Posted to dev@httpd.apache.org by Naveen Rawat <na...@otssolutions.com> on 2007/04/25 14:46:16 UTC

SSL-enabled interaction with MySQL

Hi there,

 

[I did not get any response :-( on this issue on user's forum so putting it
here. Please help me on this.]

 

1. Primarily I wanted to know, if it is possible for an apache
(--enable-mods-shared=all --enable-ssl=shared --enable-so) module to
interact with a SSL-enabled MySQL (--with-openssl=<DIR>)?

 

2. If yes, then considering that I have got required keys/certificates for
both the client, server and the CA, what are the apache-end APIs that would
be needed to make this SSL session possible? 

 

 

Thanks in advance.

 

Warm Regards,

Naveen Rawat

 

 


[PROPOSAL] add a sslport option

Posted by Guenter Knauf <fu...@apache.org>.
Hi all,
I would like to have the SSL port also be settable as with the standard port;
Win32 has already a hack in, but I would also like to add such for Linux and NetWare....
here's my patch:
http://people.apache.org/~fuankg/diffs/sslport.diff
I believe it should work on Linux too, but would like that some Linux guru checks that;
have tested successfully on NetWare; and change for Win32 is minimal, and should work too.

Is there some agreement that I commit this?

greets, Guenter.



Re: where do the APR(-UTIL) backports go?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guenter Knauf wrote:
> Hi all,
>> First, don't ask here, these folks wouldn't have your answer (har har)
> 
>> Really - discuss apr at dev@apr.
> 
>> Secondly, we rarely bother, it's CTR.  Usually a ping to the list just
>> to be polite about a more complex change.  And no breaking ABI in 0.9,
>> no adding features to 1.2.x (1.3.0 picks up next-additions).
> 
> ok. I've some NetWare patches which I would like to bring into APR 1.2.x which are already for months in 1.3.x; these are almost makefile changes only - the only C file touched is .\apr-util\dbd\apr_dbd.c with a small ifdef'd change for NetWare, and \apr-util\include\apu.hnw with a define.

Build fixes would be terrific.  Since 1.2 just was released, we -already-
have an issue with Mac OS/X size detection.  So sometime in the next mo
or so another (perhaps final?) apr 1.2.x bump would be goodness.

Hopefully we shift gears from touchup to having 1.3.0 (trunk) ready to
ship; but summer is slow to get enough eyeballs on the code :)

> If nobody objects I will soon start and commit these changes....

Please do!

Re: where do the APR(-UTIL) backports go?

Posted by Guenter Knauf <fu...@apache.org>.
Hi all,
> First, don't ask here, these folks wouldn't have your answer (har har)

> Really - discuss apr at dev@apr.

> Secondly, we rarely bother, it's CTR.  Usually a ping to the list just
> to be polite about a more complex change.  And no breaking ABI in 0.9,
> no adding features to 1.2.x (1.3.0 picks up next-additions).

ok. I've some NetWare patches which I would like to bring into APR 1.2.x which are already for months in 1.3.x; these are almost makefile changes only - the only C file touched is .\apr-util\dbd\apr_dbd.c with a small ifdef'd change for NetWare, and \apr-util\include\apu.hnw with a define.

If nobody objects I will soon start and commit these changes....

Guenter.



Re: where do the APR(-UTIL) backports go?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guenter Knauf wrote:
> Hi,
> just looked at the APR(-UTIL) 1.2.x STATUS file, but don't see there any backport proposals....
> I've also a few build system related (NetWare) backport proposals, where should I put them in?

First, don't ask here, these folks wouldn't have your answer (har har)

Really - discuss apr at dev@apr.

Secondly, we rarely bother, it's CTR.  Usually a ping to the list just
to be polite about a more complex change.  And no breaking ABI in 0.9,
no adding features to 1.2.x (1.3.0 picks up next-additions).

Bill

where do the APR(-UTIL) backports go?

Posted by Guenter Knauf <fu...@apache.org>.
Hi,
just looked at the APR(-UTIL) 1.2.x STATUS file, but don't see there any backport proposals....
I've also a few build system related (NetWare) backport proposals, where should I put them in?

greets, Guenter.



Re: STATUS viewer script

Posted by Ruediger Pluem <rp...@apache.org>.

On 06/28/2007 11:22 PM, Guenter Knauf wrote:
> Hi all,
> in order to review all the backport proposals a little bit easier I've just hacked a PHP script which creates links so that one can directly check the mentioned revisions and PRs.
> The script doesn't yet catch them all, but most...
> 
> http://www.gknw.net/apstatus/
> 
> http://www.gknw.net/apstatus/?version=20
> 

This is pretty cool.

Regards

Rüdiger


STATUS viewer script

Posted by Guenter Knauf <fu...@apache.org>.
Hi all,
in order to review all the backport proposals a little bit easier I've just hacked a PHP script which creates links so that one can directly check the mentioned revisions and PRs.
The script doesn't yet catch them all, but most...

http://www.gknw.net/apstatus/

http://www.gknw.net/apstatus/?version=20

greets, Guenter.



Re: Question about httpd / APR version relationship

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Guenter Knauf wrote:
> Hi,
>> On 5/9/07, Guenter Knauf <fu...@apache.org> wrote:
>>> Apache 2.0.x -> has to use APR 0.9.x
>>> Apache 2.2.x -> has to use APR 1.2.x
>>> Apache 2.3.x -> has to use APR 1.3.x
>>>
>>> is this now a mandatory relationship, or is it valid to:
>>>
>>> build Apache 2.2.x with APR 1.3.x
> 
>> This would likely work, but I wouldn't recommend it for official
>> builds.  You wouldn't want module authors to start depending on new
>> functionality in APR 1.3.x when most versions of Apache 2.2.x don't
>> have that.

Well, feel free to yourself.  I don't get around to testing APR 1.2 until
late in the ready-to-tag-and-roll phase of things, I like my APR 1.3 :)

That said, don't use APR 1.3 features.  And the binaries then REQUIRE APR
1.3 to be installed because we do sinister things such as glob all apr
exported symbols (yuck).  So don't package with 1.3

>>> build Apache 2.3.x with APR 1.2.x
> 
>> That /might/ work, unless Apache is depending on new functionality in
>> APR 1.3.x, which it very well might be.  One of those "YMMV, if it
>> breaks you get to keep both pieces" kind of situations.
> 
> ok, that's exactly what I thought too - thanks for confirming....

Take this a step further, anyone's free to start picking up APR 1.3 features
on trunk, it's an open ended development cycle.  Don't be surprised if apr
1.3 does become required.

> So how about the future? Will this relationship continue?
> Means will we ship Apache 2.4.x with APR 1.4.x? and will APRUTIL also keep in sync with APR version?
> If so that would make a check easier since then I only would have to check if the minor release numbers of httpd, apr, and apr-util are all equal, and bail out if one of apr / apr-util is less than the httpd one, and warn if one of apr / apr-util is higher...(or even bail out there too).

Not likely, APR 1.3 will probably be all the features we can add before the
list surrenders and dumps all the deprecated interfaces.  So the "Next httpd"
is likely to demand either apr 1.3, or apr 2.0.

If you stay on apr trunk you are fine for now.

Re: Question about httpd / APR version relationship

Posted by Ian Holsman <li...@holsman.net>.
Guenter Knauf wrote:
> Hi,
>   
>> On 5/9/07, Guenter Knauf <fu...@apache.org> wrote:
>>     
>>> Apache 2.0.x -> has to use APR 0.9.x
>>> Apache 2.2.x -> has to use APR 1.2.x
>>> Apache 2.3.x -> has to use APR 1.3.x
>>>
>>> is this now a mandatory relationship, or is it valid to:
>>>
>>> build Apache 2.2.x with APR 1.3.x
>>>       
>
>   
>> This would likely work, but I wouldn't recommend it for official
>> builds.  You wouldn't want module authors to start depending on new
>> functionality in APR 1.3.x when most versions of Apache 2.2.x don't
>> have that.
>>     
>
>   
>>> build Apache 2.3.x with APR 1.2.x
>>>       
>
>   
>> That /might/ work, unless Apache is depending on new functionality in
>> APR 1.3.x, which it very well might be.  One of those "YMMV, if it
>> breaks you get to keep both pieces" kind of situations.
>>     
>
> ok, that's exactly what I thought too - thanks for confirming....
>
> So how about the future? Will this relationship continue?
>   
there is no guarantee of this. APR might slow down its development and 
2.4 might ship with APR 1.3. It really depends on what new versions of 
httpd require from the portability layer.

regards
Ian
> thanks, Guenter.
>
>
>
>
>   


Re: Question about httpd / APR version relationship

Posted by Guenter Knauf <fu...@apache.org>.
Hi,
> On 5/9/07, Guenter Knauf <fu...@apache.org> wrote:
>> Apache 2.0.x -> has to use APR 0.9.x
>> Apache 2.2.x -> has to use APR 1.2.x
>> Apache 2.3.x -> has to use APR 1.3.x
>>
>> is this now a mandatory relationship, or is it valid to:
>>
>> build Apache 2.2.x with APR 1.3.x

> This would likely work, but I wouldn't recommend it for official
> builds.  You wouldn't want module authors to start depending on new
> functionality in APR 1.3.x when most versions of Apache 2.2.x don't
> have that.

>> build Apache 2.3.x with APR 1.2.x

> That /might/ work, unless Apache is depending on new functionality in
> APR 1.3.x, which it very well might be.  One of those "YMMV, if it
> breaks you get to keep both pieces" kind of situations.

ok, that's exactly what I thought too - thanks for confirming....

So how about the future? Will this relationship continue?
Means will we ship Apache 2.4.x with APR 1.4.x? and will APRUTIL also keep in sync with APR version?
If so that would make a check easier since then I only would have to check if the minor release numbers of httpd, apr, and apr-util are all equal, and bail out if one of apr / apr-util is less than the httpd one, and warn if one of apr / apr-util is higher...(or even bail out there too).

BTW. how (after which logic) does the configure process check for this? (sorry, had no time yet to check this on a Linux box...)

thanks, Guenter.




Re: Question about httpd / APR version relationship

Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 5/9/07, Guenter Knauf <fu...@apache.org> wrote:
> Hi all,
> currently from what I see we use:
>
> Apache 2.0.x -> has to use APR 0.9.x
> Apache 2.2.x -> has to use APR 1.2.x
> Apache 2.3.x -> has to use APR 1.3.x
>
> is this now a mandatory relationship, or is it valid to:
>
> build Apache 2.2.x with APR 1.3.x

This would likely work, but I wouldn't recommend it for official
builds.  You wouldn't want module authors to start depending on new
functionality in APR 1.3.x when most versions of Apache 2.2.x don't
have that.

> build Apache 2.3.x with APR 1.2.x

That /might/ work, unless Apache is depending on new functionality in
APR 1.3.x, which it very well might be.  One of those "YMMV, if it
breaks you get to keep both pieces" kind of situations.

-garrett

Question about httpd / APR version relationship

Posted by Guenter Knauf <fu...@apache.org>.
Hi all,
currently from what I see we use:

Apache 2.0.x -> has to use APR 0.9.x
Apache 2.2.x -> has to use APR 1.2.x
Apache 2.3.x -> has to use APR 1.3.x

is this now a mandatory relationship, or is it valid to:

build Apache 2.2.x with APR 1.3.x
build Apache 2.3.x with APR 1.2.x

I assume on Linux the configure magic checks for that, but on NetWare and Win32 one could mix up....
I ask because I think of a makefile hack to avoid non-valid builds....

greets, Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi Naveen,
> Followed your last mail. Still getting the same 'SSL connection error' in
> the logs.
Ueli, the module author, did also test, and told me that he couldn't get it working with MYSQL_OPT_SSL_VERIFY_SERVER_CERT set; so he added another directive for that, and by default this part is now not used anymore but optional...
however without that option set he was able to establish a SSL connection....

did you also test with self created certs? Tried the shell script?

updated source at my place:
http://svwe10.itex.at/downloads/mod_auth_mysql/

greets, Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.


Hi,


Followed your last mail. Still getting the same 'SSL connection error' in
the logs. 

------------------
[Tue May 01 16:16:48 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: SSL connection error :: connect to DB
[Tue May 01 16:16:48 2007] [error] [client 192.168.1.17] host
(localhost.localdomain) not found in db
[Tue May 01 16:16:48 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /
------------------


Thanks and regards,

Naveen




RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi,
> Huge regards for your efforts. I am wee bit taking more time as I am also
> looking out for other options like using some SSL-supportive
> intermediaries;
hehe, you wanted a solution for the future, and I contacted already the author;
he will add this extension to the module once we have verified that it works fine...
but he is in the same situation as I, and doesn't have an SSL-enabled mysql server yet, so will now see that I get mysql compiled on a test box so that I can self test.

> I used the updated source and now the error has become SSL connection
> specific.
well, that sounds good....., one step closer...

> I am still using the same box to for mysql server and my accessing code.
> Moreover I am using my box's IP in conf->db_host.
> 		conf->db_host = "192.168.x.x";
> Will not this allow a TCPIP connection?
yes, from the code I guess so - at least the SSL part seems invoked for you - otherwise MySQL couldn't return the SSL error.

> What would you suggest, should I really have to access mysql from some
> other host?
as long as you use the host's IP I think you force to use TCPIP.

> The updates contain 5 new directives for SSL and ciphers. How these new
> directives can be set in httpd.conf like other AuthMySql* directives ?
yes, see INSTALL. The three cert directives are mandatory if you want to use SSL, cipher is optional and can be left unset (at least I think so from what I've read in the client docs).
As it currently is you can set every directive anywhere - however I believe that in reality this can't work from the code, at least not when keepalive is on because then the mysql_handle is re-used; but what if the connection data is set per directory from .htaccess..? I think the connection data should be set at common server-level only....; however at the moment this doesn't affect if it works or not as long as you use only one setting for one directory to secure.

>> and then I found a bug report related to this option:
>> http://bugs.mysql.com/bug.php?id=24121


> I suppose this fixing at my end would need me to recompile my mysql. AM I
> RIGHT HERE?
yes, but I think this is not so important; it should work also without the mysql_options() call; only latest mysql 5.0.x and 5.1.x have the MYSQL_OPT_SSL_VERIFY_SERVER_CERT option in the headers - but all mysql versions from 4.0.x and up have mysql_ssl_set(), so it should really be possible to establish a SSL connection without that; probably even that setting now is the problem?? Take a look at the code - there I've blocked this part already so that it gets only compiled with latest mysql headers; just surround it with '#if 0 / #endif' to block it completely, re-compile and test again...

Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.
Hi,



Huge regards for your efforts. I am wee bit taking more time as I am also
looking out for other options like using some SSL-supportive intermediaries;


> http://svwe10.itex.at/downloads/mod_auth_mysql/

I used the updated source and now the error has become SSL connection
specific.

--------------
[Tue May 01 11:15:58 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: SSL connection error :: connect to DB
[Tue May 01 11:15:58 2007] [error] [client 192.168.1.17] host
(localhost.localdomain) not found in db
[Tue May 01 11:15:58 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /
--------------

> I'm just also hacking in the module, and I see this few lines above the
> mysql connect:
>
>    if (!conf->db_host || strcmp(conf->db_host,"localhost") == 0 || 
>      strcmp(conf->db_host,"127.0.0.1") == 0) {
>        db_host = NULL;
>        db_port = 0;
>    } else {
>        db_host = conf->db_host;
>        db_port = conf->db_port;
>    }
>
>
> I think its now mandatory that you access the mysql server from another
> host than localhost to make sure you really establish a TCPIP
> connection...

I am still using the same box to for mysql server and my accessing code.
Moreover I am using my box's IP in conf->db_host.
		conf->db_host = "192.168.x.x";
Will not this allow a TCPIP connection? What about skipping this part of the
code at least for now?

What would you suggest, should I really have to access mysql from some other
host?


The updates contain 5 new directives for SSL and ciphers. How these new
directives can be set in httpd.conf like other AuthMySql* directives ?


> and then I found a bug report related to this option:
> http://bugs.mysql.com/bug.php?id=24121


I suppose this fixing at my end would need me to recompile my mysql. AM I
RIGHT HERE?



Thanks again,

Naveen 






RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi,
again a new complete archive:
http://svwe10.itex.at/downloads/mod_auth_mysql/
mod_auth_mysql.c source for viewing:
http://svwe10.itex.at/downloads/mod_auth_mysql/mod_auth_mysql.c
changes summary:
http://svwe10.itex.at/downloads/mod_auth_mysql/changes.new
shell script from mysql site to create the certs:
http://svwe10.itex.at/downloads/mod_auth_mysql/creacerts.sh

to compile with MySQL SSL support you need to define MYSQL_USE_SSL:
apxs -cia -lmysqlclient -DMYSQL_USE_SSL mod_auth_mysql.c

this version does _not_ try to use SSL if host = localhost | 127.0.0.1 | NULL !

BTW. I've entered a feature request for SSL-enabled MySQL binary dists:
http://bugs.mysql.com/bug.php?id=28146
votes/comments welcome!

Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi Naveen,
new archive:
http://svwe10.itex.at/downloads/mod_auth_mysql/
replaced exists() with accessible() (also borrowed from htpasswd.c);
so should now also check for read permissions...

Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi Naveen,
here's what I have hacked so far:
http://svwe10.itex.at/downloads/mod_auth_mysql/
to keep the code more readable I've inserted a new function exists() (borrowed from htpasswd.c) which does for now _only_ check if the certs exists; but should be easily extendable for permission check as you did already. Also I have made all settings configurable for easier testing.
At least I get an error in the error_log when a path is entered wrong - unfortunately I've not had the time to compile a SSL-aware mysql server, so not able to test further at the moment...
just wanted to share the code here; 
oh, and I believe also the mysql_init() call is wrong since it takes the mysql_handle and not the mysql_conn which is used for mysql_real_connect()...; fixed that too.

I will also propose it to the author once it works since I know him (see change log where I appear already); then we have a ready solution without patching around...

Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi Naveen,
another shot:
I'm just also hacking in the module, and I see this few lines above the mysql connect:

    if (!conf->db_host || strcmp(conf->db_host,"localhost") == 0 || 
      strcmp(conf->db_host,"127.0.0.1") == 0) {
        db_host = NULL;
        db_port = 0;
    } else {
...

I'm not sure, but I guess that the client lib uses a unix socket when passed in NULL for host, and that might not work with SSL at all since it's not needed then...
I think it's now mandatory that you access the mysql server from another host than localhost to make sure you really establish a TCPIP connection...

then I saw in your previous post that you have set:
static my_bool opt_ssl_verify_server_cert= 0;
why not set it to 1?

and then I found a bug report related to this option:
http://bugs.mysql.com/bug.php?id=24121

Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.
Hi Guenter,


>> A standalone client is working perfect to provide the SSL layer with the
>> database, and it is using the same client lib (libmysqlclient). I used
>> common ethereal tool to ensure that everything it does is encrypted. I
>> used the same mysql_ssl_set() prior to establishing the connection. I
>> simply did the following :
>>
>> mysql_handle=mysql_init(NULL);
>> static my_bool opt_ssl_verify_server_cert= 0;
>>
>> mysql_ssl_set(mysql_handle, 0, 0, "/root/DIGI_DEPS/newcerts/ca-cert.pem",
>> 0,
>> 0);
>> mysql_options(&mysql_conn,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,(char*)
>> &opt_ssl_verify_server_cert);
>>
>> mysql_handle=mysql_real_connect(&mysql_conn,db_host,
>>   conf->db_username,conf->db_password,conf->db_name,db_port,NULL,0);
>> .

> Since everything you posted sounds perfect, here a shot in the dark: 
> I see you have a path to the /root directory for the certs. Apache changes
> indentity when starting, and it might be a simple access problem perhaps?
> I would do two things:
> - move the certs below a place you make worldwide readable for testing
> - insert apr_stat() calls before you try to use the certs, and bail out
> and write info to the error log if the certs cant be accessed for whatever
> reason.


You guessed right, the certs were not really read properly from the path I
had specified. So I put them for testing, straight at root '/'. Now the
certs are accessed well which is also verified by the apr_stat() call which
does not bring any error.

But the eventual outcome is no better. Still the apache log gives the same
error.

------------------
[Mon Apr 30 18:57:16 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password:
YES) :: connect to DB
[Mon Apr 30 18:57:16 2007] [error] [client 192.168.1.17] host
(localhost.localdomain) not found in db
[Mon Apr 30 18:57:16 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /
-------------------

When I go for non-SSL mode (by granting the used 'mysql' user account no
SSL-specific grant), the very same code gives no error and runs fine. No
logs as generated above are seen there.

The code fragment for what is done-
--------------------
.
.
.
apr_status_t rv;
apr_file_t *fp;
char msgbuf[80];
const char *fname = "/ca-cert.pem";
apr_finfo_t finfo;

/* httpd has already called apr_initialize(); use the request pool
   instead of creating a new one that is never destroyed */
if ((rv = apr_file_open(&fp, fname, APR_READ, APR_OS_DEFAULT, r->pool)) != APR_SUCCESS) {
    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
      "MOD_AUTH_MYSQL: FILE OPEN ERROR:: %s :: %s\n",
      mysql_error(&mysql_conn), apr_strerror(rv, msgbuf, sizeof(msgbuf)));
    return -1;
}
apr_file_close(fp);

/* bail out on any stat failure, not only on APR_INCOMPLETE */
if ((rv = apr_stat(&finfo, fname, APR_FINFO_NORM, r->pool)) != APR_SUCCESS) {
    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
      "MOD_AUTH_MYSQL: FILE READ ERROR: %s :: %s\n",
      mysql_error(&mysql_conn), apr_strerror(rv, msgbuf, sizeof(msgbuf)));
    return -1;
}

mysql_handle = mysql_init(NULL);

mysql_ssl_set(mysql_handle, 0, 0, finfo.fname, 0, 0);

mysql_handle = mysql_real_connect(&mysql_conn, db_host,
  conf->db_username, conf->db_password, conf->db_name, db_port, NULL, 0);
.
.
.
--------------------





Thanks in advance.

Best Regards,
Naveen Rawat




RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi Naveen,
> A standalone client is working perfect to provide the SSL layer with the
> database, and it is using the same client lib (libmysqlclient). I used
> common ethereal tool to ensure that everything it does is encrypted. I
> used
> the same mysql_ssl_set() prior to establishing the connection. I simply
> did
> the following :


> mysql_handle=mysql_init(NULL);
> static my_bool opt_ssl_verify_server_cert= 0;

> mysql_ssl_set(mysql_handle, 0, 0, "/root/DIGI_DEPS/newcerts/ca-cert.pem",
> 0,
> 0);
> mysql_options(&mysql_conn,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,(char*)&opt_ssl_verify_server_cert);

> mysql_handle=mysql_real_connect(&mysql_conn,db_host,
>   conf->db_username,conf->db_password,conf->db_name,db_port,NULL,0);
> .
Since everything you posted sounds perfect, here a shot in the dark: 
I see you have a path to the /root directory for the certs. Apache changes identity when starting, and it might be a simple access problem perhaps? I would do two things:
- move the certs below a place you make worldwide readable for testing
- insert apr_stat() calls before you try to use the certs, and bail out and write info to the error log if the certs can't be accessed for whatever reason.

good luck! Guenter.
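The two pre-connect checks this thread keeps returning to, the localhost/127.0.0.1/NULL decision from the module's connect path (a socket connection, on which SSL is never attempted) and a readability check of the cert files done under the identity httpd actually runs as, as a stand-alone C example added here; it is not mod_auth_mysql's code, and the struct field names, the host db.example.test and the temp-file helper are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Connection settings as the AuthMySQL* directives would fill them in
 * (field names are assumptions for this example, not the module's). */
typedef struct {
    const char *db_host;
    unsigned int db_port;
    const char *ssl_ca;     /* CA certificate, PEM (mandatory for SSL) */
    const char *ssl_cert;   /* client certificate, PEM; may be NULL */
    const char *ssl_key;    /* client private key, PEM; may be NULL */
} db_conf_t;

/* What would be handed to mysql_real_connect(): host == NULL makes the
 * client library use the unix socket, so SSL cannot be in play there. */
typedef struct {
    const char *host;
    unsigned int port;
    int use_ssl;            /* 1 only when a real TCP host is configured */
} db_target_t;

static int is_local_host(const char *h)
{
    return h == NULL || strcmp(h, "localhost") == 0 ||
           strcmp(h, "127.0.0.1") == 0;
}

/* Same decision the module makes above its connect call; local targets
 * get the socket and, as in the posted archive, no SSL attempt at all. */
void resolve_db_target(const db_conf_t *c, int want_ssl, db_target_t *t)
{
    if (is_local_host(c->db_host)) {
        t->host = NULL;
        t->port = 0;
        t->use_ssl = 0;
    } else {
        t->host = c->db_host;
        t->port = c->db_port;
        t->use_ssl = want_ssl;
    }
}

/* accessible()-style check run as the current uid (the httpd worker):
 * the path must exist, be a regular file and be readable.
 * Returns 1 when usable, otherwise 0 with the reason written to 'why'. */
int cert_file_readable(const char *path, char *why, size_t why_len)
{
    struct stat st;
    if (path == NULL) {
        snprintf(why, why_len, "%s", "no path configured");
        return 0;
    }
    if (stat(path, &st) != 0) {
        snprintf(why, why_len, "%s: %s", path, strerror(errno));
        return 0;
    }
    if (!S_ISREG(st.st_mode)) {
        snprintf(why, why_len, "%s: not a regular file", path);
        return 0;
    }
    if (access(path, R_OK) != 0) {
        snprintf(why, why_len, "%s: %s", path, strerror(errno));
        return 0;
    }
    why[0] = '\0';
    return 1;
}

/* CA is mandatory, client cert/key only checked when configured; this is
 * what would run before mysql_ssl_set() ever sees the paths. */
int ssl_files_ok(const db_conf_t *c, char *why, size_t why_len)
{
    if (!cert_file_readable(c->ssl_ca, why, why_len)) return 0;
    if (c->ssl_cert && !cert_file_readable(c->ssl_cert, why, why_len)) return 0;
    if (c->ssl_key && !cert_file_readable(c->ssl_key, why, why_len)) return 0;
    return 1;
}

/* Constructed helper: creates a readable dummy PEM file in /tmp and
 * writes its path into 'path' (needs >= 24 bytes); returns 1 on success. */
int make_dummy_pem(char *path, size_t path_len)
{
    int fd;
    if (path_len < 24) return 0;
    strcpy(path, "/tmp/dummy-ca-XXXXXX");
    fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, "-----BEGIN CERTIFICATE-----\n", 28) < 0) { close(fd); return 0; }
    close(fd);
    return 1;
}

int main(void)
{
    db_conf_t conf = { "db.example.test", 3306, NULL, NULL, NULL };
    db_target_t tgt;
    char ca[32], why[256];

    make_dummy_pem(ca, sizeof ca);          /* constructed sample input */
    conf.ssl_ca = ca;
    resolve_db_target(&conf, 1, &tgt);
    printf("host=%s port=%u ssl=%d files_ok=%d\n",
           tgt.host ? tgt.host : "(socket)", tgt.port, tgt.use_ssl,
           ssl_files_ok(&conf, why, sizeof why));
    unlink(ca);
    return 0;
}
```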



RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.

Hi there,


Thanks for the responses.


>>> Does your client library know SSL? Really?)
>>
>> YES. My database (MySQL) is compiled from source and my end
>> libmysqlclient
>> supports SSL and that too very well. This already been tested from a very
>> basic standalone database client + a packet sniffer tool (ethereal).
>
> what I'm currently after is a way to determine _if_ the client lib really
> is SSL-aware; I've not found yet an API call which tells me this piece -
> instead I see in the shipping mysql apps, f.e. in mysqlshow, that simply
> mysql_ssl_set() is called before mysql_real_connect(), and the later just
> bails out if the connection could not be established for whatever reason. I
> would however prefer to make a test if libmysqlclient is really SSL-aware,
> and bail out with a more informative error to the user when not.
> Did you find such perhaps?

A standalone client is working perfect to provide the SSL layer with the
database, and it is using the same client lib (libmysqlclient). I used
common ethereal tool to ensure that everything it does is encrypted. I used
the same mysql_ssl_set() prior to establishing the connection. I simply did
the following :


mysql_init(&mysql);
#ifdef HAVE_OPENSSL
      mysql_ssl_set(&mysql, "/root/DIGI_DEPS/newcerts/client-key.pem",
                    "/root/DIGI_DEPS/newcerts/client-cert.pem",
                    "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
#endif
   if (!(sock = mysql_real_connect(&mysql, "127.0.0.1", "mysql", "mysql",
                                   "digi_auth_support", 3306, NULL, 0)))

The lib is surely SSL-aware and my client supports this. Moreover I am
otherwise not getting any ssl-related linking error.


>> 	I am using a third party authentication module 'mod_auth_mysql'
>> which will do this task for me. Unlike my requirement this particular
>> module does not provide for SSL encryption when it validates the data
>> (username / password) against my database. This module is having MySQL C
>> APIs usage for talking to the database.
>> 	I have generated the musts for SSL - keys/certificates for the
>> database clients, MySQL server and a dummy CA. Grants are well set for
>> the MySQL connecting users compelling them to provide their keys/
>> certificates at the time they connect to the database. These same set of
>> keys/certs. Have been found to be valid as they are working for a basic
>> database client application. 
>
>
> this part is just not clear to me: what do you really test here? Did you
>modify the source of mod_auth_mysql and insert the call to mysql_ssl_set()?


The module provides for authenticating users at the browser end when they
fire HTTP/S request for my server. 

I want SSL-layer encoding for authenticating such users against their
account in the database. For this I need SSL certificates and keys for both
my module and the MySQL database. The module will connect to the database
using a database user account, which has to be given the grant for
performing a secured (SSL-rich) connection. Without the grant the database
will not be able to enforce that account-user (my module) to provide the
keys and certificates. My perfectly working non-module client is using these
same resources which shows that the issue doesn't lie either with my
certificates or keys.

YES, I have included the call in my module.

> if so I'd suggest that you make your modified code available somewhere to
> us so that those here interested in this can take a look (and sure I am
> since I will soon have a similar requirement); also for me personally the
> next prob is that I couldn't find yet a ready-to-use SSL-aware mysql binary
> distro; so seems for that I would have to compile self first....
> therefore it would help me a lot if you would be willing/able to provide a
> test account on your SSL-aware mysql server so that I could directly start
> with some testing with the module.

I am using an openly available mod_auth-mysql1.9.1. I am providing here the
relevant part and specifically the one that enables SSL.

.
.
.
mysql_handle=mysql_init(NULL);
static my_bool opt_ssl_verify_server_cert= 0;

mysql_ssl_set(mysql_handle, 0, 0, "/root/DIGI_DEPS/newcerts/ca-cert.pem", 0, 0);
mysql_options(&mysql_conn,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,(char*)&opt_ssl_verify_server_cert);

mysql_handle=mysql_real_connect(&mysql_conn,db_host,
  conf->db_username,conf->db_password,conf->db_name,db_port,NULL,0);
.
.
.

The source distro of mod_auth_mysql 1.9.1 also provides the data structures
needed. I regret not being able to provide you an access to it as it being
installed at my work place.
 
> If you did not modify the mod_auth_mysql module self then I guess you have
> some misunderstanding: you can only secure the connection between
> mod_auth_mysql (if it is modified to use mysql_ssl_set() + libmysqlclient
> is SSL-aware) and the mysql server; 

Done the same.

> secure the communication which happens between a client's browser and
> Apache is task of mod_ssl, and has nothing to do with mysql SSL and certs
> etc; instead there only the usual OpenSSL certs which you specify for
> mod_ssl count here - regardless which auth module you might use....

Exactly.


Regarding moving this discussion to other place, I feel for now it is fine
to continue here itself in this common user's forum for other user's
reference and involvement. In case any objection arises, we will seek other
appropriate.





Best Regards,

Naveen Rawat



RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi Naveen,
>> Does your client library know SSL? Really?)

> YES. My database (MySQL) is compiled from source and my end libmysqlclient
> supports SSL and that too very well. This already been tested from a very
> basic standalone database client + a packet sniffer tool (ethereal).
what I'm currently after is a way to determine _if_ the client lib really is SSL-aware;
I've not found yet an API call which tells me this piece - instead I see in the shipping mysql apps, f.e. in mysqlshow, that simply mysql_ssl_set() is called before mysql_real_connect(), and the latter just bails out if the connection could not be established for whatever reason. I would however prefer to make a test if libmysqlclient is really SSL-aware, and bail out with a more informative error to the user when not.
Did you find such perhaps?

> 	I am using a third party authentication module 'mod_auth_mysql'
> which will do this task for me. Unlike my requirement this particular
> module
> does not provide for SSL encryption when it validates the data (username /
> password) against my database. This module is having MySQL C APIs usage
> for
> talking to the databse.
> 	I have generated the musts for SSL - keys/certificates for the
> database clients, MySQL server and a dummy CA. Grants are well set for the
> MySQL connecting users compelling them to provide their keys/certificates
> at
> the time they connect to the database. These same set of keys/certs. have
> been found to be valid as they are working for a basic database client
> application.
this part is just not clear to me: what do you really test here? Did you modify the source of mod_auth_mysql and insert the call to mysql_ssl_set()? If so I'd suggest that you make your modified code available somewhere to us so that those here interested in this can take a look (and sure I am since I will soon have a similar requirement);
also for me personally the next prob is that I couldn't find yet a ready-to-use SSL-aware mysql binary distro; so it seems for that I would have to compile it myself first....
therefore it would help me a lot if you would be willing/able to provide a test account on your SSL-aware mysql server so that I could directly start with some testing with the module.

If you did not modify the mod_auth_mysql module yourself then I guess you have some misunderstanding: you can only secure the connection between mod_auth_mysql (if it is modified to use mysql_ssl_set() + libmysqlclient is SSL-aware) and the mysql server;
securing the communication which happens between a client's browser and Apache is the task of mod_ssl, and has nothing to do with mysql SSL and certs etc; instead only the usual OpenSSL certs which you specify for mod_ssl count here - regardless which auth module you might use....

greets, Guenter.



Re: SSL-enabled interaction with MySQL

Posted by Plüm, Rüdiger, VF-Group <ru...@vodafone.com>.
> -----Original Message-----
> From: Guenter Knauf
> Sent: Friday, 27 April 2007 18:36
> To: dev@httpd.apache.org
> Subject: RE: SSL-enabled interaction with MySQL
> 
> 
> Hi all,
> although some of us might find the thread here interesting, 
> some others might object that it doesn't belong to this list because:
> - it's mysql-related and has nothing to do with Apache itself
> - we speak here about a third-party module which is also not 
> part of Apache

Agreed.
How about moving this to modules-dev@httpd.apache.org?

Regards

Rüdiger


RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi all,
although some of us might find the thread here interesting, some others might object that it doesn't belong to this list because:
- it's mysql-related and has nothing to do with Apache itself
- we speak here about a third-party module which is also not part of Apache

even if we are going to implement SSL database connections in APR DBD it's again the wrong place, and should go to the apr list.

Just wanted to mention that I'm aware of these; and want to offer my own forum:
http://www.gknw.net/phpbb/viewforum.php?f=22
where those interested can continue this discussion (registration required) in case someone objects.

greets, Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.
Hi Sander,


Thanks for the response. I took a bit long to respond to this, regrets.


>> I tried this (mysql_ssl_set) API but it is really not working from  
>> within a
>> module. It is otherwise working perfect for a standalone client  
>> application.
>> This could be a sort of some core issue. I am ready for an out of box
>> solution to it, if it exists.
>
> OK, here we go.  When you say "is really not working", in what way  
> does this non-working state manifest itself?  Are you getting:
>
> * Prototype errors (need to pull in appropriate .h?)
> * Missing symbols on link (perhaps you need to link against libssl  
> and libcrypt explicitly?)
> * Missing symbols when loading module (link against correct  
> libraries, LD_LIBRARY_PATH? LoadFile? Run ldd on your compiled  
> module, does it find/need/want the SSL libs?)
> * API call fails when running server (how?

None of these, fortunately.

> Does your client library know SSL? Really?)

YES. My database (MySQL) is compiled from source and my end libmysqlclient
supports SSL and that too very well. This has already been tested from a very
basic standalone database client + a packet sniffer tool (ethereal).

> The most important part is HOW does your effort fail? 

Let me tell first what I intend to do. 

I am trying to find an implementation for supporting the universal basic
client authentication functionality for anyone who intends to access my
Apache httpd server. 
	I am using a third party authentication module 'mod_auth_mysql'
which will do this task for me. Unlike my requirement this particular module
does not provide for SSL encryption when it validates the data (username /
password) against my database. This module is having MySQL C APIs usage for
talking to the database.
	I have generated the musts for SSL - keys/certificates for the
database clients, MySQL server and a dummy CA. Grants are well set for the
MySQL connecting users compelling them to provide their keys/certificates at
the time they connect to the database. This same set of keys/certs has
been found to be valid as they are working for a basic database client
application.
 
> WHAT are the error messages you get WHEN?

The http request sent to my (SSL-enabled) apache through a browser yields
this:

	/*
	Internal Server Error
	
	The server encountered an internal error or misconfiguration and was
unable to complete your request.
	*/

And my error_log gives:

[Fri Apr 27 19:41:58 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password:
YES) :: connect to DB
[Fri Apr 27 19:41:58 2007] [error] [client 192.168.1.17] host
(localhost.localdomain) not found in db
[Fri Apr 27 19:41:58 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /


For https request the error_log looks like:

[Fri Apr 27 19:42:22 2007] [error] [client 192.168.1.17] MOD_AUTH_MYSQL:
MYSQL ERROR: Access denied for user 'mysql'@'localhost' (using password:
YES) :: connect to DB
[Fri Apr 27 19:42:22 2007] [error] [client 192.168.1.17] host (digi.ots) not
found in db
[Fri Apr 27 19:42:22 2007] [crit] [client 192.168.1.17] configuration error:
couldn't check user.  No user file?: /
[digi.ots being the server name for my https service.]

Having said that, I must also say that the same connection configuration
(the data accessed, the user account that accessed it and the
keys/certificates) was used with one standalone client, where it worked
just wonderfully.

> As Günter says, you may look at how PHP does it.  That's an out-of- 
> the-box solution, but it's a pretty big box.

I followed it and they seemed to me to be using more or less the same set of
APIs that MySQL provides for SSL.



Thanks in advance,


Best Regards,
Naveen Rawat




Re: SSL-enabled interaction with MySQL

Posted by Sander Temme <sa...@temme.net>.
On Apr 26, 2007, at 5:18 PM, Naveen Rawat wrote:

> I tried this (mysql_ssl_set) API but it is really not working from  
> within a
> module. It is otherwise working perfect for a standalone client  
> application.
> This could be a sort of some core issue. I am ready for an out of box
> solution to it, if it exists.

OK, here we go.  When you say "is really not working", in what way  
does this non-working state manifest itself?  Are you getting:

* Prototype errors (need to pull in appropriate .h?)
* Missing symbols on link (perhaps you need to link against libssl  
and libcrypt explicitly?)
* Missing symbols when loading module (link against correct  
libraries, LD_LIBRARY_PATH? LoadFile? Run ldd on your compiled  
module, does it find/need/want the SSL libs?)
* API call fails when running server (how? Does your client library  
know SSL? Really?)

The most important part is HOW does your effort fail? WHAT are the  
error messages you get WHEN?

This is a programmer list.  Please speak programmer language or we  
will be absolutely unable to help you.

As Günter says, you may look at how PHP does it.  That's an out-of- 
the-box solution, but it's a pretty big box.

S. (Awake, jet-lagged, no coffee)

-- 
sander@temme.net              http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF


RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.
Hi,

Thanks for the responses.

>> from what it looks here:
>> http://dev.mysql.com/doc/refman/5.1/en/mysql-ssl-set.html
>> it should be sufficient if you do a call to mysql_ssl_set() before
>> calling mysql_real_connect() - provided your client lib is compiled
>> with OpenSSL support...; it's my understanding that then a SSL
>> connection is established instead of a normal one, and after that all
>> other API calls work as usual since they rely only on the connection
>> handle...
>> 
>> also you might take a look into the php_mysqli sources; there I see
>> also SSL support, and a call to mysql_ssl_set().

> If anyone test-drives that and can confirm it works, it would be
> great to patch apr_dbd_mysql to support this within Apache DBD.
> From the mod_dbd perspective, this could be an additional
> optional argument to DBDParams.
>

I tried this (mysql_ssl_set) API but it is really not working from within a
module. It is otherwise working perfect for a standalone client application.
This could be a sort of some core issue. I am ready for an out of box
solution to it, if it exists. 
 

Thanks in advance,

Best Regards,
Naveen Rawat



Re: SSL-enabled interaction with MySQL

Posted by Nick Kew <ni...@webthing.com>.
On Thu, 26 Apr 2007 13:51:04 +0200
Guenter Knauf <fu...@apache.org> wrote:


> from what it looks here:
> http://dev.mysql.com/doc/refman/5.1/en/mysql-ssl-set.html
> it should be sufficient if you do a call to mysql_ssl_set() before
> calling mysql_real_connect() - provided your client lib is compiled
> with OpenSSL support...; it's my understanding that then a SSL
> connection is established instead of a normal one, and after that all
> other API calls work as usual since they rely only on the connection
> handle...
> 
> also you might take a look into the php_mysqli sources; there I see
> also SSL support, and a call to mysql_ssl_set().

If anyone test-drives that and can confirm it works, it would be
great to patch apr_dbd_mysql to support this within Apache DBD.
From the mod_dbd perspective, this could be an additional
optional argument to DBDParams.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

RE: SSL-enabled interaction with MySQL

Posted by Guenter Knauf <fu...@apache.org>.
Hi Naveen,
>>> My communication from my module, is database specific (my MySQL is
>>> already
>>> SSL-enabled). So is it only up to the MySQL SSL-specific C API to
>>> provide
>>> SSL (I tried using mysql_ssl_set() with no success) or there has
>>> more to be
>>> done at my module's code end?
>>
>>I have no experience coding against the MySQL client C API, but I
>>guess that this is where the magic happens in your case.  I assume
>>your client libraries are SSL-enabled?
>>

> MySQL C has the APIs but the problem is that they are not working from
> within a module. What APIs are available there for a module to talk SSL?
from what it looks here:
http://dev.mysql.com/doc/refman/5.1/en/mysql-ssl-set.html
it should be sufficient if you do a call to mysql_ssl_set() before calling mysql_real_connect() - provided your client lib is compiled with OpenSSL support...; it's my understanding that then a SSL connection is established instead of a normal one, and after that all other API calls work as usual since they rely only on the connection handle...

also you might take a look into the php_mysqli sources; there I see also SSL support, and a call to mysql_ssl_set().

HTH, Guenter.



RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.
Hi Sander,

>> My communication from my module, is database specific (my MySQL is  
>> already
>> SSL-enabled). So is it only up to the MySQL SSL-specific C API to  
>> provide
>> SSL (I tried using mysql_ssl_set() with no success) or there has  
>> more to be
>> done at my module's code end?
>
>I have no experience coding against the MySQL client C API, but I  
>guess that this is where the magic happens in your case.  I assume  
>your client libraries are SSL-enabled?
>

MySQL C has the APIs but the problem is that they are not working from
within a module. What APIs are available there for a module to talk SSL?


Best Regards,
Naveen Rawat
 



Re: SSL-enabled interaction with MySQL

Posted by Sander Temme <sa...@temme.net>.
On Apr 25, 2007, at 7:02 AM, Naveen Rawat wrote:

> My communication from my module, is database specific (my MySQL is  
> already
> SSL-enabled). So is it only up to the MySQL SSL-specific C API to  
> provide
> SSL (I tried using mysql_ssl_set() with no success) or there has  
> more to be
> done at my module's code end?

I have no experience coding against the MySQL client C API, but I  
guess that this is where the magic happens in your case.  I assume  
your client libraries are SSL-enabled?

S.

-- 
sander@temme.net              http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF


RE: SSL-enabled interaction with MySQL

Posted by Naveen Rawat <na...@otssolutions.com>.

Hi Jorge,


Thanks for the reply,

>
> 1. Primarily I wanted to know, if it is possible for an apache
> (--enable-mods-shared=all --enable-ssl=shared --enable-so) module to
> interact with a SSL-enabled MySQL (--with-openssl=<DIR>)?
>
> 2. If yes, then considering that I have got required keys/certificates for
> both the client, server and the CA, what are the apache-end APIs that
would
> be needed to make this SSL session possible?
>

Sorry for not being more descriptive.

I am trying to find an implementation for supporting the universal basic
client authentication functionality for anyone who intends to access my
Apache httpd server. 

I am using a third party authentication module 'mod_myauth' which will do
this task for me. Unfortunately for my specification, this particular module
does not provide for SSL encryption when it validates the data (username /
password) against my database on MySQL. This module is having MySQL C APIs
usage for talking to the database.

My communication from my module is database specific (my MySQL is already
SSL-enabled). So is it only up to the MySQL SSL-specific C API to provide
SSL (I tried using mysql_ssl_set() with no success) or there has more to be
done at my module's code end?


Thanks in advance,


Best Regards,
Naveen Rawat



Re: SSL-enabled interaction with MySQL

Posted by Jorge Schrauwen <jo...@gmail.com>.
If by interaction you mean access a ssl mysql server from php, asp,
coldfusion...
then no, that would require the php module to be compiled with ssl.

If you're talking about modules like mod_auth_mysql then no again since
that specific module would need to support ssl. To my knowledge there
isn't one yet.

IIRC the --with-openssl= option is when you want to compile apache
with mod_ssl and openssl is installed in a non-standard location.

don't take my word on it though. I'm sure if I'm wrong people will
correct me within minutes.

Jorge

On 4/25/07, Naveen Rawat <na...@otssolutions.com> wrote:
>
> Hi there,
>
> [I did not get any response :-( on this issue on user's forum so putting it
> here. Please help me on this.]
>
> 1. Primarily I wanted to know, if it is possible for an apache
> (--enable-mods-shared=all --enable-ssl=shared --enable-so) module to
> interact with a SSL-enabled MySQL (--with-openssl=<DIR>)?
>
> 2. If yes, then considering that I have got required keys/certificates for
> both the client, server and the CA, what are the apache-end APIs that would
> be needed to make this SSL session possible?
>
> Thanks in advance.
>
> Warm Regards,
>
> Naveen Rawat
>


-- 
~Jorge