Comments on: Connecting to MySQL using SSL encryption in Ruby on Rails

By: Amit

Amit — Wed, 28 Dec 2011 08:50:51 +0000

Thanks

By: Justin S

Justin S — Sun, 11 Sep 2011 06:06:05 +0000

Great tutorial! I’m running to a problem though, when I try to put sslca, sslkey, and sslcert variables into my database.yml file. Passenger phusion throws the following error when I reload the page after restarting apache:

syntax error on line 53, col 7: ` sslca: /home/jsarma/rapps/prod/db/ssl/ca-cert.pem’

I’m using rails 2.3.8, with passenger 3.0.7 and apache 2.2. I know I’ve set up ssl right because the mysql client login works fine with ssl.

The error suggests to me that I need to install some extension so the ssl variables will be recognized in rails. But this doesn’t make sense, because I already have ssl working for client logins. Now I’m trying to get it working for communication between the web server and the DB. I’m using a different web server self signed certificate that is not in the apache vhost config. Does the web cert specified in database.yml have to be in the apache config?

I’d really appreciate some advice on this.

Thanks

By: Chris Schulte

Chris Schulte — Wed, 23 Mar 2011 17:07:52 +0000

Just a heads up that the ssl-ca patch is officially part of Rails, so there’s no need to do the client key & certificate (just include the ssl-ca parameter).

I’m using 2.3.11, but the patch was submitted in July 2008 so I’m guessing if you’re using anything from 2.2 on you should have the patch.

By: Gavin Pearce

Gavin Pearce — Mon, 01 Feb 2010 13:34:40 +0000

Cheers mate – good article!

Theo,

You’re fine if the DB is on the same physical machine – however, it’s a good idea to have a separate DB server that isn’t web accessible. Improves your security somewhat.

By: Michael

Michael — Wed, 02 Dec 2009 18:26:32 +0000

O.K., ‘REVOKE’ exists…never mind.

By: Michael

Michael — Wed, 25 Nov 2009 18:02:39 +0000

Baby question: what if a user has already been set up without the requirement that she connect via SSL—how can her access be restricted to SSL? (I tried the GRANT statement with the restriction, but it seems to be supervened by the initial set-up—Note: I’m extremely newby at this, so I might be missing something obvious.)

By: theo

theo — Fri, 20 Nov 2009 21:30:42 +0000

do you need to use secure connection between webserver and mysql if they are on the same server machine? the site will run on https so transmission to the server will be secure. its just the internal communication i’m not sure of. thanks

By: MikeJ

MikeJ — Fri, 23 Oct 2009 17:11:06 +0000

Apparently the blog software is converting two minus signs into a single minus sign. Let’s try that with code tags:

mysql -ssl-ca

param needs to be mysql -–ssl-ca

By: MikeJ

MikeJ — Fri, 23 Oct 2009 17:07:38 +0000

Thanks man, saved me a ton of time!

The reason the client needs the CA certificate is simple. The client uses it to verify that the server’s certificate is valid each time it connects.

Minor correction: “mysql -ssl-ca” param needs to be “mysql –ssl-ca”.

By: ITS Strategy & Architecture » MySQL and SSL

ITS Strategy & Architecture » MySQL and SSL — Fri, 27 Mar 2009 19:03:47 +0000

[...] http://blog.aisleten.com/2008/05/25/connecting-to-mysql-using-ssl-encryption-in-ruby-on-rails/ [...]