4.3.9.2 Требования

Для того чтобы SSL-соединения могли работать с MySQL, необходимо выполнить следующие действия:

1. Установите библиотеку OpenSSL. Тестирование MySQL производилось с библиотекой OpenSSL 0.9.6. http://www.openssl.org/.
2. Выполните настройку компиляции MySQL (configure) при помощи параметров --with-vio --with-openssl.
3. Если используется старая версия MySQL, то необходимо обновить таблицу mysql.user путем добавления в нее определенных новых столбцов. Это можно сделать, запустив скрипт mysql_fix_privilege_tables.sh.
4. Проверить, скомпилирована ли в запущенном сервере mysqld библиотека OpenSSL можно, убедившись, что SHOW VARIABLES LIKE 'have_openssl' показывает YES.

User Comments

How about something here about changing a user's passwd with mysqladmin ?
I hate the idea of passwords appearing on screen. I would expect to be able to
create a user and then get them to set their passwd, possibly using my
terminal. They don't want to type in their passwd so I can see it and I certainly
don't want them to !

Hmm, this is not exactly an OpenBSD bug, it is more a portabitility problem. Nontheless, the solution is to compile mysql with pth-threads. To do so:

cd /usr/ports/databases/mysql/;
make FLAVOR=pth install

I used password('mypassword') function in my own
user table for an application. It works great
for storing passwords and not having clear text
in the table. Next if your user forgets the
password, to my knowledge you cannot reverse the
password() function, you have to reset the
password for the user and email them the new
password.

For those using GRANT/REVOKE with user@FQDN-style
access rights - beware, as upgrading will require
you to write the user part as
'user@"host.example.com"'
where before '[email protected]' worked fine.
I haven't seen this mentioned anywhere else.

Surely it would be quite handy to give examples
of how to give privilidges by database, table,
etc. The above examples only illustrate how to
give someone control over all my tables. Now why
would I want to do that more than once or twice?
I cannot work out how to grant a user permission
to look at only certain databases!

So now after trial and error (AGAIN!) I have
found that to give select and insert
privilelidges to someone for a database you use
the following:
GRANT SELECT,INSERT ON database.* TO user@host

The * refers to all tables on the named
database. If you want to limit things to a
specific table on the database I think you just
put the table name in place of the *. But I
think you may need to do the command with the *
first but with USAGE instead of SELECT,INSERT and
THEN give the SELECT,INSERT priviliges for the
table. I am confused about this, and sorry I
can't make myself clearer!

I'm missing any explanation as to *how* one
turns on an encrypted transmission between
client and server.

I think that these ssl pages dont help at all... they just say to do --with-vio and --with-openssl, they dont say that you have to put a path to openssl, because i have tried with the ssl include path, the ssl base path, the bin path and every path i could think of and still nothing, and to know that you finally made it just look for the have_ssl=yes variable, that is pretty ugly because every time it says no you have to try all over again to configure and compile it and it gets very frustrating. That doesnt help at all, its almost like they dont want to include SSL.
These pages are no help at all and they dont say almost anything about SSL with mySQL, hope they fix this pretty soon and really document and add help for this.

I think that this ssl pages dont help at all...
they just say to do --with-vio and --with-
openssl, they dont say that you have to put a
path to openssl because i have tried with the
ssl include path, the ssl base path, the bin
path and every path i could think of and still
nothing, and to know that you finally made it
just look for the have_ssl=yes variable. That
doesnt help at all, its almost like they dont
want to include SSL at all.
These pages are no help at all and they dont
say almost anything about SSL with mySQL,
hope they fix this pretty soon and really
document and add help for this

You can configure a C API client to use SSL.
Just add CLIENT_SSL (no quotes) as the
db_flags argument to mysql_real_connect().
Recompile, and voila!

As far as I can tell, you can't use the mysql
Monitor to do SSL (but you may know better!). I
also don't know how to make a secure
connection from PHP or Perl.

For all those who would like to use this on windows... :)

Here's how to do it in Visual Studio:

Download the source, and load it in VS. Go to the Properties of mysqld, and where you can add Define statements, add HAVE_VIO and HAVE_OPENSSL (not WITH_OPENSSL). then compile the mysqld project, and you're done!

After half a day compilation, I enabled ssl on server. But, how do I start mysql-client with ssl?

philip

Add your own comment.