httpd-dev mailing list archives

From "Naveen Rawat" <naveen.ra...@otssolutions.com>
Subject RE: SSL-enabled interaction with MySQL
Date Fri, 27 Apr 2007 14:30:53 GMT

Hi Sander,


Thanks for the response. I took a bit long to respond to this, regrets.


>> I tried this (mysql_ssl_set) API but it is really not working from
>> within a module. It is otherwise working perfect for a standalone
>> client application. This could be a sort of some core issue. I am
>> ready for an out of box solution to it, if it exists.
>
> OK, here we go.  When you say "is really not working", in what way  
> does this non-working state manifest itself?  Are you getting:
>
> * Prototype errors (need to pull in appropriate .h?)
> * Missing symbols on link (perhaps you need to link against libssl  
> and libcrypt explicitly?)
> * Missing symbols when loading module (link against correct  
> libraries, LD_LIBRARY_PATH? LoadFile? Run ldd on your compiled  
> module, does it find/need/want the SSL libs?)
> * API call fails when running server (how?

None of these, fortunately.

> Does your client library know SSL? Really?)

YES. My database (MySQL) is compiled from source and my end libmysqlclient
supports SSL and that too very well. This has already been tested from a very
basic standalone database client + a packet sniffer tool (ethereal).

> The most important part is HOW does your effort fail? 

Let me tell first what I intend to do. 

I am trying to find an implementation for supporting the universal basic
client authentication functionality for anyone who intends to access my
Apache httpd server. 
	I am using a third party authentication module 'mod_auth_mysql'
which will do this task for me. Unlike my requirement this particular module
does not provide for SSL encryption when it validates the data (username /
password) against my database. This module is having MySQL C APIs usage for
talking to the database.
	I have generated the musts for SSL - keys/certificates for the
database clients, MySQL server and a dummy CA. Grants are well set for the
MySQL connecting users compelling them to provide their keys/certificates at
the time they connect to the database. These same set of keys/certs. have
been found to be valid as they are working for a basic database client
application.
 
> WHAT are the error messages you get WHEN?

The http request sent to my (SSL-enabled) apache through a browser yields
this:

	/*
	Internal Server Error
	
	The server encountered an internal error or misconfiguration and was
unable to complete your request.
	*/

And my error_log gives :

[Fri Apr 27 19:41:58 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password:
YES) :: connect to DB
[Fri Apr 27 19:41:58 2007] [error] [client 192.168.1.17] host
(localhost.localdomain) not found in db
[Fri Apr 27 19:41:58 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /


For https request the error_log looks like:

[Fri Apr 27 19:42:22 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password:
YES) :: connect to DB
[Fri Apr 27 19:42:22 2007] [error] [client 192.168.1.17] host (digi.ots) not
found in db
[Fri Apr 27 19:42:22 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /




[digi.ots being the server name for my https service.]

Having said, I must also say that the same connection-configuration
regarding the data accessed; the user a/c that made it accessed and the
keys/certificates, were used with one standalone client, where it worked
just wonderful.

> As Günter says, you may look at how PHP does it.  That's an
> out-of-the-box solution, but it's a pretty big box.

I followed it and they seemed to me using more or less no different set of
APIs that MySQL provides for SSL.  



Thanks in advance,


Best Regards,
Naveen Rawat
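
The error_log excerpts in the message above record three entries per request, all following from one refused MySQL connection. The following triage script is an added example, not part of the original post or of mod_auth_mysql: it rejoins the wrapped entries and extracts the database account that was refused. The function names `unwrap` and `triage`, and the grouping of entries by timestamp plus HTTP client, are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: the error_log entries quoted in the message, still line-wrapped.
SAMPLE_LOG = """\
[Fri Apr 27 19:41:58 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password:
YES) :: connect to DB
[Fri Apr 27 19:41:58 2007] [error] [client 192.168.1.17] host
(localhost.localdomain) not found in db
[Fri Apr 27 19:41:58 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /
[Fri Apr 27 19:42:22 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password:
YES) :: connect to DB
[Fri Apr 27 19:42:22 2007] [error] [client 192.168.1.17] host (digi.ots) not
found in db
[Fri Apr 27 19:42:22 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /
"""

ENTRY = re.compile(r"^\[([^\]]+)\] \[(\w+)\] \[client ([^\]]+)\] (.*)$")
DENIED = re.compile(r"Access denied for user '([^']*)'@'([^']*)' \(using password: (YES|NO)\)")

def unwrap(text):
    """Rejoin wrapped entries: a line not starting with '[' continues the previous one."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Group entries per (timestamp, HTTP client); report refused DB connections."""
    groups = defaultdict(list)
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if m:
            groups[(m.group(1), m.group(3))].append(m.group(4))
    findings = []
    for (when, client), msgs in groups.items():
        for msg in msgs:
            d = DENIED.search(msg)
            if d and "connect to DB" in msg:  # the module's own DB login was refused
                findings.append({"time": when, "http_client": client,
                                 "db_user": d.group(1), "db_host": d.group(2),
                                 "password_sent": d.group(3) == "YES",
                                 "follow_on": len(msgs) - 1})
    return findings
```

Each finding names the MySQL account the module connected as (`db_user`@`db_host`), which is the account whose grants apply to the refused connection, and `follow_on` counts the later entries in the same group that stem from it.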



