Hi.

mysql --version
mysql  Ver 14.7 Distrib 4.1.21, for pc-linux-gnu (i686) using readline 5.1

I'm trying to secure a replication connection between a master and a
slave. However, it seems to me that the issue I'm facing relates to any
SSL client<->server connection, so the scenario I'll be specifying
relates to connecting a mysql client console to mysqld with SSL.

1. I've created the necessary certificates, as mentioned in
   http://dev.mysql.com/doc/refman/4.1/en/secure-create-certs.html.

2. I've configured [mysql] and [mysqld] appropriately to use these files.

   [mysql]
   ssl-ca=/var/lib/mysql/cacert.pem
   ssl-cert=/var/lib/mysql/client-cert.pem
   ssl-key=/var/lib/mysql/client-key.pem
   ...
   [mysqld]
   ssl-ca=/var/lib/mysql/cacert.pem
   ssl-cert=/var/lib/mysql/server-cert.pem
   ssl-key=/var/lib/mysql/server-key.pem

3. Client connects to server securely. Verified this as stipulated in
   the manual:

   mysql --ssl -p
   Enter password:
   ...
   mysql> SHOW STATUS LIKE 'Ssl_cipher';
   +---------------+--------------------+
   | Variable_name | Value              |
   +---------------+--------------------+
   | Ssl_cipher    | DHE-RSA-AES256-SHA |
   +---------------+--------------------+

4. I then went and trashed the client certificate, as well as the CA
   certificate. I get the following:

   # mysql --ssl -p
   Enter password:
   Error when connection to server using SSL:24163:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399:
   Unable to get private key from '/var/lib/mysql/client-cert.pem'
   Welcome to the MySQL monitor.  Commands end with ; or \g.
   Your MySQL connection id is 5 to server version: 4.1.21-log

   Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

   mysql> SHOW STATUS LIKE 'Ssl_cipher';
   +---------------+--------------------+
   | Variable_name | Value              |
   +---------------+--------------------+
   | Ssl_cipher    | DHE-RSA-AES256-SHA |
   +---------------+--------------------+

5. Seems like an SSL connection is established, though certificates
   apparently weren't validated.

6. Moreover, I noticed the variable 'Ssl_verify_mode':

   mysql> show status like '%ssl_v%';
   +------------------+------------+
   | Variable_name    | Value      |
   +------------------+------------+
   | Ssl_verify_depth | 4294967295 |
   | Ssl_verify_mode  | 5          |
   | Ssl_version      | TLSv1      |
   +------------------+------------+

   I couldn't find any reference to this in MySQL's manual. Assuming this
   is OpenSSL's, I believe 5 is 0x101, i.e. SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE.
   Is this true? Is there any way to change this mode via MySQL's options?

Same issues arise when I set up a replication connection with SSL.

Is SSL in MySQL then encrypted, yet not secure (in terms of identification)?

Thanks,
Amit

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
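To check the bit reading in step 6 against OpenSSL's own definitions, here is an added example (not part of the original post, and not MySQL or OpenSSL code) that parses the mysql client's boxed SHOW STATUS output and decodes Ssl_verify_mode and Ssl_verify_depth. The flag values are the SSL_VERIFY_* constants from OpenSSL's ssl.h, which is what Ssl_verify_mode exposes; the sample table is a constructed copy of the one in the post. Treating 4294967295 as OpenSSL's "depth not set" value (-1 printed as an unsigned 32-bit long on the poster's i686 build) is an assumption. The practitioner's point the decoder makes explicit: a mode of 5 has SSL_VERIFY_PEER set but SSL_VERIFY_FAIL_IF_NO_PEER_CERT clear, so at the TLS layer the server asks for a client certificate but completes the handshake without one.

```python
"""Decode MySQL's Ssl_verify_mode / Ssl_verify_depth status values.

Added example, not code from the original post. Flag values are the
SSL_VERIFY_* constants from OpenSSL's ssl.h; the sample SHOW STATUS
table below is a constructed copy of the one in the post.
"""
from typing import Dict, List, Optional

# OpenSSL verify-mode bits (ssl.h). MySQL reports the raw bitmask it reads
# back from the SSL context, so it decodes the same way.
SSL_VERIFY_NONE = 0x00
SSL_VERIFY_PEER = 0x01                  # request the peer cert, verify it if one is sent
SSL_VERIFY_FAIL_IF_NO_PEER_CERT = 0x02  # server side: abort if the client sends no cert
SSL_VERIFY_CLIENT_ONCE = 0x04           # server side: don't re-request a cert on renegotiation

FLAG_NAMES = {
    SSL_VERIFY_PEER: "SSL_VERIFY_PEER",
    SSL_VERIFY_FAIL_IF_NO_PEER_CERT: "SSL_VERIFY_FAIL_IF_NO_PEER_CERT",
    SSL_VERIFY_CLIENT_ONCE: "SSL_VERIFY_CLIENT_ONCE",
}

# Constructed input: the status table from the post, as the mysql client prints it.
SAMPLE_STATUS = """\
+------------------+------------+
| Variable_name    | Value      |
+------------------+------------+
| Ssl_verify_depth | 4294967295 |
| Ssl_verify_mode  | 5          |
| Ssl_version      | TLSv1      |
+------------------+------------+
"""


def parse_show_status(text: str) -> Dict[str, str]:
    """Turn the mysql client's boxed SHOW STATUS output into a name -> value dict."""
    rows = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip the +----+ border lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Variable_name":
            continue  # skip the header row
        rows[cells[0]] = cells[1]
    return rows


def decode_verify_mode(mode: int) -> List[str]:
    """Name the bits set in an OpenSSL verify mode; unknown bits are reported, not dropped."""
    if mode == SSL_VERIFY_NONE:
        return ["SSL_VERIFY_NONE"]
    names = [name for bit, name in FLAG_NAMES.items() if mode & bit]
    unknown = mode & ~sum(FLAG_NAMES)
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def peer_cert_required(mode: int) -> bool:
    """True only if the TLS handshake aborts when the peer presents no certificate.

    SSL_VERIFY_PEER alone merely *requests* a certificate: a client that sends
    none still completes the handshake and gets an encrypted but, at the TLS
    layer, unauthenticated session. The handshake itself enforces client
    identity only when SSL_VERIFY_FAIL_IF_NO_PEER_CERT is also set.
    """
    return bool(mode & SSL_VERIFY_PEER) and bool(mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)


def decode_verify_depth(raw: int) -> Optional[int]:
    """Map MySQL's unsigned display of the verify depth back to OpenSSL's meaning.

    Assumption: OpenSSL stores "depth not set" as -1, which an unsigned long
    prints as 4294967295 (32-bit) or 18446744073709551615 (64-bit). None means
    the OpenSSL default depth applies; any other value is an explicit limit.
    """
    if raw in (0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF):
        return None
    return raw


def summarize(status_text: str) -> Dict[str, object]:
    """Parse a SHOW STATUS table and report what the verify settings actually enforce."""
    status = parse_show_status(status_text)
    mode = int(status["Ssl_verify_mode"])
    depth = int(status["Ssl_verify_depth"])
    return {
        "version": status.get("Ssl_version"),
        "mode_flags": decode_verify_mode(mode),
        "client_cert_required_by_tls": peer_cert_required(mode),
        "verify_depth": decode_verify_depth(depth),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STATUS).items():
        print("%-28s %s" % (key, value))
```

Run against the post's table, summarize() reports mode_flags of SSL_VERIFY_PEER and SSL_VERIFY_CLIENT_ONCE, client_cert_required_by_tls False, and an unset verify depth. Feed it the output of your own "show status like '%ssl_v%'" to check a server the same way.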