SSL troubles....

Help
crusty
2004-11-17
2012-09-19
  • crusty

    crusty - 2004-11-17

    Could anyone give me a hint how to address the
    MySQLdb.connect function with SSL?

    In the _mysql.c source I saw that the "ssl" variable
    is parsed to get the ca, capath, cert and key values.

    What kind/type of variable is that ssl?

    I've tried something like:

    ssl = {}
    ssl["ca"] = "path_to_cert\cacert.pem"
    ssl["capath"] = "path_to_cert"
    ssl["cert"] = "path_to_cert\client-cert.pem"
    ssl["key"] = "path_to_cert\client-key.pem"
    

    But without success =(

     
    • Andy Dustman

      Andy Dustman - 2004-11-17

      http://dev.mysql.com/doc/mysql/en/Secure_connections.html
      http://dev.mysql.com/doc/mysql/en/mysql_ssl_set.html

      key is the pathname to the key file.

      cert is the pathname to the certificate file.

      ca is the pathname to the certificate authority file.

      capath is the pathname to a directory that contains trusted SSL CA certificates in pem format.

      cipher is a list of allowable ciphers to use for SSL encryption.

      You don't really say what kind of problem you are having, but here are some additional hints:

      1) Your server must be configured for SSL. This includes getting or generating a certificate for it.

      2) The server's certificate must be signed by one of the CA certificates in capath, or by the certificate in ca.

      3) Your client certificate must be specified in the GRANT for that user.

      http://dev.mysql.com/doc/mysql/en/Secure_GRANT.html

      I believe you must specify: key, cert, and either ca or capath.

      I would not bother with SSL unless you have to have access over a WAN link, i.e. you almost certainly don't need it in your LAN.

       
    • crusty

      crusty - 2004-11-18

      >http://dev.mysql.com/doc/mysql/en/Secure_connections.html
      >http://dev.mysql.com/doc/mysql/en/mysql_ssl_set.html
      >http://dev.mysql.com/doc/mysql/en/Secure_GRANT.html
      >

      I've already consulted these pages....

      >
      ># key is the pathname to the key file.
      ># cert is the pathname to the certificate file.
      ># ca is the pathname to the certificate authority file.
      ># capath is the pathname to a directory that contains trusted SSL CA certificates in pem format.
      ># cipher is a list of allowable ciphers to use for SSL encryption.
      >

      that's how I tried it... =(

      >You don't really say what kind of problem you are having, but here are some additional hints:
      >
      >1) Your server must be configured for SSL. This includes getting or generating a certificate for it.
      >

      It has SSL support, and I can connect with a normal MySQL Client (Unix (FreeBSD) System)

      >2) The server's certificate must be signed by one of the CA certificates in capath, or by the the certificate in ca.
      >
      >3) Your client certificate must be specified in the GRANT for that user.
      >

      I'm only using SSL = any, because I'm authenticating through un/pw. And it does work with a normal MySQL client (SSL options set through --defaults-file=).
      The connection is secured, because SHOW STATUS LIKE 'Ssl_cipher' results in the possibly used ciphers. (All these tests were done on the FreeBSD system)

      >
      >I believe you must specify: key, cert, and either ca or capath.
      >

      nothing works at all =/

      >I would not bother with SSL unless you have to have access over a WAN link, i.e. you almost certainly don't need it in your LAN.

      Until now, I've used MySQLdb in a LAN; now with the new soft release, I would like to use it over WAN. That's why I'm bothering a lot with that stuff.

      My Client side is always on windows system, so I'm using the 1.0.0 binary version of MySQLdb.
      (probably that's the pitfall =(

      My Script looks like this:

      ssl_test.py

      import MySQLdb

      # backslashes must be escaped: "D:\SIM\" would swallow the closing quote
      path_to_application = "D:\\SIM\\"

      config_db = "test_db"
      config_ip = "10.0.0.81"
      config_user = "test"
      config_pw = ""
      config_port = "3306"

      default_file = path_to_application + "SQL.conf"

      test_ssl = {}
      test_ssl["ca"] = path_to_application + "cacert.pem"
      test_ssl["capath"] = path_to_application
      test_ssl["cert"] = path_to_application + "client-cert.pem"
      test_ssl["key"] = path_to_application + "client-key.pem"
      test_ssl["cipher"] = "DHE-RSA-AES256-SHA"

      # 'self.db' only works inside a class method; a plain name is needed in a standalone script
      db = MySQLdb.connect(db=config_db, host=config_ip, user=config_user, passwd=config_pw, port=int(config_port), compress=1, read_default_file=default_file, ssl=test_ssl)

      D:\SIM\SQL.config

      [client]
      ssl-ca=D:\SIM\cacert.pem
      ssl-cert=D:\SIM\client-cert.pem
      ssl-key=D:\SIM\client-key.pem

      Strange is:
      if I set the path_to_application variable to a nonexistent value (incorrect path), I don't get an error, probably indicating the ssl routines are not up at all....

      Is the WINDOWS binary dist compiled against OpenSSL? Which libraries (dlls) would be used?
      If not, is there a howto for compiling MySQLdb on a Windows system?

      I've also tried to copy the OpenSSL libs to the MySQLdb site-package folder, without success...

      I'm really stuck in that problem... If I could recompile MySQLdb for Windows with SSL support it would be a great help.

      Thanks for any help in advance,

      Cheers, now I need a beer.....

       
      • Andy Dustman

        Andy Dustman - 2004-11-18

        It is entirely possible that the Windows binary package does not have support for SSL compiled in. In the 1.1.x series, you will get an exception if SSL is requested and not available in the client.

        If you're setting SSL parameters in the default file (which is the better way to do it), you probably shouldn't pass the ssl parameter at all; it probably is overriding your defaults.
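
As an added example (not code from this thread or from MySQLdb itself), the following Python 3 module puts the two approaches discussed above side by side: the `ssl` dictionary whose keys Andy lists (key, cert, ca, capath, cipher), and the equivalent `[client]` section for `read_default_file`, to be used one or the other, not both, since the explicit dict overrides the option file. It also turns crusty's check, `SHOW STATUS LIKE 'Ssl_cipher'`, into a fail-closed test, so that a client built without SSL support (which silently ignores the parameters) cannot quietly leave the session in the clear. The file names, host, user and the `MYSQL_HOST` environment variable are assumptions for illustration; the placeholder .pem files are empty stand-ins created only so the helpers can run offline.

```python
"""Added example for this thread (not code from the original posts or from
MySQLdb itself).  File names, host and user below are assumptions."""
import os
import tempfile

# The keys MySQLdb.connect(ssl=...) understands; the matching option-file
# names are the same words prefixed with "ssl-" (ssl-key, ssl-cert, ...).
SSL_KEYS = ("key", "cert", "ca", "capath", "cipher")


def build_ssl_options(directory, key="client-key.pem", cert="client-cert.pem",
                      ca="cacert.pem", capath=None, cipher=None):
    """Build the dict for MySQLdb.connect(ssl=...) from files in *directory*.

    Every file is checked for existence up front: a mistyped path must fail
    here, loudly, rather than be ignored by a client built without SSL.
    """
    opts = {}
    for name, filename in (("key", key), ("cert", cert), ("ca", ca)):
        if filename is None:
            continue
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            raise FileNotFoundError("ssl %r file not found: %s" % (name, path))
        opts[name] = path
    if capath is not None:
        if not os.path.isdir(capath):
            raise FileNotFoundError("ssl capath is not a directory: %s" % capath)
        opts["capath"] = capath
    if cipher:
        opts["cipher"] = cipher
    # Without a trust anchor the server certificate cannot be verified.
    if "ca" not in opts and "capath" not in opts:
        raise ValueError("ca or capath is required to verify the server certificate")
    return opts


def client_option_section(ssl_opts):
    """Render the same settings as a [client] section for read_default_file."""
    lines = ["[client]"]
    for name in SSL_KEYS:
        if name in ssl_opts:
            lines.append("ssl-%s=%s" % (name, ssl_opts[name]))
    return "\n".join(lines) + "\n"


def negotiated_cipher(status_rows):
    """Interpret the rows of SHOW STATUS LIKE 'Ssl_cipher'.

    Returns the cipher name, or None when the value is empty or missing,
    i.e. when the session is running in the clear.
    """
    for name, value in status_rows:
        if name == "Ssl_cipher":
            return value or None
    return None


def connect_checked(ssl_opts=None, option_file=None, **kwargs):
    """Connect, then refuse to proceed unless a cipher was really negotiated.

    Pass either ssl_opts or option_file, not both: an explicit ssl dict
    overrides whatever the option file says.
    """
    import MySQLdb  # imported here so the rest of the module works without it
    if ssl_opts is not None:
        kwargs["ssl"] = ssl_opts
    elif option_file is not None:
        kwargs["read_default_file"] = option_file
    conn = MySQLdb.connect(**kwargs)
    cur = conn.cursor()
    cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
    cipher = negotiated_cipher(cur.fetchall())
    if cipher is None:
        conn.close()
        raise RuntimeError("session is not encrypted; closing the connection")
    return conn, cipher


def demo_directory():
    """Create a temporary directory with empty placeholder .pem files
    (constructed stand-ins, not real keys) so the helpers run offline."""
    directory = tempfile.mkdtemp(prefix="mysqldb-ssl-")
    for filename in ("client-key.pem", "client-cert.pem", "cacert.pem"):
        open(os.path.join(directory, filename), "w").close()
    return directory


if __name__ == "__main__":
    d = demo_directory()
    opts = build_ssl_options(d, cipher="DHE-RSA-AES256-SHA")
    print(client_option_section(opts))
    # A real connection only when a host is supplied (assumed env var);
    # the placeholder files above cannot complete a handshake.
    host = os.environ.get("MYSQL_HOST")
    if host:
        conn, cipher = connect_checked(opts, host=host, user="test", db="test_db")
        print("encrypted with", cipher)
        conn.close()
```

The check in `connect_checked` is the part that matters in practice: a client library that was built without SSL accepts the `ssl` argument and connects anyway, so only the server-side `Ssl_cipher` status can tell you whether the session is actually encrypted.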

         
        • crusty

          crusty - 2004-11-18

          I've tried my posted script on the FreeBSD machine, and it worked fine with that dictionary test_ssl variable....

          With your hint in mind that the 1.0.0 Windows dist does not give an SSL error if not supported, I think it's just not linked against OpenSSL.

          I'll try to recompile the stable 1.0.0 version with OpenSSL support... might take a while, but it's worth it (if I succeed =)

          Thanks to you adustman,
          one question: are you the guy who compiled the
          1.0.0 windows version ?

          greeting from cold Switzerland

           
          • Andy Dustman

            Andy Dustman - 2004-11-18

            I recommend 1.1.7 instead; it should be released as 1.2.0 with very minimal changes.

            And re: the Windows binary, you must be new here, or haven't read README carefully...

             
