[horde] Mysql ssl connection problem
woj woj
wojnas at gmail.com
Wed Feb 19 06:45:13 UTC 2014
2014-02-17 10:41 GMT+01:00 Jan Schneider <jan at horde.org>:
>
> Zitat von woj woj <wojnas at gmail.com>:
>
> 2014-02-16 14:16 GMT+01:00 woj woj <wojnas at gmail.com>:
>>
>>
>>>
>>>
>>> 2014-02-16 13:20 GMT+01:00 Erling Preben Hansen <erling at eph.dk>:
>>>
>>> Citat af Arjen de Korte <arjen+horde at de-korte.org>:
>>>
>>>>
>>>>
>>>> Citeren woj woj <wojnas at gmail.com>:
>>>>
>>>>>
>>>>> Maybe someone could help me and tell me how to try to debug the problem?
>>>>>
>>>>>>
>>>>>>
>>>>> Please do not top post.
>>>>>
>>>>> In the connection settings I have ssl on, and the path to the CA certificate.
>>>>>
>>>>>>
>>>>>>
>>>>> Is SSL enabled on your MySQL server? What is the output of
>>>>>
>>>>> SHOW VARIABLES LIKE 'have_ssl';
>>>>>
>>>>> in an SQL shell?
>>>>>
>>>>> In the logs there is no error, but when I check the transmission on the
>>>>> target host with tcpdump, the conversation is in clear text.
>>>>>>
>>>>>>
>>>>> 2014-02-14 12:06 GMT+01:00 woj woj <wojnas at gmail.com>:
>>>>>
>>>>>>
>>>>>> 2014-02-14 11:54 GMT+01:00 Jan Schneider <jan at horde.org>:
>>>>>>
>>>>>>>
>>>>>>> Zitat von woj woj <wojnas at gmail.com>:
>>>>>>>
>>>>>>>>
>>>>>>>> 2014-02-14 10:02 GMT+01:00 Michael M Slusarz <slusarz at horde.org>:
>>>>>>>>
>>>>>>>> Quoting woj woj <wojnas at gmail.com>:
>>>>>>>>>
>>>>>>>>> 2014-02-14 9:38 GMT+01:00 Arjen de Korte <arjen+horde at de-korte.org>:
>>>>>>>>>>
>>>>>>>>>> Citeren woj woj <wojnas at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I got a problem with the ssl connection to the mysql server.
>>>>>>>>>>>>
>>>>>>>>>>>> It is a different server for changing passwords.
>>>>>>>>>>>>> I checked the horde and httpd logs, and everything is all right.
>>>>>>>>>>>>> I also checked the ssl connection to mysql and it's ok.
>>>>>>>>>>>>> The certificate is readable by the httpd user.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is my config/config.local.php
>>>>>>>>>>>>>
>>>>>>>>>>>> What file is this? As far as I know, the only config/config.php
>>>>>>>>>>>> file used by horde is under admin/config/config.php, but this does
>>>>>>>>>>>> not contain variables you can override. So what are you attempting
>>>>>>>>>>>> to do here?
>>>>>>>>>>>>
>>>>>>>>>>>> <?php
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['username'] = 'username';
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['password'] = 'password';
>>>>>>>>>>>>> $conf['wsql']['hostspec'] = 'srv_addres';
>>>>>>>>>>>>> $conf['wsql']['port'] = 3306;
>>>>>>>>>>>>> $conf['wsql']['protocol'] = 'tcp';
>>>>>>>>>>>>> $conf['wsql']['database'] = 'databasename';
>>>>>>>>>>>>> $conf['wsql']['charset'] = 'utf-8';
>>>>>>>>>>>>> $conf['wsql']['ssl'] = true;
>>>>>>>>>>>>> $conf['wsql']['ca'] = '/patch/to/cert.pem';
>>>>>>>>>>>>>
>>>>>>>>>>>> A certification authority (that's what the 'ca' probably stands
>>>>>>>>>>>> for) is not the same as a client certificate. I'm not even sure
>>>>>>>>>>>> Horde is able to use client certificates for authentication to a
>>>>>>>>>>>> Sql server.
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['splitread'] = false;
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['phptype'] = 'mysql';
>>>>>>>>>>>>
>>>>>>>>>>>> Where is the 'wsql' from? I can't find any references to that
>>>>>>>>>>>> in Horde.
>>>>>>>>>>>>
>>>>>>>>>>>> P.s. I checked transmission by tcpdump, and everything is in
>>>>>>>>>>>> cleartext
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Horde mailing list
>>>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>>>
>>>>>>>>>>>> Arjen thanks for your answer.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> I have two mysql databases:
>>>>>>>>>>> 1. Localhost database for horde (no ssl).
>>>>>>>>>>> 2. Remote database on different host to reset passwords and
>>>>>>>>>>> activate vacations. (ssl is mandatory)
>>>>>>>>>>>
>>>>>>>>>>> I create file config.local.php in horde/config/ with definition
>>>>>>>>>>> for new variable for connection to different host.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Horde does not read any config.local.php file. So that's not
>>>>>>>>>> going to do anything.
>>>>>>>>>>
>>>>>>>>>> In the passwd configuration I use my own variable
>>>>>>>>>>
>>>>>>>>>> $GLOBALS['conf']['wsql']
>>>>>>>>>>
>>>>>>>>>> for configuration, and everything works ok, except the ssl connection.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> $conf['wsql']['ca'] = is the path to the CA certificate bundle.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> This won't work either. You configure a Passwd SQL backend in the
>>>>>>>>>> passwd/config/backends.local.php file.
>>>>>>>>>>
>>>>>>>>>> You can't just start adding random config options to a
>>>>>>>>>> configuration file and expect them to do anything.
>>>>>>>>>>
>>>>>>>>>> michael
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> ___________________________________
>>>>>>>>>> Michael Slusarz [slusarz at horde.org]
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Ok, I understand.
>>>>>>>>> I put everything in passwd/config/backends.local.php
>>>>>>>>>
>>>>>>>>> Result is the same - any ideas ?
>>>>>>>>>
>>>>>>>>> <?php
>>>>>>>>> $backends['sql'] = array(
>>>>>>>>> 'disabled' => false,
>>>>>>>>> 'name' => 'Postfix SQL Authentication',
>>>>>>>>> 'driver' => 'Sql',
>>>>>>>>> 'policy' => array(
>>>>>>>>> 'minLength' => 8,
>>>>>>>>> 'minNumeric' => 1,
>>>>>>>>> 'minUpper' => 1,
>>>>>>>>> 'minLower' => 1,
>>>>>>>>> 'minSymbol' => 1,
>>>>>>>>> ),
>>>>>>>>> 'params' => array(
>>>>>>>>> 'phptype' => 'mysql',
>>>>>>>>> 'hostspec' => 'srv_addres',
>>>>>>>>> 'username' => 'username',
>>>>>>>>> 'password' => 'password',
>>>>>>>>> 'port' => '3306',
>>>>>>>>> 'protocol' => 'tcp',
>>>>>>>>> 'database' => 'databasename',
>>>>>>>>> 'charset' => 'utf-8',
>>>>>>>>> 'ssl' => true,
>>>>>>>>> 'ca' => '/patch/to/ca-bundle.pem',
>>>>>>>>> 'table' => 'tabelname',
>>>>>>>>> 'user_col' => 'username',
>>>>>>>>> 'pass_col' => 'password',
>>>>>>>>> 'show_encryption' => false,
>>>>>>>>> 'encryption' => 'crypt-md5',
>>>>>>>>> ),
>>>>>>>>> 'logout' => true,
>>>>>>>>> );
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Unless I missed something you didn't even say what your problem is.
>>>>>>>> --
>>>>>>>> Jan Schneider
>>>>>>>> The Horde Project
>>>>>>>> http://www.horde.org/
>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Of course - I checked transmission by tcpdump, on my mysql server
>>>>>>> and everything is in cleartext.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>> Does your sql user have "require ssl" set?
>>>>>
>>>>> take a look at this:
>>>>> https://dev.mysql.com/doc/refman/5.0/en/ssl-connections.html
>>>>>
>>>>> /erling
>>>>>
>>>>
>> Thanks for all your suggestions.
>> I have tested the ssl connection to mysql from a different host.
>> The user has the require ssl option set and I successfully connect to mysql
>> from the shell:
>>
>> mysql> \s;
>> ....
>> Current user: user at localhost
>> SSL: Cipher in use is DHE-RSA-AES256-SHA
>> ....
>>
>> mysql> SHOW VARIABLES LIKE 'have_ssl';
>> +---------------+-------+
>> | Variable_name | Value |
>> +---------------+-------+
>> | have_ssl | YES |
>> +---------------+-------+
>>
>> I also checked the connection from the remote site with this php script and
>> it's ok:
>>
>> Script:
>> <?php
>> $link = mysql_connect("ip","test","testpass",false,MYSQL_CLIENT_SSL)
>> or die(mysql_error());
>> $res = mysql_query("SHOW STATUS LIKE 'ssl_cipher';",$link);
>> print_r(mysql_fetch_row($res));
>> echo "Finished.";
>> ?>
>>
>> Result:
>>
>> php mysqli-ssl.php
>> Array
>> (
>> [0] => Ssl_cipher
>> [1] => DHE-RSA-AES256-SHA
>> )
>>
>> The problem is when I use ssl option in horde.
>> Maybe it is the problem with wildcard certificate on mysql server *.
>> domain.name ?
>>
>
> Taking a look at the Horde_Db code, it looks as if only the MySQLi driver
> is supporting SSL connections.
>
> --
> Jan Schneider
> The Horde Project
> http://www.horde.org/
> https://www.facebook.com/hordeproject
>
>
Thanks Jan for your suggestion.
I changed the php driver to mysqli and used the instructions from
/usr/share/pear/Horde/Db/Adapter/Mysqli.php:

    $config = array(
        'username' => 'someuser',
        'password' => 'apasswd',
        'hostspec' => 'localhost',
        'database' => 'thedb',
        'ssl' => array(
            'key' => 'client-key.pem',
            'cert' => 'client-cert.pem',
            'ca' => 'cacert.pem',
            'capath' => '/path/to/ca/dir',
        ),
    );
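The thread's underlying lesson is that a PHP application can request SSL and still end up talking to MySQL in cleartext, and nothing on the application side complains until someone runs tcpdump. The following script is an added example, not code from this thread or from Horde: it opens a mysqli connection with a CA bundle, asks the server to verify its certificate, and then checks the negotiated `Ssl_cipher` itself, refusing to continue if the session turned out to be plaintext. The host, credentials, database name and CA path are placeholders.

```php
<?php
// Added example (not from the thread or from Horde_Db): connect to MySQL via
// mysqli with a CA certificate, require TLS, and fail closed if the server
// reports an empty Ssl_cipher, so a silent cleartext fallback is caught at
// connect time rather than discovered later on the wire.
//
// Placeholder connection details (assumed); replace with your own.
const DB_HOST = 'db.example.invalid';
const DB_PORT = 3306;
const DB_USER = 'test';
const DB_PASS = 'testpass';
const DB_NAME = 'databasename';
const CA_FILE = '/path/to/ca-bundle.pem';

function connectRequireTls(): mysqli
{
    $db = mysqli_init();
    if ($db === false) {
        throw new RuntimeException('mysqli_init() failed');
    }

    // Only the CA is configured here: this verifies the *server* certificate.
    // A client certificate (key/cert) is a separate thing and is only needed
    // if the server account is set up to require one.
    $db->ssl_set(null, null, CA_FILE, null, null);

    // Make the client check the server certificate against the CA bundle
    // instead of merely encrypting to whatever certificate is presented.
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

    if (!$db->real_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME, DB_PORT, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }

    // Ask the server which cipher this session actually negotiated. An empty
    // value means the session is plaintext even though SSL was requested.
    $cipher = negotiatedCipher($db);
    if ($cipher === '') {
        $db->close();
        throw new RuntimeException('connection is not encrypted; refusing to continue');
    }
    return $db;
}

// Returns the session's Ssl_cipher status value, or '' when there is none.
function negotiatedCipher(mysqli $db): string
{
    $res = $db->query("SHOW STATUS LIKE 'Ssl_cipher'");
    if ($res === false) {
        throw new RuntimeException('query failed: ' . $db->error);
    }
    $row = $res->fetch_row();
    $res->free();
    return ($row === null || $row === false) ? '' : (string) $row[1];
}

// Usage: exit non-zero unless the session is verified and encrypted.
try {
    $db = connectRequireTls();
    echo 'TLS cipher in use: ' . negotiatedCipher($db) . PHP_EOL;
    $db->close();
} catch (RuntimeException $e) {
    // mysqli_sql_exception (thrown when mysqli report mode is exceptions)
    // extends RuntimeException, so it is caught here as well.
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

The `SHOW STATUS LIKE 'Ssl_cipher'` check is the same one the thread used by hand; doing it in code right after `real_connect()` turns the tcpdump finding into an immediate, loud failure. If the poster's wildcard-certificate suspicion is right, enabling `MYSQLI_OPT_SSL_VERIFY_SERVER_CERT` is also what would surface a hostname mismatch as a connect error instead of a quiet downgrade.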