
MySQL v5 and SSL connection

Posted: 15.11.2010, 01:31
by ManUtdFans
Is there a property of the TZConnection that can be set to connect to the MySQL version 5 database server via SSL?

Thanks

Posted: 15.11.2010, 14:48
by guidoaerts
No, there isn't. If you are in charge of the server, you can use stunnel (open source, easy). Or openssl (open source, not so easy). There is also lNet for Lazarus.
Guido

CORRECTION : yes there is (sorry!) :

Properties.Strings = (
'MYSQL_SSL=TRUE'
'MYSQL_SSL_CA=D:/mysql/certs/ca-cert.pem'
'MYSQL_SSL_CERT=D:/mysql/certs/client-cert.pem'
'MYSQL_SSL_KEY=D:/mysql/certs/client-key.pem')

also see the article:
http://zeos.firmos.at/viewtopic.php?t=1 ... =ssl+mysql
and the attached file parameters.pdf

Posted: 18.11.2010, 06:52
by ManUtdFans
Hi,

Does the Zeos connection component send an encrypted username and password across the network to the MySQL server?

Posted: 19.11.2010, 21:26
by mdaems
Actually,
Zeos doesn't send anything across the network. That's all done by libmysql.dll internally, exactly the way it is done with the mysql command line client. I have no idea about the way it is done internally by the mysql client, but I guess the password will be encrypted.
Actually, when I think about it : the connection is encrypted itself (that's what ssl is about, isn't it?) so the password IS sent encrypted.

Mark

Posted: 17.01.2011, 06:07
by ManUtdFans
Hi guidoaerts,

I have asked our administrator to create the 3 files for me as you suggested and in the pdf file:
ca-cert.pem
client-cert.pem
client-key.pem

At first he had no idea why the client needs a certificate on the client PC. Then he looked at the MySQL link below:

http://dev.mysql.com/doc/refman/5.1/en/ ... certs.html

It describes the way for:
Create CA certificate and
Create client certificate

But any idea about the client-key.pem?

He showed me in the server the 'certificate' in a long string, is the key embedded inside?

Posted: 21.01.2011, 03:33
by ManUtdFans
Arg, just noticed the link says:
# Create CA certificate
shell> openssl genrsa 2048 > ca-key.pem
shell> openssl req -new -x509 -nodes -days 1000 \
-key ca-key.pem > ca-cert.pem

# Create client certificate
shell> openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout client-key.pem > client-req.pem
shell> openssl x509 -req -in client-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem


ca-key.pem will be CA file.
ca-cert.pem will be the Key file.
client-cert.pem will be the client cert.
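
A way to check which of the three files is which before pointing MYSQL_SSL_CA, MYSQL_SSL_CERT and MYSQL_SSL_KEY at them, as an added example that is not part of the original thread. It assumes the roles given in the Properties listing earlier (ca-cert.pem is the CA certificate, client-cert.pem the client certificate, client-key.pem the client's private key) and an `openssl` binary on the PATH; the function names and `-subj` values are made up for the example, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: sanity-check the PEM files behind the MYSQL_SSL_* properties.

# make_demo_files DIR (hypothetical helper): builds constructed sample files with
# the openssl steps quoted in the thread; -subj is added so nothing is prompted.
# The CA and the client get different Common Names, as the MySQL manual requires.
make_demo_files() {
    ( cd "$1" &&
      openssl genrsa 2048 > ca-key.pem &&
      openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
          -subj "/CN=Demo CA (constructed)" > ca-cert.pem &&
      openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
          -subj "/CN=demo-client (constructed)" > client-req.pem &&
      openssl x509 -req -in client-req.pem -days 1000 \
          -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
    ) 2>/dev/null
}

# check_client_files CA_CERT CLIENT_CERT CLIENT_KEY (hypothetical helper)
# Returns 0 only if the client certificate was issued by the CA certificate
# and the private key is the one that belongs to the client certificate.
check_client_files() {
    ca=$1 cert=$2 key=$3
    # 1. The file given as MYSQL_SSL_CA must verify the one given as MYSQL_SSL_CERT.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "client certificate is not signed by this CA"; return 1; }
    # 2. Extract the public key from the certificate and from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read a certificate from $cert"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read a private key from $key"; return 2; }
    # 3. MYSQL_SSL_KEY and MYSQL_SSL_CERT must carry the same public key.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match the client certificate"; return 3; }
    echo "ok"
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir" &&
    check_client_files "$demo_dir/ca-cert.pem" "$demo_dir/client-cert.pem" \
                       "$demo_dir/client-key.pem"
rm -rf "$demo_dir"
```

Only ca-cert.pem, client-cert.pem and client-key.pem need to be on the client PC; ca-key.pem is the CA's signing key and stays with whoever issues the certificates.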

Posted: 26.01.2011, 23:51
by mdaems
ManUtdFans,

Did you get the SSL connection working?

Mark

Posted: 02.02.2011, 05:00
by ManUtdFans
Hi,

I am still waiting for my sys admin to create the cert files for me.
He does not understand why the client needs a cert on the client PC. He took the example of a browser visiting an SSL website: the client browser does not have a cert file on the PC. Any idea?

Posted: 02.04.2011, 21:34
by mdaems
Yes, I do have an idea.
Your web browser requests the public certificate from the server and can use that to decrypt/encrypt all communication.
Probably the mysql client tools are not equipped to do a similar trick. Actually, I'd think distributing these keys by hand adds another level of security. Doesn't it?

Mark