I need some help in figuring out the SSL properties in MySQL. Specifically, I need to know what files (and formats) each is looking for.
The properties are:
- SSLAuthority
- SSLAuthorityDirectory (a folder that holds authorities that I can export from Keychain?)
- SSLCertificate
- SSLCipher (the LR suggests “DHE-RSA-AES256-SHA”, but where is the complete list?)
- SSLKey
I’d appreciate any help and will flesh out the LR with what’s provided here.
This is my understanding, which has worked for me over the years doing SSL with Apache and Xojo to PostgreSQL DB over SSL:
SSLAuthority = The Certificate Authority’s public certificate in .pem format. I’m using the “AddTrustExternalCARoot.pem” file that I downloaded from their public website.
SSLAuthorityDirectory = A directory that stores all of the certs that the primary certs may depend on to complete the trust chain. I.e., I had a CA root cert a while back that required that another cert existed. In the directory I ran the ‘c_rehash .’ command on OS X so that a link would be created for the other certs. You need to run this command because otherwise the SSL process doesn’t know which of the files in the directory is the file to use because you can name the file anything. c_rehash creates a link to the file so that the trust chain knows what to look for in the same directory.
SSLCertificate = This is the SSLCertificate for the client’s public cert. You’d use this if you needed to ensure that you trust the client doing the request. In my case I don’t use this.
SSLCipher = I don’t have any experience with this in my app, but I suspect it’s negotiated at connection time. I’m not setting this in my Xojo to PostgreSQL DB SSL connection.
SSLKey = I believe that this is the hosts/client’s private key file?
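The c_rehash step described in that answer, worked through as an added example (these are not the poster's own commands). It constructs throwaway self-signed certificates and assumes the openssl command-line tool is installed:

```shell
#!/bin/sh
# Added example (not from the thread): build an SSLAuthorityDirectory by hand
# the way c_rehash does, so an SSL library can find a CA cert by subject hash.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/cadir"
mkdir -p "$CADIR"

# Constructed throwaway certificates for the demo; neither is a real authority.
mkcert() {  # $1 = common name, $2 = output .pem path
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null
}
mkcert "Demo Test CA" "$WORK/ca.pem"
mkcert "Unrelated Self-Signed" "$WORK/other.pem"

# The CA goes into the directory under an arbitrary file name, which is exactly
# why a plain directory scan cannot tell which file is the trusted CA.
cp "$WORK/ca.pem" "$CADIR/anything-you-like.pem"

# What c_rehash does for every cert: link <subject_hash>.0 -> the file.
# (OpenSSL 0.9.8-era directories use the value from -subject_hash_old instead.)
rehash_dir() {
  for f in "$1"/*.pem; do
    h=$(openssl x509 -noout -subject_hash -in "$f")
    ln -sf "$(basename "$f")" "$1/$h.0"
  done
}

# Prints OK when the chain resolves through the directory, FAIL otherwise.
verify_with_capath() {
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

before=$(verify_with_capath "$CADIR" "$WORK/ca.pem")   # FAIL: no hash link yet
rehash_dir "$CADIR"
after=$(verify_with_capath "$CADIR" "$WORK/ca.pem")    # OK: found via hash link
other=$(verify_with_capath "$CADIR" "$WORK/other.pem") # FAIL: not in the directory
echo "before rehash: $before, after rehash: $after, unrelated cert: $other"
```

The same hash-link lookup is what the directory handed to SSLAuthorityDirectory relies on, so a directory that was never rehashed silently trusts nothing.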
http://dev.mysql.com/doc/refman/5.1/en/ssl-connections.html
Maybe this link can help a bit, although I guess you already have found this.
I hadn’t, thanks! I’ll pore over that link and post further information and questions.
I’ve finally gotten an opportunity to dive into this, and the setup was far easier than the docs make it seem. The people hosting the MySQL database set up a test database that accepts SSL connections only, then sent me a certificate file.
On my end, all I had to do was set SSLMode to true and point SSLAuthority to the cert file they sent. That’s it, easy peasy.
Before anyone asks, without these settings, I couldn’t establish a connection at all. That test database does not allow connections without SSL.
I hope this helps others too.
Thank you @Kem Tekinay! Your comment just saved me from a lot of frustration trying to get Xojo to cooperate with an SSL MariaDB connection! Much appreciated.