MySQL over stunnel with SSL-Client-Certificate


The problem: data connections between the MySQL server and the client are unencrypted. This means that the authentication, the query and the result set are all transmitted in plain text over the network. To use SSL natively, MySQL must be compiled with SSL support, and in most distributions it isn't.
Here's a small workaround to get a secure connection without recompiling the MySQL server:

First install stunnel on both the server and the client (www.stunnel.org).

Generate a self-signed SSL certificate (on server and client):
# umask 077 keeps the new key file readable by root only;
# -nodes stores the private key unencrypted, which stunnel needs to start unattended
umask 077; \
/usr/bin/openssl req -new -x509 -days 3650 -nodes -config \
/usr/share/doc/packages/stunnel/stunnel.cnf \
-out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem


In /etc/stunnel/stunnel.conf (on the server running MySQL) add or uncomment these lines:
#
# Authentication stuff
#
# verify = 2: require a client certificate and accept it only if it is in CAfile
verify = 2
CAfile = /etc/stunnel/certs.pem
cert = /etc/stunnel/stunnel.pem
[mysqls]
# listen on 3307 for TLS and forward to the local plaintext MySQL port
accept = 3307
connect = localhost:3306
client = no


Create /etc/stunnel/certs.pem owned by root:root with permission 600.


On the client copy from the file /etc/stunnel/stunnel.pem the section:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
and paste it on the server into /etc/stunnel/certs.pem (only the certificate section, never the private key section of the file).
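The copy step above done by script, as an added example that is not from the original page: it extracts only the CERTIFICATE block from the combined stunnel.pem, refuses to leave private key material behind, and installs the result with mode 600 (and root:root when run as root). File paths and the sample PEM content are assumptions.

```shell
#!/bin/sh
# Added example: install the client certificate into the server's certs.pem
# without ever copying the private key that shares the same stunnel.pem file.

# extract_cert SRC DST -> copies certificate block(s) from SRC into DST (mode 600)
# and prints how many certificates were written.
extract_cert() {
    src=$1; dst=$2
    umask 077
    # keep only lines from BEGIN CERTIFICATE through END CERTIFICATE
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$src" > "$dst"
    chmod 600 "$dst"
    # root.root 600 as the page requires; chown only works when run as root
    [ "$(id -u)" -eq 0 ] && chown root:root "$dst"
    # never leave a CAfile behind that contains key material
    if grep -q 'PRIVATE KEY' "$dst"; then
        rm -f "$dst"
        echo "refusing to install $dst: private key material found" >&2
        return 1
    fi
    grep -c '^-----BEGIN CERTIFICATE-----$' "$dst"
}

# file_mode PATH -> octal permission bits, e.g. 600 (GNU stat, BSD stat fallback)
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# make_sample_pem PATH -> writes a constructed stunnel.pem look-alike.
# The contents are NOT a real key or certificate, just the two PEM sections.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDSAMPLEKEYMATERIALNOTAREALKEY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSAMPLECERTIFICATENOTAREALCERT
-----END CERTIFICATE-----
EOF
}

# Real use (assumed paths): extract_cert /tmp/client-stunnel.pem /etc/stunnel/certs.pem
```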


On the client add or uncomment these lines in /etc/stunnel/stunnel.conf. As written the client presents its certificate but does not check the server's; to make the client verify the server as well, add verify = 2 and a CAfile holding the server's certificate section here too.
#
# Authentication stuff
#
cert = /etc/stunnel/stunnel.pem
[mysqls]
# listen locally on the normal MySQL port and forward over TLS to the server's 3307
accept = 3306
connect = IPorFQDNofSERVER:3307
client = yes



Start the service on both machines.

Connect to the MySQL server through the local stunnel: mysql -u root -h 127.0.0.1 -p (use 127.0.0.1 rather than localhost, otherwise the mysql client uses the Unix socket instead of the stunnel listener on TCP port 3306).

Check that the stream is encrypted with:
tcpdump -l -i eth0 -w - src or dst port 3306 | strings
Note that the traffic crossing the network is the TLS stream on port 3307; port 3306 is only used on the loopback interface of each machine, so a capture on eth0 for 3306 should show no plaintext at all, and a capture for port 3307 should show no readable queries.
... that's it!


A.Mathibe, April,4th 2004