A special extended edition of Tech Messages for 2011-09-21 through 2012-05-11:
Managing SSL certificates for MySQL can be somewhat of a pain, especially when setting it up on multiple machines.
I looked around on the web, and didn’t really run into any mentions of how to do this for multiple machines, so I dug into it a bit more.
If you’ve created the certificates before, you’ll know you get prompted for various bits of information during a couple of the steps (country, state, email).
However, this can be by-passed by using the -batch option with the openssl command.
So, to set this up for multiple servers, just loop through the following 5 commands for your servers:
cd C:\mysql\certs
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -batch -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 3600 -batch -nodes -keyout server-key.pem >
server-req.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem
-CAkey …[Read more]
If you’re using MySQL and SSL, you might want to glance over this article and give your setup a quick test.
I’ve uncovered an alarming bug in 5.5 where one could gain access to your MySQL instance just knowing the username and password (not having any SSL certificate, key, etc.)!
Of course, I’ve filed a bug about it here:
http://bugs.mysql.com/bug.php?id=62743
It’s been over 4 days now, and not one comment from the MySQL Bug/Dev Team.
So once again, I feel the need to share this bug with the public, in case you are using SSL with 5.5, and think your connections are secure, or that only users with the certs/key could gain access.
For SSL Users, you’ll already have this set up, but for those who don’t, I’ve simply got mysqld (5.5.15 and 5.5.16 thus far) running with the following options:
ssl-ca = …[Read more]
In this article I will describe how to test the plain and the encrypted SMTP/POP3/IMAP and HTTP protocols with telnet and the openssl s_client command.
list of references
For a complete list of available commands for the used protocols check the RFCs please:
SMTP sending mail
In the first example I will open a telnet connection to a SMTP Server on …
[Read more]How To Set Up MySQL Database Replication With SSL Encryption On Debian Squeeze
This tutorial describes how to set up database replication in MySQL using an SSL connection for encryption (to make it impossible for hackers to sniff out passwords and data transferred between the master and slave). MySQL replication allows you to have an exact copy of a database from a master server on another server (slave), and all updates to the database on the master server are immediately replicated to the database on the slave server so that both databases are in sync. This is not a backup policy because an accidentally issued DELETE command will also be carried out on the slave; but replication can help protect against hardware failures though.
Since MySQL 4.0 it's possible to use SSL to secure the
connections to MySQL. Unfortunately this is not used very
often.
It can be used for cient-server connections and for replication. It will encrypt your traffic and
prevent man-in-the-middle attacks if you're using
ssl-verify-server-cert when connecting using mysql.
Securing database communication can be required to be compliant
to some regulations.
There are other means of preventing anyone from snooping your
database traffic like VPN, SSH Tunneling or stunnel.
As usual the documentation is quite good. The only
issue with the docs is that the verification step is missing.
(Bug …
This is more of a question than me sharing knowledge, but I'm testing the effects of MySQL SSL on replication delay. Interestingly, my tests show faster replication when I enable SSL, versus disable. The slave_compressed_protocol has an effect too, and I get the best result when I use SSL and slave compression in a non-CPU bound test.
The question came up, however, of what SSL Cipher I'm using. I'm not specifying one in my CHANGE MASTER statement, so I'm guessing I'm getting the same default cipher as if I connect with the regular mysql command line client with SSL, which is:
So, just in case that wasn’t evil enough for you… perhaps you have something you want to know the MD5 checksum of. So, you could just do this:
drizzle> select md5('Hello World!');
+----------------------------------+
| md5('Hello World!') |
+----------------------------------+
| ed076287532e86365e841e92bfc50d8c |
+----------------------------------+
1 row in set (0 sec)
But that is soooo boring.
Since we have the SSL libs already loaded into Drizzle, and using my very evil libtcc plugin… we could just implement it in C. We can even use malloc!
drizzle> SELECT LIBTCC("#include …
Reminder, mark you callendar:
Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.
A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.
Registration limited to members of the Sun Startup Essentials program.
Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>
Reminder, mark you callendar:
Wednesday January 27th, Join the Sun Startup Essentials Webinar on Security for Web Applications.
A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.
Registration limited to members of the Sun Startup Essentials program.
Your company is less than 6 year and 150 employee: Join Sun Startup Essentials >>