Could anyone give me a hint how to address the
MySQLdb.connect function with SSL ?
In the _mysql.c source I saw that "ssl" variable
is parsed to get the ca, capath, cert and key values.
What kind/type of variable is that ssl ?
I've tried something like:
But without success =(
http://dev.mysql.com/doc/mysql/en/Secure_connections.html
http://dev.mysql.com/doc/mysql/en/mysql_ssl_set.html
key is the pathname to the key file.
cert is the pathname to the certificate file.
ca is the pathname to the certificate authority file.
capath is the pathname to a directory that contains trusted SSL CA certificates in pem format.
cipher is a list of allowable ciphers to use for SSL encryption.
You don't really say what kind of problem you are having, but here are some additional hints:
1) Your server must be configured for SSL. This includes getting or generating a certificate for it.
2) The server's certificate must be signed by one of the CA certificates in capath, or by the certificate in ca.
3) Your client certificate must be specified in the GRANT for that user.
http://dev.mysql.com/doc/mysql/en/Secure_GRANT.html
I believe you must specify: key, cert, and either ca or capath.
I would not bother with SSL unless you have to have access over a WAN link, i.e. you almost certainly don't need it in your LAN.
>http://dev.mysql.com/doc/mysql/en/Secure_connections.html
>http://dev.mysql.com/doc/mysql/en/mysql_ssl_set.html
>http://dev.mysql.com/doc/mysql/en/Secure_GRANT.html
>
I've already consulted these pages....
>
># key is the pathname to the key file.
># cert is the pathname to the certificate file.
># ca is the pathname to the certificate authority file.
># capath is the pathname to a directory that contains trusted SSL CA certificates in pem format.
># cipher is a list of allowable ciphers to use for SSL encryption.
>
that's how I tried it... =(
>You don't really say what kind of problem you are having, but here are some additional hints:
>
>1) Your server must be configured for SSL. This includes getting or generating a certificate for it.
>
It has SSL support, and I can connect with a normal MySQL Client (Unix (FreeBSD) System)
>2) The server's certificate must be signed by one of the CA certificates in capath, or by the certificate in ca.
>
>3) Your client certificate must be specified in the GRANT for that user.
>
I'm only using SSL = any, because I'm authenticating through un/pw. And it does work with a normal MySQL client (SSL options set through --defaults-file=).
The connection is secured, because SHOW STATUS LIKE 'Ssl_cipher' results in the possibly used ciphers. (All these tests were done on the FreeBSD system)
>
>I believe you must specify: key, cert, and either ca or capath.
>
nothing works at all =/
>I would not bother with SSL unless you have to have access over a WAN link, i.e. you almost certainly don't need it in your LAN.
Till now, I've used MySQLdb in a LAN, now with the new soft release, I would like to use it over WAN. That's why I'm bothering a lot with that stuff.
My Client side is always on windows system, so I'm using the 1.0.0 binary version of MySQLdb.
(probably that's the pitfall =(
My Script looks like this:

ssl_test.py:

import MySQLdb

# Backslashes are doubled so the trailing one does not escape the closing quote.
path_to_application = "D:\\SIM\\"
config_db = "test_db"
config_ip = "10.0.0.81"
config_user = "test"
config_pw = ""
config_port = "3306"
default_file = path_to_application + "SQL.conf"

# Client-side SSL settings, passed to MySQLdb.connect() as a dictionary.
test_ssl = {}
test_ssl["ca"] = path_to_application + "cacert.pem"
test_ssl["capath"] = path_to_application
test_ssl["cert"] = path_to_application + "client-cert.pem"
test_ssl["key"] = path_to_application + "client-key.pem"
test_ssl["cipher"] = "DHE-RSA-AES256-SHA"

db = MySQLdb.connect(db=config_db, host=config_ip, user=config_user, passwd=config_pw, port=int(config_port), compress=1, read_default_file=default_file, ssl=test_ssl)

D:\SIM\SQL.config:

[client]
ssl-ca=D:\SIM\cacert.pem
ssl-cert=D:\SIM\client-cert.pem
ssl-key=D:\SIM\client-key.pem

What is strange:
if I set the path_to_application variable to a nonexistent value (incorrect path), I don't get an error, probably indicating the SSL routines are not up at all....
Is the Windows binary dist compiled against OpenSSL? Which libraries (DLLs) would be used?
If not, is there a howto for compiling MySQLdb on a Windows system?
I've also tried to copy the OpenSSL libs to the MySQLdb site-package folder, without success...
I'm really stuck on that problem... If I could recompile MySQLdb for Windows with SSL support it would be a great help.
Thanks for any help in advance,
Cheers, now I need a beer.....
It is entirely possible that the Windows binary package does not have support for SSL compiled in. In the 1.1.x series, you will get an exception if SSL is requested and not available in the client.
If you're setting SSL parameters in the default file (which is the better way to do it), you probably shouldn't pass the ssl parameter at all; it probably is overriding your defaults.
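An added example, not code from this thread or from the MySQLdb project: because an older client build can ignore the SSL options without raising anything, the sketch below fails closed by checking the certificate paths first and then requiring a non-empty `Ssl_cipher` for the session, the same status query used earlier in the thread. The names `connect_verified`, `negotiated_cipher`, `check_ssl_files` and `InsecureConnectionError` are hypothetical; `connect` is assumed to be a driver function such as `MySQLdb.connect` that accepts the `ssl=` dictionary shown in the posted script.

```python
import os

REQUIRED_SSL_KEYS = ("ca", "cert", "key")  # file entries of the ssl dictionary


class InsecureConnectionError(Exception):
    """Raised when the session cannot be shown to be encrypted."""


def check_ssl_files(ssl_params):
    """Fail early on wrong paths instead of letting the client ignore them."""
    missing = [k for k in REQUIRED_SSL_KEYS
               if not os.path.isfile(ssl_params.get(k, ""))]
    if missing:
        raise InsecureConnectionError(
            "missing SSL files for: " + ", ".join(missing))


def negotiated_cipher(conn):
    """Return the session's Ssl_cipher value ('' when the link is plaintext)."""
    cur = conn.cursor()
    try:
        cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
        row = cur.fetchone()
    finally:
        cur.close()
    return row[1] if row and row[1] else ""


def connect_verified(connect, ssl_params, **kwargs):
    """Connect with SSL options, then refuse to continue without a cipher.

    `connect` is passed in (assumption: something like MySQLdb.connect) so the
    check does not depend on how the installed client library was built.
    """
    check_ssl_files(ssl_params)
    conn = connect(ssl=ssl_params, **kwargs)
    cipher = negotiated_cipher(conn)
    if not cipher:
        conn.close()  # never hand back a plaintext session
        raise InsecureConnectionError(
            "server reports an empty Ssl_cipher; the connection is not encrypted")
    return conn, cipher
```

Typical use would be `conn, cipher = connect_verified(MySQLdb.connect, test_ssl, host=..., user=..., passwd=..., db=...)`, with credentials sent only over a connection this function returned.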
I've tried my posted script on the FreeBSD machine, and it worked fine with that dictionary test_ssl variable....
With your hint in mind that the 1.0.0 Windows dist does not provide an SSL error if not supported, I think that it's just not linked against OpenSSL.
I'll try to recompile the stable 1.0.0 version with OpenSSL support... might take a while, but it's worth it (if I succeed =)
Thanks to you adustman,
one question: are you the guy who compiled the 1.0.0 Windows version?
Greetings from cold Switzerland
I recommend 1.1.7 instead; it should be released as 1.2.0 with very minimal changes.
And re: the Windows binary, you must be new here, or haven't read README carefully...