ssl questions
on 09.09.2009 00:36:44 by qt4x11
I'm trying to set up my mysql 5.1 server to work over ssl, I'm following the
directions at http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html.
I've confirmed that my server supports ssl
mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl | YES |
+---------------+-------+
set up certs according to
http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html
bash-3.2# ls -l newcerts/
total 20
-rwxrwxrwx 1 root root 1761 Sep 8 14:01 ca-cert.pem
-rwxrwxrwx 1 root root 1675 Sep 8 14:00 ca-key.pem
-rwxrwxrwx 1 root root 1371 Sep 8 14:02 server-cert.pem
-rwxrwxrwx 1 root root 1675 Sep 8 14:01 server-key.pem
-rwxrwxrwx 1 root root 1094 Sep 8 14:01 server-req.pem
and that mysql is started with the appropriate --ssl-xxx options (I set 777
permissions on the newcerts directory to ensure that permissions wouldn't be
a problem during testing but was planning on tightening permissions once I
got ssl working)
bash-3.2# ps aux | grep mysql
root 13326 0.0 0.2 63848 1332 pts/0 S 15:25 0:00 /bin/sh
/usr/bin/mysqld_safe --datadir=/var/lib/mysql
--pid-file=/var/lib/mysql/mysql.example.com.pid
--ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem
--ssl-cert=/var/lib/mysql/newcerts/server-cert.pem
--ssl-key=/var/lib/mysql/newcerts/server-key.pem
mysql 13399 0.1 3.4 138488 17676 pts/0 Sl 15:25 0:00
/usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql
--ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem
--ssl-cert=/var/lib/mysql/newcerts/server-cert.pem
--ssl-key=/var/lib/mysql/newcerts/server-key.pem
--log-error=/var/lib/mysql/mysql.example.com.err
--pid-file=/var/lib/mysql/mysql.example.com.pid
root 13430 0.0 0.1 61164 768 pts/0 R+ 15:25 0:00 grep mysql
I'm also following documentation here
(http://www.stunnel.org/examples/mysql.html) to set up mysql with
ssl support over stunnel. My stunnel.conf looks like
cert = /etc/stunnel/stunnel.pem
pid = /tmp/stunnel.pid
debug = 7
output = stunnel.log
[mysqls]
accept = 3307
connect = 3306
I've confirmed that my server is listening on 3307
[user@mysql.example.com ~]$ netstat -anF | grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:*
LISTEN
[user@mysql.example.com ~]$ netstat -anF | grep 3307
tcp 0 0 0.0.0.0:3307 0.0.0.0:*
LISTEN
and that I can connect successfully over 3306
mysql -u user -p -h mysql.example.com -P 3306
but when I try to connect over port 3307,
mysql -u user -p -h mysql.example.com -P 3307
it fails to connect (my graphical client gives an error message that reads
'connection reset').
I'm not sure what's wrong. My mysql user was created without any specific
SSL requirements, so I'm thinking I should be able to connect over either
port without specifying any --ssl-xxx options on the client side. I'd like
the user to be able to connect either way. I tried looking at the mysql
error log but it didn't provide any useful information - is there a way to
increase the log level to get at the source of the problem? Any tips would
be appreciated.
Thanks.
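Added example (not part of the original post, and not code from MySQL or stunnel): in the MySQL protocol the server sends its greeting first, whereas a TLS listener waits for the client's ClientHello, so reading the first bytes from a port shows which kind of endpoint is behind it. The sketch parses that greeting and reports the server's CLIENT_SSL capability bit; the function names and the sample packet are constructed for illustration.

```python
import socket

CLIENT_SSL = 0x0800  # capability bit: server offers the in-protocol TLS upgrade

def parse_greeting(data):
    """Parse a MySQL protocol-10 initial handshake; return version and SSL flag."""
    if len(data) < 5:
        raise ValueError("too short for a MySQL packet header")
    length = int.from_bytes(data[0:3], "little")   # 3-byte payload length
    payload = data[4:4 + length]                   # data[3] is the sequence id
    if len(payload) < length or not payload or payload[0] != 10:
        raise ValueError("not a protocol-10 greeting")
    end = payload.index(b"\x00", 1)                # version string is NUL-terminated
    pos = end + 1 + 4 + 8 + 1                      # skip thread id, salt part 1, filler
    if len(payload) < pos + 2:
        raise ValueError("greeting ends before the capability flags")
    caps = int.from_bytes(payload[pos:pos + 2], "little")
    return {"version": payload[1:end].decode("ascii", "replace"),
            "ssl_offered": bool(caps & CLIENT_SSL)}

def classify(first_bytes):
    """Classify what a listener sent before the client wrote anything."""
    if not first_bytes:
        return "silent: peer waits for the client to speak first (TLS-wrapped listener?)"
    try:
        g = parse_greeting(first_bytes)
    except ValueError:
        return "unknown: data received, but not a MySQL greeting"
    tls = "offers" if g["ssl_offered"] else "does not offer"
    return "mysql %s, %s in-protocol SSL" % (g["version"], tls)

def probe(host, port, timeout=3.0):
    """Connect, send nothing, and classify whatever arrives within the timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(4096)
        except socket.timeout:
            return classify(b"")
        return classify(data) if data else "closed: peer closed without sending"

def sample_greeting(caps):
    """Constructed sample packet (not captured traffic); version string is made up."""
    body = b"\x0a" + b"5.1.37\x00" + (1).to_bytes(4, "little") + b"A" * 8 + b"\x00"
    body += caps.to_bytes(2, "little") + b"\x08\x02\x00" + b"\x00" * 13
    return len(body).to_bytes(3, "little") + b"\x00" + body

if __name__ == "__main__":
    for caps in (0x0A01, 0x0201):
        print(classify(sample_greeting(caps)))
```

Run against a live host, probe("mysql.example.com", 3306) and probe("mysql.example.com", 3307) can be compared side by side.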
Re: ssl questions
on 08.10.2009 13:03:58 by Tompkins Neil
Hi
I wondered how you are getting on with installing SSL for mysql 5.1 server.
We are looking to install it too. Do you have any pointers/recommendations?
Regards
Neil
On Tue, Sep 8, 2009 at 11:36 PM, qt4x11 wrote:
> I'm trying to set up my mysql 5.1 server to work over ssl, I'm following
> the
> directions at
> http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html.
> I've confirmed that my server supports ssl
>
> mysql> SHOW VARIABLES LIKE 'have_ssl';
> +---------------+-------+
> | Variable_name | Value |
> +---------------+-------+
> | have_ssl | YES |
> +---------------+-------+
>
> set up certs according to
> http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html
>
> bash-3.2# ls -l newcerts/
> total 20
> -rwxrwxrwx 1 root root 1761 Sep 8 14:01 ca-cert.pem
> -rwxrwxrwx 1 root root 1675 Sep 8 14:00 ca-key.pem
> -rwxrwxrwx 1 root root 1371 Sep 8 14:02 server-cert.pem
> -rwxrwxrwx 1 root root 1675 Sep 8 14:01 server-key.pem
> -rwxrwxrwx 1 root root 1094 Sep 8 14:01 server-req.pem
>
> and that mysql is started with the appropriate --ssl-xxx options (I set 777
> permissions on the newcerts directory to ensure that permissions wouldn't
> be
> a problem during testing but was planning on tightening permissions once I
> got ssl working)
>
> bash-3.2# ps aux | grep mysql
> root 13326 0.0 0.2 63848 1332 pts/0 S 15:25 0:00 /bin/sh
> /usr/bin/mysqld_safe --datadir=/var/lib/mysql
> --pid-file=/var/lib/mysql/mysql.example.com.pid
> --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem
> --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem
> --ssl-key=/var/lib/mysql/newcerts/server-key.pem
> mysql 13399 0.1 3.4 138488 17676 pts/0 Sl 15:25 0:00
> /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql
> --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem
> --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem
> --ssl-key=/var/lib/mysql/newcerts/server-key.pem
> --log-error=/var/lib/mysql/mysql.example.com.err
> --pid-file=/var/lib/mysql/mysql.example.com.pid
> root 13430 0.0 0.1 61164 768 pts/0 R+ 15:25 0:00 grep mysql
> I'm also following documentation here
> (http://www.stunnel.org/examples/mysql.html) to set up mysql with
> ssl support over stunnel. My stunnel.conf looks like
>
> cert = /etc/stunnel/stunnel.pem
> pid = /tmp/stunnel.pid
> debug = 7
> output = stunnel.log
> [mysqls]
> accept = 3307
> connect = 3306
>
> I've confirmed that my server is listening on 3307
>
> [user@mysql.example.com ~]$ netstat -anF | grep 3306
> tcp 0 0 0.0.0.0:3306 0.0.0.0:*
> LISTEN
> [user@mysql.example.com ~]$ netstat -anF | grep 3307
> tcp 0 0 0.0.0.0:3307 0.0.0.0:*
> LISTEN
>
> and that I can connect successfully over 3306
>
> mysql -u user -p -h mysql.example.com -P 3306
>
> but when I try to connect over port 3307,
>
> mysql -u user -p -h mysql.example.com -P 3307
>
> it fails to connect (my graphical client gives an error message that reads
> 'connection reset').
>
> I'm not sure what's wrong. My mysql user was created without any specific
> SSL requirements, so I'm thinking I should be able to connect over either
> port without specifying any --ssl-xxx options on the client side. I'd like
> the user to be able to connect either way. I tried looking at the mysql
> error log but it didn't provide any useful information - is there a way to
> increase the log level to get at the source of the problem? Any tips would
> be appreciated.
>
> Thanks.
>
Re: ssl questions
on 11.10.2009 19:02:05 by muhammad subair
Hi,
Maybe, first you can check MySQL documentation [0], [1]
[0] http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html
[1] http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html
--
Muhammad Subair
On Thu, Oct 8, 2009 at 6:03 PM, Tompkins Neil wrote:
> Hi
>
> I wondered how you are getting on with installing SSL for mysql 5.1 server.
> We are looking to install it too. Do you have any pointers/recommendations?
>
> Regards
> Neil
>
> On Tue, Sep 8, 2009 at 11:36 PM, qt4x11 wrote:
>
> > I'm trying to set up my mysql 5.1 server to work over ssl, I'm following
> > the
> > directions at
> > http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html.
> > I've confirmed that my server supports ssl
> >
> > mysql> SHOW VARIABLES LIKE 'have_ssl';
> > +---------------+-------+
> > | Variable_name | Value |
> > +---------------+-------+
> > | have_ssl | YES |
> > +---------------+-------+
> >
>
Re: ssl questions
on 12.10.2009 11:05:03 by Tompkins Neil
We are looking to install on Windows.
Sent from my iPod
On 11 Oct 2009, at 18:02, muhammad subair wrote:
> Hi,
>
> Maybe, first you can check MySQL documentation [0], [1]
>
> [0] http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html
> [1] http://dev.mysql.com/doc/refman/5.0/en/secure-basics.html
>
> --
> Muhammad Subair
>
> On Thu, Oct 8, 2009 at 6:03 PM, Tompkins Neil wrote:
> Hi
>
> I wondered how you are getting on with installing SSL for mysql 5.1 server.
> We are looking to install it too. Do you have any pointers/recommendations?
>
> Regards
> Neil
>
> On Tue, Sep 8, 2009 at 11:36 PM, qt4x11 wrote:
>
> > I'm trying to set up my mysql 5.1 server to work over ssl, I'm following
> > the
> > directions at
> > http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html.
> > I've confirmed that my server supports ssl
> >
> > mysql> SHOW VARIABLES LIKE 'have_ssl';
> > +---------------+-------+
> > | Variable_name | Value |
> > +---------------+-------+
> > | have_ssl | YES |
> > +---------------+-------+
> >