MySQL SSL encrypted communication between ispconfig slaves and the master

Posted by esmiz, 1st December 2010, 01:45

Hi there

In the last few days I've been trying to learn something about MySQL over SSL connections.
In an 'ispconfig 3' multiserver setup, communication between servers is done through unencrypted MySQL connections.
I thought it would be great to have slaves communicating over SSL with the master, and this is what I figured out:

Environment is a multiserver with a master and 3 slaves, all of them running Debian Lenny.

First, on one of the servers I made server and client certificates for every machine. All certificates are signed with the same CA, and the only question I answered was the common name, where I wrote the server's hostname.

Then in /etc/mysql/my.cnf on every server I added the path to the client certificates within the [client] section, and the path to the server certificates within the [mysqld] section. Something like this:

Code:
[client]
ssl-ca		= /etc/mysql/ssl-certs/ca-cert.pem
ssl-cert	= /etc/mysql/ssl-certs/ks1-client-cert.pem
ssl-key		= /etc/mysql/ssl-certs/ks1-client-key.pem

[mysqld]
ssl
ssl-ca		= /etc/mysql/ssl-certs/ca-cert.pem
ssl_capath	= /etc/mysql/ssl-certs/
ssl-cert	= /etc/mysql/ssl-certs/ks1-server-cert.pem
ssl-key		= /etc/mysql/ssl-certs/ks1-server-key.pem

After doing this, all the connections done by mysql seem to be forced to be encrypted. It looked promising: I could connect with root and ispcsrv* users from one server to the others in the usual way: mysql -h -u -p

Checking the connection with commands like SHOW VARIABLES LIKE '%SSL%'; or SHOW STATUS LIKE 'Ssl_cipher'; showed that SSL was being used.

Well, this seems to work when the connection is initialized from the shell but not when the connection is initialized from a PHP script, so slaves and master were not communicating properly.

I thought that perhaps the ispconfig user needs its own my.cnf, and added the file /usr/local/ispconfig/.my.cnf with just this content:

Code:
[client]
ssl-ca		= /etc/mysql/ssl-certs/ca-cert.pem
ssl-cert	= /etc/mysql/ssl-certs/ks1-client-cert.pem
ssl-key		= /etc/mysql/ssl-certs/ks1-client-key.pem

No joy, but some more searching drove me to http://php.net/manual/en/function.mysql-connect.php and that gave me the clue I needed.
PHP uses the mysql_connect function to connect to MySQL servers; the flag 'MYSQL_CLIENT_SSL' is used to achieve SSL connections.

Then I used grep to look for the 'mysql_connect' string in the files of the ispconfig home directory:


Code:
grep -R 'mysql_connect' /usr/local/ispconfig/

Fortunately, it seems that there are just 6 files where this function is used:

/usr/local/ispconfig/interface/lib/classes/db_firebird.inc.php
/usr/local/ispconfig/interface/lib/classes/db_mysql.inc.php
/usr/local/ispconfig/interface/lib/classes/simplepie.inc.php
/usr/local/ispconfig/server/lib/classes/db_mysql.inc.php
/usr/local/ispconfig/server/plugins-available/mysql_clientdb_plugin.inc.php
/usr/local/ispconfig/server/plugins-available/software_update_plugin.inc.php


So I backed them up, and added the required flags to every place where the function is invoked. As an example, line 72 in the file /usr/local/ispconfig/interface/lib/classes/db_mysql.inc.php looks like:

Code:
$this->linkId = mysql_connect($this->dbHost, $this->dbUser, $this->dbPass);

And with the flags, it becomes:

Code:
$this->linkId = mysql_connect($this->dbHost, $this->dbUser, $this->dbPass, false, MYSQL_CLIENT_SSL);

The result of all this is that communication between ispconfig slaves and the master is back now and is encrypted.

The questions I have are:

Is this a proper way of doing things? Is there something that I'm missing or that is not needed?

I'm almost sure that there are many wrong things in these steps, so thanks in advance for all your corrections.

Regards.

xmz
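
The certificate step in the post above is described without commands. As an added example (not part of the original post and not ISPConfig code), this is one way to create and check those files with openssl; the file names follow the my.cnf paths in the post, while the CA subject name and the script name make-certs.sh are assumptions.

```shell
#!/bin/sh
# Added example: one CA plus a server and a client certificate per host.

# make_ca DIR: create ca-key.pem and a self-signed ca-cert.pem in DIR.
make_ca() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=ispconfig-mysql-ca" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null || return 1
    chmod 600 "$1/ca-key.pem"
}

# make_cert DIR HOST ROLE: issue DIR/HOST-ROLE-{key,cert}.pem (ROLE: server|client).
# The CN is the hostname; it must differ from the CA's CN, because identical
# subject and issuer names make verification fail.
make_cert() {
    base="$1/$2-$3"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$base-key.pem" -out "$base-req.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$base-req.pem" -days 3650 \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$base-cert.pem" 2>/dev/null || return 1
    rm -f "$base-req.pem"
    chmod 600 "$base-key.pem"
}

# verify_cert DIR HOST ROLE: succeed only if the certificate chains to the CA
# in DIR and the key file next to it is the matching private key.
verify_cert() {
    base="$1/$2-$3"
    openssl verify -CAfile "$1/ca-cert.pem" "$base-cert.pem" 2>/dev/null \
        | grep -q ': OK$' || return 1
    cert_pub=$(openssl x509 -in "$base-cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$base-key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh make-certs.sh DIR HOST [HOST...]   e.g. /etc/mysql/ssl-certs ks1
if [ "$#" -ge 2 ]; then
    dir=$1; shift
    make_ca "$dir" || exit 1
    for host in "$@"; do
        for role in server client; do
            make_cert "$dir" "$host" "$role" && verify_cert "$dir" "$host" "$role" \
                || { echo "failed: $host $role" >&2; exit 1; }
            echo "ok: $dir/$host-$role-cert.pem"
        done
    done
fi
```

Each host then needs only ca-cert.pem and its own four files; ca-key.pem can stay on the machine that issues the certificates.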