| Summary: | php + mysql_real_connect using SSL | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | petre rodan (RETIRED) <kaiowas> |
| Component: | [OLD] Development | Assignee: | PHP Bugs <php-bugs> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | wschlich |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | my.cnf reader | | |
Description

petre rodan (RETIRED) 2004-03-31 03:10:19 UTC

Created attachment 28436: my.cnf reader
coredumb: what's your take on this? I haven't played with SSL connections to MySQL before. I haven't found any help on this subject on the net :(

Well, basically one should follow the mysql docs in order to create the certificates on both the server and the client, issue a special grant on the server (with REQUIRE misc ssl options), and then modify the my.cnf files on both machines.

http://www.mysql.com/doc/en/Secure_basics.html
http://www.mysql.com/doc/en/Secure_requirements.html
http://www.mysql.com/doc/en/Secure_create_certs.html
http://www.mysql.com/doc/en/Secure_GRANT.html

The grant must contain 'subject' and 'issuer' fields exactly as shown by `openssl x509 -in client-cert.pem -subject` and `openssl x509 -in client-cert.pem -issuer`, and not like the example from the mysql docs. A good grant example is here:

    grant all privileges on database.* to 'gogu'@'peter.sunspire.org' identified by 'gigi'
      require subject '/C=RO/ST=NA/L=Bucharest/O=Tehnosistem SA/CN=generic client/emailAddress=petre.rodan@tehnosistem.ro'
      and issuer '/C=RO/ST=NA/L=Bucharest/O=Tehnosistem SA/OU=Certificate Authority/CN=Tehnosistem CA/emailAddress=ca@tehnosistem.ro';

The my.cnf file on the client (that has php and/or mod_php) should contain:

    [client]
    ssl-ca = /etc/ssl/mysql/cacert.pem
    ssl-cert = /etc/ssl/mysql/client-cert.pem
    ssl-key = /etc/ssl/mysql/client-key.pem

On the server:

    [mysqld]
    ssl-ca = /etc/ssl/mysql/cacert.pem
    ssl-cert = /etc/ssl/mysql/server-cert.pem
    ssl-key = /etc/ssl/mysql/server-key.pem

My patch will read the '[client]' configurations before making the actual connection to the server. SSL will be used automagically once the connection is made; authentication is successful.

Without the patch, ssl REQUIRE is detected, the server certificate is sent by the remote machine, but the php client doesn't have any information regarding the location of certificate files and authentication will always fail.

My php knowledge is almost 0, but I thought maybe my solution would be of some help to others.

bye,
peter

ssl support in mysql is buggy. It miraculously stopped working with no obvious reason 3 days after this bug was posted. I'd better close this with INVALID before anyone else loses his sanity over this issue =)
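The option-file step the reporter's patch performs, as an added example that is not the attachment or any PHP or MySQL code: a Python reader for the [client] group of a my.cnf that returns the ssl-ca/ssl-cert/ssl-key values the client must present and reports which of them are missing, which is the failure mode described above (server demands REQUIRE SUBJECT/ISSUER, client has no certificate paths). The sample my.cnf text is constructed here and reuses the paths from the report. In the MySQL C API underneath PHP's mysql extension the corresponding step is mysql_ssl_set() or mysql_options(MYSQL_READ_DEFAULT_GROUP, "client") before mysql_real_connect(); this example shows only the parsing and the completeness check, not the connection.

```python
"""Added example (not the reporter's attachment): read the [client] group of a
MySQL option file and extract the SSL settings a client needs before connecting.
"""
import re
from typing import Dict, List, Tuple

# The three options the bug report's [client] section carries. Without them the
# client library has no certificate to present, which is the failure described.
SSL_KEYS: Tuple[str, ...] = ("ssl-ca", "ssl-cert", "ssl-key")

# Constructed sample my.cnf; the paths are the ones from the bug report.
SAMPLE_CLIENT_CNF = """\
# constructed my.cnf for the example
[client]
ssl-ca   = /etc/ssl/mysql/cacert.pem
ssl-cert = "/etc/ssl/mysql/client-cert.pem"   # quoted value is allowed
ssl_key  = /etc/ssl/mysql/client-key.pem      # underscore spelling is accepted

[mysqld]
ssl-ca   = /etc/ssl/mysql/cacert.pem
ssl-cert = /etc/ssl/mysql/server-cert.pem
ssl-key  = /etc/ssl/mysql/server-key.pem
"""

# Constructed sample of the broken situation: server configured, client not.
SAMPLE_SERVER_ONLY_CNF = """\
[mysqld]
ssl-ca   = /etc/ssl/mysql/cacert.pem
ssl-cert = /etc/ssl/mysql/server-cert.pem
ssl-key  = /etc/ssl/mysql/server-key.pem
"""


def parse_option_file(text: str) -> Dict[str, Dict[str, str]]:
    """Parse MySQL option-file text into {group: {option: value}}.

    Handles [group] headers, '#'/';' comment lines and trailing '#' comments,
    'key = value' and bare 'key' lines, quoted values, and option names that
    use '_' instead of '-' (normalised to '-'). A later duplicate overrides an
    earlier one. '!include'/'!includedir' directives are skipped because this
    reader works on a single in-memory string.
    """
    groups: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("!"):
            continue
        if line.startswith("["):
            header = re.fullmatch(r"\[(.+)\]", line.split("#", 1)[0].rstrip())
            if header:
                current = header.group(1).strip()
                groups.setdefault(current, {})
                continue
        if current is None:
            continue  # options before the first [group] are not valid my.cnf
        key, sep, rest = line.partition("=")
        key = key.split("#", 1)[0].strip().replace("_", "-")
        value = rest.strip() if sep else ""
        if value[:1] in ('"', "'"):
            # quoted value: keep everything up to the closing quote
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # unquoted value: a '#' starts a trailing comment
            value = value.split("#", 1)[0].rstrip()
        groups[current][key] = value
    return groups


def ssl_options(groups: Dict[str, Dict[str, str]],
                read_groups: Tuple[str, ...] = ("client",)) -> Dict[str, str]:
    """Merge the groups a client reads (libmysqlclient reads [client] and then
    the program's own group, later groups winning) and keep the SSL options."""
    merged: Dict[str, str] = {}
    for group in read_groups:
        merged.update(groups.get(group, {}))
    return {k: merged[k] for k in SSL_KEYS if k in merged}


def missing_ssl_options(opts: Dict[str, str]) -> List[str]:
    """SSL options absent from what the client would read; a non-empty list
    means a REQUIRE SUBJECT ... AND ISSUER ... grant will reject the login."""
    return [k for k in SSL_KEYS if k not in opts]


if __name__ == "__main__":
    for name, cnf in (("client+server", SAMPLE_CLIENT_CNF),
                      ("server only", SAMPLE_SERVER_ONLY_CNF)):
        opts = ssl_options(parse_option_file(cnf))
        print(name, opts, "missing:", missing_ssl_options(opts))
```

Run as a script it prints the three client paths for the first sample and reports all three SSL options missing for the server-only sample, which is exactly the state the report describes for an unpatched php client: the server sends its certificate, but the client has nothing to present back.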