Comments on: Connecting to MySQL using SSL encryption in Ruby on Rails

By: Gavin Pearce

Gavin Pearce — Mon, 01 Feb 2010 13:34:40 +0000

Cheers mate – good article!

Theo,

You’re fine if the DB is on the same physical machine – however, it’s a good idea to have a separate DB server that isn’t web accessible. Improves your security somewhat.

By: Michael

Michael — Wed, 02 Dec 2009 18:26:32 +0000

O.K., ‘REVOKE’ exists…never mind.

By: Michael

Michael — Wed, 25 Nov 2009 18:02:39 +0000

Baby question: what if a user has already been set up without the requirement that she connect via SSL—how can her access be restricted to SSL? (I tried the GRANT statement with the restriction, but it seems to be supervened by the initial set-up—Note: I’m extremely newby at this, so I might be missing something obvious.)

By: theo

theo — Fri, 20 Nov 2009 21:30:42 +0000

do you need to use secure connection between webserver and mysql if they are on the same server machine? the site will run on https so transmission to the server will be secure. its just the internal communication i’m not sure of. thanks

By: MikeJ

MikeJ — Fri, 23 Oct 2009 17:11:06 +0000

Apparently the blog software is converting two minus signs into a single minus sign. Let’s try that with code tags:

mysql -ssl-ca

param needs to be mysql -–ssl-ca

By: MikeJ

MikeJ — Fri, 23 Oct 2009 17:07:38 +0000

Thanks man, saved me a ton of time!

The reason the client needs the CA certificate is simple. The client uses it to verify that the server’s certificate is valid each time it connects.

Minor correction: “mysql -ssl-ca” param needs to be “mysql –ssl-ca”.

By: ITS Strategy & Architecture » MySQL and SSL

ITS Strategy & Architecture » MySQL and SSL — Fri, 27 Mar 2009 19:03:47 +0000

[...] http://blog.aisleten.com/2008/05/25/connecting-to-mysql-using-ssl-encryption-in-ruby-on-rails/ [...]

By: Nick Hoffman

Nick Hoffman — Thu, 30 Oct 2008 00:56:08 +0000

Another method that would work is using STunnel, rather than an SSH tunnel or MySQL’s built-in SSL support.

By: Michael Richardson

Michael Richardson — Thu, 09 Oct 2008 17:56:37 +0000

So, I am a security expert. I’ve worked at SSH, and on IPsec all over the place. Rails is a pleasant diversion…
First, I see no advantage of an SSH tunnel. At best, it’s not more secure, and if done wrong, it’s actually less secure. The biggest issue is that there are simply more moving parts. (It also won’t work well with windows, but maybe that’s something in it’s favour, since you’d be less secure there for other reasons)

When building a passphrase-less public key authenticated SSH tunnel, you’d be copying the client’s public key to the server, and putting it in the authorized_keys file.
That authenticates the client to the server.
When you first connect, you copy the server’s public key to the client’s known_hosts file. That authenticates the server to the client.
In the SSL case, you authenticate the server to the client by copying the server’s cacert.pem file to the client. SSL has the X509/PKIX notion of a CA and a hierarchy, and althougth it’s generally a disaster of complexity, fundamentally, it just a fatter version of what SSH provides.
You do not describe copying the client’s public key to the server. In theory, in real SSL practice, you’d have the client’s certificate generated by a CA that was trusted by the server, and configure the authorization (vs authentication) for the client to connect somewhere on the server.
In practice, you do not do that, instead, you use passwords. This means that effectively anyone can connect to your port 3306 and attempt to crack your passwords.

That means that IP level restrictrictions are in order.
All of this would seem to prefer the SSH method, but only if you could use the SSH client code built-in to ruby, and have the same thing on the mysql side.

If you use an external SSH client, then you have an additional moving part to set, a dummy account on the server to setup, etc.

By: philemon

philemon — Tue, 22 Jul 2008 12:24:42 +0000

hey everyone, want to manage mysql db just chk this out sqlyog an amazing front end offered under open source just for free. u can connect thru ssh/ssl/tunnel. more secured tool to maintain your db. Highly recommendable.