httpd-dev mailing list archives

From Guenter Knauf <fua...@apache.org>
Subject RE: SSL-enabled interaction with MySQL
Date Tue, 01 May 2007 09:51:57 GMT
Hi,
> Huge regards for your efforts. I am taking a wee bit more time as I am also
> looking out for other options like using some SSL-supportive
> intermediaries;
hehe, you wanted a solution for the future, and I already contacted the author;
he will add this extension to the module once we have verified that it works fine...
but he is in the same situation as I, and doesn't have an SSL-enabled mysql server yet, so I will
now see that I get mysql compiled on a test box so that I can self test.

> I used the updated source and now the error has become SSL connection
> specific.
well, that sounds good....., one step closer...

> I am still using the same box for the mysql server and my accessing code.
> Moreover I am using my box's IP in conf->db_host.
> 		conf->db_host = "192.168.x.x";
> Will not this allow a TCPIP connection?
yes, from the code I guess so - at least the SSL part seems invoked for you - otherwise MySQL
couldn't return the SSL error.

> What would you suggest, should I really have to access mysql from some
> other host?
as long as you use the host's IP I think you force it to use TCPIP.

> The updates contain 5 new directives for SSL and ciphers. How can these new
> directives be set in httpd.conf like other AuthMySql* directives?
yes, see INSTALL. The three cert directives are mandatory if you want to use SSL, cipher is
optional and can be left unset (at least I think so from what I've read in the client docs).
As it currently is you can set every directive anywhere - however I believe that in reality
this can't work from the code, at least not when keepalive is on because then the mysql_handle
is re-used; but what if the connection data is set per directory from .htaccess..? I think
the connection data should be set at common server-level only....; however at the moment this
doesn't affect whether it works or not as long as you use only one setting for one directory to
secure.

>> and then I found a bug report related to this option:
>> http://bugs.mysql.com/bug.php?id=24121


> I suppose this fixing at my end would need me to recompile my mysql. AM I
> RIGHT HERE?
yes, but I think this is not so important; it should work also without the mysql_options()
call; only the latest mysql 5.0.x and 5.1.x have the MYSQL_OPT_SSL_VERIFY_SERVER_CERT option in
the headers - but all mysql versions from 4.0.x and up have mysql_ssl_set(), so it should
really be possible to establish an SSL connection without that; probably even that setting
now is the problem?? Take a look at the code - there I've blocked this part already so that
it gets only compiled with the latest mysql headers; just surround it with '#if 0 / #endif' to
block it completely, re-compile and test again...

Guenter.


