sunanda menon wrote:
>
> An updated version of the ARC case is being sent out. This includes for 
> both MySQL server and for running the testsuite using SSL.


Comments...


> 4.1. Details:



>      The MySQL test package (SUNWmysql5*test) provides the required 
>      sample Certificate Authority(CA) certificates, only for the 
>      purposes of testing and validating the MySQL server when 
>      running the standard MySQL test suite.
> 
>      Installing the mysqltest package does not automatically 
>      enable the certificates in the server. They will only ever be 
>      used if you run the test suite, which starts up its own mysqld 
>      servers with very specific configuration files - the settings 
>      of your config file in /etc/mysql/* are not used, updated, 
>      edited, or any way affected by running the test suite.


Now that the purpose of this case has been clarified, I'd just remove
the above two paragraphs entirely. The fact that there's some tests
which exercise this newly-enabled functionality is great, but not
relevant to an ARC review.


>      MySQL test package also provides the client key(client-key.pem) 
>      and certificate files(client-cert.pem) or the server will reject 
>      any SSL connection initiated.

Same goes for this paragraph, just remove.


Then, it's useful to note the CLI options which now become relevant,
but add a short note with some context, for example:

      On the client side, the /usr/bin/mysql CLI will now be able to
      make use of the following options. Note these options have been
      part of mysql CLI all along so technically this case does not
      introduce them. However, until this case integrates, using these
      options will simply fail.

>      *  --ssl-ca identifies the Certificate Authority 
>      (CA) certificate.
>      *  --ssl-cert identifies the server public key. 
>      This can be sent to the client and authenticated against the
>       CA  certificate that it has.
>      *  --ssl-key identifies the server private key.

I realize you're just cut & pasting this from MySQL docs but it is
confusing since the section talks about the mysql CLI (/usr/bin/mysql)
but --ssl-cert talks of server public key (and that text should say
server cert anyway).

So instead, I'd reword the above to something like (edit to taste):

>      *  --ssl-ca      Identifies the Certificate Authority (CA) certificate.
>      *  --ssl-cert    Identifies the client certificate (optional, only
                        if client cert authentication required)
>      *  --ssl-key     Identifies the client private key associated with
                        the client cert above (optional, only
                        if client cert authentication required)


Then, on the server side, how does one provide these options to start
the server? Are these set as smf attributes? Add a section documenting
how it works. 



> 4.3. Interfaces:
> 
>     we do NOT add any new command line option.

I'd write this something like:

        As noted in s.4.1, this case enables the functionality behind the
        pre-existing ssl options.
        

>  4.3.1 Imported Interfaces
> 
>    NAME                 STABILITY
>    -----------------------------------------------------------
>    OpenSSL              External/Volatile

You need to list the case you're importing it from.

    NAME                 STABILITY              IMPORTED FROM
    -----------------------------------------------------------
    OpenSSL              External/Volatile      PSARC/2003/500



-- 
Jyri J. Virkki - jyri.virkki at sun.com - Sun Microsystems

