[horde] Mysql ssl connection problem

Jan Schneider jan at horde.org
Mon Feb 17 09:41:42 UTC 2014


Quoting woj woj <wojnas at gmail.com>:

> 2014-02-16 14:16 GMT+01:00 woj woj <wojnas at gmail.com>:
>
>>
>>
>>
>> 2014-02-16 13:20 GMT+01:00 Erling Preben Hansen <erling at eph.dk>:
>>
>>  Quoting Arjen de Korte <arjen+horde at de-korte.org>:
>>>
>>>
>>>  Quoting woj woj <wojnas at gmail.com>:
>>>>
>>>>  Maybe someone could help me and tell me how to try to debug the problem?
>>>>>
>>>>
>>>> Please do not top post.
>>>>
>>>>  In connection settings I have ssl on, and path to ca certificate.
>>>>>
>>>>
>>>> Is SSL enabled on your MySQL server? What is the output of
>>>>
>>>>   SHOW VARIABLES LIKE 'have_ssl';
>>>>
>>>> in an SQL shell?
>>>>
>>>>  In logs there is no error, but when I check transmission on target host by
>>>>> tcpdump
>>>>> conversation is in clear text.
>>>>>
>>>>
>>>>  2014-02-14 12:06 GMT+01:00 woj woj <wojnas at gmail.com>:
>>>>>
>>>>>  2014-02-14 11:54 GMT+01:00 Jan Schneider <jan at horde.org>:
>>>>>>
>>>>>>  Quoting woj woj <wojnas at gmail.com>:
>>>>>>>
>>>>>>> 2014-02-14 10:02 GMT+01:00 Michael M Slusarz <slusarz at horde.org>:
>>>>>>>
>>>>>>>> Quoting woj woj <wojnas at gmail.com>:
>>>>>>>>
>>>>>>>>> 2014-02-14 9:38 GMT+01:00 Arjen de Korte <arjen+horde at de-korte.org>:
>>>>>>>>>
>>>>>>>>>  Quoting woj woj <wojnas at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I got a problem with ssl connection to mysql server.
>>>>>>>>>>>> It is different server for changing passwords.
>>>>>>>>>>>> I checked horde and httpd log, and everything is all right.
>>>>>>>>>>>> I also checked ssl connection to mysql and it's ok.
>>>>>>>>>>>> Certificate is readable by httpd user
>>>>>>>>>>>>
>>>>>>>>>>>> Here is my config/config.local.php
>>>>>>>>>>>
>>>>>>>>>>> What file is this? As far as I know, the only config/config.php file used
>>>>>>>>>>> by horde is under admin/config/config.php, but this does not contain
>>>>>>>>>>> variables you can override. So what are you attempting to do here?
>>>>>>>>>>>
>>>>>>>>>>>> <?php
>>>>>>>>>>>> $conf['wsql']['username'] = 'username';
>>>>>>>>>>>> $conf['wsql']['password'] = 'password';
>>>>>>>>>>>> $conf['wsql']['hostspec'] = 'srv_addres';
>>>>>>>>>>>> $conf['wsql']['port'] = 3306;
>>>>>>>>>>>> $conf['wsql']['protocol'] = 'tcp';
>>>>>>>>>>>> $conf['wsql']['database'] = 'databasename';
>>>>>>>>>>>> $conf['wsql']['charset'] = 'utf-8';
>>>>>>>>>>>> $conf['wsql']['ssl'] = true;
>>>>>>>>>>>> $conf['wsql']['ca'] = '/patch/to/cert.pem';
>>>>>>>>>>>
>>>>>>>>>>> A certification authority (that's what the 'ca' probably stands for) is
>>>>>>>>>>> not the same as a client certificate. I'm not even sure Horde is able to
>>>>>>>>>>> use client certificates for authentication to a Sql server.
>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['splitread'] = false;
>>>>>>>>>>>> $conf['wsql']['phptype'] = 'mysql';
>>>>>>>>>>>
>>>>>>>>>>> Where is the 'wsql' from? I can't find any references to that in Horde.
>>>>>>>>>>>
>>>>>>>>>>>> P.s. I checked transmission by tcpdump, and everything is in cleartext
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Horde mailing list
>>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>>
>>>>>>>>>>> Arjen thanks for your answer.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have two mysql databases:
>>>>>>>>>> 1. Localhost database for horde (no ssl).
>>>>>>>>>> 2. Remote database on different host to reset passwords and activate
>>>>>>>>>>    vacations. (ssl is mandatory)
>>>>>>>>>>
>>>>>>>>>> I create file config.local.php in horde/config/ with definition for new
>>>>>>>>>> variable for connection to different host.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Horde does not read any config.local.php file.  So that's not going
>>>>>>>>> to
>>>>>>>>> do
>>>>>>>>> anything.
>>>>>>>>>
>>>>>>>>>> In passwd configuration I use my own variable $GLOBALS['conf']['wsql'] for
>>>>>>>>>> configuration, and everything works ok, except ssl connection.
>>>>>>>>>>
>>>>>>>>>> $conf['wsql']['ca'] = is path to bundle ca certificate.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> This won't work either.  You configure a Passwd SQL backend in the
>>>>>>>>> passwd/config/backends.local.php file.
>>>>>>>>>
>>>>>>>>> You can't just start adding random config options to a configuration
>>>>>>>>> file
>>>>>>>>> and expect them to do anything.
>>>>>>>>>
>>>>>>>>> michael
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> ___________________________________
>>>>>>>>> Michael Slusarz [slusarz at horde.org]
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> Ok, I understand.
>>>>>>>> I put everything in passwd/config/backends.local.php
>>>>>>>>
>>>>>>>> Result is the same - any ideas ?
>>>>>>>>
>>>>>>>> <?php
>>>>>>>> $backends['sql'] = array(
>>>>>>>>     'disabled' => false,
>>>>>>>>     'name' => 'Postfix SQL Authentication',
>>>>>>>>     'driver' => 'Sql',
>>>>>>>>     'policy' => array(
>>>>>>>>         'minLength' => 8,
>>>>>>>>         'minNumeric' => 1,
>>>>>>>>         'minUpper' => 1,
>>>>>>>>         'minLower' => 1,
>>>>>>>>         'minSymbol' => 1,
>>>>>>>>     ),
>>>>>>>>     'params' => array(
>>>>>>>>         'phptype' => 'mysql',
>>>>>>>>         'hostspec' => 'srv_addres',
>>>>>>>>         'username' => 'username',
>>>>>>>>         'password' => 'password',
>>>>>>>>         'port' => '3306',
>>>>>>>>         'protocol' => 'tcp',
>>>>>>>>         'database' => 'databasename',
>>>>>>>>         'charset' => 'utf-8',
>>>>>>>>         'ssl' => true,
>>>>>>>>         'ca' => '/patch/to/ca-bundle.pem',
>>>>>>>>         'table' => 'tabelname',
>>>>>>>>         'user_col' => 'username',
>>>>>>>>         'pass_col' => 'password',
>>>>>>>>         'show_encryption' => false,
>>>>>>>>         'encryption' => 'crypt-md5',
>>>>>>>>     ),
>>>>>>>>     'logout' => true,
>>>>>>>> );
>>>>>>>>
>>>>>>>
>>>>>>> Unless I missed something you didn't even say what your problem is.
>>>>>>> --
>>>>>>> Jan Schneider
>>>>>>> The Horde Project
>>>>>>> http://www.horde.org/
>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Of course  - I checked transmission by tcpdump, on my mysql server and
>>>>>> everything is in cleartext.
>>>>>>
>>>>>
>>>>>
>>>>
>>>  Does your sql user have "require ssl" set?
>>>>
>>>> take a look at this:
>>>> https://dev.mysql.com/doc/refman/5.0/en/ssl-connections.html
>>>>
>>>> /erling
>>>>
>>>
>
> Thanks for all your suggestions.
> I have tested ssl connection to mysql from different host.
> User has require ssl option set and I successfully connect to mysql from
> shell:
>
> mysql> \s;
> ....
> Current user:           user at localhost
> SSL:                    Cipher in use is DHE-RSA-AES256-SHA
> ....
>
> mysql> SHOW VARIABLES LIKE 'have_ssl';
> +---------------+-------+
> | Variable_name | Value |
> +---------------+-------+
> | have_ssl      | YES   |
> +---------------+-------+
>
> I also checked connection from remote site with this php script and it's
> ok:
>
> Script:
> <?php
> $link = mysql_connect("ip","test","testpass",false,MYSQL_CLIENT_SSL)
>         or die(mysql_error());
> $res = mysql_query("SHOW STATUS LIKE 'ssl_cipher';",$link);
> print_r(mysql_fetch_row($res));
> echo "Finished.";
> ?>
>
> Result:
>
> php mysqli-ssl.php
> Array
> (
> [0] => Ssl_cipher
> [1] => DHE-RSA-AES256-SHA
> )
>
> The problem is when I use ssl option in horde.
> Maybe it is the problem with wildcard certificate on mysql server
> *.domain.name?

Taking a look at the Horde_Db code, it looks as if only the MySQLi
driver is supporting SSL connections.
-- 
Jan Schneider
The Horde Project
http://www.horde.org/
https://www.facebook.com/hordeproject
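
Added example (not part of the original message and not Horde code): a stand-alone check that opens the connection through the mysqli extension, the driver the reply above says supports SSL, and reads Ssl_cipher to confirm the session is encrypted. The host, account and CA path are placeholders.

```php
<?php
// Added example, not Horde code. Host, account and CA path are placeholders.

/**
 * Connect with the mysqli extension over TLS and report the negotiated cipher.
 * An empty Ssl_cipher value means the session is NOT encrypted.
 */
function check_mysql_tls(string $host, string $user, string $pass,
                         string $caFile, int $port = 3306): array
{
    // The CA bundle must be readable by the user PHP runs as (e.g. httpd).
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }

    // Turn connection and query failures into exceptions instead of warnings.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $db = mysqli_init();
    // Arguments: key, cert, ca, capath, cipher. Only the CA is supplied;
    // no client key or client certificate is used.
    $db->ssl_set(null, null, $caFile, null, null);
    $db->real_connect($host, $user, $pass, null, $port, null, MYSQLI_CLIENT_SSL);

    // Same status variable the test script in the thread queried.
    $row = $db->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_row();
    $cipher = $row[1] ?? '';
    $db->close();

    return ['encrypted' => $cipher !== '', 'cipher' => $cipher];
}

try {
    $result = check_mysql_tls('db.example.invalid', 'test', 'testpass',
                              '/path/to/ca-bundle.pem');
    if ($result['encrypted']) {
        echo "TLS in use, cipher: {$result['cipher']}\n";
        exit(0);
    }
    echo "Connected, but the session is in cleartext\n";
    exit(1);
} catch (Throwable $e) {
    fwrite(STDERR, "Check failed: " . $e->getMessage() . "\n");
    exit(2);
}
```

Run it as the web server user so the CA file readability check reflects what the web application would see.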


