Anyone using SSL-encrypted backend mysql calls?

Due to circumstances beyond my control (mgmt), my RT instances will be moved
from their present isolated network into the mainstream with other corporate
devices. As I don’t want any sniffers that might exist on the wire to inspect
my traffic to/from the database servers, I’m looking at using the SSL
encryption feature…but I don’t know what incantations need to be used for the
front-end RT instance to successfully communicate.

If this is explained in a FAQ or manual somewhere, please point me to it.

Thanks, in advance…

sklutch

How about stunnel?

–David


David Chandek-Stark <david.chandek.stark duke.edu> writes:

How about stunnel?
–David

I’ve been asked not to use “custom” software solutions in our corporate
environment. sigh

sklutch

OpenSSL is far from what I’d call a “custom” software solution lol

Isn’t it like… the most widely used SSL implementation in the world?

stunnel is nothing more than a wrapper allowing you to use it with any protocol.

You could always provide them with the source so they can scrutinize at will.

Push management a little, sometimes they actually give in :)

-gabe
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

Gabriel Cadieux <gcadieux securetechnologies.ca> writes:

OpenSSL is far from what i’d call a “custom” software solution lol

push management a little, sometimes they actually give in :slight_smile:
-gabe

If it isn’t in the “Known support lexicon” </end corpspeak>,
then it’s a “custom” solution and requires singing/dancing/alms/blood to
implement. OTOH, if I use an existing capability of the MySQL server and a
(hopefully) simple modification to RT it doesn’t register on the “not from
around here” meter.

<weird breaks are for my posting client’s requirements>

sklutch

Do NOT use mysql SSL in a production environment.

Yes, I have done it. No, you do not want to.

It can be made to work. It is not stable. You will wake up one day
wondering why mysql connections are dying. You will google the error
messages and find all sorts of info on MySQL mailing lists showing
that many others have the same problem. Then you too will recompile
MySQL without SSL support and revert to stunnel.

Which you should have done in the first place, as others have already
suggested.

It is not a “custom” solution, it’s a very common and most excellent
tool used for this purpose.

On mysql clients, I bind stunnel to 127.0.0.10?. Increment the last
digit for each MySQL server your client wants to connect to. On the
mysql server, bind MySQL to the loopback IP and stunnel listens on the
network interface and proxies the request to it.

Matt
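What Matt’s layout looks like written down as stunnel configuration. This is an added example, not something posted in the thread and not stunnel’s or RT’s shipped sample config. The hostnames, the 192.0.2.10 interface address, port 3307, the certificate and PID paths, the `stunnel` user and the 127.0.0.101/127.0.0.102 loopback addresses (one per database server, last digit incremented as Matt describes) are all assumptions for illustration. Both files are shown in one block, separated by comment headers.

```ini
; Added example: stunnel config for the topology described above.
; All hosts, addresses, ports, paths and user names are assumptions.

; ================= RT (MySQL client) host: /etc/stunnel/mysql-client.conf
; stunnel listens on a private loopback address per database server and
; carries each connection over TLS to the stunnel in front of that server.
; RT is then pointed at 127.0.0.101:3306 instead of the database host.
client = yes
pid    = /var/run/stunnel-mysql-client.pid
setuid = stunnel
setgid = stunnel
; Client certificate, presented if the server-side stunnel demands one.
cert   = /etc/stunnel/rt-client.pem
key    = /etc/stunnel/rt-client.key
; Trust anchor for the database servers' certificates.
CAfile = /etc/stunnel/db-ca.pem
; The weak setting is the default, verify = 0: the tunnel is encrypted but
; the peer is never authenticated, so whoever can redirect the TCP session
; (ARP, DNS, a rogue route) can terminate the TLS and read everything.
; verify = 2 rejects any peer whose certificate does not chain to CAfile.
verify = 2

[mysql-db1]
accept  = 127.0.0.101:3306
connect = db1.example.internal:3307

[mysql-db2]
accept  = 127.0.0.102:3306
connect = db2.example.internal:3307

; ================= MySQL server host: /etc/stunnel/mysql-server.conf
; mysqld is bound to loopback only (bind-address = 127.0.0.1 in my.cnf),
; so the only way in from the network is through this stunnel instance.
pid    = /var/run/stunnel-mysql-server.pid
setuid = stunnel
setgid = stunnel
cert   = /etc/stunnel/db1-server.pem
key    = /etc/stunnel/db1-server.key
; Require and verify the RT host's client certificate, so that only the RT
; front ends (not any host on the corporate LAN) can reach mysqld at all.
CAfile = /etc/stunnel/rt-client-ca.pem
verify = 2

[mysql]
accept  = 192.0.2.10:3307
connect = 127.0.0.1:3306
```

On the RT side the only change is in RT_SiteConfig.pm: `Set($DatabaseHost, '127.0.0.101');` and `Set($DatabasePort, 3306);` so DBD::mysql connects over TCP to the local stunnel rather than to the database host. Two things bite people with this layout: mysqld now sees every RT connection arriving from 127.0.0.1, so the RT account’s GRANT must be for `'rt'@'127.0.0.1'` (or `localhost`) rather than for the RT server’s LAN address; and on Linux the whole 127.0.0.0/8 answers on `lo` without extra configuration, whereas on the BSDs each 127.0.0.10x address has to be added as an alias on `lo0` first. Newer stunnel releases spell the peer check `verifyChain = yes` and treat `verify = 2` as a deprecated alias; either way, check that it is actually set before trusting the tunnel, and confirm with tcpdump between the two hosts that the only MySQL-related traffic on the wire is TLS on port 3307.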

Matt Simerson <matt corp.spry.com> writes:

Do NOT use mysql SSL in a production environment.

Well, that’s emphatic enough…guess that means it’s “forgiveness vs
permission” time. :)

sklutch

Matt Simerson <matt corp.spry.com> writes:

Do NOT use mysql SSL in a production environment.

Well, that’s emphatic enough…guess that means it’s “forgiveness vs
permission” time. :)

Public mailing lists are not the best place to announce premeditated
policy ignoring. ;)

Matt Zagrabelny - mzagrabe@d.umn.edu - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot
lose.
-Jim Elliot

ROFL