Closed GoogleCodeExporter closed 9 years ago
I looked into this a bit. It turns out you have to use php's mysqli (mysql
improved)
to get ssl to work. mysqli seems to be included by default in the distros, but
it's
buggy in the default CentOS 5 version, so it has to be upgraded to 5.2x (or at
least
beyond php-5.1.6) to work. Other than that, it's pretty simple if you already
had ssl
working.
This is pretty rough. I'm sure you can make it look much better ;)
In three easy changes!
1) Add an item for an external mysql style cnf file
2) Change the connection string to use mysqli.
3) Change the query wrapper to use mysqli too.
Here's the diff:
diff ss_get_mysql_stats.php ss_get_mysql_stats.php.bak
42d41
< $mysql_ssl_cnf = 'myssl.cnf'; # MySQL style cnf file with SSL items filled in.
248,256c247,250
< $conn = mysqli_init();
< if (!$conn) {
< die('mysqli_init failed');
< }
< mysqli_options($conn,MYSQLI_READ_DEFAULT_FILE,'$mysql_ssl_cnf');
< if (!mysqli_real_connect($conn, $host_str, $user, $pass, '')) {
< die('Connect Error (' . mysqli_connect_errno() . ') '
< . mysqli_connect_error());
< }
---
> $conn = @mysql_connect($host_str, $user, $pass);
> if ( !$conn ) {
> die("MySQL: " . mysql_error());
> }
1050c1044
< $result = mysqli_query($conn, $sql);
---
> $result = @mysql_query($sql, $conn);
1052c1046
< $error = mysqli_error($conn);
---
> $error = @mysql_error($conn);
1059c1053
< while ( $row = mysqli_fetch_array($result) ) {
---
> while ( $row = @mysql_fetch_array($result) ) {
Example ssl.cnf:
[client]
ssl-cert=/var/www/cacti/scripts/tls/cert.pem
ssl-key=/var/www/cacti/scripts/tls/key.pem
ssl-ca=/var/www/cacti/scripts/tls/cacert.pem
Here are some things that I'd like to add but don't know how.
1) Re-use the connection. It seems to open three connections over the course of
the
stats gathering queries.
2) Check for mysqli and fall back to mysql if not available
Let me know what you think.
Jeff
Original comment by bikes...@gmail.com
on 16 Dec 2009 at 11:06
Jeff, I'm a little hesitant to add this as it is, because I think it'll add
complexity and possibly add bugs that wouldn't turn up until the next release.
Alas,
this would be hard to test :-( From what I see, we would need to do at least
the
following:
- add a command-line option and config variable for --use-ssl
- add a command-line option for the ssl-conf file
- add a command-line option and config variable for mysql vs mysqli
- add an if/then to open either a mysql or mysqli connection
- add/update wiki documentation
I've added you as an SVN committer, so if you would like to make and commit
those
changes that'd be great.
Original comment by baron.schwartz
on 25 Dec 2009 at 10:33
This works out of the box in CentOS 5.2:
mysql_connect($server, $user, $pass, false, MYSQL_CLIENT_SSL)
I've been doing it for a while without question so I verified with tcpdump and
SHOW
STATUS LIKE 'Ssl_cipher';. The only configuration was my.cnf on the server:
+ ssl-ca=/etc/mysql/ca-cert.pem
+ ssl-cert=/etc/mysql/server-cert.pem
+ ssl-key=/etc/mysql/server-key.pem
I'm sure I haven't touched php.ini on the client.
Original comment by AndrewHa...@gmail.com
on 28 Dec 2009 at 1:41
This issue was closed by revision r452.
Original comment by baron.schwartz
on 21 Mar 2010 at 3:58
I've adopted the solution suggested in comment 3, with absolutely no testing.
Original comment by baron.schwartz
on 21 Mar 2010 at 3:59
Original issue reported on code.google.com by
bikes...@gmail.com
on 16 Dec 2009 at 12:20