Bug 46340 - php + mysql_real_connect using SSL
Summary: php + mysql_real_connect using SSL
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Development
Hardware: All All
Importance: High normal
Assignee: PHP Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-31 03:10 UTC by petre rodan (RETIRED)
Modified: 2004-10-02 13:37 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
my.cnf reader (4.3.4-mysqlclient.diff,1003 bytes, patch)
2004-03-31 03:11 UTC, petre rodan (RETIRED)
Description petre rodan (RETIRED) gentoo-dev 2004-03-31 03:10:19 UTC
I was trying to use SSL-enabled mysql connections using php and mod_php.

The problem was that the libmysql library inside {,mod_}php detects that SSL is needed, but it doesn't know the location of the client certificate.

by simply inserting the following line 
mysql_options(&mysql->conn,MYSQL_READ_DEFAULT_GROUP,"client");
before mysql_real_connect(..) in ext/mysql/php_mysql.c, the my.cnf file is read and all SSL-related configurations are imported from there.

If my problem can be solved in another way, please drop me a line :).

Until then, please see the attached diff, maybe it can be used in the ebuild.

Successfully tested with php-4.3.4-r4, mod_php-4.3.4-r4, php-5.0_beta1-r1.
Comment 1 petre rodan (RETIRED) gentoo-dev 2004-03-31 03:11:21 UTC
Created attachment 28436
my.cnf reader
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-03-31 10:11:53 UTC
coredumb: what's your take on this? I haven't played with SSL connections to MySQL before.
Comment 3 petre rodan (RETIRED) gentoo-dev 2004-03-31 11:32:48 UTC
I haven't found any help on this subject on the net :(

Well, basically one should follow the mysql docs in order to create the certificates on both the server and the client, issue a special grant on the server (with REQUIRE misc ssl options), and then modify the my.cnf files on both machines.

http://www.mysql.com/doc/en/Secure_basics.html
http://www.mysql.com/doc/en/Secure_requirements.html
http://www.mysql.com/doc/en/Secure_create_certs.html
http://www.mysql.com/doc/en/Secure_GRANT.html

the grant must contain 'subject' and 'issuer' fields exactly as shown by

`openssl x509 -in client-cert.pem -subject` and
`openssl x509 -in client-cert.pem -issuer`

and not like the example from the mysql docs.

a good grant example is here:

grant all privileges on database.* to 'gogu'@'peter.sunspire.org' identified by 'gigi' require subject '/C=RO/ST=NA/L=Bucharest/O=Tehnosistem SA/CN=generic client/emailAddress=petre.rodan@tehnosistem.ro' and issuer '/C=RO/ST=NA/L=Bucharest/O=Tehnosistem SA/OU=Certificate Authority/CN=Tehnosistem CA/emailAddress=ca@tehnosistem.ro';

the my.cnf file on the client (that has php and/or mod_php) should contain:

[client]
ssl-ca          = /etc/ssl/mysql/cacert.pem
ssl-cert        = /etc/ssl/mysql/client-cert.pem
ssl-key         = /etc/ssl/mysql/client-key.pem

on the server:

[mysqld]
ssl-ca          = /etc/ssl/mysql/cacert.pem
ssl-cert        = /etc/ssl/mysql/server-cert.pem
ssl-key         = /etc/ssl/mysql/server-key.pem


my patch will read the '[client]' configurations before making the actual connection to the server.
ssl will be used automagically once the connection is made. authentication is successful.

without the patch, ssl REQUIRE is detected, the server certificate is sent by the remote machine, but the php client doesn't have any information regarding the location of certificate files and authentication will always fail.

my php knowledge is almost 0, but I thought maybe my solution would be of some help to others.

bye,
peter
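The procedure in the comment above (create the certificates, derive the exact subject and issuer for the GRANT, fill in the [client] and [mysqld] groups) as one script. This is an added example, not the bug reporter's patch or anything from the MySQL docs: the DNs, the 'gogu'@'db.example' account, the password and /etc/ssl/mysql are constructed placeholders. It assumes a current OpenSSL (1.1 or later), which prints DNs as "C = RO, ST = NA, ..." unless -nameopt compat is given; MySQL compares REQUIRE SUBJECT/ISSUER against the slash-separated X509_NAME_oneline form, which is what the 2004 openssl printed by default. It also assumes MySQL 8.0 syntax, where IDENTIFIED BY and REQUIRE moved from GRANT into CREATE USER. The [client] fragment it prints is the group the bug's patch makes libmysqlclient read before mysql_real_connect().

```shell
#!/bin/sh
# Added example (not from the bug report): CA + server + client certificates
# for MySQL, REQUIRE SUBJECT/ISSUER taken from the real client cert, and the
# my.cnf fragments. All DNs, names and paths below are constructed placeholders.
set -eu

MYSQL_SSL_DIR="${MYSQL_SSL_DIR:-/etc/ssl/mysql}"

# Minimal openssl config: the subject always comes from -subj, and explicit
# extensions keep the CA a real CA on every OpenSSL version.
write_req_cnf() {  # $1 = path
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA. Its CN must differ from the server and client CNs; MySQL
# refuses to use a CA whose CN matches an end-entity certificate's CN.
make_ca() {  # $1 = output dir
    write_req_cnf "$1/req.cnf"
    openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=RO/O=Example SA/OU=Certificate Authority/CN=Example CA" \
        -keyout "$1/ca-key.pem" -out "$1/cacert.pem" 2>/dev/null
}

# Key, CSR and CA-signed certificate for one end entity (server or client).
issue_cert() {  # $1 = dir, $2 = server|client, $3 = subject DN
    write_req_cnf "$1/req.cnf"
    openssl req -config "$1/req.cnf" -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/$2.csr" \
        -CA "$1/cacert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -extfile "$1/req.cnf" -extensions "$2_ext" \
        -out "$1/$2-cert.pem" 2>/dev/null
    rm -f "$1/$2.csr"
}

# Print a DN exactly as the server compares it (X509_NAME_oneline, slash
# separated). Newer OpenSSL prints "C = RO, ST = NA, ..." unless told -nameopt compat.
cert_dn() {  # $1 = cert path, $2 = subject | issuer
    openssl x509 -noout "-$2" -nameopt compat -in "$1" | sed "s/^$2= *//"
}

# Exit status 0 when the certificate chains to the CA.
verify_chain() {  # $1 = CA cert, $2 = cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Account statements with SUBJECT and ISSUER read from the certificate instead
# of being typed by hand, which is the mismatch the bug report warns about.
grant_for_client() {  # $1 = client cert, $2 = 'user'@'host', $3 = db, $4 = password
    subj=$(cert_dn "$1" subject)
    iss=$(cert_dn "$1" issuer)
    printf "CREATE USER %s IDENTIFIED BY '%s' REQUIRE SUBJECT '%s' AND ISSUER '%s';\n" \
        "$2" "$4" "$subj" "$iss"
    printf "GRANT ALL PRIVILEGES ON %s.* TO %s;\n" "$3" "$2"
}

# my.cnf fragment for the [client] group (read by libmysqlclient) or [mysqld].
mycnf_fragment() {  # $1 = client | mysqld
    case "$1" in
        client) name=client ;;
        mysqld) name=server ;;
        *) echo "usage: mycnf_fragment client|mysqld" >&2; return 1 ;;
    esac
    printf '[%s]\nssl-ca   = %s/cacert.pem\nssl-cert = %s/%s-cert.pem\nssl-key  = %s/%s-key.pem\n' \
        "$1" "$MYSQL_SSL_DIR" "$MYSQL_SSL_DIR" "$name" "$MYSQL_SSL_DIR" "$name"
}

main() {  # $1 = output dir
    make_ca "$1"
    issue_cert "$1" server "/C=RO/ST=NA/L=Bucharest/O=Example SA/CN=db.example"
    issue_cert "$1" client "/C=RO/ST=NA/L=Bucharest/O=Example SA/CN=generic client"
    verify_chain "$1/cacert.pem" "$1/client-cert.pem" || { echo "client cert does not chain to CA" >&2; exit 1; }
    grant_for_client "$1/client-cert.pem" "'gogu'@'db.example'" database gigi
    mycnf_fragment client
    mycnf_fragment mysqld
    echo "certificates written to $1; copy them to $MYSQL_SSL_DIR on each host"
}

# Usage: sh mysql-ssl-setup.sh OUTDIR   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it with an output directory, paste the two SQL statements into the server, and copy the printed fragments into the respective my.cnf files. Because the REQUIRE strings are produced from the certificate rather than copied from a doc example, they match what the server sees during the handshake; if a client is later re-issued a certificate with a different DN, rerun grant_for_client rather than editing the strings by hand.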
Comment 4 petre rodan (RETIRED) gentoo-dev 2004-10-02 13:37:59 UTC
ssl support in mysql is buggy. 
it miraculously stopped working with no obvious reason 3 days after this bug was posted.

I'd better close this with INVALID before anyone else loses his sanity over this issue =)