Archive for the ‘Coding’ Category

Open CA, continued

Coding, Tool Tips | Posted by attriel March 16th, 2010

Well, I haven’t had a chance to look at the entries I mentioned last post.  But I DID remember an open free Certificate Authority.

CACert is a site that lets you register and, assuming you can reasonably prove ownership of your domain (by answering the emails sent to the addresses associated with the registrar), issue certs for your domain.  I’m currently looking at issuing certs for my mail server and web daemon.

The CACert root certificate isn’t widely distributed, so your users would have to add it the first time they came, but IMO it’s a little better (and possibly better controlled) than the self-signed “Snake Oil” certs.

The only downside I’ve noticed so far is that there’s no interface for building your request, so you still have to use OpenSSL or another package to generate your key and the certificate signing request (CSR).  I’m kind of surprised, honestly, that they don’t have that part, since I would think it would be easier than the CA portion.

So, I still want to look at the other tools, but since CACert is centralized and you can add the root cert for your users, I think it makes a decent option when you can use it.

CA Systems

Coding, Tool Tips | Posted by attriel March 3rd, 2010

So, as part of the MySQL SSL Replication series, I decided that I’d look up some open source CA systems.  Because there must be something better than running openssl --fifty --thousand --options --with --no --memory --or --checking

I found OpenCA/OpenPKI, which looked interesting.  Except that when I tried to set it up, the Ubuntu downloads were Red Hat RPMs, and after converting them they didn’t appear to be actual apps.  They may have been framework prerequisites of the app, but the download screens were singularly uninformative.

I also found EJBCA, which I haven’t tried out yet, partially because OpenCA sounded decent and I figured I’d try that first, since EJBCA looks to be a much larger Java/JBoss application and I don’t know JBoss offhand.  I’ll let you know if I get it going; otherwise I’ll do the MySQL entries with openssl.

And I meant to post this yesterday, oops.

MySQL SSL (1 of 3)

Coding | Posted by attriel January 12th, 2010

First thing to note:  The community build of MySQL does not support SSL.  You either need the Enterprise edition or you need to build it yourself.

To check whether SSL is enabled on your build, log into MySQL with any account and ask for the have_ssl variable:

mysql> show variables like 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.01 sec)

If it says YES, MySQL is compiled with SSL support and SSL is active.  If it says DISABLED, the binary has SSL support but the server was not started with the ssl options (set them as below and restart).  If it says NO, a new binary will need to be built.

Once MySQL has SSL, you can set the configuration options in the MySQL configuration/INI file as follows (with the paths obviously modified):

[mysqld]
ssl-ca=/usr/mysql-5.0.84/ssl/ca-cert.pem
ssl-cert=/usr/mysql-5.0.84/ssl/mysql.cert
ssl-key=/usr/mysql-5.0.84/ssl/mysql.key
ssl-cipher=ALL

(The last line enables every cipher suite in OpenSSL’s ALL list, which excludes NULL encryption)

This assumes you have the CA’s public certificate saved as ca-cert.pem, and the server’s private key and certificate saved as mysql.key and mysql.cert.  Generating those will be another post.
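The key and CSR that the CACert post above says you still have to generate yourself, and the ca-cert.pem / mysql.key / mysql.cert trio this post defers to a later entry, as one added example.  This is not the author’s later post and not CACert’s or MySQL’s code; it assumes openssl is on PATH, and every name, CN and path in it is illustrative.  The throwaway CA stands in for what CACert does for you (you would download their ca-cert.pem and submit mysql.csr instead); the server key and CSR steps are the same either way.

```sh
#!/bin/sh
# Added example, not code from the original posts. Builds a throwaway CA and
# then the server key/CSR/certificate that the [mysqld] ssl-* options above
# expect. Assumes openssl is on PATH; all names and paths are illustrative.
set -eu

# make_pki DIR SERVER_CN
# Writes ca-key.pem, ca-cert.pem, mysql.key, mysql.csr and mysql.cert into DIR.
make_pki() {
    dir=$1
    cn=$2
    mkdir -p "$dir"

    # 1. Throwaway CA. With CACert this step is theirs and you only download
    #    ca-cert.pem. The CA key never needs to be on the MySQL server.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -days 3650 -subj "/CN=Example Test CA"

    # 2. Server key and CSR: the part you generate yourself even with CACert.
    #    The server CN must differ from the CA's CN; the MySQL docs note that
    #    OpenSSL-built servers will not accept a cert whose CN equals the CA's.
    openssl genrsa -out "$dir/mysql.key" 2048 2>/dev/null
    openssl req -new -key "$dir/mysql.key" -out "$dir/mysql.csr" -subj "/CN=$cn"

    # 3. Sign the CSR with the CA (what CACert does for you on submission).
    openssl x509 -req -in "$dir/mysql.csr" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/mysql.cert" \
        -days 365 2>/dev/null

    # Private keys are readable only by their owner; mysqld must be able to
    # read mysql.key, so chown it to the user mysqld runs as.
    chmod 600 "$dir/ca-key.pem" "$dir/mysql.key"
}

# verify_cert CA_FILE CERT_FILE: succeeds only if CERT_FILE chains to CA_FILE.
# This is the check the client's --ssl-ca performs on the server certificate.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches KEY_FILE CERT_FILE: succeeds if the key's modulus matches the
# certificate's, i.e. ssl-key and ssl-cert really are a pair.
key_matches() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_subject CERT_FILE: prints the subject line for a quick eyeball check.
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Usage (illustrative paths matching the my.cnf fragment above):
#   make_pki /usr/mysql-5.0.84/ssl mysqlhost.example.com
#   verify_cert /usr/mysql-5.0.84/ssl/ca-cert.pem /usr/mysql-5.0.84/ssl/mysql.cert \
#       && echo "chain OK"
```

Generating the key locally, rather than having the CA’s web interface do it, is the right division of labour in any case: the CA only ever needs the CSR, and a CA that hands you a private key has a copy of it.  The verify_cert and key_matches checks are worth running before restarting mysqld, since a mismatched key/cert pair or a cert that does not chain to ca-cert.pem shows up later only as a generic SSL connection error on the client.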

To test the functionality, log in to MySQL using an administrator account, create a test database and an account that is only allowed to connect over SSL:

mysql> create database test;
mysql> grant all privileges on test.* to test@localhost identified by 'testpassword' require ssl;

Then you can attempt to log in to the server as the test user:

mysql -u test -p --ssl-ca=ssl/ca-cert.pem --ssl-cipher=ALL

Without the ssl-cipher option you get an SSL connection error, because the client and server cannot agree on how to encrypt the connection; the CA certificate is required to activate the SSL connection and to validate the server, AFAICT.

You don’t technically need to use “ALL” for the cipher list; there are a number of choices you can select, but for the purposes of demonstration ALL was the simplest.  Once connected, SHOW STATUS LIKE 'Ssl_cipher' reports the cipher actually negotiated for the session; if it comes back empty, the session is not encrypted.

Part 2 will cover more detailed user restrictions.  This setup only requires that the connection be SSL-encrypted (confidentiality); it does not require the client to present a certificate, so the server has nothing beyond the password to validate the user with (authenticity).

Part 3 will implement replication over SSL.