[horde] Mysql ssl connection problem

woj woj wojnas at gmail.com
Wed Feb 19 06:45:13 UTC 2014


2014-02-17 10:41 GMT+01:00 Jan Schneider <jan at horde.org>:

>
> Zitat von woj woj <wojnas at gmail.com>:
>
>  2014-02-16 14:16 GMT+01:00 woj woj <wojnas at gmail.com>:
>>
>>
>>>
>>>
>>> 2014-02-16 13:20 GMT+01:00 Erling Preben Hansen <erling at eph.dk>:
>>>
>>>  Citat af Arjen de Korte <arjen+horde at de-korte.org>:
>>>
>>>>
>>>>
>>>>  Citeren woj woj <wojnas at gmail.com>:
>>>>
>>>>>
>>>>>  Maybe someone could help me and tell me how to try to debug the problem?
>>>>>
>>>>>>
>>>>>>
>>>>> Please do not top post.
>>>>>
>>>>>  In connection settings I have ssl on, and path to CA certificate.
>>>>>
>>>>>>
>>>>>>
>>>>> Is SSL enabled on your MySQL server? What is the output of
>>>>>
>>>>>   SHOW VARIABLES LIKE 'have_ssl';
>>>>>
>>>>> in an SQL shell?
>>>>>
>>>>>  In logs there is no error, but when I check transmission on target host by
>>>>>
>>>>>> tcpdump
>>>>>> conversation is in clear text.
>>>>>>
>>>>>>
>>>>>  2014-02-14 12:06 GMT+01:00 woj woj <wojnas at gmail.com>:
>>>>>
>>>>>>
>>>>>>  2014-02-14 11:54 GMT+01:00 Jan Schneider <jan at horde.org>:
>>>>>>
>>>>>>>
>>>>>>>  Zitat von woj woj <wojnas at gmail.com>:
>>>>>>>
>>>>>>>>
>>>>>>>> 2014-02-14 10:02 GMT+01:00 Michael M Slusarz <slusarz at horde.org>:
>>>>>>>>
>>>>>>>>  Quoting woj woj <wojnas at gmail.com>:
>>>>>>>>>
>>>>>>>>>  2014-02-14 9:38 GMT+01:00 Arjen de Korte <
>>>>>>>>>> arjen+horde at de-korte.org
>>>>>>>>>> >:
>>>>>>>>>>
>>>>>>>>>>  Citeren woj woj <wojnas at gmail.com>:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>  Hello,
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I got a problem with ssl connection to mysql server.
>>>>>>>>>>>>
>>>>>>>>>>>>  It is different server for changing passwords.
>>>>>>>>>>>>> I checked horde and httpd log, and everything is all right.
>>>>>>>>>>>>> I also checked ssl connection to mysql and it's ok.
>>>>>>>>>>>>> Certificate is readable by httpd user
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is my config/config.local.php
>>>>>>>>>>>>>
>>>>>>>>>>>>> What file is this? As far as I know, the only config/config.php
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> file used
>>>>>>>>>>>> by horde is under admin/config/config.php, but this does not
>>>>>>>>>>>> contain
>>>>>>>>>>>> variables you can override. So what are you attempting to do
>>>>>>>>>>>> here?
>>>>>>>>>>>>
>>>>>>>>>>>> <?php
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['username'] = 'username';
>>>>>>>>>>>>
>>>>>>>>>>>>  $conf['wsql']['password'] = 'password';
>>>>>>>>>>>>> $conf['wsql']['hostspec'] = 'srv_addres';
>>>>>>>>>>>>> $conf['wsql']['port'] = 3306;
>>>>>>>>>>>>> $conf['wsql']['protocol'] = 'tcp';
>>>>>>>>>>>>> $conf['wsql']['database'] = 'databasename';
>>>>>>>>>>>>> $conf['wsql']['charset'] = 'utf-8';
>>>>>>>>>>>>> $conf['wsql']['ssl'] = true;
>>>>>>>>>>>>> $conf['wsql']['ca'] = '/patch/to/cert.pem';
>>>>>>>>>>>>>
>>>>>>>>>>>>> A certification authority (that's what the 'ca' probably stands
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> for) is
>>>>>>>>>>>> not the same as a client certificate. I'm not even sure Horde is
>>>>>>>>>>>> able
>>>>>>>>>>>> to
>>>>>>>>>>>> use client certificates for authentication to a Sql server.
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['splitread'] = false;
>>>>>>>>>>>>
>>>>>>>>>>>> $conf['wsql']['phptype'] = 'mysql';
>>>>>>>>>>>>
>>>>>>>>>>>>  Where is the 'wsql' from? I can't find any references to that
>>>>>>>>>>>>> in
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> Horde.
>>>>>>>>>>>>
>>>>>>>>>>>> P.s. I checked transmission by tcpdump, and everything is in
>>>>>>>>>>>> cleartext
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Horde mailing list
>>>>>>>>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>>>>>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>>>>>>>>>
>>>>>>>>>>>> Arjen thanks for your answer.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> I have two mysql databases:
>>>>>>>>>>> 1. Localhost database for horde (no ssl).
>>>>>>>>>>> 2. Remote database on different host to reset passwords and
>>>>>>>>>>>
>>>>>>>>>>>  activate
>>>>>>>>>>
>>>>>>>>>
>>>>    vacations. (ssl is mandatory)
>>>>>
>>>>>>
>>>>>>>>>>> I create file config.local.php in horde/config/  with definition
>>>>>>>>>>>
>>>>>>>>>>>  for
>>>>>>>>>>
>>>>>>>>>
>>>>    new
>>>>>
>>>>>> variable for connection to different host.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Horde does not read any config.local.php file.  So that's not
>>>>>>>>>> going
>>>>>>>>>> to
>>>>>>>>>> do
>>>>>>>>>> anything.
>>>>>>>>>>
>>>>>>>>>> In passwd configuration I use my own variable
>>>>>>>>>>
>>>>>>>>>>  $GLOBALS['conf']['wsql']
>>>>>>>>>
>>>>>>>>
>>>>   for
>>>>>
>>>>>>
>>>>>>>>>>  configuration, and everything works ok, except ssl connection.
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> $conf['wsql']['ca'] = is path to bundle CA certificate.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> This won't work either.  You configure a Passwd SQL backend in the
>>>>>>>>>> passwd/config/backends.local.php file.
>>>>>>>>>>
>>>>>>>>>> You can't just start adding random config options to a
>>>>>>>>>> configuration
>>>>>>>>>> file
>>>>>>>>>> and expect them to do anything.
>>>>>>>>>>
>>>>>>>>>> michael
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> ___________________________________
>>>>>>>>>> Michael Slusarz [slusarz at horde.org]
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Ok, I understand.
>>>>>>>>> I put everything in passwd/config/backends.local.php
>>>>>>>>>
>>>>>>>>> Result is the same - any ideas ?
>>>>>>>>>
>>>>>>>>> <?php
>>>>>>>>>    $backends['sql'] = array(
>>>>>>>>>    'disabled' => false,
>>>>>>>>>    'name' => 'Postfix SQL Authentication',
>>>>>>>>>    'driver' => 'Sql',
>>>>>>>>>    'policy' => array(
>>>>>>>>>        'minLength' => 8,
>>>>>>>>>        'minNumeric' => 1,
>>>>>>>>>        'minUpper' => 1,
>>>>>>>>>        'minLower' => 1,
>>>>>>>>>        'minSymbol' => 1,
>>>>>>>>>    ),
>>>>>>>>>    'params' => array(
>>>>>>>>>                        'phptype' => 'mysql',
>>>>>>>>>                        'hostspec' => 'srv_addres',
>>>>>>>>>                        'username' => 'username',
>>>>>>>>>                        'password' => 'password',
>>>>>>>>>                        'port' => '3306',
>>>>>>>>>                        'protocol' => 'tcp',
>>>>>>>>>                        'database' => 'databasename',
>>>>>>>>>                        'charset' => 'utf-8',
>>>>>>>>>                        'ssl' => true,
>>>>>>>>>                        'ca' => '/patch/to/ca-bundle.pem',
>>>>>>>>>            'table' => 'tabelname',
>>>>>>>>>            'user_col' => 'username',
>>>>>>>>>            'pass_col' => 'password',
>>>>>>>>>            'show_encryption' => false,
>>>>>>>>>            'encryption' => 'crypt-md5',
>>>>>>>>>    ),
>>>>>>>>>    'logout' => true,
>>>>>>>>> );
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Unless I missed something you didn't even say what your problem is.
>>>>>>>> --
>>>>>>>> Jan Schneider
>>>>>>>> The Horde Project
>>>>>>>> http://www.horde.org/
>>>>>>>> https://www.facebook.com/hordeproject
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Of course  - I checked transmission by tcpdump, on my mysql server
>>>>>>> and
>>>>>>> everything is in cleartext.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>   Does your sql user have "require ssl" set?
>>>>
>>>>>
>>>>> take a look at this:
>>>>> https://dev.mysql.com/doc/refman/5.0/en/ssl-connections.html
>>>>>
>>>>> /erling
>>>>>
>>>>
>>>>  Thanks for all your suggestions.
>>> I have tested ssl connection to mysql from different host.
>>> User has require ssl option set and I successfully connect to mysql from
>>> shell:
>>>
>>> mysql> \s;
>>> ....
>>> Current user:           user at localhost
>>> SSL:                    Cipher in use is DHE-RSA-AES256-SHA
>>> ....
>>>
>>> mysql> SHOW VARIABLES LIKE 'have_ssl';
>>> +---------------+-------+
>>> | Variable_name | Value |
>>> +---------------+-------+
>>> | have_ssl      | YES   |
>>> +---------------+-------+
>>>
>>> I also checked connection from remote site with this PHP script and
>>> it's
>>> ok:
>>>
>>> Script:
>>> <?php
>>> $link = mysql_connect("ip","test","testpass",false,MYSQL_CLIENT_SSL)
>>>         or die(mysql_error());
>>> $res = mysql_query("SHOW STATUS LIKE 'ssl_cipher';",$link);
>>> print_r(mysql_fetch_row($res));
>>> echo "Finished.";
>>> ?>
>>>
>>> Result:
>>>
>>> php mysqli-ssl.php
>>> Array
>>> (
>>> [0] => Ssl_cipher
>>> [1] => DHE-RSA-AES256-SHA
>>> )
>>>
>>> The problem is when I use ssl option in horde.
>>> Maybe it is the problem with wildcard certificate on mysql server *.
>>> domain.name ?
>>>
>>>
>
> Taking a look at the Horde_Db code, it looks as if only the MySQLi driver
> is supporting SSL connections.
>
> --
> Jan Schneider
> The Horde Project
> http://www.horde.org/
> https://www.facebook.com/hordeproject
>
>

Thanks Jan for your suggestion.
I changed php driver to mysqli and I used instructions from
 /usr/share/pear/Horde/Db/Adapter/Mysqli.php

$config = array(
    'username' => 'someuser',
    'password' => 'apasswd',
    'hostspec' => 'localhost',
    'database' => 'thedb',
    'ssl'      => array(
        'key'      => 'client-key.pem',
        'cert'     => 'client-cert.pem',
        'ca'       => 'cacert.pem',
        'capath'   => '/path/to/ca/dir',
    ),
);
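
A stand-alone check for the failure discussed in this thread (an SSL setting that is accepted while the session still runs in cleartext), as an added example that is not part of the original message and is not Horde code. It takes a config array shaped like the one above, connects through PHP's mysqli extension, and refuses to hand back an unencrypted session; the function name and the DB_* environment variables are hypothetical.

```php
<?php
// Added example, not Horde code. connect_require_tls() and the DB_* environment
// variables are hypothetical names; host, credentials and paths are placeholders.

/**
 * Connect with mysqli using an 'ssl' sub-array shaped like the one in the
 * Horde_Db Mysqli docblock, and fail closed if the session is not encrypted.
 */
function connect_require_tls(array $config): mysqli
{
    $ssl = $config['ssl'] ?? null;
    // A bare "'ssl' => true" carries no CA material, so reject it up front.
    if (!is_array($ssl) || (empty($ssl['ca']) && empty($ssl['capath']))) {
        throw new RuntimeException("'ssl' must be an array naming a CA file or CA directory");
    }

    $db = mysqli_init();
    // Arguments: client key, client cert, CA file, CA directory, cipher list.
    $db->ssl_set($ssl['key'] ?? null, $ssl['cert'] ?? null,
                 $ssl['ca'] ?? null, $ssl['capath'] ?? null, null);

    $ok = $db->real_connect($config['hostspec'], $config['username'],
        $config['password'], $config['database'],
        (int) ($config['port'] ?? 3306), null, MYSQLI_CLIENT_SSL);
    if (!$ok) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }

    // Same check the thread ran by hand: an empty Ssl_cipher means cleartext.
    $row = $db->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_row();
    if (empty($row[1])) {
        $db->close();
        throw new RuntimeException('session is not encrypted, refusing to continue');
    }
    return $db;
}

// Runs only from the command line when DB_HOST is set (hypothetical variables).
if (PHP_SAPI === 'cli' && getenv('DB_HOST')) {
    $db = connect_require_tls([
        'hostspec' => getenv('DB_HOST'),
        'username' => getenv('DB_USER'),
        'password' => getenv('DB_PASS'),
        'database' => getenv('DB_NAME'),
        'ssl'      => ['ca' => getenv('DB_CA')],
    ]);
    $row = $db->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_row();
    echo "Encrypted session, cipher: {$row[1]}\n";
}
```

Running it from the web server host, as the httpd user, also confirms that the CA file is readable by the account the application actually runs under.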

