From owner-freebsd-questions@FreeBSD.ORG Thu Oct 8 07:45:57 2009
Message-ID: <4ACD9898.7000701@infracaninophile.co.uk>
Date: Thu, 08 Oct 2009 08:45:28 +0100
From: Matthew Seaman
Organization: Infracaninophile
To: Olivier Nicole
Cc: freebsd-questions@freebsd.org
Subject: Re: MySQL + SSL
In-Reply-To: <200910080332.n983WTW3018483@banyan.cs.ait.ac.th>

Olivier Nicole wrote:
> Hi,
>
> I have been struggling to find the correct syntax for the mysql(1)
> command to connect with SSL.
>
> My server is accepting SSL connections:
>
> db2: mysql -u root -p
> Enter password:
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> Your MySQL connection id is 1
> Server version: 5.4.2-beta FreeBSD port: mysql-server-5.4.2
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
>
> mysql> SHOW VARIABLES LIKE '%ssl%';
> +---------------+-------------------------------------------+
> | Variable_name | Value                                     |
> +---------------+-------------------------------------------+
> | have_openssl  | YES                                       |
> | have_ssl      | YES                                       |
> | ssl_ca        | /usr/local/ssl/ca/ait-itserv.crt          |
> | ssl_capath    |                                           |
> | ssl_cert      | /usr/local/ssl/crt/db2.cs.ait.ac.th.crt   |
> | ssl_cipher    | DHE-RSA-AES256-SHA:AES128-SHA             |
> | ssl_key       | /database/mysql/database.cs.ait.ac.th.key |
> +---------------+-------------------------------------------+
> 7 rows in set (0.00 sec)
>
> mysql> quit
> Bye
> db2:

This is a question more suited to one of the various MySQL fora really.

Anyhow, the standard take on using SSL to encrypt MySQL connections is:
don't do it.  MySQL is apparently pretty ropey when it comes to doing
crypto.  Instead, you should use ipsec, ssh, stunnel or the like to
provide an encrypted transport layer that you access MySQL through.

It's also generally the case that the overhead of doing encryption
between the DB and the client application tends to destroy performance.
Design your network so that the DB is close to the application servers
and has a protected private network between the two, where you can send
plaintext traffic without fear of snooping.  If you need to work with
systems distributed over a number of sites, then replicating the DB so
there is an instance at each location is a good design choice, despite
the difficulties this introduces with Insert/Update/Delete on replica
DBs.  Then just encrypt the transport layer the inter-site replication
traffic uses.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
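Added example, not part of the thread and not code from either poster: a POSIX shell script for the ssh variant of the encrypted-transport approach Matthew recommends, where the mysql client talks plaintext to a local port and ssh carries it to the database host. The host name, shell account and port numbers are assumptions for illustration and can be overridden from the environment; the ssh and mysql options used (-L, -f, -N, ExitOnForwardFailure, --protocol, -h, -P) are standard ones.

```shell
#!/bin/sh
# Added example, not code from the original thread: reach a remote MySQL
# server through an ssh port forward, one of the "encrypted transport
# layer" options Matthew suggests.  DB_HOST, SSH_USER and the port numbers
# are assumptions for illustration; override them in the environment.
set -eu

DB_HOST="${DB_HOST:-db2.example.invalid}"   # assumed: DB host reachable by ssh
SSH_USER="${SSH_USER:-dbadmin}"             # assumed: shell account on DB_HOST
LOCAL_PORT="${LOCAL_PORT:-3307}"            # local end of the tunnel
REMOTE_PORT="${REMOTE_PORT:-3306}"          # mysqld's port on DB_HOST loopback

# A TCP port is digits only and in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L forwarding spec.  The local end is bound to 127.0.0.1 so
# that other machines on the client's LAN cannot use the tunnel as an
# unauthenticated path into the database.
forward_spec() {
    valid_port "$1" || return 1
    valid_port "$2" || return 1
    printf '127.0.0.1:%s:127.0.0.1:%s' "$1" "$2"
}

# Start ssh in the background with no remote command.  ExitOnForwardFailure
# makes ssh exit non-zero if LOCAL_PORT is already taken, instead of
# quietly running without the forward (which would leave mysql talking to
# whatever else listens on that port).
open_tunnel() {
    spec=$(forward_spec "$LOCAL_PORT" "$REMOTE_PORT") || {
        echo "open_tunnel: bad port numbers" >&2
        return 1
    }
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "$SSH_USER@$DB_HOST"
}

# Connect through the tunnel.  The host must be 127.0.0.1, not "localhost":
# the mysql client turns "localhost" into a Unix-socket connection, which
# would silently bypass the tunnel.  --protocol=TCP makes that explicit.
mysql_via_tunnel() {
    mysql --protocol=TCP -h 127.0.0.1 -P "$LOCAL_PORT" -u root -p "$@"
}

# Only run the procedure when asked; sourcing the file just defines the
# functions above.
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    open_tunnel
    # The server sees the connection arrive on its own loopback, so the
    # account that must exist (and be granted) is 'root'@'localhost' or
    # 'root'@'127.0.0.1'; this query shows which one actually matched.
    mysql_via_tunnel -e 'SELECT CURRENT_USER(), @@hostname;'
fi
```

Two consequences of this design are worth checking on the server side. First, mysqld should listen only on its loopback address (bind-address=127.0.0.1 in my.cnf) so that the plaintext port is not reachable from the network at all and the tunnel is the only way in. Second, every tunnelled client arrives from 127.0.0.1, so MySQL's per-host grants can no longer tell client machines apart; authorization has to rest on the ssh accounts and on the MySQL user names instead. The same layout works with stunnel in place of ssh: a client-side stunnel listening on a local port and a server-side stunnel terminating TLS in front of the loopback-bound mysqld.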