MySQL v5 and SSL connection
Moderators: gto, EgonHugeist
-
- Fresh Boarder
- Posts: 23
- Joined: 23.06.2010, 05:33
Is there a property of the TZConnection that can be set to connect to the MySQL version 5 database server via SSL?
Thanks
-
- Senior Boarder
- Posts: 93
- Joined: 01.07.2009, 16:07
No, there isn't. If you are in charge of the server, you can use stunnel (open source, easy). Or openssl (open source, not so easy). There is also lNet for Lazarus.
Guido
CORRECTION : yes there is (sorry!) :
Properties.Strings = (
'MYSQL_SSL=TRUE'
'MYSQL_SSL_CA=D:/mysql/certs/ca-cert.pem'
'MYSQL_SSL_CERT=D:/mysql/certs/client-cert.pem'
'MYSQL_SSL_KEY=D:/mysql/certs/client-key.pem')
also see the article:
http://zeos.firmos.at/viewtopic.php?t=1 ... =ssl+mysql
and the attached file parameters.pdf
Guido
-
- Fresh Boarder
- Posts: 23
- Joined: 23.06.2010, 05:33
- mdaems
- Zeos Project Manager
- Posts: 2766
- Joined: 20.09.2005, 15:28
- Location: Brussels, Belgium
- Contact:
Actually,
Zeos doesn't send anything across the network. That's all done by libmysql.dll internally, exactly the way it is done with the mysql command line client. I have no idea about the way it is done internally by the mysql client, but I guess the password will be encrypted.
Actually, when I think about it : the connection is encrypted itself (that's what ssl is about, isn't it?) so the password IS sent encrypted.
Mark
-
- Fresh Boarder
- Posts: 23
- Joined: 23.06.2010, 05:33
Hi guidoaerts,
I have asked our administrator to create the 3 files for me as you suggested and in the pdf file:
ca-cert.pem
client-cert.pem
client-key.pem
At first he had no idea why the client needs a certificate on the client PC. Then he looked at the MySQL link below:
http://dev.mysql.com/doc/refman/5.1/en/ ... certs.html
It describes the way for:
Create CA certificate and
Create client certificate
But any idea about the client-key.pem?
He showed me in the server the 'certificate' in a long string, is the key embedded inside?
-
- Fresh Boarder
- Posts: 23
- Joined: 23.06.2010, 05:33
Arg, just noticed the link says:
# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
-key ca-key.pem > ca-cert.pem
# Create client certificate
shell> openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
ca-key.pem will be CA file.
ca-cert.pem will be the Key file.
client-cert.pem will be the client cert.
-
- Fresh Boarder
- Posts: 23
- Joined: 23.06.2010, 05:33
- mdaems
- Zeos Project Manager
- Posts: 2766
- Joined: 20.09.2005, 15:28
- Location: Brussels, Belgium
- Contact:
Yes, I do have an idea.
Your web browser requests the public certificate from the server and can use that to decrypt/encrypt all communication.
Probably the mysql client tools are not equipped to do a similar trick. Actually, I'd think distributing these keys by hand adds another level of security. Doesn't it?
Mark
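The three files named in the MYSQL_SSL_CA, MYSQL_SSL_CERT and MYSQL_SSL_KEY properties earlier in this thread can be checked before they are copied to a client PC. The shell sketch below is an added example, not code from any post or from the Zeos project: it generates the material with the openssl commands quoted in the thread and checks each file's role. The -subj names, the function names and the check itself are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; CN values are constructed and the keys are throwaway test material.

# Create CA and client files in directory $1 with the commands quoted in the thread.
# -subj (constructed names) makes them non-interactive; the two CNs must differ.
make_client_material() (
    cd "$1" &&
    openssl genrsa 2048 > ca-key.pem 2>/dev/null &&
    openssl req -new -x509 -nodes -days 1000 -subj "/CN=Example Test CA" \
        -key ca-key.pem > ca-cert.pem &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout client-key.pem > client-req.pem 2>/dev/null &&
    openssl x509 -req -in client-req.pem -days 1000 \
        -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem 2>/dev/null
)

# Report what a PEM file contains, judged by its BEGIN headers.
# A combined file is reported as e.g. "certificate+private-key".
pem_kind() {
    kinds=""
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && kinds="certificate"
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1" && kinds="${kinds:+$kinds+}csr"
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" && kinds="${kinds:+$kinds+}private-key"
    echo "${kinds:-unknown}"
}

# True when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Check the files intended for MYSQL_SSL_CA ($1), MYSQL_SSL_CERT ($2), MYSQL_SSL_KEY ($3).
# Prints "ok" or the first problem found.
check_ssl_params() {
    [ "$(pem_kind "$1")" = certificate ] || { echo "MYSQL_SSL_CA is not a certificate"; return 1; }
    [ "$(pem_kind "$2")" = certificate ] || { echo "MYSQL_SSL_CERT is not a certificate"; return 1; }
    [ "$(pem_kind "$3")" = private-key ] || { echo "MYSQL_SSL_KEY is not a private key"; return 1; }
    key_matches_cert "$3" "$2" || { echo "MYSQL_SSL_KEY does not match MYSQL_SSL_CERT"; return 1; }
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "MYSQL_SSL_CERT is not signed by MYSQL_SSL_CA"; return 1; }
    echo ok
}
```

Only ca-cert.pem, client-cert.pem and client-key.pem need to reach the client; ca-key.pem is the CA's signing key and stays with the administrator.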