Hi Francisco
Need a little more information to answer your question. You reference Xojocloud. Are you connecting to a MySQL database on your XojoCloud server or is your MySQL database on another server?
In this case, I will host the final version of the database on XojoCloud, but I am also interested in knowing how to implement a secure connection on a separate server (MySQL).
Only enabling SSL is NOT sufficient, you need to specify the certs to make it secure. Not sure about mySQL as I stopped using it long ago, but I would say that only enabling but not specifying the certs will in the “best” case properly fail and cause an error, in the “worst” case it might be that it is just falling back to a standard connection, w/o a beep. Worst case, because you might feel secure, but you are not.
Generally speaking, it is usually better not to expose your database “outside” of the localhost in the first place. For testing purposes I would open an SSL tunnel to your Xojo Cloud server, so that Xojo Cloud databases will be seen in the debugger as any other local instance, so you don’t need to open any ports, not even for debugging on production, and no need for certificates.
For connections between two servers on the Internet (not talking about a local network) it is, in my opinion, best to develop some APIs for full (or better said, maximum) control, still without exposing your whole database to the bad, dark internet. Xojo Cloud Server has implemented a lot of measures to protect you, but exposing a database to the internet is something to still be very careful about. Of course it all depends on the content in your database: grandma’s best apple pie recipes versus credit card records of your customers, etc.
When your application that is hosted on Xojocloud is talking to the MySQL database on the same server, you are actually behind a firewall and communicating via a local interface, so your Xojocloud MySQL server is not visible to the internet world. They do allow you to set up an SSL tunnel so you can connect from your local machine to your Xojocloud MySQL server. I would contact @Paul_Lefebvre about current instructions on how to set these things up, since I cannot seem to locate the videos that I used when we got started.
With input from Greg O’Lone (I think?) I built the following a long while ago to automate the process of building an SSH tunnel while debugging. Perhaps it might help you too:
Thanks Jeannot, automating the SSH tunnel saves time and effort.
My intention was to work with two mirror databases, one on xojocloud for production and the other on an external server for testing. Depending on the URL of the session, I connect with one or the other.
That should be possible by just adapting the script accordingly. And you could even SSH between the 2 servers. All better than opening database ports. In the latter case I would probably use a VPN between both servers though. Again, depending on whether we are talking about grandma’s recipes or more sensitive data.
I am usually just mirroring the databases on my local machine. It is quite easy to install postgres on macOS for instance and via SSH you can easily pull or push files, for instance a database dump.
My SSH script is meanwhile far more sophisticated. I usually use a global property to set to which server/database I want to connect before starting to debug.
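The tunnel described in this thread, as an added example written for this page rather than Jeannot’s script (which is not reproduced here): a small POSIX sh helper that builds and starts an SSH local port forward so that a MySQL server listening only on localhost on the Xojo Cloud machine appears on a local port, which the debugger can then treat like any local instance. The user name, host name and port numbers are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not the forum poster's script: build (and
# optionally start) an SSH local port forward so that a MySQL server that only
# listens on localhost on the Xojo Cloud machine shows up on a local port,
# which the Xojo debugger then uses like any local database.
# The user name, host name and ports are assumptions; substitute your own.

# tunnel_cmd USER HOST LOCAL_PORT REMOTE_PORT
# Prints the ssh command line without running it.
tunnel_cmd() {
    # -N: no remote shell, only the forward
    # -f: background once the forward is up
    # ExitOnForwardFailure=yes: fail loudly if the port cannot be forwarded,
    #   instead of leaving an ssh session with no forward behind it
    # Binding the local end to 127.0.0.1 keeps the forwarded database port
    # off the LAN interface.
    printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$3" "$4" "$1" "$2"
}

# valid_port N: true when N is an integer between 1 and 65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# start_tunnel USER HOST LOCAL_PORT REMOTE_PORT
# Validates the ports, then runs ssh with the same arguments tunnel_cmd prints.
# Point the Xojo connection at 127.0.0.1:LOCAL_PORT once it returns.
start_tunnel() {
    if ! valid_port "$3" || ! valid_port "$4"; then
        echo "start_tunnel: ports must be 1-65535" >&2
        return 1
    fi
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:$3:127.0.0.1:$4" "$1@$2"
}

# Example invocation (commented out so the file can be sourced without
# opening a connection): start_tunnel deploy example.invalid 3307 3306
```

Once `start_tunnel` returns, the application connects to `127.0.0.1` on the local port with no database port open on the server and no certificates to manage; the only credential in play is the SSH key or password, and `ExitOnForwardFailure` ensures a forward that could not be set up is reported rather than silently missing.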
Page not Found error. Seeing that a lot of people struggle with this issue, it would be nice if XOJO would do a detailed project on connecting to a MySQL server using certificates.
Then with any other app, including Go, PHP, Python, you just simply connect and it works, but apparently not with XOJO.
I guess I asked many times and in many places but no answer so far, so I guess either they don’t know what to reply or don’t want to clarify this issue.
Usually what is provided in many cases are the client certificate (db.SSLCertificate); client key (db.SSLKey); SSL CA, which I assume is db.SSLAuthority. Now could someone clarify for everyone what in the world you would put in db.SSLAuthorityFolder and what the format of the data in that folder is? As I see it for the first time here for XOJO only, where it requires that much config to connect securely to a MySQL server, which should be simple and standard considering the current security standards.
Xojo chose to only allow databases to be connected to from localhost. That allows for easier connection from your apps and removes the risk of a bad actor connecting from the outside world and exploiting a vulnerability in the database engine itself. The way you connect securely to the database is through an SSH tunnel.
Now yes, Xojo could (and should) update that to use rsa keys, but the mechanism is quite secure already.
While this is true, you don’t always control the DB end, so in my case I do need to work with what the customer provides, in this case the client certs, the CA cert and the remote IP and port. So how can I explain this to the customer? Sorry, XOJO cannot do that; not nice, I guess. I’ll see if they can provide a tunnel with a regular connection, but this will be declined for sure, as that means allowing additional setup and access to the server and so on, while with the current setup they just generate the client certs when needed and done.
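For the customer-provided setup just described (client certificate, client key, CA certificate, remote IP and port), and for the earlier caveat that “enabling SSL” without certificates may quietly fall back to a plaintext connection, here is an added example that is neither Xojo’s nor any poster’s code: a POSIX sh helper that maps the three files onto the plain `mysql` client’s flags, checks the key file’s permissions, and parses `SHOW SESSION STATUS LIKE 'Ssl_cipher'` to confirm that a cipher was actually negotiated. It assumes a MySQL 5.7+/8.0 `mysql` client (which has `--ssl-mode`); host, port, user and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not Xojo's or any poster's code: check, with the plain mysql
# client, that the customer's three files (CA certificate, client certificate,
# client key) actually give a TLS connection before involving the Xojo app.
# Assumes a MySQL 5.7+/8.0 "mysql" client (which has --ssl-mode); host, port,
# user and file paths are placeholders.

# mysql_tls_cmd HOST PORT USER CA_FILE CERT_FILE KEY_FILE
# Prints the client command line. --ssl-mode=VERIFY_CA refuses a plaintext
# connection and checks the server certificate against the CA, so a
# misconfigured server fails instead of silently "working" without TLS.
mysql_tls_cmd() {
    printf 'mysql --host=%s --port=%s --user=%s --ssl-mode=VERIFY_CA --ssl-ca=%s --ssl-cert=%s --ssl-key=%s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# key_perms_ok KEY_FILE: true when the private key is readable by its owner
# only (mode 600 or stricter); group/other access leaks the client identity.
key_perms_ok() {
    [ -f "$1" ] || return 1
    # ls -l columns 5-10 are the group and other permission bits
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# ssl_in_use: reads on stdin the output of
#   mysql ... -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
# (either tab-separated batch output or the boxed table) and is true only when
# a cipher was negotiated. An empty Ssl_cipher means the session is NOT
# encrypted, even if SSL was "enabled" on the client.
ssl_in_use() {
    cipher=$(awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "Ssl_cipher") {
                v = $(i + 1)
                if (v == "|") v = $(i + 2)   # boxed table: skip the separator
                if (v != "|") print v
            }
    }')
    [ -n "$cipher" ]
}

# Typical check (placeholder values; commented out so the file runs offline):
# key_perms_ok client-key.pem || echo "tighten key permissions" >&2
# $(mysql_tls_cmd db.example.invalid 3306 app ca.pem client-cert.pem client-key.pem) \
#     -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'" | ssl_in_use || echo "no TLS!" >&2
```

If this command line connects and `ssl_in_use` reports a cipher, the certificates and the server side are fine and any remaining problem is in how the application passes them; if `Ssl_cipher` comes back empty on a connection that “enabled SSL”, that is exactly the silent fallback warned about earlier in the thread.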