[horde] Mysql ssl connection problem

woj woj wojnas at gmail.com
Sun Feb 16 13:18:53 UTC 2014


2014-02-16 14:16 GMT+01:00 woj woj <wojnas at gmail.com>:

>
>
>
> 2014-02-16 13:20 GMT+01:00 Erling Preben Hansen <erling at eph.dk>:
>
>  Citat af Arjen de Korte <arjen+horde at de-korte.org>:
>>
>>
>>  Citeren woj woj <wojnas at gmail.com>:
>>>
>>>  Maybe someone could help me and tell me how to try to debug the problem?
>>>>
>>>
>>> Please do not top post.
>>>
>>>  In connection settings I have ssl on, and the path to the ca certificate.
>>>>
>>>
>>> Is SSL enabled on your MySQL server? What is the output of
>>>
>>>   SHOW VARIABLES LIKE 'have_ssl';
>>>
>>> in an SQL shell?
>>>
>>>  There is no error in the logs, but when I check the transmission on the
>>>> target host with tcpdump, the conversation is in clear text.
>>>>
>>>
>>>  2014-02-14 12:06 GMT+01:00 woj woj <wojnas at gmail.com>:
>>>>
>>>>  2014-02-14 11:54 GMT+01:00 Jan Schneider <jan at horde.org>:
>>>>>
>>>>>  Zitat von woj woj <wojnas at gmail.com>:
>>>>>>
>>>>>> 2014-02-14 10:02 GMT+01:00 Michael M Slusarz <slusarz at horde.org>:
>>>>>>
>>>>>>> Quoting woj woj <wojnas at gmail.com>:
>>>>>>>
>>>>>>>> 2014-02-14 9:38 GMT+01:00 Arjen de Korte <arjen+horde at de-korte.org>:
>>>>>>>>
>>>>>>>>  Citeren woj woj <wojnas at gmail.com>:
>>>>>>>>>
>>>>>>>>>  Hello,
>>>>>>>>>>
>>>>>>>>>> I got a problem with the ssl connection to the mysql server.
>>>>>>>>>>
>>>>>>>>>>> It is a different server for changing passwords.
>>>>>>>>>>> I checked the horde and httpd logs, and everything is all right.
>>>>>>>>>>> I also checked the ssl connection to mysql and it's ok.
>>>>>>>>>>> The certificate is readable by the httpd user.
>>>>>>>>>>>
>>>>>>>>>>> Here is my config/config.local.php
>>>>>>>>>>>
>>>>>>>>>> What file is this? As far as I know, the only config/config.php file
>>>>>>>>>> used by horde is under admin/config/config.php, but this does not
>>>>>>>>>> contain variables you can override. So what are you attempting to do
>>>>>>>>>> here?
>>>>>>>>>>
>>>>>>>>>> <?php
>>>>>>>>>>
>>>>>>>>>> $conf['wsql']['username'] = 'username';
>>>>>>>>>>
>>>>>>>>>>> $conf['wsql']['password'] = 'password';
>>>>>>>>>>> $conf['wsql']['hostspec'] = 'srv_addres';
>>>>>>>>>>> $conf['wsql']['port'] = 3306;
>>>>>>>>>>> $conf['wsql']['protocol'] = 'tcp';
>>>>>>>>>>> $conf['wsql']['database'] = 'databasename';
>>>>>>>>>>> $conf['wsql']['charset'] = 'utf-8';
>>>>>>>>>>> $conf['wsql']['ssl'] = true;
>>>>>>>>>>> $conf['wsql']['ca'] = '/patch/to/cert.pem';
>>>>>>>>>>>
>>>>>>>>>> A certification authority (that's what the 'ca' probably stands for)
>>>>>>>>>> is not the same as a client certificate. I'm not even sure Horde is
>>>>>>>>>> able to use client certificates for authentication to a Sql server.
>>>>>>>>>>
>>>>>>>>>> $conf['wsql']['splitread'] = false;
>>>>>>>>>>
>>>>>>>>>> $conf['wsql']['phptype'] = 'mysql';
>>>>>>>>>>
>>>>>>>>>> Where is the 'wsql' from? I can't find any references to that in
>>>>>>>>>> Horde.
>>>>>>>>>>
>>>>>>>>>> P.s. I checked transmission by tcpdump, and everything is in
>>>>>>>>>> cleartext
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Horde mailing list
>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>
>>>>>>>>>> Arjen thanks for your answer.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have two mysql databases:
>>>>>>>>> 1. Localhost database for horde (no ssl).
>>>>>>>>> 2. Remote database on a different host to reset passwords and activate
>>>>>>>>>    vacations. (ssl is mandatory)
>>>>>>>>>
>>>>>>>>> I created the file config.local.php in horde/config/ with a definition
>>>>>>>>> for a new variable for the connection to the different host.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> Horde does not read any config.local.php file.  So that's not going
>>>>>>>> to do anything.
>>>>>>>>
>>>>>>>>> In the passwd configuration I use my own variable
>>>>>>>>> $GLOBALS['conf']['wsql'] for configuration, and everything works ok,
>>>>>>>>> except the ssl connection.
>>>>>>>>>
>>>>>>>>> $conf['wsql']['ca'] is the path to the bundle ca certificate.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> This won't work either.  You configure a Passwd SQL backend in the
>>>>>>>> passwd/config/backends.local.php file.
>>>>>>>>
>>>>>>>> You can't just start adding random config options to a configuration
>>>>>>>> file and expect them to do anything.
>>>>>>>>
>>>>>>>> michael
>>>>>>>> --
>>>>>>>>
>>>>>>>> ___________________________________
>>>>>>>> Michael Slusarz [slusarz at horde.org]
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Ok, I understand.
>>>>>>> I put everything in passwd/config/backends.local.php
>>>>>>>
>>>>>>> The result is the same - any ideas?
>>>>>>>
>>>>>>> <?php
>>>>>>>    $backends['sql'] = array(
>>>>>>>    'disabled' => false,
>>>>>>>    'name' => 'Postfix SQL Authentication',
>>>>>>>    'driver' => 'Sql',
>>>>>>>    'policy' => array(
>>>>>>>        'minLength' => 8,
>>>>>>>        'minNumeric' => 1,
>>>>>>>        'minUpper' => 1,
>>>>>>>        'minLower' => 1,
>>>>>>>        'minSymbol' => 1,
>>>>>>>    ),
>>>>>>>    'params' => array(
>>>>>>>                        'phptype' => 'mysql',
>>>>>>>                        'hostspec' => 'srv_addres',
>>>>>>>                        'username' => 'username',
>>>>>>>                        'password' => 'password',
>>>>>>>                        'port' => '3306',
>>>>>>>                        'protocol' => 'tcp',
>>>>>>>                        'database' => 'databasename',
>>>>>>>                        'charset' => 'utf-8',
>>>>>>>                        'ssl' => true,
>>>>>>>                        'ca' => '/patch/to/ca-bundle.pem',
>>>>>>>            'table' => 'tabelname',
>>>>>>>            'user_col' => 'username',
>>>>>>>            'pass_col' => 'password',
>>>>>>>            'show_encryption' => false,
>>>>>>>            'encryption' => 'crypt-md5',
>>>>>>>    ),
>>>>>>>    'logout' => true,
>>>>>>> );
>>>>>>>
>>>>>>
>>>>>> Unless I missed something you didn't even say what your problem is.
>>>>>> --
>>>>>> Jan Schneider
>>>>>> The Horde Project
>>>>>> http://www.horde.org/
>>>>>> https://www.facebook.com/hordeproject
>>>>>>
>>>>>
>>>>> Of course  - I checked transmission by tcpdump, on my mysql server and
>>>>> everything is in cleartext.
>>>>>
>>>>
>>>
>>> Does your sql user have "require ssl" set?
>>>
>>> take a look at this:
>>> https://dev.mysql.com/doc/refman/5.0/en/ssl-connections.html
>>>
>>> /erling
>>>

Thanks for all your suggestions.
I have tested the ssl connection to mysql from a different host.
The user has the require ssl option set and I successfully connect to mysql
from the shell:

mysql> \s;
....
Current user:           user at localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
....

mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+

I also checked the connection from the remote site with this php script and
it's ok:

Script:
<?php
$link = mysql_connect("ip","test","testpass",false,MYSQL_CLIENT_SSL)
        or die(mysql_error());
$res = mysql_query("SHOW STATUS LIKE 'ssl_cipher';",$link);
print_r(mysql_fetch_row($res));
echo "Finished.";
?>

Result:

php mysqli-ssl.php
Array
(
[0] => Ssl_cipher
[1] => DHE-RSA-AES256-SHA
)

The problem is when I use the ssl option in horde.
Maybe it is a problem with the wildcard certificate on the mysql server,
*.domain.name?
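
Added example (not part of the original message, and not Horde or MySQL project code): the tcpdump check described in this thread can be made precise by looking at the first packet the client sends after the server greeting. A client that negotiates TLS sends a bare 32-byte SSLRequest with the CLIENT_SSL capability bit set; a client that does not sends its full login packet, user name included, in clear. The function names and the two sample packets are constructed for this example.

```python
import struct

CLIENT_PROTOCOL_41 = 0x0200  # 4.1+ handshake layout
CLIENT_SSL = 0x0800          # client asks to switch to TLS before logging in


def classify_client_packet(data: bytes) -> dict:
    """Classify the first client-to-server MySQL packet seen in a capture."""
    if len(data) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(data[0:3], "little")   # 3-byte payload length
    seq = data[3]                                  # sequence id (1 after greeting)
    payload = data[4:4 + length]
    if length < 32 or len(payload) < length:
        raise ValueError("truncated or pre-4.1 payload")
    # Fixed 32-byte prefix: capabilities, max packet size, charset, 23 filler bytes.
    caps, _max_packet, _charset = struct.unpack_from("<IIB", payload, 0)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("not a protocol 4.1 handshake response")
    if caps & CLIENT_SSL and length == 32:
        # SSLRequest: nothing but the prefix; the TLS handshake follows.
        return {"seq": seq, "kind": "SSLRequest", "tls": True, "user": None}
    # Full login packet visible on the wire: the session is not encrypted.
    end = payload.find(b"\x00", 32)
    user = payload[32:end if end != -1 else None].decode("utf-8", "replace")
    return {"seq": seq, "kind": "HandshakeResponse41", "tls": False, "user": user}


def _packet(payload: bytes, seq: int = 1) -> bytes:
    """Wrap a payload in the MySQL packet header (constructed sample data)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def _prefix(caps: int) -> bytes:
    """Build the fixed 32-byte prefix with the given capability flags."""
    return struct.pack("<IIB", caps, 1 << 24, 33) + bytes(23)


# Constructed samples, not captured traffic.
SSL_REQUEST = _packet(_prefix(CLIENT_PROTOCOL_41 | CLIENT_SSL))
CLEAR_LOGIN = _packet(_prefix(CLIENT_PROTOCOL_41) + b"test\x00" + b"\x00")

if __name__ == "__main__":
    for name, pkt in (("ssl", SSL_REQUEST), ("clear", CLEAR_LOGIN)):
        print(name, classify_client_packet(pkt))
```

Feed it the TCP payload of the first client packet on port 3306; a result of HandshakeResponse41 means the application never asked for TLS, whatever its configuration file says.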

