Re: SSL Connections

2009-03-31 Thread Stefano Elmopi


Hi Andy,

I used the same user.
I list the steps that I made:

on the server MySQL (10.43.249.17) I created the user:

GRANT ALL PRIVILEGES ON *.* TO 'pippo'@'%' IDENTIFIED BY '*';

then, on the same server:

mysql --ssl-ca=/root/openssl/cacert.pem -u pippo  -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1872
Server version: 5.0.45 Source distribution

on another server:

mysql --ssl-ca=/root/openssl/cacert.pem -u pippo -h 10.43.249.17  -p
Enter password:
ERROR 2026 (HY000): SSL connection error

mysql --ssl-ca=/root/openssl/cacert.pem --ssl-cert=/root/openssl/client-cert.pem --ssl-key=/root/openssl/client-key.pem -u pippo -h 10.43.249.17 -p

Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1884
Server version: 5.0.45 Source distribution

I believe the client is being asked for a certificate,
but I wish that were not the case.

Thanks.




Ing. Stefano Elmopi
Gruppo Darco - Area ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500
email:stefano.elm...@sociale.it

On 30 Mar 2009, at 22:39, Andy Shellam wrote:


Hi Stefano,

I'm guessing your remote (non-local) server is using a different  
user account than your local server.


r...@localhost
r...@%
r...@somehost.com

are all different users.  If your remote host, or wildhost user  
account has the REQUIRE X509 flag (user must be certified) but your  
local one doesn't, that would explain it.


What are your MySQL versions on both your server and remote client?   
What errors do you get on your client?


Regards,
Andy

Stefano Elmopi wrote:



Hi,

I'm trying to set up SSL connections.
I followed the MySQL guide and configured the server,
then I created a normal user, without REQUIRE SSL.
On the same server I can connect with only this option:

mysql --ssl-ca=cacert.pem -u Pluto -p

but if I try to connect from another host, I must, forcibly, also
specify the options:

--ssl-cert=client-cert.pem
--ssl-key=client-key.pem

Why?
The guide says that even from another host, for a normal user,
you can use only the option:

--ssl-ca

but that is not the case; I am forced to certify the client.
Is something wrong?

Thanks



Ing. Stefano Elmopi
Gruppo Darco - Area ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500
email:stefano.elm...@sociale.it







--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/mysql?unsub=arch...@jab.org



SSL Connections

2009-03-30 Thread Stefano Elmopi



Hi,

I'm trying to set up SSL connections.
I followed the MySQL guide and configured the server,
then I created a normal user, without REQUIRE SSL.
On the same server I can connect with only this option:

mysql --ssl-ca=cacert.pem -u Pluto -p

but if I try to connect from another host, I must, forcibly, also
specify the options:

--ssl-cert=client-cert.pem
--ssl-key=client-key.pem

Why?
The guide says that even from another host, for a normal user,
you can use only the option:

--ssl-ca

but that is not the case; I am forced to certify the client.
Is something wrong?

Thanks



Ing. Stefano Elmopi
Gruppo Darco - Area ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500
email:stefano.elm...@sociale.it





Re: SSL Connections

2009-03-30 Thread Andy Shellam

Hi Stefano,

I'm guessing your remote (non-local) server is using a different user 
account than your local server.


r...@localhost
r...@%
r...@somehost.com

are all different users.  If your remote host, or wildhost user account 
has the REQUIRE X509 flag (user must be certified) but your local one 
doesn't, that would explain it.


What are your MySQL versions on both your server and remote client?  
What errors do you get on your client?


Regards,
Andy

Stefano Elmopi wrote:



Hi,

I'm trying to set up SSL connections.
I followed the MySQL guide and configured the server,
then I created a normal user, without REQUIRE SSL.
On the same server I can connect with only this option:

mysql --ssl-ca=cacert.pem -u Pluto -p

but if I try to connect from another host, I must, forcibly, also
specify the options:

--ssl-cert=client-cert.pem
--ssl-key=client-key.pem

Why?
The guide says that even from another host, for a normal user,
you can use only the option:

--ssl-ca

but that is not the case; I am forced to certify the client.
Is something wrong?

Thanks



Ing. Stefano Elmopi
Gruppo Darco - Area ICT Sistemi
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500
email:stefano.elm...@sociale.it







Re: Need a Brief Overview - SSL Connections

2009-03-29 Thread Andy Shellam

Hi Seth,

I implemented SSL successfully just a couple of weeks ago on 5.1.30, and
I too found some aspects confusing.  Here are my answers from my own
experience so please forgive me if they're inaccurate.


1) On the server side, I believe ssl-ca, ssl-cert and ssl-key are all 
required to establish the server's identity.  On the client side, I 
believe a user can still login without encryption/SSL unless REQUIRE SSL 
is set on their account.  From what I can tell, a client can also login 
using SSL with just ssl-ca (the server's certification authority 
certificate.)  To verify that the client is who they say they are, then 
you set REQUIRE X509 on their account, and the client has to connect 
using ssl-ca, ssl-cert and ssl-key with a valid certificate and private key.


2) I also don't understand all concepts of SSL - I'm used to just 
providing a certificate request to a trusted partner (e.g. Verisign) and 
for them to send me back my certificate.  However I presume that the 
trusted CA certificates (e.g. Verisign, Thawte etc) are present on all 
browsers/e-mail clients and that's why we don't need to worry about it 
for these types of applications.  I believe that MySQL is allowing you 
to effectively issue your own certificates, and as such the client needs 
the CA certificate to verify the server's issuing authority (yourself.)  
The first step the MySQL manual takes you through is creating a private 
key and a certificate which will become your CA certificate (and is the 
file needed for ssl-ca/ssl-capath.)  This is a different private key and 
certificate to both the server's and the client's (unless your 
server/client is the same box, then they can share the same 
certificate/key but will be different from the CA cert/key.)


3) I followed the instructions in the manual to the letter and I had no 
issues whatsoever.  In my client (Navicat) I do get an SSL connection 
error - invalid parameter if one of the certificates is missing, but
that may be coming from Navicat not the MySQL library.  It'll be 
interesting to see what happens in some situations, for example, what 
happens when the client certificate or the CA certificate expires?  
Interestingly I can also still connect using SSL when the CA certificate 
is invalid (ie. non-existent or a private key file instead of a 
certificate file.)


Hope this helps some!  I do agree it wasn't the clearest of things to 
get my head around.


Andy

Seth Willits wrote:

Howdy,


I've read through all of the MySQL docs on SSL and I just need a brief 
overview of a few things to understand some things that aren't crystal 
clear to me since I'm not very familiar with SSL.



1) Which SSL options are *required*?

It seems that only ssl-key is _always_ required for the client to 
connect to the server. If REQUIRE X509 is set, then ssl-cert is 
required as well in order to authenticate who the actual client is, 
right?


2) The options I don't understand are ssl-ca/ssl-capath. Why would the 
client specify a certificate authority? Is this the authority (or 
authorities) that's used to authenticate the server's certificate? Is 
there a platform default for this value? I'm not used to having to 
specify a list of authorities for other programs to validate 
certificates (such as with email).


3) How do I know if the server/client authentication (validating the
certificate against given authorities) failed? Do I just get a vague 
SSL connection error back from MySQL and that's it?



I think that's mostly it.


Thanks,

--
Seth Willits
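
The CA, server and client certificate relationship described in point 2 of Andy's reply, as an added example that is not part of the thread. It assumes the openssl command-line tool is installed; the directory layout, subject names and function names are constructed for illustration, and the file names only mirror the ssl-ca / ssl-cert / ssl-key options discussed above.

```shell
#!/bin/sh
# Added example: build a private CA, issue a server and a client certificate
# from it, then check which certificates chain to which CA. All names are
# constructed sample values.

make_ca() {      # $1 = directory, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca-key.pem" -out "$1/cacert.pem" 2>/dev/null
}

issue_cert() {   # $1 = CA directory, $2 = file prefix, $3 = common name, $4 = serial
    # The subject CN is kept different from the CA's CN: a certificate whose
    # subject equals its issuer looks self-signed and fails verification.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/$2-req.pem" -days 30 \
        -CA "$1/cacert.pem" -CAkey "$1/ca-key.pem" -set_serial "$4" \
        -out "$1/$2-cert.pem" 2>/dev/null
}

chain_ok() {     # $1 = CA certificate, $2 = certificate to check
    # Exit status 0 only when $2 was signed by the CA in $1. This is the check
    # the peer holding cacert.pem (the ssl-ca file) is able to perform.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ours" "$d/other"
    make_ca "$d/ours" "Example DB CA" &&
    issue_cert "$d/ours" server "db.example.test" 1 &&
    issue_cert "$d/ours" client "app-client" 2 &&
    make_ca "$d/other" "Unrelated CA" || { rm -rf "$d"; return 1; }

    out=""
    # Each pair is: CA directory used for checking, certificate being checked.
    for pair in "ours server" "ours client" "other server"; do
        set -- $pair
        if chain_ok "$d/$1/cacert.pem" "$d/ours/$2-cert.pem"; then
            r=accepted
        else
            r=rejected
        fi
        out="$out$1-ca/$2:$r "
    done
    rm -rf "$d"
    printf '%s\n' "${out% }"
}

demo
```

The server certificate only verifies against the CA that issued it, which is why a client of a self-issued MySQL certificate has to be handed that CA file; the client certificate and key come into play only for accounts set up the way Andy describes for REQUIRE X509.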









Need a Brief Overview - SSL Connections

2009-03-28 Thread Seth Willits

Howdy,


I've read through all of the MySQL docs on SSL and I just need a brief  
overview of a few things to understand some things that aren't crystal  
clear to me since I'm not very familiar with SSL.



1) Which SSL options are *required*?

It seems that only ssl-key is _always_ required for the client to  
connect to the server. If REQUIRE X509 is set, then ssl-cert is  
required as well in order to authenticate who the actual client is,  
right?


2) The options I don't understand are ssl-ca/ssl-capath. Why would the  
client specify a certificate authority? Is this the authority (or  
authorities) that's used to authenticate the server's certificate? Is  
there a platform default for this value? I'm not used to having to  
specify a list of authorities for other programs to validate  
certificates (such as with email).


3) How do I know if the server/client authentication (validating the
certificate against given authorities) failed? Do I just get a vague  
SSL connection error back from MySQL and that's it?



I think that's mostly it.


Thanks,

--
Seth Willits







Re: SSL Connections Feature?

2006-11-22 Thread Kieran Kelleher
Ah well, got it done on my own. This might help someone else trying  
to do this:
http://homepage.mac.com/kelleherk/iblog/C711669388/E20061121141451/index.html



On Nov 21, 2006, at 11:41 AM, Kieran Kelleher wrote:

We have been doing onsite replication for a few years and now we  
want to enable client connections over SSL to support secure  
offsite replication, however it seems the prebuilt binaries do not  
have the SSL option built in. So I guess I need to build MySQL from  
source with the SSL option. I have not found too much in the MySQL  
Manual or via Google. Has anyone got a recipe for MySQL 4.1 build
procedure on Mac OS X Tiger?


Regards, Kieran









Re: Mysql with SSL connections

2005-10-15 Thread Gleb Paharenko
Hello.

The fact is that I can't start mysql with ssl support using the
/etc/ec/d/init.d/mysql script. But the interesting thing is that if I copy

First of all, you should find the error log. See:

  http://dev.mysql.com/doc/refman/4.1/en/error-log.html

Israel Fernández Cabrera [EMAIL PROTECTED] wrote:

Hi folk!

I'm new to mysql and to databases...
I'm using Fedora Core 4 with mysql 4.1.11-2. I need some application clients
to connect to the server using SSL connections. I've created and tested x509
certificates the way the mysql documentation explains, and I've modified the
/etc/my.cnf [mysqld] and [client] sections with the certificates that are
located in /etc/pki (I've made some tests with the certificates in /usr/pki
too).
The fact is that I can't start mysql with ssl support using the
/etc/ec/d/init.d/mysql script. But the interesting thing is that if I copy
the same script to any different folder it works. If it is in the
init.d folder I always get an SSL connection error.
Running mysqld, mysqld_safe by hand works perfectly and SSL works too. This
is annoying; I'll appreciate any help in this respect.

thanks in advance and best regards...



-- 
Gleb Paharenko
MySQL AB / Ensita.NET
www.mysql.com







Mysql with SSL connections

2005-10-13 Thread Israel Fernández Cabrera
Hi folk!

I'm new to mysql and to databases...
I'm using Fedora Core 4 with mysql 4.1.11-2. I need some application clients
to connect to the server using SSL connections. I've created and tested x509
certificates the way the mysql documentation explains, and I've modified the
/etc/my.cnf [mysqld] and [client] sections with the certificates that are
located in /etc/pki (I've made some tests with the certificates in /usr/pki
too).
The fact is that I can't start mysql with ssl support using the
/etc/ec/d/init.d/mysql script. But the interesting thing is that if I copy
the same script to any different folder it works. If it is in the
init.d folder I always get an SSL connection error.
Running mysqld, mysqld_safe by hand works perfectly and SSL works too. This
is annoying; I'll appreciate any help in this respect.

thanks in advance and best regards...

--

Israel Fdez. Cabrera
[EMAIL PROTECTED]


Fwd: Mysql with SSL connections

2005-10-13 Thread Israel Fernández Cabrera
Well, I've done more than that: I wrote a custom init script with the simplest
possible start function containing just the following line:

/usr/bin/mysqld_safe

and SSL does not work either... please help...

best regards
Israel

-- Forwarded message --
From: RedRed!com IT Department [EMAIL PROTECTED]
Date: Oct 13, 2005 10:16 AM
Subject: Re: Mysql with SSL connections
To: Israel Fernández Cabrera [EMAIL PROTECTED]

Israel Fernández Cabrera wrote:
 Hi folk!

 I'm new to mysql and to databases...
 I'm using Fedora Core 4 with mysql 4.1.11-2. I need some application clients
 to connect to the server using SSL connections. I've created and tested x509
 certificates the way the mysql documentation explains, and I've modified the
 /etc/my.cnf [mysqld] and [client] sections with the certificates that are
 located in /etc/pki (I've made some tests with the certificates in /usr/pki
 too).
 The fact is that I can't start mysql with ssl support using the
 /etc/ec/d/init.d/mysql script. But the interesting thing is that if I copy
 the same script to any different folder it works. If it is in the
 init.d folder I always get an SSL connection error.
 Running mysqld, mysqld_safe by hand works perfectly and SSL works too. This
 is annoying; I'll appreciate any help in this respect.

 thanks in advance and best regards...

 --
 
 Israel Fdez. Cabrera
 [EMAIL PROTECTED]


You might want to check the mysql init.d script to make sure that all of
the paths in there are correct.

Sean


--

Israel Fdez. Cabrera
[EMAIL PROTECTED]


Re: Fwd: Mysql with SSL connections

2005-10-13 Thread Israel Fernández Cabrera
I'm using the default Fedora Core 4 Linux mysql RPM package... I just create
x509 certificates and modify the /etc/my.cnf file to use these certificates.
The default mysqld init script doesn't work in its 'normal' location; just
moving it to a different folder makes it work. The MySQL daemon runs, by the way,
but without SSL support; mysqladmin tests return SSL connection error too...


On 10/13/05, RedRed!com IT Department [EMAIL PROTECTED] wrote:

 Israel Fernández Cabrera wrote:
  Well, I've done more than that: I wrote a custom init script with the
  simplest possible start function containing just the following line:
 
  /usr/bin/mysqld_safe
 
  and SSL does not work either... please help...
 
  best regards
  Israel


 Are you sure you're starting the correct binary? When you installed mysql
 did you install to the default /usr/local or did you specifically tell
 it to install to /usr ?

 If you look in the error file in /usr/var or /usr/local/var, does it
 give you any useful information? It may have a reason for the failure in
 there.

 I'm not an expert, but those are some of the steps that I would take to
 figure this out.

 Sean




--

Israel Fdez. Cabrera
[EMAIL PROTECTED]


View SSL connections ?

2003-12-24 Thread Aaron Hagan
Is there any way to see what connection threads are using ssl and which ones are not?

ex: when I type
mysql> status;
one of the returned lines is
SSL:Cipher in use is DHE-RSA-AES256-SHA

Is there any way to see the status of other threads like this?

Or is there any way the 'show processlist;' command can display what threads are
encrypted and which ones aren't?

thanks
aaron 

 




mysqld crashes with certain SSL connections

2003-11-15 Thread mfuhr
Description:

mysqld (4.0.16) built with SSL support (--with-vio --with-openssl)
crashes if both of the following conditions are met:

1. Permissions for a user have been set with GRANT...REQUIRE SUBJECT
or GRANT...REQUIRE ISSUER.

2. A client program attempts to connect to the server by calling
mysql_real_connect() with the CLIENT_SSL flag but didn't call
mysql_ssl_set() beforehand.

When these conditions are met, mysqld crashes and logs the following
message to the .err file:

  mysqld got signal 11;
  This could be because you hit a bug. It is also possible that this binary
  or one of the libraries it was linked against is corrupt, improperly built,
  or misconfigured. This error can also be caused by malfunctioning hardware.
  We will try our best to scrape up some info that will hopefully help diagnose
  the problem, but since we have already crashed, something is definitely wrong
  and this may fail.
  
  key_buffer_size=16777216
  read_buffer_size=131072
  max_used_connections=0
  max_connections=100
  threads_connected=1
  It is possible that mysqld could use up to 
  key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 80383 K
  bytes of memory
  Hope that's ok; if not, decrease some variables in the equation.

In the client program, mysql_real_connect() fails with "Lost connection
to MySQL server during query".

The crash doesn't occur if permissions were granted with REQUIRE SSL,
REQUIRE X509, or REQUIRE CIPHER -- it occurs only with REQUIRE SUBJECT
or REQUIRE ISSUER.  The crash also doesn't occur if mysql_real_connect()
doesn't have the CLIENT_SSL flag set, or if mysql_ssl_set() was called
with valid arguments before mysql_real_connect().

I can consistently reproduce this problem with MySQL 4.0.16 on FreeBSD
4.9 running on a Pentium III (built from the ports collection) and on
Solaris 9 running on a SPARC Ultra 1 (built from source).  The compiler
on the FreeBSD box is gcc 2.95.4; the compiler on the Solaris box is
gcc 3.3.2.  OpenSSL on both boxes is 0.9.7c.

I've been unable to get a core dump of these crashes.  I've added
"core-file" to the mysqld section of /etc/my.cnf on both machines and
mysqld logs "Writing a core file" when the crash happens, but no core
file appears to be written.  Resource limits on both systems allow
unlimited size for coredumps and I'm running mysqld_safe with the
--core-file-size=100 option, but to no avail.  If the developers
are unable to reproduce the bug, then I welcome suggestions on how
to get a core dump for further debugging.

How-To-Repeat:

1. Grant permissions to a test user with a command such as the following:

  GRANT USAGE ON * TO testuser IDENTIFIED BY 'password'
  REQUIRE SUBJECT '/CN=Test User/[EMAIL PROTECTED]';

2. Compile and run the following program:

Start program
#include <stdio.h>
#include <stdlib.h>
#include <mysql/mysql.h>

int
main(void)
{
    const char     *host = "localhost";
    const char     *user = "testuser";
    const char     *pass = "password";
    const char     *db   = "test";
    unsigned int    port = 0;
    const char     *sock = NULL;
    /* Request SSL; mysql_ssl_set() is deliberately not called first. */
    unsigned long   flag = CLIENT_SSL;
    MYSQL           mysql, *conn;

    mysql_init(&mysql);

    conn = mysql_real_connect(&mysql, host, user, pass, db, port, sock, flag);
    if (conn == NULL) {
        fprintf(stderr, "mysql_real_connect: %s\n", mysql_error(&mysql));
        return EXIT_FAILURE;
    }

    printf("connection succeeded\n");
    mysql_close(&mysql);
    return EXIT_SUCCESS;
}
End program

Fix:

Unknown.

Submitter-Id:  submitter ID
Originator:Michael Fuhr
Organization:
  Michael Fuhr
  http://www.fuhr.org/~mfuhr/

MySQL support: none
Synopsis:  mysqld crashes with certain SSL connections
Severity:  serious
Priority:  medium
Category:  mysql
Class: sw-bug
Release:   mysql-4.0.16 (Source distribution)

C compiler:2.95.3
C++ compiler:  2.95.3
Environment:

System: SunOS eeyore.fuhr.org 5.9 Generic_112233-08 sun4u sparc SUNW,Ultra-1
Architecture: sun4

Some paths:  /usr/bin/perl /usr/ccs/bin/make /usr/local/bin/gcc
GCC: Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.9/3.3.2/specs
Configured with: ../configure --with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld 
--disable-nls --disable-libgcj --enable-languages=c,c++ : (reconfigured) ../configure 
--with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-nls --disable-libgcj 
--enable-languages=c,c++
Thread model: posix
gcc version 3.3.2
Compilation info: CC='gcc'  CFLAGS='-Wimplicit -Wreturn-type -Wswitch -Wtrigraphs 
-Wcomment -W -Wchar-subscripts -Wformat -Wparentheses -Wsign-compare -Wwrite-strings 
-Wunused -mcpu=pentiumpro -O3 -fno-omit-frame-pointer'  CXX='ccache gcc'  
CXXFLAGS='-Wimplicit -Wreturn-type -Wswitch -Wtrigraphs -Wcomment -W -Wchar-subscripts 
-Wformat -Wparentheses -Wsign-compare -Wwrite-strings -Woverloaded-virtual 
-Wsign-promo -Wreorder -Wctor-dtor-privacy -Wnon-virtual-dtor -felide-constructors 
-fno