before I granted the process access to the SSL files through AppArmor, there was an error message that it couldn't get the SSL files, so I assume MySQL really reads the file now.)

In MySQL Workbench 5.2.25 I enabled the use of SSL for the connection, but the statement show variables like '%ssl%' doesn't show a value for ssl_cipher. Here's the entire output:

have_openssl   YES
have_ssl       YES
ssl_ca
ssl_capath
ssl_cert       /etc/ssl/private/cert-.de
ssl_cipher
ssl_key        /etc/ssl/private/cert-.de

From the wording in the client, I believe that the SSL option is pretty much useless. It reads that it will use SSL if it's available [in the client library]. It probably wouldn't use it too if the server didn't support it. So in the end, it may or may not use SSL to its own liking. Where's the switch where I can force the use of SSL? I don't want to send my authentication data in plain text over the network before I can even verify that SSL is in use? And still why doesn't it use SSL in my case?

--
Yves Goergen LonelyPixel nospam.l...@unclassified.de
Visit my web laboratory at http://beta.unclassified.de
Re: Setting Up MySSQL replication with SSL on Ubuntu and Windows
Hi!

a.sm...@ukgrid.net schrieb:
> According to this you must install OpenSSL then compile MySQL from source
> http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html

You cannot (in general) assume that some hint you find somewhere for MySQL 5.0 still applies to MySQL 5.1. Specifically if the source is the MySQL manual, there is absolutely no reason to use the 5.0 manual when you are dealing with 5.1, there is a 5.1 manual available.

> Would be nice if someone on the list with prior experience would comment

Discussing SSL: it is included with current versions of MySQL 5.1 on Windows. Sadly, 5.1.46 is a special case: When testing it, there was trouble on the machines, so the SSL tests were not attempted. Definitely, both 5.1.45 and 5.1.47 include SSL and passed the tests.

My hint to Neil: Try to run the MySQL test suite on your machine, it includes SSL tests. If these pass, your server (and client) does include SSL.

> Quoting Tompkins Neil neil.tompk...@googlemail.com:
>> Hi I found this documentation. However, I need more information on setting up SSL on Windows ?

I don't deal with Windows, so I can't help with this.

Regards,
Jörg

--
Joerg Bruehe, MySQL Build Team, joerg.bru...@sun.com
(+49 30) 417 01 487
ORACLE Deutschland B.V. & Co. KG, Komturstrasse 18a, D-12099 Berlin
Geschaeftsfuehrer: Juergen Kunz, Marcel v.d. Molen, Alexander v.d. Ven
Amtsgericht Muenchen: HRA 95603
Setting Up MySSQL replication with SSL on Ubuntu and Windows
Hi,

We are running Ubuntu 10.04 LTS with MySQL 5.1.46 and Windows 2003 with MySQL 5.1.46. Normal master to master replication between the two servers is running fine. However, we now want to set-up the replication with SSL to ensure that all data which is replicated both ways between the two servers is encrypted. Currently on the Ubuntu 10.04 server, SSL has been installed and is already working with an existing client connection. My question is how do we get it working for replication over SSL between the two servers.

Cheers
Neil
Re: Setting Up MySSQL replication with SSL on Ubuntu and Windows
Google? http://dev.mysql.com/doc/refman/5.0/en/replication-solutions-ssl.html

This is for MySQL 5.1, I imagine it's probably the same in 5.1 but another little google should be able to confirm that for you

Quoting Tompkins Neil neil.tompk...@googlemail.com:
> Hi,
>
> We are running Ubuntu 10.04 LTS with MySQL 5.1.46 and Windows 2003 with MySQL 5.1.46. Normal master to master replication between the two servers is running fine. However, we now want to set-up the replication with SSL to ensure that all data which is replicated both ways between the two servers is encrypted. Currently on the Ubuntu 10.04 server, SSL has been installed and is already working with an existing client connection. My question is how do we get it working for replication over SSL between the two servers.
>
> Cheers
> Neil
Re: Setting Up MySSQL replication with SSL on Ubuntu and Windows
Hi

I found this documentation. However, I need more information on setting up SSL on Windows ?

Neil

On Wed, Jul 21, 2010 at 3:39 PM, a.sm...@ukgrid.net wrote:
> Google? http://dev.mysql.com/doc/refman/5.0/en/replication-solutions-ssl.html
>
> This is for MySQL 5.1, I imagine it's probably the same in 5.1 but another little google should be able to confirm that for you
>
> Quoting Tompkins Neil neil.tompk...@googlemail.com:
>> Hi,
>>
>> We are running Ubuntu 10.04 LTS with MySQL 5.1.46 and Windows 2003 with MySQL 5.1.46. Normal master to master replication between the two servers is running fine. However, we now want to set-up the replication with SSL to ensure that all data which is replicated both ways between the two servers is encrypted. Currently on the Ubuntu 10.04 server, SSL has been installed and is already working with an existing client connection. My question is how do we get it working for replication over SSL between the two servers.
>>
>> Cheers
>> Neil
Re: Setting Up MySQL replication with SSL on Ubuntu and Windows

According to this you must install OpenSSL then compile MySQL from source: http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html

Would be nice if someone on the list with prior experience would comment

Quoting Tompkins Neil neil.tompk...@googlemail.com:

> Hi
>
> I found this documentation. However, I need more information on setting up SSL on Windows?
>
> Neil
Re: ssl questions

We are looking to install on windows.

Sent from my iPod

On 11 Oct 2009, at 18:02, muhammad subair msub...@gmail.com wrote:

> Hi,
>
> Maybe, first you can check MySQL documentation [0], [1]
>
> [0] http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html
> [1] http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html
>
> --
> Muhammad Subair
>
> On Thu, Oct 8, 2009 at 6:03 PM, Tompkins Neil neil.tompk...@googlemail.com wrote:
>
>> Hi
>>
>> I wondered how you are getting on with installing SSL for mysql 5.1 server. We are looking to install it too. Do you have any pointers/recommendations?
>>
>> Regards
>> Neil
>>
>> On Tue, Sep 8, 2009 at 11:36 PM, qt4x11 qt4...@gmail.com wrote:
>>
>>> I'm trying to set up my mysql 5.1 server to work over ssl, I'm following the directions at http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html. I've confirmed that my server supports ssl
>>>
>>>     mysql> SHOW VARIABLES LIKE 'have_ssl';
>>>     +---------------+-------+
>>>     | Variable_name | Value |
>>>     +---------------+-------+
>>>     | have_ssl      | YES   |
>>>     +---------------+-------+
Re: ssl questions

Hi,

Maybe, first you can check MySQL documentation [0], [1]

[0] http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html
[1] http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html

--
Muhammad Subair

On Thu, Oct 8, 2009 at 6:03 PM, Tompkins Neil neil.tompk...@googlemail.com wrote:

> Hi
>
> I wondered how you are getting on with installing SSL for mysql 5.1 server. We are looking to install it too. Do you have any pointers/recommendations?
>
> Regards
> Neil
>
> On Tue, Sep 8, 2009 at 11:36 PM, qt4x11 qt4...@gmail.com wrote:
>
>> I'm trying to set up my mysql 5.1 server to work over ssl, I'm following the directions at http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html. I've confirmed that my server supports ssl
>>
>>     mysql> SHOW VARIABLES LIKE 'have_ssl';
>>     +---------------+-------+
>>     | Variable_name | Value |
>>     +---------------+-------+
>>     | have_ssl      | YES   |
>>     +---------------+-------+
Re: ssl questions

Hi

I wondered how you are getting on with installing SSL for mysql 5.1 server. We are looking to install it too. Do you have any pointers/recommendations?

Regards
Neil

On Tue, Sep 8, 2009 at 11:36 PM, qt4x11 qt4...@gmail.com wrote:

> I'm trying to set up my mysql 5.1 server to work over ssl, I'm following the directions at http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html. I've confirmed that my server supports ssl
>
>     mysql> SHOW VARIABLES LIKE 'have_ssl';
>     +---------------+-------+
>     | Variable_name | Value |
>     +---------------+-------+
>     | have_ssl      | YES   |
>     +---------------+-------+
>
> set up certs according to http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html
>
>     bash-3.2# ls -l newcerts/
>     total 20
>     -rwxrwxrwx 1 root root 1761 Sep  8 14:01 ca-cert.pem
>     -rwxrwxrwx 1 root root 1675 Sep  8 14:00 ca-key.pem
>     -rwxrwxrwx 1 root root 1371 Sep  8 14:02 server-cert.pem
>     -rwxrwxrwx 1 root root 1675 Sep  8 14:01 server-key.pem
>     -rwxrwxrwx 1 root root 1094 Sep  8 14:01 server-req.pem
>
> and that mysql is started with the appropriate --ssl-xxx options (I set 777 permissions on the newcerts directory to ensure that permissions wouldn't be a problem during testing but was planning on tightening permissions once I got ssl working)
>
>     bash-3.2# ps aux | grep mysql
>     root     13326  0.0  0.2  63848  1332 pts/0    S    15:25   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/mysql.example.com.pid --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem --ssl-key=/var/lib/mysql/newcerts/server-key.pem
>     mysql    13399  0.1  3.4 138488 17676 pts/0    Sl   15:25   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem --ssl-key=/var/lib/mysql/newcerts/server-key.pem --log-error=/var/lib/mysql/mysql.example.com.err --pid-file=/var/lib/mysql/mysql.example.com.pid
>     root     13430  0.0  0.1  61164   768 pts/0    R+   15:25   0:00 grep mysql
>
> I'm also following documentation http://www.stunnel.org/examples/mysql.html here to set up mysql with ssl support over stunnel. My stunnel.conf looks like
>
>     cert = /etc/stunnel/stunnel.pem
>     pid = /tmp/stunnel.pid
>     debug = 7
>     output = stunnel.log
>
>     [mysqls]
>     accept = 3307
>     connect = 3306
>
> I've confirmed that my server is listening on 3307
>
>     [u...@mysql.example.com ~]$ netstat -anF | grep 3306
>     tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
>     [u...@mysql.example.com ~]$ netstat -anF | grep 3307
>     tcp        0      0 0.0.0.0:3307            0.0.0.0:*               LISTEN
>
> and that I can connect successfully over 3306
>
>     mysql -u user -p -h mysql.example.com -P 3306
>
> but when I try to connect over port 3307,
>
>     mysql -u user -p -h mysql.example.com -P 3307
>
> it fails to connect (my graphical client gives an error message that reads 'connection reset'). I'm not sure what's wrong. My mysql user was created without any specific SSL requirements, so I'm thinking I should be able to connect over either port without specifying any --ssl-xxx options on the client side. I'd like the user to be able to connect either way. I tried looking at the mysql error log but it didn't provide any useful information - is there a way to increase the log level to get at the source of the problem?
>
> Any tips would be appreciated. Thanks.
ssl questions

I'm trying to set up my mysql 5.1 server to work over ssl, I'm following the directions at http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html. I've confirmed that my server supports ssl

    mysql> SHOW VARIABLES LIKE 'have_ssl';
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | have_ssl      | YES   |
    +---------------+-------+

set up certs according to http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html

    bash-3.2# ls -l newcerts/
    total 20
    -rwxrwxrwx 1 root root 1761 Sep  8 14:01 ca-cert.pem
    -rwxrwxrwx 1 root root 1675 Sep  8 14:00 ca-key.pem
    -rwxrwxrwx 1 root root 1371 Sep  8 14:02 server-cert.pem
    -rwxrwxrwx 1 root root 1675 Sep  8 14:01 server-key.pem
    -rwxrwxrwx 1 root root 1094 Sep  8 14:01 server-req.pem

and that mysql is started with the appropriate --ssl-xxx options (I set 777 permissions on the newcerts directory to ensure that permissions wouldn't be a problem during testing but was planning on tightening permissions once I got ssl working)

    bash-3.2# ps aux | grep mysql
    root     13326  0.0  0.2  63848  1332 pts/0    S    15:25   0:00 /bin/sh /usr/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/var/lib/mysql/mysql.example.com.pid --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem --ssl-key=/var/lib/mysql/newcerts/server-key.pem
    mysql    13399  0.1  3.4 138488 17676 pts/0    Sl   15:25   0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem --ssl-key=/var/lib/mysql/newcerts/server-key.pem --log-error=/var/lib/mysql/mysql.example.com.err --pid-file=/var/lib/mysql/mysql.example.com.pid
    root     13430  0.0  0.1  61164   768 pts/0    R+   15:25   0:00 grep mysql

I'm also following documentation http://www.stunnel.org/examples/mysql.html here to set up mysql with ssl support over stunnel. My stunnel.conf looks like

    cert = /etc/stunnel/stunnel.pem
    pid = /tmp/stunnel.pid
    debug = 7
    output = stunnel.log

    [mysqls]
    accept = 3307
    connect = 3306

I've confirmed that my server is listening on 3307

    [u...@mysql.example.com ~]$ netstat -anF | grep 3306
    tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
    [u...@mysql.example.com ~]$ netstat -anF | grep 3307
    tcp        0      0 0.0.0.0:3307            0.0.0.0:*               LISTEN

and that I can connect successfully over 3306

    mysql -u user -p -h mysql.example.com -P 3306

but when I try to connect over port 3307,

    mysql -u user -p -h mysql.example.com -P 3307

it fails to connect (my graphical client gives an error message that reads 'connection reset'). I'm not sure what's wrong. My mysql user was created without any specific SSL requirements, so I'm thinking I should be able to connect over either port without specifying any --ssl-xxx options on the client side. I'd like the user to be able to connect either way. I tried looking at the mysql error log but it didn't provide any useful information - is there a way to increase the log level to get at the source of the problem?

Any tips would be appreciated. Thanks.
SSL Logs in MySQL

Hello there,

I am getting connected to MySQL through SSL. I want to see the logs of SSL getting triggered when someone accesses a MySQL database from any application or URL. Where do I need to modify or edit the configuration, in order to see the SSL logs? I can only see the query logs as of now.

Thanks a lot in advance
Sharath
MySql SSL Error

Hello there,

I have set up SSL for MySql server. I can log in to mysql by mentioning the root CA cert. On the other side, I have a Directory Server URL, which is trying to access the MySQL. I have updated the query logs. Whenever a connection happens from the directory server to the MySQL database, the query logs get updated. The directory server has the root CA cert of the MySQL in the directory server's Truststore.

I want to see if the connection to MySQL from the directory server is happening in a secured way. I don't see any kind of SSL logs in the log file of mysql. Do I need to enable anything in the my.cnf file specifically to see the logs about the ssl connection?

Thanks in Advance
Sharath
problem with ssl connection

Hi,

Is there someone who is able to connect to a MySQL instance via ssl, from a client located on a different server than where the MySQL instance is, using the only option --ssl-ca?

I'm not able to; I can only connect if I use the options --ssl-ca, --ssl-cert and --ssl-key, even if the user that I use was created without any REQUIRE!

thanks.

Ing. Stefano Elmopi
Gruppo Darco - Area ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165
tel. 0657060500
email: stefano.elm...@sociale.it
Re: SSL Connections

Hi Andy,

I used the same user. I list the steps that I made:

on the server MySQL (10.43.249.17) I created the user:

    GRANT ALL PRIVILEGES ON *.* TO 'pippo'@'%' IDENTIFIED BY '*';

then, on the same server:

    mysql --ssl-ca=/root/openssl/cacert.pem -u pippo -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 1872
    Server version: 5.0.45 Source distribution

on the other server:

    mysql --ssl-ca=/root/openssl/cacert.pem -u pippo -h 10.43.249.17 -p
    Enter password:
    ERROR 2026 (HY000): SSL connection error

    mysql --ssl-ca=/root/openssl/cacert.pem --ssl-cert=/root/openssl/client-cert.pem --ssl-key=/root/openssl/client-key.pem -u pippo -h 10.43.249.17 -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 1884
    Server version: 5.0.45 Source distribution

I believe the client is being asked for its certificate, but I wish that were not the case.

Thanks.

Ing. Stefano Elmopi
Gruppo Darco - Area ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165
tel. 0657060500
email: stefano.elm...@sociale.it

On 30 Mar 2009, at 22:39, Andy Shellam wrote:

> Hi Stefano,
>
> I'm guessing your remote (non-local) server is using a different user account than your local server.
>
>     r...@localhost
>     r...@%
>     r...@somehost.com
>
> are all different users. If your remote host, or wildhost user account has the REQUIRE X509 flag (user must be certified) but your local one doesn't, that would explain it.
>
> What are your MySQL versions on both your server and remote client? What errors do you get on your client?
>
> Regards,
> Andy
>
> Stefano Elmopi wrote:
>
>> Hi,
>>
>> I'm trying to make connections ssl. I followed the MySQL guide and I've configured the server, then I created a normal user, without the REQUIRE SSL.
>>
>> On the same server I can connect with the only option:
>>
>>     mysql --ssl-ca=cacert.pem -u Pluto -p
>>
>> but if I try to connect from another host, I must, forcibly, also specify the options:
>>
>>     --ssl-cert=client-cert.pem --ssl-key=client-key.pem
>>
>> Why??
>>
>> The guide says that even from another host, on a normal user, you can use the only option: --ssl-ca, but it is not so, I am forced to certify the client.
>>
>> Something wrong?
>>
>> Thanks
>>
>> Ing. Stefano Elmopi
>> Gruppo Darco - Area ICT Sistemi
>> Via Ostiense 131/L Corpo B, 00154 Roma
>> cell. 3466147165
>> tel. 0657060500
>> email: stefano.elm...@sociale.it
SSL Connections

Hi,

I'm trying to make connections ssl. I followed the MySQL guide and I've configured the server, then I created a normal user, without the REQUIRE SSL.

On the same server I can connect with the only option:

    mysql --ssl-ca=cacert.pem -u Pluto -p

but if I try to connect from another host, I must, forcibly, also specify the options:

    --ssl-cert=client-cert.pem --ssl-key=client-key.pem

Why??

The guide says that even from another host, on a normal user, you can use the only option: --ssl-ca, but it is not so, I am forced to certify the client.

Something wrong?

Thanks

Ing. Stefano Elmopi
Gruppo Darco - Area ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma
cell. 3466147165
tel. 0657060500
email: stefano.elm...@sociale.it
Re: SSL Connections

Hi Stefano,

I'm guessing your remote (non-local) server is using a different user account than your local server.

    r...@localhost
    r...@%
    r...@somehost.com

are all different users. If your remote host, or wildhost user account has the REQUIRE X509 flag (user must be certified) but your local one doesn't, that would explain it.

What are your MySQL versions on both your server and remote client? What errors do you get on your client?

Regards,
Andy

Stefano Elmopi wrote:

> Hi,
>
> I'm trying to make connections ssl. I followed the MySQL guide and I've configured the server, then I created a normal user, without the REQUIRE SSL.
>
> On the same server I can connect with the only option:
>
>     mysql --ssl-ca=cacert.pem -u Pluto -p
>
> but if I try to connect from another host, I must, forcibly, also specify the options:
>
>     --ssl-cert=client-cert.pem --ssl-key=client-key.pem
>
> Why??
>
> The guide says that even from another host, on a normal user, you can use the only option: --ssl-ca, but it is not so, I am forced to certify the client.
>
> Something wrong?
>
> Thanks
>
> Ing. Stefano Elmopi
> Gruppo Darco - Area ICT Sistemi
> Via Ostiense 131/L Corpo B, 00154 Roma
> cell. 3466147165
> tel. 0657060500
> email: stefano.elm...@sociale.it
Re: Need a Brief Overview - SSL Connections

Hi Seth,

I implemented SSL successfully just a couple of weeks ago on 5.1.30, and I too found some aspects confusing. Here are my answers from my own experience, so please forgive me if they're inaccurate.

1) On the server side, I believe ssl-ca, ssl-cert and ssl-key are all required to establish the server's identity. On the client side, I believe a user can still login without encryption/SSL unless REQUIRE SSL is set on their account. From what I can tell, a client can also login using SSL with just ssl-ca (the server's certification authority certificate.) To verify that the client is who they say they are, then you set REQUIRE X509 on their account, and the client has to connect using ssl-ca, ssl-cert and ssl-key with a valid certificate and private key.

2) I also don't understand all concepts of SSL - I'm used to just providing a certificate request to a trusted partner (e.g. Verisign) and for them to send me back my certificate. However I presume that the trusted CA certificates (e.g. Verisign, Thawte etc) are present on all browsers/e-mail clients and that's why we don't need to worry about it for these types of applications. I believe that MySQL is allowing you to effectively issue your own certificates, and as such the client needs the CA certificate to verify the server's issuing authority (yourself.) The first step the MySQL manual takes you through is creating a private key and a certificate which will become your CA certificate (and is the file needed for ssl-ca/ssl-capath.) This is a different private key and certificate to both the server's and the client's (unless your server/client is the same box, then they can share the same certificate/key but will be different from the CA cert/key.)

3) I followed the instructions in the manual to the letter and I had no issues whatsoever. In my client (Navicat) I do get an "SSL connection error - invalid parameter" if one of the certificates is missing, but that may be coming from Navicat not the MySQL library.

It'll be interesting to see what happens in some situations, for example, what happens when the client certificate or the CA certificate expires? Interestingly I can also still connect using SSL when the CA certificate is invalid (ie. non-existent or a private key file instead of a certificate file.)

Hope this helps some! I do agree it wasn't the clearest of things to get my head around.

Andy

Seth Willits wrote:

> Howdy,
>
> I've read through all of the MySQL docs on SSL and I just need a brief overview of a few things to understand some things that aren't crystal clear to me since I'm not very familiar with SSL.
>
> 1) Which SSL options are *required*? It seems that only ssl-key is _always_ required for the client to connect to the server. If REQUIRE X509 is set, then ssl-cert is required as well in order to authenticate who the actual client is, right?
>
> 2) The options I don't understand are ssl-ca/ssl-capath. Why would the client specify a certificate authority? Is this the authority (or authorities) that's used to authenticate the server's certificate? Is there a platform default for this value? I'm not used to having to specify a list of authorities for other programs to validate certificates (such as with email).
>
> 3) How do I know if the server/client authentication (validating the certificate against given authorities) failed? Do I just get a vague SSL connection error back from MySQL and that's it?
>
> I think that's mostly it.
>
> Thanks,
>
> --
> Seth Willits
Need a Brief Overview - SSL Connections

Howdy,

I've read through all of the MySQL docs on SSL and I just need a brief overview of a few things to understand some things that aren't crystal clear to me since I'm not very familiar with SSL.

1) Which SSL options are *required*? It seems that only ssl-key is _always_ required for the client to connect to the server. If REQUIRE X509 is set, then ssl-cert is required as well in order to authenticate who the actual client is, right?

2) The options I don't understand are ssl-ca/ssl-capath. Why would the client specify a certificate authority? Is this the authority (or authorities) that's used to authenticate the server's certificate? Is there a platform default for this value? I'm not used to having to specify a list of authorities for other programs to validate certificates (such as with email).

3) How do I know if the server/client authentication (validating the certificate against given authorities) failed? Do I just get a vague SSL connection error back from MySQL and that's it?

I think that's mostly it.

Thanks,

--
Seth Willits
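The two threads above (Stefano's "which options must the client pass" and Seth's "which SSL options are required") both come down to the account's REQUIRE clause, which MySQL stores in the ssl_type / ssl_cipher / x509_issuer / x509_subject columns of mysql.user. The script below is an added example, not code from the list or from MySQL: it parses the tab-separated batch output of a SELECT over those columns (the command line in the docstring is assumed; the sample rows are constructed and mirror the cases in the threads), reports what each account forces the mysql client to present, and flags accounts that are reachable over the network without REQUIRE SSL or REQUIRE X509.

```python
"""Audit which MySQL accounts demand TLS, and what the client must present.

Constructed example, not code from the list thread.  Input is the tab-separated
batch output of (assumed command line, MySQL 5.x column names):

    mysql -B -N -e "SELECT user, host, ssl_type, ssl_cipher, x509_issuer, x509_subject FROM mysql.user"

mysql.user.ssl_type is '' (REQUIRE NONE), 'ANY' (REQUIRE SSL), 'X509' (REQUIRE X509)
or 'SPECIFIED' (REQUIRE CIPHER / ISSUER / SUBJECT).
"""
from dataclasses import dataclass
from typing import List, Tuple

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

SSL_TYPE_TO_REQUIRE = {
    "": "NONE",
    "ANY": "SSL",
    "X509": "X509",
    "SPECIFIED": "CIPHER/ISSUER/SUBJECT",
}


@dataclass
class Account:
    user: str
    host: str
    ssl_type: str
    ssl_cipher: str = ""
    x509_issuer: str = ""
    x509_subject: str = ""

    @property
    def require(self) -> str:
        return SSL_TYPE_TO_REQUIRE.get(self.ssl_type, "?")

    @property
    def is_remote(self) -> bool:
        # Anything but a loopback host pattern can be reached over the network.
        return self.host not in LOCAL_HOSTS


def parse_user_dump(text: str) -> List[Account]:
    """Turn `mysql -B -N` rows (one account per line, tab separated) into Accounts."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (6 - len(cols))          # tolerate trailing empty columns
        accounts.append(Account(*cols[:6]))
    return accounts


def client_options(acct: Account) -> List[str]:
    """mysql client options the account's REQUIRE clause forces the client to supply."""
    if acct.ssl_type == "":
        return []                                # may connect in the clear
    if acct.ssl_type == "ANY":
        return ["--ssl-ca"]                      # TLS only: the server proves its identity, the client does not
    return ["--ssl-ca", "--ssl-cert", "--ssl-key"]   # X509 / SPECIFIED: the client certificate is verified


def audit(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Return (user@host, severity, message) for accounts whose TLS posture is weak."""
    findings = []
    for a in accounts:
        who = f"{a.user}@{a.host}"
        if a.is_remote and a.ssl_type == "":
            findings.append((who, "HIGH", "remote account with REQUIRE NONE: password and data may cross the network unencrypted"))
        elif a.is_remote and a.ssl_type == "ANY":
            findings.append((who, "MEDIUM", "REQUIRE SSL only: encrypted, but the client is identified by password alone"))
        if a.ssl_type == "SPECIFIED" and not (a.ssl_cipher or a.x509_issuer or a.x509_subject):
            findings.append((who, "LOW", "ssl_type SPECIFIED but no CIPHER/ISSUER/SUBJECT recorded"))
    return findings


# Constructed sample rows (not real accounts), mirroring the cases in the threads.
SAMPLE_DUMP = "\n".join([
    "root\tlocalhost\t\t\t\t",
    "pippo\t%\t\t\t\t",                                  # REQUIRE NONE, reachable from anywhere
    "slave2\t10.0.0.%\tANY\t\t\t",                       # REQUIRE SSL
    "app\t192.168.1.%\tX509\t\t\t",                      # REQUIRE X509
    "jonas\t%\tSPECIFIED\t\t/C=DE/O=Example CA\t/C=DE/CN=jonas",
])

if __name__ == "__main__":
    accounts = parse_user_dump(SAMPLE_DUMP)
    for a in accounts:
        print(f"{a.user}@{a.host:<14} REQUIRE {a.require:<24} client needs: {' '.join(client_options(a)) or '(nothing)'}")
    for who, sev, msg in audit(accounts):
        print(f"[{sev}] {who}: {msg}")
```

Run against a real dump, the HIGH findings are the accounts whose password hash exchange and query traffic are exposed to anyone on the path; the MEDIUM ones are the accounts where moving to REQUIRE X509 (and issuing client certificates from the same CA the server trusts via ssl-ca) would add a second factor beyond the password.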
Trying again, SSL between client and server using SslOption/mysql_ssl_set ( C++/C )

I have a few questions about the parameters for SslOption/mysql_ssl_set ( C++/C ) and about SSL in general between the server and the client. I do understand what a certificate, a private key, and a public key is in general but I am having trouble understanding how they work in MySql.

1) Are the first three parameters just the file name portions of the full file specifications for the private key, public key, and certificate respectively? The documentation suggests that they can be file paths, but then the fourth parameter would seem redundant.

2) Is the fourth parameter the file path for all of the first three file names? If this is so and the path is the current directory, can this be 0?

3) What determines a valid cipher name, and where is that specified in MySql SSL in general? Is there a way to say that all ciphers are valid with this parameter?

When SSL goes between the client and the server, using the same certificate authority certificate, is there one set of public-private keys where the server's private key is the client's public key and the server's public key is the client's private key? Or are there actually two distinct sets of public-private keys, one each for the client and the server? The former seems logically correct but maybe I am missing something about how this works in SSL. If someone can explain this to me it would be appreciated. The MySql manual does not explain it.

In general the documentation for MySql SSL in section 5.5.7 of the MySql manual is pretty abysmal, which makes me think that either no one ever uses SSL in MySql, MySql is an inadequate database for SSL, or that no one cares to actually explain how SSL works under MySql. I am hoping that someone knows how this works from the programming point of view and can explain it adequately to me or actually point me to documentation/examples which do explain it.
SSL between client and server using SslOption/mysql_ssl_set ( C++/C )

I have a few questions about the parameters for SslOption/mysql_ssl_set ( C++/C ) and about SSL in general between the server and the client. I do understand what a certificate, a private key, and a public key is in general but I am having trouble understanding how they work in MySql.

1) Are the first three parameters just the file name portions of the full file specifications for the private key, public key, and certificate respectively? The documentation suggests that they can be file paths, but then the fourth parameter would seem redundant.

2) Is the fourth parameter the file path for all of the first three file names? If this is so and the path is the current directory, can this be 0?

3) What determines a valid cipher name, and where is that specified in MySql SSL in general? Is there a way to say that all ciphers are valid with this parameter?

When SSL goes between the client and the server, using the same certificate authority certificate, is there one set of public-private keys where the server's private key is the client's public key and the server's public key is the client's private key? Or are there actually two distinct sets of public-private keys, one each for the client and the server? The former seems logically correct but maybe I am missing something about how this works in SSL. If someone can explain this to me it would be appreciated. The MySql manual does not explain it.

In general the documentation for MySql SSL in section 5.5.7 of the MySql manual is pretty abysmal, which makes me think that either no one ever uses SSL in MySql, MySql is an inadequate database for SSL, or that no one cares to actually explain how SSL works under MySql. I am hoping that someone knows how this works from the programming point of view and can explain it adequately to me or actually point me to documentation/examples which do explain it.
Building MySql for Windows with SSL

In the MySql manual section 5.5.7.2 it specifies how to build MySql on a Unix/Linux platform with SSL by using 'configure'. I need to build MySql for Windows with SSL support. In section 2.4.15.6.1 for building MySql for Windows it specifies the available options for using win/configure, but SSL is not among them. How then can I build MySql for Windows with SSL support?
Re: About combine ssl with mysql.

can you please share how you have solved that? Did you use mysql -u root -p --ssl when connecting?

Regards,
Chandru
www.mafiree.com

On Fri, Dec 12, 2008 at 1:15 PM, Moon's Father yueliangdao0...@gmail.com wrote:

> I have solved this problem. ^_^
>
> On Fri, Dec 12, 2008 at 10:54 AM, Moon's Father yueliangdao0...@gmail.com wrote:
>
>> Hi.
>>
>> I want to know how to connect mysqld with ssl encryption from windows or linux system. Any reply will be appreciated.
>>
>> Here is my status.
>>
>>     mysql> status
>>     --------------
>>     /usr/local/mysql-ytt/bin/mysql  Ver 14.14 Distrib 5.1.30, for pc-linux-gnu (i686) using EditLine wrapper
>>
>>     Connection id:          4
>>     Current database:
>>     Current user:           r...@localhost
>>     SSL:                    Cipher in use is DHE-RSA-AES256-SHA
>>     Current pager:          stdout
>>     Using outfile:          ''
>>     Using delimiter:        ;
>>     Server version:         5.1.30-log Source distribution
>>     Protocol version:       10
>>     Connection:             Localhost via UNIX socket
>>     Server characterset:    latin1
>>     Db     characterset:    latin1
>>     Client characterset:    latin1
>>     Conn.  characterset:    latin1
>>     UNIX socket:            /tmp/mysql3309.sock
>>     Uptime:                 1 hour 2 min 4 sec
>>
>>     Threads: 2  Questions: 15  Slow queries: 0  Opens: 15  Flush tables: 1  Open tables: 8  Queries per second avg: 0.4
>>     --------------
>>
>>     mysql> show variables like '%ssl%';
>>     +---------------+-----------------------------------------------+
>>     | Variable_name | Value                                         |
>>     +---------------+-----------------------------------------------+
>>     | have_openssl  | YES                                           |
>>     | have_ssl      | YES                                           |
>>     | ssl_ca        | /home/david_yeung/ssl/openssl/cacert.pem      |
>>     | ssl_capath    |                                               |
>>     | ssl_cert      | /home/david_yeung/ssl/openssl/server-cert.pem |
>>     | ssl_cipher    |                                               |
>>     | ssl_key       | /home/david_yeung/ssl/openssl/server-key.pem  |
>>     +---------------+-----------------------------------------------+
>>     7 rows in set (0.00 sec)
>>
>> Here is my.cnf.
>>
>>     [mysqld]
>>     # SSL options.
>>     ssl-ca=/home/david_yeung/ssl/openssl/cacert.pem
>>     ssl-cert=/home/david_yeung/ssl/openssl/server-cert.pem
>>     ssl-key=/home/david_yeung/ssl/openssl/server-key.pem
>>
>>     [client]
>>     # SSL options.
>>     ssl-ca=/home/david_yeung/ssl/openssl/cacert.pem
>>     ssl-cert=/home/david_yeung/ssl/openssl/client-cert.pem
>>     ssl-key=/home/david_yeung/ssl/openssl/client-key.pem
>>
>> Here is my user.
>>
>>     mysql> show grants for root@'%';
>>     +--------------------------------------------------------------------------------------------------------------------------+
>>     | Grants for r...@%                                                                                                        |
>>     +--------------------------------------------------------------------------------------------------------------------------+
>>     | GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9' REQUIRE SSL |
>>     +--------------------------------------------------------------------------------------------------------------------------+
>>     1 row in set (0.00 sec)
>>
>> --
>> I'm a MySQL DBA in china.
>> More about me just visit here: http://yueliangdao0608.cublog.cn
>
> --
> I'm a MySQL DBA in china.
> More about me just visit here: http://yueliangdao0608.cublog.cn
Re: About combine ssl with mysql.

I have solved this problem. ^_^

On Fri, Dec 12, 2008 at 10:54 AM, Moon's Father yueliangdao0...@gmail.com wrote:

> Hi.
>
> I want to know how to connect mysqld with ssl encryption from windows or linux system. Any reply will be appreciated.
>
> Here is my status.
>
>     mysql> status
>     --------------
>     /usr/local/mysql-ytt/bin/mysql  Ver 14.14 Distrib 5.1.30, for pc-linux-gnu (i686) using EditLine wrapper
>
>     Connection id:          4
>     Current database:
>     Current user:           r...@localhost
>     SSL:                    Cipher in use is DHE-RSA-AES256-SHA
>     Current pager:          stdout
>     Using outfile:          ''
>     Using delimiter:        ;
>     Server version:         5.1.30-log Source distribution
>     Protocol version:       10
>     Connection:             Localhost via UNIX socket
>     Server characterset:    latin1
>     Db     characterset:    latin1
>     Client characterset:    latin1
>     Conn.  characterset:    latin1
>     UNIX socket:            /tmp/mysql3309.sock
>     Uptime:                 1 hour 2 min 4 sec
>
>     Threads: 2  Questions: 15  Slow queries: 0  Opens: 15  Flush tables: 1  Open tables: 8  Queries per second avg: 0.4
>     --------------
>
>     mysql> show variables like '%ssl%';
>     +---------------+-----------------------------------------------+
>     | Variable_name | Value                                         |
>     +---------------+-----------------------------------------------+
>     | have_openssl  | YES                                           |
>     | have_ssl      | YES                                           |
>     | ssl_ca        | /home/david_yeung/ssl/openssl/cacert.pem      |
>     | ssl_capath    |                                               |
>     | ssl_cert      | /home/david_yeung/ssl/openssl/server-cert.pem |
>     | ssl_cipher    |                                               |
>     | ssl_key       | /home/david_yeung/ssl/openssl/server-key.pem  |
>     +---------------+-----------------------------------------------+
>     7 rows in set (0.00 sec)
>
> Here is my.cnf.
>
>     [mysqld]
>     # SSL options.
>     ssl-ca=/home/david_yeung/ssl/openssl/cacert.pem
>     ssl-cert=/home/david_yeung/ssl/openssl/server-cert.pem
>     ssl-key=/home/david_yeung/ssl/openssl/server-key.pem
>
>     [client]
>     # SSL options.
>     ssl-ca=/home/david_yeung/ssl/openssl/cacert.pem
>     ssl-cert=/home/david_yeung/ssl/openssl/client-cert.pem
>     ssl-key=/home/david_yeung/ssl/openssl/client-key.pem
>
> Here is my user.
>
>     mysql> show grants for root@'%';
>     +--------------------------------------------------------------------------------------------------------------------------+
>     | Grants for r...@%                                                                                                        |
>     +--------------------------------------------------------------------------------------------------------------------------+
>     | GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD '*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9' REQUIRE SSL |
>     +--------------------------------------------------------------------------------------------------------------------------+
>     1 row in set (0.00 sec)
>
> --
> I'm a MySQL DBA in china.
> More about me just visit here: http://yueliangdao0608.cublog.cn

--
I'm a MySQL DBA in china.
More about me just visit here: http://yueliangdao0608.cublog.cn
SSL Connection and empty SSL_CIPHER

Hello,

I just started playing around with SSL enabled connections to the MySQL server, and so far I got everything working except that the SSL_CIPHER variable always stays empty.

First I created a CA cert+key pair, then both a MySQL Server and Client cert+key pair, both signed by the CA cert. I configured ca-cert, ssl-cert and ssl-key for the Server at /etc/mysql/my.cnf and restarted the server. Now I checked whether SSL support was enabled:

    mysql> SHOW VARIABLES LIKE '%SSL%';
    +---------------+-----------------------------------+
    | Variable_name | Value                             |
    +---------------+-----------------------------------+
    | have_openssl  | YES                               |
    | have_ssl      | YES                               |
    | ssl_ca        | /etc/ssl/certs/ca.crt             |
    | ssl_capath    |                                   |
    | ssl_cert      | /etc/ssl/private/mysql-server.crt |
    | ssl_cipher    |                                   |
    | ssl_key       | /etc/ssl/private/mysql-server.key |
    +---------------+-----------------------------------+

Now I limited MySQL remote connections for user 'jonas' to SSL:

    mysql> GRANT ALL ON *.* TO jonas REQUIRE SUBJECT '...' AND ISSUER '...';

After first getting errors because of slightly wrong subject and issuer strings, that one worked as well:

    $ mysql -u jonas -p --host=mysql-host --skip-ssl
    Enter password:
    ERROR 1045 (28000): Access denied for user 'jonas'@'localhost' (using password: YES)

    $ mysql -u jonas -p --host=mysql-host --ssl-ca=ca.crt --ssl-key=mysql-client.key --ssl-cert=mysql-client.crt
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 389
    Server version: 5.0.51a-12-log (Debian)

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

So far everything works great. But for some reason, the SSL connection doesn't have a Cipher set:

    mysql> SHOW VARIABLES LIKE '%SSL%';
    +---------------+-----------------------------------+
    | Variable_name | Value                             |
    +---------------+-----------------------------------+
    | have_openssl  | YES                               |
    | have_ssl      | YES                               |
    | ssl_ca        | /etc/ssl/certs/ca.crt             |
    | ssl_capath    |                                   |
    | ssl_cert      | /etc/ssl/private/mysql-server.crt |
    | ssl_cipher    |                                   |
    | ssl_key       | /etc/ssl/private/mysql-server.key |
    +---------------+-----------------------------------+
    7 rows in set (0.01 sec)

Do you have any suggestions why that could be? I also tried setting the cipher manually with --ssl-cipher=DHE-RSA-AES256-SHA, but that doesn't help either.

To be honest, I've no idea why the cipher is empty.

Thanks in advance for any help :-)

greetings,
jonas

PS: please Cc me on replies as I'm not subscribed to the list.
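The ssl_cipher row that SHOW VARIABLES prints is the server's configured cipher restriction (a system variable, empty unless ssl-cipher is set in my.cnf); the cipher a session actually negotiated is reported by the status variables Ssl_cipher and Ssl_version (SHOW SESSION STATUS LIKE 'Ssl_%'), and by the "SSL: Cipher in use is ..." line of the client's status command as in the thread above. The script below is an added example, not code from the thread or from MySQL: it parses the batch output of that SHOW STATUS query (the invocation in the docstring is assumed; the three session outputs are constructed) and classifies the session as plaintext, weak, legacy-protocol or acceptable, which is the check a monitoring job would run rather than reading SHOW VARIABLES.

```python
"""Tell whether a MySQL session actually negotiated TLS, and with which cipher.

Constructed example, not code from the thread.  It reads the batch output of
(assumed invocation):

    mysql -u jonas -p --host=mysql-host --ssl-ca=ca.crt --ssl-cert=mysql-client.crt \
          --ssl-key=mysql-client.key -B -e "SHOW SESSION STATUS LIKE 'Ssl_%'"

Ssl_cipher and Ssl_version are *status* variables describing this connection;
the ssl_cipher *system* variable shown by SHOW VARIABLES is only the server's
configured cipher restriction and is normally empty.
"""
from typing import Dict, Tuple

# Cipher-suite name fragments that mark a suite as unacceptable today.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "MD5", "ADH", "AECDH", "DES-CBC-SHA")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def parse_status(text: str) -> Dict[str, str]:
    """Parse 'Variable_name<TAB>Value' rows; the header line, if present, is skipped."""
    status = {}
    for line in text.splitlines():
        name, sep, value = line.partition("\t")
        if not sep or name == "Variable_name":
            continue
        status[name.strip()] = value.strip()
    return status


def assess_session(status: Dict[str, str]) -> Tuple[str, str]:
    """Classify the session as PLAINTEXT, WEAK_CIPHER, LEGACY_PROTOCOL or OK."""
    cipher = status.get("Ssl_cipher", "")
    version = status.get("Ssl_version", "")
    if not cipher:
        return "PLAINTEXT", "Ssl_cipher is empty: no TLS was negotiated for this session"
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        return "WEAK_CIPHER", f"{cipher} offers no meaningful protection"
    if version in LEGACY_PROTOCOLS:
        return "LEGACY_PROTOCOL", f"{cipher} negotiated, but over {version}"
    return "OK", f"{cipher} over {version or 'unreported TLS version'}"


# Constructed outputs for three sessions (not captured from a real server).
PLAINTEXT_SESSION = "Variable_name\tValue\nSsl_cipher\t\nSsl_version\t\n"
OLD_TLS_SESSION = "Variable_name\tValue\nSsl_cipher\tDHE-RSA-AES256-SHA\nSsl_version\tTLSv1\n"
MODERN_SESSION = "Variable_name\tValue\nSsl_cipher\tECDHE-RSA-AES128-GCM-SHA256\nSsl_version\tTLSv1.2\n"

if __name__ == "__main__":
    for label, raw in (("plaintext", PLAINTEXT_SESSION), ("old", OLD_TLS_SESSION), ("modern", MODERN_SESSION)):
        verdict, why = assess_session(parse_status(raw))
        print(f"{label:<10} {verdict:<16} {why}")
```

An account with REQUIRE SSL that still shows an empty Ssl_cipher means the client was let in without TLS, which is exactly the condition the GRANT was meant to rule out and is worth alerting on.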
mysql 5.0.51b and ssl

hi all...

i just installed openssl 0.9.8h and trying to build mysql 5.0.51b with it on a freebsd 7 machine. i get this:

    /usr/bin/ld: /usr/local/ssl/lib/libssl.a(t1_srvr.o): relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC
    /usr/local/ssl/lib/libssl.a: could not read symbols: Bad value

any ideas?

thanks...
Re: mysql 5.0.51b and ssl

from what i understand this is not uncommon. and it goes back to 2005. and it has to do with the fact that the machine identifies itself as amd64 even though it's an intel machine.

what's not clear is what needs to be recompiled with -fPIC?! my guess is openssl needs to. why?

are there any flags i can change in the Makefile for the mysql build? does it have to be a 'shared'? static?!

thanks...

kalin m wrote:

> hi all...
>
> i just installed openssl 0.9.8h and trying to build mysql 5.0.51b with it on a freebsd 7 machine. i get this:
>
>     /usr/bin/ld: /usr/local/ssl/lib/libssl.a(t1_srvr.o): relocation R_X86_64_32 can not be used when making a shared object; recompile with -fPIC
>     /usr/local/ssl/lib/libssl.a: could not read symbols: Bad value
>
> any ideas?
>
> thanks...
>
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to [EMAIL PROTECTED]
Clarification on SSL options needed
Hello, I'm trying to set up SSL for my MySQL server. As my understanding of SSL is still a bit shaky and the MySQL documentation on the subject a bit terse, I thought I'd ask a few questions to make sure I haven't misunderstood anything:

1. Is the --ssl-ca option to mysqld the public key used by the server to verify the identity of clients? In that case, is --ssl-ca unnecessary if the server doesn't need to verify client identities? If it is always necessary, then what is it used for in case the server doesn't verify client identities?

2. Is the argument of the client's --ssl-ca option the public key used to verify the certificate received from the server? If the server is registered with a CA, is it meant to be the public key of the CA the server is registered with?

3. What is the minimal number of certificates/keys that need to be generated/distributed in case the server doesn't need to verify client identities? If I've understood SSL correctly, it should just be a private key and a certificate (that contains the public key and is signed with the CA's private key) for the server, as well as the CA's public key for the client.

Any help/clarification appreciated,
Ulf Magnusson
Re: SSL Problem with outdated certificates
Actually I fixed the problem by generating a whole new set of SSL certificates!

Thanks for the help!

Regards, Samy

[EMAIL PROTECTED] wrote:
> Hey,
>
> This morning the default timespan of ssl certificates took my servers down... Everything was running fine, but this morning the SSL encrypted MySQL connections stopped working! Then I realized that the problem was that the certificates ran out this morning.
>
> The first solution that I found on the Internet was:
>
> openssl x509 -days 365 -in cacert.pem -out new.pem -signkey server-key.pem
>
> After this moving new.pem in place of cacert.pem. This worked fine and the certificate is now shown to run one year from now. But still I get an SSL connection error upon connect, just like before:
>
> ERROR 2026 (HY000): SSL connection error
>
> I'm testing this with a local connection! Could anybody give me a hint?
>
> Regards, Samy
SSL Problem with outdated certificates
Hey,

This morning the default timespan of ssl certificates took my servers down... Everything was running fine, but this morning the SSL encrypted MySQL connections stopped working! Then I realized that the problem was that the certificates ran out this morning.

The first solution that I found on the Internet was:

openssl x509 -days 365 -in cacert.pem -out new.pem -signkey server-key.pem

After this moving new.pem in place of cacert.pem. This worked fine and the certificate is now shown to run one year from now. But still I get an SSL connection error upon connect, just like before:

ERROR 2026 (HY000): SSL connection error

I'm testing this with a local connection! Could anybody give me a hint?

Regards, Samy
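The "Clarification on SSL options needed" post and the expired-certificate thread above come down to one openssl procedure, so a single added example covers both. It is not code from any of the posters or from MySQL; it assumes only that openssl is in PATH, and the subject names, file names and validity periods are made up. It creates the CA, then a server and a client certificate signed by that CA, verifies each against the CA the way the peer will, checks that each private key belongs to its certificate (OpenSSL's X509_check_private_key, whose "key values mismatch" error is quoted in the 4.1 post further down this page), flags certificates that expire within a given window, and finally repeats the renewal recipe from the thread, `openssl x509 -signkey server-key.pem` on the CA certificate, to show why it still produced ERROR 2026: `-signkey` not only re-signs the CA certificate with the server key, it also replaces the certificate's public key with that key, so the signature the real CA key put on server-cert.pem can no longer be verified and the handshake fails exactly as before the "renewal".

```shell
#!/bin/sh
# Added example (not from the thread): the minimal MySQL SSL material built
# with openssl, the checks the peers perform on it, and the failure mode of
# re-signing the CA certificate with the server key.
# Assumptions: openssl in PATH; subject names and validity periods are made up.
set -eu

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# make_ca DAYS: CA private key and self-signed CA certificate.
# ca-cert.pem is what both sides point --ssl-ca at; ca-key.pem never leaves
# the signing host.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=Example MySQL CA" \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
}

# make_cert PREFIX CN DAYS: end-entity key, CSR and CA-signed certificate.
# The same function serves the server (mysqld) and a client (mysql, a replica).
make_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1-key.pem" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -days "$3" -out "$1-cert.pem" 2>/dev/null
}

# verify_cert PREFIX: does PREFIX-cert.pem chain to ca-cert.pem?
verify_cert() {
    openssl verify -CAfile ca-cert.pem "$1-cert.pem" >/dev/null 2>&1
}

# key_matches_cert PREFIX: does the private key belong to the certificate?
# (What X509_check_private_key does; a mismatch is the error quoted later on.)
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1-cert.pem")" = \
      "$(openssl pkey -pubout -in "$1-key.pem" 2>/dev/null)" ]
}

# still_valid_for FILE SECONDS: exit 0 if FILE stays valid for SECONDS more,
# 1 if it expires sooner or has expired already (run this from cron).
still_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# broken_renewal: the recipe from the thread. x509 -signkey makes the CA
# certificate self-signed with server-key.pem AND swaps in that key's public
# key, so server-cert.pem (signed by the real CA key) no longer verifies.
# Returns 0 when the breakage is confirmed, 1 if verification unexpectedly passes.
broken_renewal() {
    openssl x509 -days 365 -in ca-cert.pem -signkey server-key.pem \
        -out ca-resigned.pem 2>/dev/null
    if openssl verify -CAfile ca-resigned.pem server-cert.pem >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Build the set: one-year CA and server certificate, plus a client
# certificate that expires tomorrow to exercise the expiry check.
make_ca 365
make_cert server mysql-host 365
make_cert client jonas 1

verify_cert server && key_matches_cert server && echo "server: chain and key OK"
verify_cert client && key_matches_cert client && echo "client: chain and key OK"
still_valid_for server-cert.pem 2592000 && echo "server-cert.pem: more than 30 days left"
still_valid_for client-cert.pem 604800 || echo "client-cert.pem: expires within 7 days"
broken_renewal && echo "re-signed CA: server-cert.pem no longer verifies against it"
```

For server-only authentication the server gets ca-cert.pem, server-key.pem and server-cert.pem, and the client needs nothing but ca-cert.pem; a client key and certificate only matter once the account is created with REQUIRE X509, SUBJECT or ISSUER (REQUIRE X509 already implies an SSL connection, which is the answer to the "X509 and SSL" question further down), and the client then connects as in the first post, with --ssl-ca, --ssl-cert and --ssl-key. When a certificate expires, renew it by issuing a new one from the CA key, never by re-signing with some other key; `openssl verify -CAfile` against the new file is the check that would have caught the broken renewal before it went into my.cnf.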
Re: 5.1.14-beta with ssl build failure
Chris White wrote:
> Duncan Hutty wrote:
>> I attempted to build 5.1.14-beta with ssl support and it failed (output below). It builds quite happily on this system without the ssl support parameter to configure. Since it appears to fail in an area (timezone system) that to me seems rather unrelated, I wondered if something odd was afoot.
>>
>> x86-suse9.3, openssl-0.9.8d, gcc-3.4.6 (or gcc-4.1.1) using:
>>
>> CFLAGS=-O3 CXX=gcc \
>> CXXFLAGS=-O3 -felide-constructors \
>> -fno-exceptions -fno-rtti \
>
> Kill all this and try changing -O3 to -O2 as -O3 optimizations can get dicey sometimes, especially when it comes into C++ oddities.
>
>> ./configure --with-ndbcluster \
>> --with-ssl=/usr/local/openssl \
>> --enable-assembler
>> make
>
> Also, it seems to be failing during the linking stage, so take a look at throwing out --enable-assembler and see what happens.

Thanks for the suggestions, but they didn't change the result.

-- Duncan Hutty
System Administrator, ECE
Carnegie Mellon University
Please use informative subject lines
Re: 5.1.14-beta with ssl build failure
It is unfortunate that mysql does not offer a binary version with ssl support for Linux. Does anyone know why? It can't be for export reasons, as they do offer a windows version with SSL support.

Aaron Cannon

-- Skype: cannona
MSN/Windows Messenger: [EMAIL PROTECTED] (don't send email to the hotmail address.)
5.1.14-beta with ssl build failure
I attempted to build 5.1.14-beta with ssl support and it failed (output below). It builds quite happily on this system without the ssl support parameter to configure. Since it appears to fail in an area (timezone system) that to me seems rather unrelated, I wondered if something odd was afoot.

x86-suse9.3, openssl-0.9.8d, gcc-3.4.6 (or gcc-4.1.1) using:

CFLAGS=-O3 CXX=gcc \
CXXFLAGS=-O3 -felide-constructors \
-fno-exceptions -fno-rtti \
./configure --with-ndbcluster \
--with-ssl=/usr/local/openssl \
--enable-assembler
make

Any suggestions?

-- Duncan Hutty
System Administrator, ECE
Carnegie Mellon University

gcc -O3 -felide-constructors -fno-exceptions -fno-rtti -fno-implicit-templates -fno-exceptions -fno-rtti -rdynamic -o mysql_tzinfo_to_sql mysql_tzinfo_to_sql.o ../vio/libvio.a ../mysys/libmysys.a ../dbug/libdbug.a ../regex/libregex.a ../strings/libmystrings.a -lz -lpthread -lcrypt -lnsl -lm -lpthread
/usr/lib/crt1.o(.text+0x18): In function `_start':
../sysdeps/i386/elf/start.S:115: undefined reference to `main'
mysql_tzinfo_to_sql.o(.text+0x3ab): In function `Time_zone_system::TIME_to_gmt_sec(st_mysql_time const*, char*) const':
mysql_tzinfo_to_sql.cc: undefined reference to `my_system_gmt_sec'
mysql_tzinfo_to_sql.o(.text+0x3ef): In function `Time_zone_system::gmt_sec_to_TIME(st_mysql_time*, long) const':
mysql_tzinfo_to_sql.cc: undefined reference to `localtime_to_TIME(st_mysql_time*, tm*)'
mysql_tzinfo_to_sql.o(.text+0x45f): In function `Time_zone_utc::gmt_sec_to_TIME(st_mysql_time*, long) const':
mysql_tzinfo_to_sql.cc: undefined reference to `localtime_to_TIME(st_mysql_time*, tm*)'
mysql_tzinfo_to_sql.o(.text+0x167a): In function `my_tz_find(String const*, st_table_list*)':
mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x1729):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x1749):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x1764):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x1e91):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x1fe9):mysql_tzinfo_to_sql.cc: more undefined references to `sql_print_error(char const*, ...)' follow
mysql_tzinfo_to_sql.o(.text+0x20e7): In function `my_tz_init(THD*, char const*, char)':
mysql_tzinfo_to_sql.cc: undefined reference to `THD::THD()'
mysql_tzinfo_to_sql.o(.text+0x2117):mysql_tzinfo_to_sql.cc: undefined reference to `THD::store_globals()'
mysql_tzinfo_to_sql.o(.text+0x23c4):mysql_tzinfo_to_sql.cc: undefined reference to `simple_open_n_lock_tables(THD*, st_table_list*)'
mysql_tzinfo_to_sql.o(.text+0x24ed):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x250e):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_warning(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x2571):mysql_tzinfo_to_sql.cc: undefined reference to `global_system_variables'
mysql_tzinfo_to_sql.o(.text+0x25a6):mysql_tzinfo_to_sql.cc: undefined reference to `close_thread_tables(THD*, bool, bool)'
mysql_tzinfo_to_sql.o(.text+0x25d8):mysql_tzinfo_to_sql.cc: undefined reference to `THD::store_globals()'
mysql_tzinfo_to_sql.o(.text+0x25f6):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x2615):mysql_tzinfo_to_sql.cc: undefined reference to `THR_THD'
mysql_tzinfo_to_sql.o(.text+0x262f):mysql_tzinfo_to_sql.cc: undefined reference to `THR_MALLOC'
mysql_tzinfo_to_sql.o(.text+0x2645):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x268b):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x26de):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x2748):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x2770):mysql_tzinfo_to_sql.cc: undefined reference to `sql_print_error(char const*, ...)'
mysql_tzinfo_to_sql.o(.text+0x28cb): In function `my_tz_find_with_opening_tz_tables(THD*, String const*)':
mysql_tzinfo_to_sql.cc: undefined reference to `simple_open_n_lock_tables(THD*, st_table_list*)'
mysql_tzinfo_to_sql.o(.text+0x28fd):mysql_tzinfo_to_sql.cc: undefined reference to `close_thread_tables(THD*, bool, bool)'
collect2: ld returned 1 exit status
make[4]: *** [mysql_tzinfo_to_sql] Error 1
make[4]: Leaving directory `/home/dhutty/build/mysql-5.1.14-beta/sql'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/dhutty/build/mysql-5.1.14-beta/sql'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/dhutty/build/mysql-5.1.14-beta/sql
Re: 5.1.14-beta with ssl build failure
Duncan Hutty wrote:
> I attempted to build 5.1.14-beta with ssl support and it failed (output below). It builds quite happily on this system without the ssl support parameter to configure. Since it appears to fail in an area (timezone system) that to me seems rather unrelated, I wondered if something odd was afoot.
>
> x86-suse9.3, openssl-0.9.8d, gcc-3.4.6 (or gcc-4.1.1) using:
>
> CFLAGS=-O3 CXX=gcc \
> CXXFLAGS=-O3 -felide-constructors \
> -fno-exceptions -fno-rtti \

Kill all this and try changing -O3 to -O2 as -O3 optimizations can get dicey sometimes, especially when it comes into C++ oddities.

> ./configure --with-ndbcluster \
> --with-ssl=/usr/local/openssl \
> --enable-assembler
> make

Also, it seems to be failing during the linking stage, so take a look at throwing out --enable-assembler and see what happens.
Unable to GRANT REPLICATION REQUIRE X509 and SSL
Is it possible to require both secure connections and x509 verification on a replication user? If so, what's the syntax? I couldn't find references to this use in the manual, lists or bug tracking system.

Using mysql 4.1.21

10x, Amit
using SSL certificates when connecting to mysqld
Hi.

mysql --version
mysql Ver 14.7 Distrib 4.1.21, for pc-linux-gnu (i686) using readline 5.1

I'm trying to secure a replication connection between a master and a slave. However, it seems to me that the issue I'm facing relates to any SSL client-server connection, so the scenario I'll be specifying relates to connecting a mysql client console to mysqld with SSL.

1. I've created the necessary certificates, as mentioned in http://dev.mysql.com/doc/refman/4.1/en/secure-create-certs.html.

2. I've configured [mysql] and [mysqld] appropriately to use these files.

[mysql]
ssl-ca=/var/lib/mysql/cacert.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
...
[mysqld]
ssl-ca=/var/lib/mysql/cacert.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem

3. Client connects to server securely. Verified this as stipulated in manual:

mysql --ssl -p
Enter password:
...
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

4. I then went and trashed the client certificate, as well as the CA certificate. I get the following:

# mysql --ssl -p
Enter password:
Error when connection to server using SSL:24163:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399: Unable to get private key from '/var/lib/mysql/client-cert.pem'
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 4.1.21-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

5. Seems like an SSL connection is established, though certificates apparently weren't validated.

6. More so, I noticed the variable 'Ssl_verify_mode':

mysql> show status like '%ssl_v%';
+------------------+------------+
| Variable_name    | Value      |
+------------------+------------+
| Ssl_verify_depth | 4294967295 |
| Ssl_verify_mode  | 5          |
| Ssl_version      | TLSv1      |
+------------------+------------+

I couldn't find any reference to this in mysql's manual. Assuming this is openssl's, I believe 5 is 0x101, i.e. SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE. Is this true? Is there any way to change this mode via MySQL's options?

Same issues arise when I setup a replication connection with SSL.

Is SSL in MySQL then encrypted, yet-not-secure (in terms of identification)?

Thanks, Amit
Re: SSL Connections Feature?
Ah well, got it done on my own. This might help someone else trying to do this:

http://homepage.mac.com/kelleherk/iblog/C711669388/E20061121141451/index.html

On Nov 21, 2006, at 11:41 AM, Kieran Kelleher wrote:
> We have been doing onsite replication for a few years and now we want to enable client connections over SSL to support secure offsite replication, however it seems the prebuilt binaries do not have the SSL option built in. So I guess I need to build MySQL from source with the SSL option. I have not found too much in the MySQL Manual or via Google. Has anyone got a recipe for MySQL 4.1 build procedure on Mac OS X Tiger?
>
> Regards, Kieran
SSL on MySQL 5.0.22
Hi,

I am using 5.0.22 on Windows. As I read in the reference manual, almost ALL SSL values/options are specific to 5.1.x versions. Do I stand _ANY_ chance to use SSL anyway? Specifically, I want to know exactly HOW I can enable SSL support for MySQL on Windows using which options, variables, etc.

Thanks in advance,
-- Asif
SSL on MySQL 5.0.22
Hi,

How can I connect from a Windows client (VB/ODBC Connector) to a MySQL Server 5.0.22, also running on Windows (Max version installed as a service using Local-Service Account) with all tables using InnoDB storage engine USING SSL? Perhaps using OpenSSL on a Linux-based installation would be easier. But mine is a Windows-based MySQL Server.

Any hints, comments, help?

-- Best regards, Asif
Re: How to find out about SSL connection?
Hi Yves, all!

Yves Goergen wrote:
> On 30.05.2006 16:28 (+0100), Joerg Bruehe wrote:
>> To find out whether your server(s) support(s) or not, you need to check the corresponding variables. All this is described in the manual, section 5.9.7. Using Secure Connections:
>
> I still think that the client should actually inform me when I select "use SSL" and it doesn't.

By some kind of information / warning after you had selected that button, the client tried, and the connection did not get established. Yes, I understand that desire.

According to your description below, where you got "Could not connect ...", you are given this warning if establishing the connection fails. So the remaining case is a client trying to connect to a server which does not support SSL, or does not have it switched on (lacks a certificate).

Please check the bugs database for this, and submit a feature request if none such is present yet.

> Now I think I managed to make MySQL 5 accept SSL connections, at least that have_openssl variable has turned from DISABLED to YES. I added an

AIUI, this shows your server does support SSL, and you now successfully switched it on.

> SSL certificate to the my.cnf file. But now I can only connect to the server from Query Browser without the SSL checkbox. When it's checked, it says "Could not connect to the specified instance. MySQL Error Number 0". The ping works fine, without SSL I can connect to the server.

I am no SSL expert, but AIUI you need client and server to use the same (or at least somehow related) certificates. Please go back to the manual section I referred to, AFAIR it contains a description of this requirement.

Regards, Joerg

-- Joerg Bruehe, Senior Production Engineer
MySQL AB, www.mysql.com
Re: How to find out about SSL connection?
On 31.05.2006 10:21 (+0100), Joerg Bruehe wrote:
> According to your description below, where you got "Could not connect ...", you are given this warning if establishing the connection fails. So the remaining case is a client trying to connect to a server which does not support SSL, or does not have it switched on (lacks a certificate).

Below was *after* I enabled SSL in the server. *before* there was no warning but an unencrypted connection.

> Please check the bugs database for this, and submit a feature request if none such is present yet.

So I need yet another account for your bug tracker...

> I am no SSL expert, but AIUI you need client and server to use the same (or at least somehow related) certificates.

The client needs what? Since when is it that a client needs a certificate, too, to use an SSL-encrypted connection to a server?!

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
Re: How to find out about SSL connection?
Hi Yves, all!

Yves Goergen wrote:
> On 31.05.2006 10:21 (+0100), Joerg Bruehe wrote:
>> According to your description below, where you got "Could not connect ...", you are given this warning if establishing the connection fails. So the remaining case is a client trying to connect to a server which does not support SSL, or does not have it switched on (lacks a certificate).
>
> Below was *after* I enabled SSL in the server. *before* there was no warning but an unencrypted connection.

Yes, I got that - so you desire the client to inform you if it has to use an un-encrypted connection, because the server does not support SSL.

>> Please check the bugs database for this, and submit a feature request if none such is present yet.
>
> So I need yet another account for your bug tracker...

Hmm ... - I do not get why you need yet another account for this, but if you want a feature, you have to ask for it via such a request.

>> I am no SSL expert, but AIUI you need client and server to use the same (or at least somehow related) certificates.
>
> The client needs what? Since when is it that a client needs a certificate, too, to use an SSL-encrypted connection to a server?!

I said I am no SSL expert, I just go by this quote from the manual:

| To establish a secure connection to a MySQL server with yaSSL
| support, start a client like this:
|
| shell> mysql --ssl-ca=cacert.pem \
|              --ssl-cert=client-cert.pem \
|              --ssl-key=client-key.pem
|
| In other words, the options are similar to those used for the server.
| Note that the Certificate Authority certificate has to be the same.

from: http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html

HTH, Joerg

-- Joerg Bruehe, Senior Production Engineer
MySQL AB, www.mysql.com
Re: How to find out about SSL connection?
On 31.05.2006 12:47 (+0100), Joerg Bruehe wrote:
> I said I am no SSL expert, I just go by this quote from the manual:

Yes, I saw that. But it doesn't apply on Query Browser because there is no such option available in the UI.

Btw, I cannot connect to MySQL5+SSL with Query Browser/Win but I can connect to it with mysql/Linux with the --ssl parameter (through a hostname with a different IP, not a named pipe). But it also doesn't use any SSL, although explicitly specified and offered by the server. Seems like SSL isn't really a production level thing yet.

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
Re: How to find out about SSL connection?
On 31.05.2006 14:46 (+0100), Paul DuBois wrote:
> --ssl on the client side (mysql) isn't sufficient to enable an SSL connection, as stated in the manual. That's why Joerg indicated the use of the other options.

Why do I need to provide the client with a certificate? I don't have one and I also don't want to create one and distribute it to any computer I might want to connect from using SSL. No browser, no FTP client, no MUA needs an SSL cert, so what's up with MySQL? (At least they all don't bug the user with supplying one. I'm no SSL developer either.)

And what is that CA thing at all? I don't have anything like that. I only have a certificate (public and private key). All other SSL-enabled services work fine with that. Is there no easy way to say MySQL "here's your certificate, and now go do something useful"? At least it looks like the MySQL server doesn't require a CA, as opposed to what the doc says.

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
Re: How to find out about SSL connection?
On 21.05.2006 00:16 (+0100), Yves Goergen wrote:
> Hello,
>
> I'm using MySQL Query Browser on Windows XP to connect to a remote MySQL 4.0 and 5.0 database server, both on Linux. In Query Browser, I can check the options "Use SSL if available" but how do I know if it is available and used? I couldn't find any SQL command to show me the encryption status of connections. What use has an option "SSL if you can" if I can't find out whether it actually does SSL or not... I simply require it to do and to not connect at all if it can't.

So do I see this right that MySQL Query Browser for Windows does *not* support SSL and keeps me confused about whether it does? I really think this is a bug that needs to be fixed, either way. Remove that SSL button or make it work. When I see a feature, I expect it to work. But definitely not to not work *and* not tell me so.

Is there any free alternative to Query Browser that does support SSL meanwhile?

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
Re: How to find out about SSL connection?
Hi Yves, all!

Yves Goergen wrote:
> On 21.05.2006 00:16 (+0100), Yves Goergen wrote:
>> Hello,
>>
>> I'm using MySQL Query Browser on Windows XP to connect to a remote MySQL 4.0 and 5.0 database server, both on Linux. In Query Browser, I can check the options "Use SSL if available" but how do I know if it is available and used? I couldn't find any SQL command to show me the encryption status of connections. What use has an option "SSL if you can" if I can't find out whether it actually does SSL or not... I simply require it to do and to not connect at all if it can't.
>
> So do I see this right that MySQL Query Browser for Windows does *not* support SSL and keeps me confused about whether it does? I really think this is a bug that needs to be fixed, either way. Remove that SSL button or make it work. When I see a feature, I expect it to work. But definitely not to not work *and* not tell me so.

It seems you are mistaken about what is needed for SSL communication.

In order to use SSL, you first need both a server and a client that include this feature. As you are running a distributed system, server and client on different platforms, you can easily get into the situation that only one of them does support it.

From your description, it seems that your Query Browser can use SSL. But on some platforms, the addition of SSL into the published binaries was quite a recent change - around 5.0.20, AFAIR, please check the announcement mails (or the "News" section in the manual). So unless you built your own server binaries, it is quite likely that your 4.0 server does not support SSL, and for 5.0 it depends on the exact version.

To find out whether your server(s) support(s) or not, you need to check the corresponding variables. All this is described in the manual, section 5.9.7. Using Secure Connections:
http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html

[[...]]

HTH,
Joerg Bruehe

-- Joerg Bruehe, Senior Production Engineer
MySQL AB, www.mysql.com
Re: How to find out about SSL connection?
On 30.05.2006 16:28 (+0100), Joerg Bruehe wrote:
> To find out whether your server(s) support(s) or not, you need to check the corresponding variables. All this is described in the manual, section 5.9.7. Using Secure Connections:

I still think that the client should actually inform me when I select "use SSL" and it doesn't.

Now I think I managed to make MySQL 5 accept SSL connections, at least that have_openssl variable has turned from DISABLED to YES. I added an SSL certificate to the my.cnf file. But now I can only connect to the server from Query Browser without the SSL checkbox. When it's checked, it says "Could not connect to the specified instance. MySQL Error Number 0". The ping works fine, without SSL I can connect to the server.

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
Re: How to find out about SSL connection?
On 21.05.2006 07:35 (+0100), paul rivers wrote:
> Are you certain? Which version are you running?

I don't have it on MySQL 4.0 and on MySQL 5.0 it has the value 0 so I guess it's not connecting through SSL.

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
Re: How to find out about SSL connection?
Why am I suddenly getting huge volumes of mail about SQL? What forum is this, and how do I get out of it?

++ Phil Robbins
Auckland
New Zealand ++
How to find out about SSL connection?
Hello,

I'm using MySQL Query Browser on Windows XP to connect to a remote MySQL 4.0 and 5.0 database server, both on Linux. In Query Browser, I can check the options "Use SSL if available" but how do I know if it is available and used? I couldn't find any SQL command to show me the encryption status of connections. What use has an option "SSL if you can" if I can't find out whether it actually does SSL or not... I simply require it to do and to not connect at all if it can't.

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
RE: How to find out about SSL connection?
I've wrestled with the same question. The only options I came up with were:

- Do as you suggest and require SSL for the account.
- Inspect the 'show status' variable of Ssl_accepts after a connection attempt on an otherwise quiet mysql instance.
- Sniff the traffic between client and server, but this is actually non trivial to determine if the traffic is really encrypted, especially if compression is used.

If there is another method, I would be interested in hearing it as well.

Regards,
Paul

-----Original Message-----
From: Yves Goergen [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 20, 2006 3:17 PM
To: List: MySQL
Subject: How to find out about SSL connection?

Hello,

I'm using MySQL Query Browser on Windows XP to connect to a remote MySQL 4.0 and 5.0 database server, both on Linux. In Query Browser, I can check the options "Use SSL if available" but how do I know if it is available and used? I couldn't find any SQL command to show me the encryption status of connections. What use has an option "SSL if you can" if I can't find out whether it actually does SSL or not... I simply require it to do and to not connect at all if it can't.

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de - My web laboratory.
RE: How to find out about SSL connection?
And of course just as I send this to a public list, I realize there is also Ssl_version and Ssl_verify_mode, which seem to be session level counters to give us the information we are after here.

*sheepish*

-----Original Message-----
From: paul rivers [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 20, 2006 3:39 PM
To: 'Yves Goergen'; 'List: MySQL'
Subject: RE: How to find out about SSL connection?

I've wrestled with the same question. The only options I came up with were:

- Do as you suggest and require SSL for the account.
- Inspect the 'show status' variable of Ssl_accepts after a connection attempt on an otherwise quiet mysql instance.
- Sniff the traffic between client and server, but this is actually non trivial to determine if the traffic is really encrypted, especially if compression is used.

If there is another method, I would be interested in hearing it as well.

Regards,
Paul

-----Original Message-----
From: Yves Goergen [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 20, 2006 3:17 PM
To: List: MySQL
Subject: How to find out about SSL connection?

Hello,

I'm using MySQL Query Browser on Windows XP to connect to a remote MySQL 4.0 and 5.0 database server, both on Linux. In Query Browser, I can check the options "Use SSL if available" but how do I know if it is available and used? I couldn't find any SQL command to show me the encryption status of connections. What use has an option "SSL if you can" if I can't find out whether it actually does SSL or not... I simply require it to do and to not connect at all if it can't.

-- Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de - My web laboratory.
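Three posts on this page circle the same practical question: Jonas (the first post) sees an empty ssl_cipher although his session is encrypted, Amit (the 4.1 post) asks what Ssl_verify_mode 5 means, and Paul above suggests reading the Ssl_* status counters to tell whether a connection is encrypted. The added example below is not code from any of the posters or from MySQL; it works on two constructed status dumps that stand in for the tab-separated output of `mysql --batch -e "SHOW STATUS LIKE 'Ssl_%'"`, one from an encrypted session and one from a plaintext one. The point it pins down: the server variable ssl_cipher that Jonas queried with SHOW VARIABLES is the *configured* cipher list and stays empty unless --ssl-cipher was set, whereas the status variable Ssl_cipher (SHOW STATUS, also printed by the mysql client's `status` command as "SSL: Cipher in use is ...") is the cipher negotiated for the current connection and is empty only when that connection is not encrypted. Ssl_verify_mode is OpenSSL's SSL_VERIFY_* bitmask: 5 is SSL_VERIFY_PEER (1) | SSL_VERIFY_CLIENT_ONCE (4), and the absent SSL_VERIFY_FAIL_IF_NO_PEER_CERT (2) bit is why a handshake still completes when the client presents no usable certificate, as Amit observed; client identity therefore has to be enforced per account with REQUIRE X509, SUBJECT or ISSUER, not by the handshake alone.

```shell
#!/bin/sh
# Added example (not from the thread): decide from SHOW STATUS output whether
# a MySQL session is encrypted, and decode Ssl_verify_mode.
# The two dumps below are constructed; they mimic `mysql --batch -e
# "SHOW STATUS LIKE 'Ssl_%'"`, which prints tab-separated name/value rows.
set -eu

SAMPLE_TLS=$(printf 'Variable_name\tValue\nSsl_cipher\tDHE-RSA-AES256-SHA\nSsl_verify_depth\t4294967295\nSsl_verify_mode\t5\nSsl_version\tTLSv1\n')
SAMPLE_PLAIN=$(printf 'Variable_name\tValue\nSsl_cipher\t\nSsl_verify_depth\t0\nSsl_verify_mode\t0\nSsl_version\t\n')

# status_value NAME: print the Value column of row NAME from the dump on stdin
status_value() {
    awk -F'\t' -v k="$1" '$1 == k { print $2 }'
}

# session_encrypted: exit 0 if the dump on stdin shows a negotiated cipher.
# Ssl_cipher (status) is per connection; ssl_cipher (variable) is only the
# configured cipher list and says nothing about any session.
session_encrypted() {
    c=$(status_value Ssl_cipher)
    [ -n "$c" ]
}

# decode_verify_mode N: name the OpenSSL SSL_VERIFY_* bits set in N
# (SSL_VERIFY_PEER=1, SSL_VERIFY_FAIL_IF_NO_PEER_CERT=2, SSL_VERIFY_CLIENT_ONCE=4)
decode_verify_mode() {
    m=$1; out=""
    [ "$m" -eq 0 ] && { echo SSL_VERIFY_NONE; return; }
    [ $((m & 1)) -ne 0 ] && out="$out SSL_VERIFY_PEER"
    [ $((m & 2)) -ne 0 ] && out="$out SSL_VERIFY_FAIL_IF_NO_PEER_CERT"
    [ $((m & 4)) -ne 0 ] && out="$out SSL_VERIFY_CLIENT_ONCE"
    echo "${out# }"
}

# tls_verdict: one-line summary of the dump on stdin
tls_verdict() {
    dump=$(cat)
    if printf '%s\n' "$dump" | session_encrypted; then
        printf 'encrypted: %s, cipher %s, verify mode %s\n' \
            "$(printf '%s\n' "$dump" | status_value Ssl_version)" \
            "$(printf '%s\n' "$dump" | status_value Ssl_cipher)" \
            "$(decode_verify_mode "$(printf '%s\n' "$dump" | status_value Ssl_verify_mode)")"
    else
        echo 'plaintext: no cipher negotiated for this session'
    fi
}

printf '%s\n' "$SAMPLE_TLS"   | tls_verdict
printf '%s\n' "$SAMPLE_PLAIN" | tls_verdict
```

To use it against a live server, pipe the real `mysql --batch -e "SHOW STATUS LIKE 'Ssl_%'"` output into tls_verdict from the connection you are checking, since the Ssl_cipher status belongs to that connection, not to the server as a whole; a non-empty cipher settles the "is it encrypted" question without sniffing, and the account-level REQUIRE clause remains the only thing that refuses a plaintext login outright.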
Re: How to find out about SSL connection?
On 21.05.2006 00:38 (+0100), paul rivers wrote:
- Inspect the 'show status' variable Ssl_accepts after a connection attempt on an otherwise quiet mysql instance.

I have no such status variable in my server.

--
Yves Goergen "LonelyPixel" [EMAIL PROTECTED]
http://beta.unclassified.de - My web laboratory.
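The thread above never settles how to tell, from inside a session, whether it is encrypted, or how to make a plaintext login impossible rather than merely unlikely. The statements below are an added worked example and not part of any of the original messages. They assume a MySQL 5.x or later server (on 4.x the capability variable is `have_openssl` instead of `have_ssl`, and the `performance_schema.threads` query needs 5.7 or later); the account `'app'@'%'` and the certificate subjects are placeholders.

```sql
-- 1. Is TLS built in and usable on this server at all?
--    YES = usable, DISABLED = built in but no certificates configured, NO = not built in.
SHOW VARIABLES LIKE 'have_ssl';          -- 'have_openssl' on MySQL 4.x

-- 2. Is *this* session encrypted?  Ssl_cipher and Ssl_version are session-scoped;
--    an empty string means the current connection is plaintext.
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version');

-- 3. The server-wide counters Paul mentions.  They are GLOBAL, so they only prove
--    that *some* client completed a TLS handshake, not that yours did.
SHOW GLOBAL STATUS LIKE 'Ssl_accept%';   -- Ssl_accepts, Ssl_accept_renegotiates

-- 4. MySQL 5.7+: the transport of the current connection as the server sees it.
SELECT processlist_id, connection_type
  FROM performance_schema.threads
 WHERE processlist_id = CONNECTION_ID(); -- expect 'SSL/TLS', not 'TCP/IP'

-- 5. Enforce it server-side so a plaintext login is refused no matter what the
--    client asked for.  (MySQL 8.0: ALTER USER 'app'@'%' REQUIRE SSL; instead.)
GRANT USAGE ON *.* TO 'app'@'%' REQUIRE SSL;                   -- any TLS
-- GRANT USAGE ON *.* TO 'app'@'%' REQUIRE X509;                -- plus a CA-signed client cert
-- GRANT USAGE ON *.* TO 'app'@'%'
--   REQUIRE SUBJECT '/CN=app-client' ISSUER '/CN=Example CA';  -- plus a specific cert

-- 6. Audit which accounts still accept plaintext (ssl_type is '' for those).
SELECT user, host, ssl_type FROM mysql.user ORDER BY ssl_type, user;
```

Step 5 answers Yves's "not connect at all if it can't" from the server side. On the client side, the old `--ssl` option only requested TLS and silently fell back to plaintext when negotiation failed; to refuse the fallback use `--ssl-mode=REQUIRED` (MySQL 5.7.11 and later; `VERIFY_CA` or `VERIFY_IDENTITY` to also check the server certificate) or `--ssl --ssl-verify-server-cert` on MariaDB. In the `mysql` command-line client, `\s` prints a line such as "SSL: Cipher in use is ..." for an encrypted session and "SSL: Not in use" otherwise.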
SSL connection problems with Fedora Core 4
I'm trying to set up SSL connectivity to a Fedora Core 4 server running mysql-server-4.1.16-1.FC4.1 and not having much success. I keep getting "ERROR 2026 (HY000): SSL connection error" no matter what I do.

I followed the directions on http://dev.mysql.com/doc/refman/4.1/en/secure-create-certs.html to the letter, and I've cranked up all the logging possible on the server. I don't see any error messages on the server at all, and SHOW STATUS indicates that mysql is accepting SSL connections ('ssl_accepts' increments).

In desperation I tried to strace(1) mysqld, but all I see is it handing the connection to a cloned child thread... and I don't know how to trace into the child (with '-f' it hangs mysqld, presumably b/c the parent is wait(2)-ing on the child):

select(5, [3 4], NULL, NULL, NULL) = 1 (in [3])
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
accept(3, {sa_family=AF_INET, sin_port=htons(38973), sin_addr=inet_addr("192.168.0.182")}, [16]) = 47
fcntl64(3, F_SETFL, O_RDWR) = 0
getsockname(47, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("192.168.0.145")}, [16]) = 0
fcntl64(47, F_SETFL, O_RDONLY) = 0
fcntl64(47, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(47, F_SETFL, O_RDWR|O_NONBLOCK) = 0
setsockopt(47, SOL_IP, IP_TOS, [8], 4) = 0
setsockopt(47, SOL_TCP, TCP_NODELAY, [1], 4) = 0
time(NULL) = 1138854239
clone(child_stack=0xb3c244c4, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0xb3c24bf8, {entry_number:6, base_addr:0xb3c24bb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0xb3c24bf8) = 6918
select(5, [3 4], NULL, NULL, NULL

Here's my relevant my.cnf snippets:

--8<-- cut here --8<--
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
ssl
ssl-ca=/etc/mysql/cacert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
ssl-cipher=ALL
log
log-error
--8<-- cut here --8<--

Can anyone help?

- Julian

--
Julian C. Dunn, Systems Administrator
e: [EMAIL PROTECTED]  p: 416-363-6316 x292  f: 416-363-6102
Devlin eBusiness Architects, 185 Frederick St., Toronto, ON M5A 4L4
http://www.devlin.ca/
SSL Overhead
Hi Guys,

What sort of overhead should I expect when running MySQL 5.0.18 in SSL mode? I need to decide whether to run MySQL in SSL mode or use CIPE (on RHEL 3).

Thanks,
Khalid
Re: SSL Overhead
Hello.

When running our benchmark tests using secure connections (all data encrypted with internal SSL support), performance was 55% slower than with unencrypted connections. See:
http://dev.mysql.com/doc/refman/5.0/en/compile-and-link-options.html

Khalid Hanif wrote:
Hi Guys, What sort of overheads am I expecting to get when running MySQL 5.0.18 in SSL mode? [...]

--
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.NET http://www.ensita.net/
Gleb Paharenko [EMAIL PROTECTED]
MySQL AB / Ensita.NET www.mysql.com
replication with ssl
Hello,

I am trying to ensure replication between master and slave is using ssl. I followed the instructions in section 6.4 of the reference guide and simply added REQUIRE SSL to the end of the grant statement when creating the replication user. Replication works when I don't require ssl, so I know the problem is ssl-related.

When doing a 'show slave status' on the slave I get these lines:

Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:

How do I turn on Master_SSL_Allowed? I feel sure this is the problem. I've tried starting the slave mysqld with the --ssl options pointing it to the proper certificates and such, and still no luck. Any ideas?

Thanks,
Chris
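`Master_SSL_Allowed` is set by `CHANGE MASTER TO`, not by the slave's `--ssl*` server options: those options only make the slave accept TLS from its own clients, and a `[client]` section only affects the `mysql` command-line tools. The replication I/O thread uses TLS only when `MASTER_SSL=1` is part of its connection definition, and a replication account with `REQUIRE SSL` will reject the plaintext attempt that results otherwise. The following run-through is an added example, not taken from the original post; the host names, account, password and certificate paths are placeholders, and the pre-8.0 statement names are used because that is what the thread uses (`CHANGE REPLICATION SOURCE TO` / `SHOW REPLICA STATUS` are the newer equivalents).

```sql
-- On the master: the replication account may only log in over TLS.
-- (GRANT ... IDENTIFIED BY is the pre-8.0 form; on 8.0 use CREATE USER ... REQUIRE SSL.)
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'slave.example.org'
  IDENTIFIED BY 'placeholder-password' REQUIRE SSL;

-- On the slave: redefine the connection to the master *with* TLS.
-- MASTER_SSL_CA must be the CA that signed the master's server certificate.
-- MASTER_SSL_CERT/KEY are only required when the account is REQUIRE X509
-- (or stricter); they do no harm with plain REQUIRE SSL.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST     = 'master.example.org',
  MASTER_PORT     = 3306,
  MASTER_USER     = 'repl',
  MASTER_PASSWORD = 'placeholder-password',
  MASTER_SSL      = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca-cert.pem',
  MASTER_SSL_CERT = '/etc/mysql/ssl/client-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/client-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;  -- 5.1.18+: refuse a master whose cert does not match
START SLAVE;

-- Verify on the slave: Master_SSL_Allowed should now read Yes, the CA/Cert/Key
-- columns should show the paths above, Slave_IO_Running should be Yes and
-- Last_IO_Error should be empty.  (\G is the mysql client's vertical-output terminator.)
SHOW SLAVE STATUS\G

-- Verify on the master (5.7+): the dump thread serving this slave is a TLS connection.
-- On older servers compare SHOW GLOBAL STATUS LIKE 'Ssl_accepts' before and after START SLAVE.
SELECT processlist_id, processlist_user, processlist_host, connection_type
  FROM performance_schema.threads
 WHERE processlist_command LIKE 'Binlog Dump%';   -- expect connection_type = 'SSL/TLS'
```

The private key file named in `MASTER_SSL_KEY` has to be readable by the user the slave's mysqld runs as, and by nobody else who does not need it; a key left world-readable lets any local account impersonate the slave to the master.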
Re: SSL connection error
Hello.

It is a bit confusing for me. Really, MySQL has all permissions for reading those files. Do you have SELinux enabled? Sometimes it is the source of the problems; you should have it properly configured.

Israel Fernández Cabrera [EMAIL PROTECTED] wrote:
Hi all. I'm back with a new subject, maybe the last one was not attractive :) I'm using mysql 4.1.11-2 in Fedora Core 4. I need to set up mysql connections over SSL. [...]

--
Gleb Paharenko [EMAIL PROTECTED]
MySQL AB / Ensita.NET
Re: SSL connection error
First of all thanks for your answer... would you like to give me some hints about what should be configured in SELinux?

best regards
Israel

On 10/17/05, Gleb Paharenko [EMAIL PROTECTED] wrote:
Hello. It is a bit confusing for me. Really, MySQL has all permissions for reading those files. Do you have SELinux enabled? Sometimes it is the source of the problems; you should have it properly configured. [...]
Re: SSL connection error
Hello.

First check the contents of /var/log/messages. SELinux usually puts some notes there about what it is doing. I'm not a SELinux expert, but a quick search at fedora.redhat.com has shown me that I should use the system-config-securitylevel utility for configuring SELinux.

Israel Fernández Cabrera wrote:
First of all thanks for your answer... would you like to give me some hints about what should be configured in SELinux?

--
Gleb Paharenko [EMAIL PROTECTED]
MySQL AB / Ensita.NET
SSL connection error
Hi all

I'm back with a new subject, maybe the last one was not attractive :)

I'm using mysql 4.1.11-2 in Fedora Core 4. I need to set up mysql connections over SSL. I followed the mysql manual instructions, created certificates and keys for the CA, the client and the server, and modified the /etc/my.cnf file with the ssl-ca, ssl-cert and ssl-key for the client and the mysqld sections of the my.cnf file.

My problem is that mysqld logs an error describing that it has no permission to read the certificate file; I've been with this for more than 3 days. I'm attaching ls output, my.cnf file, mysqld.log file and a fragment of the mysqld strace output with the open syscall returning error.

Thanks in advance for your time and interest
best regards
--
Israel Fdez. Cabrera [EMAIL PROTECTED]

#ls / | grep etc
drwxr-xr-x 83 root root 12288 Oct 15 16:50 etc
#ls /etc | grep pki
drwxr-xr-x  7 root root  4096 Oct 14 17:51 pki
#ls /etc/pki
total 104
drwxr-xr-x 3 root root  4096 Oct 14 21:46 CA
drwxr-xr-x 3 root root  4096 Oct  8 16:54 dovecot
-rwxr-xr-x 1 root root  1088 Oct  8 16:54 gencert.sh
-rwxr-xr-x 1 root root  1056 Oct  8 16:54 gencert.sh~
-rw-r--r-- 1 root root   236 Oct  8 16:54 index.txt
-rw-r--r-- 1 root root    21 Oct  8 16:54 index.txt.attr
-rw-r--r-- 1 root root    21 Oct  8 16:54 index.txt.attr.old
-rw-r--r-- 1 root root   118 Oct  8 16:54 index.txt.old
drwxr-xr-x 2 root root  4096 Oct  8 16:54 newcerts
drwxr-xr-x 2 root root  4096 Oct  8 16:54 rpm-gpg
-rw-r--r-- 1 root root     3 Oct  8 16:54 serial
-rw-r--r-- 1 root root     3 Oct  8 16:54 serial.old
drwxr-xr-x 5 root root  4096 Oct 14 17:51 tls
#ls /etc/pki/tls
total 40
lrwxrwxrwx 1 root root    19 Oct  8 16:54 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x 2 root root  4096 Oct 15 14:18 certs
drwxr-xr-x 2 root root  4096 Oct  8 16:54 misc
-r--r--r-- 1 root root  7998 Oct 14 17:59 openssl.cnf
drwxr-xr-x 2 root root  4096 Oct  8 16:54 private
#ls /etc/pki/tls/certs
total 492
-rw-r--r-- 1 root root  427833 Oct  8 16:54 ca-bundle.crt
-rw-r--r-- 1 root root    3617 Oct 14 21:46 client-cert.pem
-rw-r--r-- 1 root mysql    887 Oct  8 16:54 client-key.pem
-rw-r--r-- 1 root mysql    769 Oct  8 16:54 client-req.pem
-rw-r--r-- 1 root root     610 Oct  8 16:54 make-dummy-cert
-rw-r--r-- 1 root root    2240 Oct  8 16:54 Makefile
-rw-r--r-- 1 root root    3617 Oct 14 21:46 server-cert.pem
-rw-r--r-- 1 root root     887 Oct 14 21:46 server-key.pem
-rw-r--r-- 1 root mysql    769 Oct  8 16:54 server-req.pem

open("/etc/pki/tls/certs/server-cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
write(2, "Error when connection to server ...", 42) = 42
write(2, "1872:error:0200100D:system libra...", 122) = 122
write(2, "1872:error:20074002:BIO routines...", 70) = 70
write(2, "1872:error:140AD002:SSL routines...", 88) = 88
write(2, "Unable to get certificate from '...", 68) = 68
open("/etc/pki/CA/cacert.pem", O_RDONLY) = -1 EACCES (Permission denied)
open("/etc/pki/tls/cert.pem", O_RDONLY) = -1 EACCES (Permission denied)
time([1129246383]) = 1129246383
open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES (Permission denied)
open("/dev/random", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 EACCES (Permission denied)
open("/dev/srandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = -1 ENOENT (No such file or directory)
socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/egd-pool"}, 19) = -1 ENOENT (No such file or directory)
close(3) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 3
Re: Mysql with SSL connections
Hello.

"The fact is that I can't start mysql with ssl support using the /etc/rc.d/init.d/mysql script. But the interesting thing is that if I copy..."

First of all, you should find the error log. See:
http://dev.mysql.com/doc/refman/4.1/en/error-log.html

Israel Fernández Cabrera [EMAIL PROTECTED] wrote:
Hi folk! I'm new to mysql and to databases... I'm using Fedora Core 4 with mysql 4.1.11-2. [...]

--
Gleb Paharenko [EMAIL PROTECTED]
MySQL AB / Ensita.NET
Mysql with SSL connections
Hi folk!

I'm new to mysql and to databases... I'm using Fedora Core 4 with mysql 4.1.11-2. I need some application clients to connect to the server using SSL connections. I've created and tested x509 certificates the way the mysql documentation explains, and I've modified the /etc/my.cnf [mysqld] and [client] sections with the certificates that are located in /etc/pki (I've made some tests with the certificates in /usr/pki too).

The fact is that I can't start mysql with ssl support using the /etc/rc.d/init.d/mysql script. But the interesting thing is that if I copy the same script to any different folder it works. If it is in the init.d folder I always get an "SSL connection error". Running mysqld or mysqld_safe by hand works perfectly, and SSL works too.

This is annoying. I'll appreciate any help in this respect.

thanks in advance and best regards...
--
Israel Fdez. Cabrera [EMAIL PROTECTED]
Fwd: Mysql with SSL connections
Well, I've done more than that. I wrote a custom init script with the simplest possible start function, containing just the following line:

/usr/bin/mysqld_safe

and SSL does not work either... please help...

best regards
Israel

-- Forwarded message --
From: RedRed!com IT Department [EMAIL PROTECTED]
Date: Oct 13, 2005 10:16 AM
Subject: Re: Mysql with SSL connections
To: Israel Fernández Cabrera [EMAIL PROTECTED]

Israel Fernández Cabrera wrote:
Hi folk! I'm new to mysql and to databases... I'm using Fedora Core 4 with mysql 4.1.11-2. [...]

You might want to check the mysql init.d script to make sure that all of the paths in there are correct.

Sean

--
Israel Fdez. Cabrera [EMAIL PROTECTED]
Re: Fwd: Mysql with SSL connections
I'm using the default Fedora Core 4 Linux mysql RPM package... I just created x509 certificates and modified the /etc/my.cnf file to use these certificates. The default mysqld init script doesn't work in its 'normal' location; just moving it to a different folder makes it work. The MySQL daemon runs, by the way, but without SSL support; mysqladmin tests return "SSL connection error" too...

On 10/13/05, RedRed!com IT Department [EMAIL PROTECTED] wrote:
Israel Fernández Cabrera wrote:
Well, I've done more than that. I wrote a custom init script with the simplest possible start function, containing just the following line: /usr/bin/mysqld_safe [...]

Are you sure you're starting the correct binary? When you installed mysql, did you install to the default /usr/local or did you specifically tell it to install to /usr? If you look in the error file in /usr/var or /usr/local/var, does it give you any useful information? It may have a reason for the failure in there. I'm not an expert, but those are some of the steps that I would take to figure this out.

Sean

--
Israel Fdez. Cabrera [EMAIL PROTECTED]
MySQL win32 and SSL
Dear all,

I need SSL support for MySQL. I've checked the documentation and it seems that for Windows there is no SSL support in the binaries. In addition, the documentation examples are for Linux.

Has anyone used MySQL with SSL on Windows? If so... how? How easy is it to set up? What changes need to be done on the client side?

I don't really like the idea of compiling it because then I will have to compile again every time I want to update it. Another possible solution would be to use tunnels like stunnel.org, but I would like to have a connection as direct as possible whenever possible.

Thank you in advance.
José A. Martínez
Re: MySQL win32 and SSL
Even I had the same problem and couldn't use SSL on Windows. The developers have legal issues when using SSL on Windows. I think there is some development going on using CryptoAPI, but I am not too sure. My advice: don't even try on Windows. At least it was a big pain in the ass for me.

Karam

--- Jose Antonio [EMAIL PROTECTED] wrote:
Dear all, I need SSL support for MySQL. I've checked the documentation and it seems that for Windows there is no SSL support in the binaries. [...]
Re: Help using SSL from VB client, using MyODBC
Hello.

I'm not a VB expert, but some notes about methods of establishing such connections can be found at:
http://dev.mysql.com/doc/mysql/en/Windows_and_SSH.html
http://dev.mysql.com/doc/mysql/en/mysql_ssl_set.html

William Blair Wagner [EMAIL PROTECTED] wrote:
I'm kind of new to the SSL scene. I've read all I can find on MySQL.org about setting up and using SSL. [...]

--
Gleb Paharenko [EMAIL PROTECTED]
MySQL AB / Ensita.NET
Help using SSL from VB client, using MyODBC
I'm kind of new to the SSL scene. I've read all I can find on MySQL.org about setting up and using SSL. I'm on MySQL 4.20 and have built mysql after configuring with --use-vio and --use-openssl. HAVE_OPENSSL = YES.

I can handle setting up the user table and GRANTS to require SSL for users and connections. What I don't know how to do is make my client use SSL with MySQL. Can you help me? or give me some direction?

My application runs on M$ Windows. It's written in M$ Visual Basic 6 from Visual Studio 6. I'm using MDAC 2.7 and M$ ADO. I'm using MyODBC 2.50 but can easily and happily upgrade to 3.51 (is 3.51 needed?). I have no idea what to do (set properties?) to cause my VB client to connect to the MySQL DB server using SSL.

Any help would be huge! Thanx.

--
William Blair Wagner : Education is not always knowing the answer,
[EMAIL PROTECTED]    : ...but rather knowing where to look for it!
mysql ssl support
Hi All,

I'm confused by seemingly conflicting information between the mysql doc, the High Performance MySQL book, and a mysql press release (http://www.mysql.com/news-and-events/press-release/release_2003_05.html) regarding mysql's SSL support. What's the difference between mysql 4.0's SSL support and 4.1's SSL support?

I appreciate anyone's clarification.

Thanks,
Andrew