I installed mysql-5.0.18 and decided to play around with non-localhost connections today. First, I was not able to connect with a user account that has only rights to connect via SSL connections.

After reading in the mysql manual, I got this hint:

| To check whether a running mysqld server supports OpenSSL, examine the value of
| the have_openssl system variable:
|
| mysql> SHOW VARIABLES LIKE 'have_openssl';

I did so:

mysql> SHOW VARIABLES LIKE 'have_openssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
+---------------+----------+

But I activated SSL in USE:

# emerge -pv mysql
[ebuild   R   ] dev-db/mysql-5.0.18  +berkdb -big-tables -cluster +debug -extraengine -max-idx-128 -minimal -perl (-selinux) +ssl -static +utf8 0 kB

That does not fit together.
verified on 5.0.19
Created attachment 82212 [details]
create_cert.sh

have_ssl=DISABLED does not mean it's not compiled in, read upstream docs [1]. And change your my.cnf accordingly [2].

The attached bash script is a gentoo adapted version of the upstream one [1]. Move cacert.pem, client-cert.pem, client-key.pem in /etc/mysql/ and restart the server.

have_openssl YES

[1] http://dev.mysql.com/doc/refman/5.0/en/ssl-options.html
    http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html

[2] example:

[client]
ssl
ssl-ca=/cacert.pem
ssl-cert=/client-cert.pem
ssl-key=/client-key.pem

[mysqld]
ssl
ssl-ca=/cacert.pem
ssl-cert=/server-cert.pem
ssl-key=/server-key.pem
CHTEKK, what about adding something that creates the certificates at build time?
I'd actually be against generating certificates at build time... Full for adding correct, easy to read doc for this, and maybe a little script to help along, but not let it generate automatically at build-time, since not many will use SSL with MySQL and even when you use it, SSL is delicate, 90% of the time you don't really follow or do a certificate exactly the same way (duration, key strength, etc.).

I'd also suggest an easier script than the one you proposed, that possibly works all inside /etc/ssl (creates a new /etc/ssl/mysql dir eventually), and that doesn't actually modify or create a modified my.cnf but only outputs what you'd have to change. Take a look for an example at the section that generates the SSL certs for SysCP (line 549+ of http://svn.gnqs.org/projects/gentoo-syscp-overlay/browser/experimental/www-apps/syscp/syscp-1.2.13.ebuild). That, a little modified naturally, plus a specific little doc, into /usr/share/${PF} should solve this in an acceptable manner, and maybe a little message that this exists in pkg_postinst() if USE=ssl enabled...

Ideas? Comments?

Best regards,
CHTEKK.
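An added example, not attachment 82212 and not code from the mysql ebuild, of what comments 3 and 5 describe: generate a private CA plus server and client certificates with openssl under one directory (the /etc/ssl/mysql suggestion; the directory is passed as an argument and is an assumption), verify the chain before use, and only print the my.cnf fragment rather than modifying my.cnf.

```shell
#!/bin/sh
# Added example: private CA + server/client certs for MySQL 5.0 SSL.
# Directory and validity period are assumptions passed by the caller.
set -e

# gen_mysql_certs DIR [DAYS]: writes ca-cert.pem, server-{key,cert}.pem and
# client-{key,cert}.pem into DIR. Returns non-zero if the chain check fails.
gen_mysql_certs() {
    dir="$1"; days="${2:-365}"
    mkdir -p "$dir"
    umask 077                      # private keys must not be world-readable
    # 1. Private CA (self-signed certificate, 2048-bit RSA key).
    openssl req -new -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -subj "/CN=MySQL-Local-CA" 2>/dev/null
    # 2. Server and client: key + request, then sign with the CA.
    #    Each subject must differ from the CA's, otherwise the leaf looks
    #    self-signed and verification fails.
    for role in server client; do
        openssl req -new -nodes -newkey rsa:2048 \
            -keyout "$dir/$role-key.pem" -out "$dir/$role-req.pem" \
            -subj "/CN=mysql-$role" 2>/dev/null
        openssl x509 -req -days "$days" -in "$dir/$role-req.pem" \
            -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
            -out "$dir/$role-cert.pem" 2>/dev/null
        rm -f "$dir/$role-req.pem"
    done
    chmod 644 "$dir"/*-cert.pem   # certificates are public; keys stay 0600
    # 3. Both leaf certificates must chain to the CA before mysqld uses them.
    openssl verify -CAfile "$dir/ca-cert.pem" \
        "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null
}

# print_mysql_ssl_cnf DIR: the lines to add to my.cnf (nothing is modified).
print_mysql_ssl_cnf() {
    dir="$1"
    printf '[client]\nssl\nssl-ca=%s/ca-cert.pem\nssl-cert=%s/client-cert.pem\nssl-key=%s/client-key.pem\n\n' \
        "$dir" "$dir" "$dir"
    printf '[mysqld]\nssl\nssl-ca=%s/ca-cert.pem\nssl-cert=%s/server-cert.pem\nssl-key=%s/server-key.pem\n' \
        "$dir" "$dir" "$dir"
}

# Run directly: ./mysql-ssl-certs.sh /etc/ssl/mysql
if [ -n "${1:-}" ]; then
    gen_mysql_certs "$1" && print_mysql_ssl_cnf "$1"
fi
```

After restarting mysqld with the printed [mysqld] lines, SHOW VARIABLES LIKE 'have_openssl' should report YES instead of DISABLED.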
Comment on attachment 82212 [details]
create_cert.sh

If anything, we should use ssl-cert.eclass for this.
When SSL usage with MySQL becomes more common, I'll revisit this with the eclass, but not until then.