MySQL v5 and SSL connection

In this forum we will discuss things relating to the ZEOSLib 6.6.x stable versions

ManUtdFans
Fresh Boarder
Posts: 23
Joined: 23.06.2010, 05:33

Post by ManUtdFans »

Is there a property of the TZConnection that can be set to connect to the MySQL version 5 database server via SSL?

Thanks
guidoaerts
Senior Boarder
Posts: 93
Joined: 01.07.2009, 16:07

Post by guidoaerts »

No, there isn't. If you are in charge of the server, you can use stunnel (opensource, easy). Or openssl (opensource, not so easy). There is also lNet for lazarus.
Guido

CORRECTION : yes there is (sorry!) :

Properties.Strings = (
'MYSQL_SSL=TRUE'
'MYSQL_SSL_CA=D:/mysql/certs/ca-cert.pem'
'MYSQL_SSL_CERT=D:/mysql/certs/client-cert.pem'
'MYSQL_SSL_KEY=D:/mysql/certs/client-key.pem')

also see the article:
http://zeos.firmos.at/viewtopic.php?t=1 ... =ssl+mysql
and the attached file parameters.pdf
ManUtdFans
Fresh Boarder
Posts: 23
Joined: 23.06.2010, 05:33

Post by ManUtdFans »

Hi,

Does the Zeos connection component send encrypted username and password across network to MySQL server?
mdaems
Zeos Project Manager
Posts: 2766
Joined: 20.09.2005, 15:28
Location: Brussels, Belgium

Post by mdaems »

Actually,
Zeos doesn't send anything across the network. That's all done by libmysql.dll internally, exactly the way it is done with the mysql command line client. I have no idea about the way it is done internally by the mysql client, but I guess the password will be encrypted.
Actually, when I think about it : the connection is encrypted itself (that's what ssl is about, isn't it?) so the password IS sent encrypted.

Mark
ManUtdFans
Fresh Boarder
Posts: 23
Joined: 23.06.2010, 05:33

Post by ManUtdFans »

Hi guidoaerts,

I have asked our administrator to create the 3 files for me as you suggested and in the pdf file:
ca-cert.pem
client-cert.pem
client-key.pem

At first he had no idea why the client needs a certificate on the client PC. Then he looked at the MySQL link below:

http://dev.mysql.com/doc/refman/5.1/en/ ... certs.html

It describes the way for:
Create CA certificate and
Create client certificate

But any idea about the client-key.pem?

He showed me the 'certificate' on the server as a long string; is the key embedded inside?
ManUtdFans
Fresh Boarder
Posts: 23
Joined: 23.06.2010, 05:33

Post by ManUtdFans »

Arg, just noticed the link says:
# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
-key ca-key.pem > ca-cert.pem

# Create client certificate
shell> openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem


ca-key.pem will be CA file.
ca-cert.pem will be the Key file.
client-cert.pem will be the client cert.
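
The commands quoted above write the three files named in the MYSQL_SSL_* properties earlier in the thread: `ca-cert.pem` from the CA step, `client-key.pem` from `-keyout`, and `client-cert.pem` from the signing step. The following is an added example (not from the thread or from the MySQL manual) that runs those steps non-interactively and checks the result; the function names and `-subj` values are constructed for illustration.

```shell
#!/bin/sh
# Added example: the thread's openssl steps, run non-interactively and checked.
# The -subj names are constructed placeholders. The CA and the client get
# different names; a client certificate named like its CA fails verification.

make_client_certs() {
    (
        cd "$1" || exit 1
        # CA private key (stays with the administrator) and CA certificate
        openssl genrsa -out ca-key.pem 2048 2>/dev/null &&
        openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
            -subj "/CN=Example Test CA" -out ca-cert.pem &&
        # Client private key (written by -keyout) and certificate request
        openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
            -subj "/CN=example-client" -out client-req.pem 2>/dev/null &&
        # Client certificate, signed with the CA key
        openssl x509 -req -in client-req.pem -days 1000 \
            -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 \
            -out client-cert.pem 2>/dev/null
    )
}

# Succeeds when client-cert.pem chains to ca-cert.pem
cert_chains_to_ca() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}

# Succeeds when client-key.pem is the private key belonging to client-cert.pem
# (the public key derived from each file must be identical)
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/client-cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1/client-key.pem" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh thisfile.sh /path/to/empty/dir
if [ -n "${1:-}" ]; then
    make_client_certs "$1" && cert_chains_to_ca "$1" &&
        key_matches_cert "$1" && echo "client files OK in $1"
fi
```

Only `ca-cert.pem`, `client-cert.pem` and `client-key.pem` go to the client PC; `ca-key.pem` is needed only for signing.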
mdaems
Zeos Project Manager
Posts: 2766
Joined: 20.09.2005, 15:28
Location: Brussels, Belgium

Post by mdaems »

ManUtdFans,

Did you get the SSL connection working?

Mark
ManUtdFans
Fresh Boarder
Posts: 23
Joined: 23.06.2010, 05:33

Post by ManUtdFans »

Hi,

I am still waiting for my sys admin to create the cert files for me.
He does not understand why the client needs a cert on the client PC. He took the example of a browser visiting an SSL website: the client browser does not have a cert file on the PC. Any idea?
mdaems
Zeos Project Manager
Posts: 2766
Joined: 20.09.2005, 15:28
Location: Brussels, Belgium

Post by mdaems »

Yes, I do have an idea.
Your web browser requests the public certificate from the server and can use that to decrypt/encrypt all communication.
Probably the mysql client tools are not equipped to do a similar trick. Actually, I'd think distributing these keys by hand adds another level of security. Doesn't it?

Mark