…and I’m still alive and kicking. I apologize for the lack of updates recently. I’ve been extremely busy with homework and school, work itself, and family matters. The most recent family matter involved a distant cousin-in-law of mine and my wife’s grandmother. Certain personal effects (mainly most of them) of my grandmother’s were being held ransom by Melissa’s cousin and had to be picked up for fear of being thrown out. Where were they? Phoenix, AZ. After a weekend of driving round-the-clock to and from Phoenix, I was extremely tired and to say the least, tired of driving. However, we managed to obtain Melissa’s grandmother’s personal effects and she was quite pleased.

In any case, I wanted to briefly mention that I hope to completely revamp my blog within the next couple of weeks. A new look is coming about (an original one, for once) as well as a port to Wordpress. I’ve barely been satisfied with Serendipity, so I hope Wordpress will make me much happier. Furthermore, by being able to design my own blog pages, I should be able to make it adapt better to my code entries. Nevertheless, expect an update from me again within the next couple of weeks.

This was a problem I had while trying to send email from my local workstation through a web application. The script would execute fine, but I wouldn’t receive any email. Upon further investigation (which included walking through a debugging session to find out what was going wrong), I came across an exception when trying to use:

SmtpMail.Send(email)

The exception that was thrown have the following error message:

**The message could not be sent to the SMTP server. The transport error code
was 0x800ccc15. The server response was not available **

After a couple of minutes of realizing that I was not using localhost as my SMTP server, I figured there was either a problem with my mail relay, or something wrong with my workstation. A couple of Google hits returned that the problem was a VirusScanner issue. Sure enough, when I took a look at my Access Protection settings in McAfee VirusScan Enterprise 8.0i, one of the ports that was being blocked from sending traffic was port 25. There were 3 possibilities that I could have taken to resolve this:

• Disable port 25 blocking
• Delete the port 25 block rule
• Add both aspnet_wp.exe and w3wp.exe to the exclusion list.

All three of these solutions worked for about 5 minutes and allowed email to be sent through my application. However, after that 5 minute period, the rules were restored. I’m not entirely certain why they were restored despite my making sure that they were saved and took immediately after closing the VirusScan Console, but I’m in the process of figuring that problem out.

The truth is, it has. (That and somehow the Staind song It’s Been a While just started playing…what a coincidence).

In any case, I figured I would give the world an update to let them know I’m alive and well. I’m busy, as usual, but I’m alive and kicking and screaming and everything else that I usually do best. I’m still a developer at CIS Customer Applications, working full time, still owning my own business, but I’m back in school attempting to take 7 hours of classes. Over the summer I changed majors from Electrical Engineering to Computer Engineering with a Computer Science emphasis. The reason I did it was because I was enjoying programming a whole lot more than I was building circuits. The change only increased my requirements from 54 credits to 71 credits till I graduate. I did the math, and it seems as though I’ll be able to graduate by December 2009 if I continue working at the pace that I have been (that is, 7 hours a semester with a minimester of courses between every semester).

The classes this semester are going well thus far, but it’s a lot of work and sucks up most of my time (when I’m not doing stuff for Cerberus, etc.). My first class is a math class (I thought I was supposed to be done with math, but changing from Electrical Engineering to Computer Engineering over the summer added one last math class). The course title is Discrete Mathematics, though it has hardly been anything but logic - which is a fairly simple concept. I feel like we’re taking baby steps in the class, with the exception that my professor likes to give us enough homework problems to take up 8-10 pages of notebook paper for each assignment.

The other class I’m taking is ELEN325, Electronics. It’s basically a course that extends two other basic courses that we had during our sophomore year, and is the last electrical engineering course I have to take. The only difference between how it is now versus how it was last semester when I first tried to take it is that my professor makes sense. He does a great job of thoroughly explaining everything without taking a real long time to do it. As a result, I totally understand the homework I’m working on, the pre-labs and laboratory exercises, etc. I hope to pull out of this semester with an A in both this class and MATH302 (Discrete).

As far as everything outside of school (the rest being my wonderful wife Melissa), she’s also stressing out about school (amongst other things). She’s gone back to taking a full-time load of classwork because she’s ready to get out of the community college system and into a university with a good music program (namely Sam Houston State University). As a result, the courses are piling homework on top of her, and it doesn’t help that she’s working 20+ hours a week at the HelpDesk AND the HelpDesk has been swamped by walk-up visitors, which have taken her away from doing homework at her desk. Coupled with the fact that the HelpDesk is having some rather nightmare-ish organizational issues with a merger that occurred recently, it’s been hell for her and I’ve had to console her a lot.

Because we’ve been so busy the past couple of weeks, we haven’t been able to spend much time with friends, let alone clean the house. I hope to get some time to at least do laundry, if not mow the lawn (because it hasn’t been mown in over 3 weeks!) this weekend. Wish me luck. Hopefully I’ll update soon, again…

So, in trying to figure out the LDAP issues that I had earlier, I needed to check the public key that was returned by the LDAP server when using SSL / TLS. The problem was that I had the damndest time trying to figure out the command necessary to open up and examine SSL certificates on non-standard ports (ie: anything but HTTPS, IMAPS, POP3 over SSL, etc.). Finally, I found on the Atlassian Confluence website the exact command I needed:

openssl s_client -connect host.example.com:ldaps

This displayed everything I needed to know, including the PEM formatted public key / certificate as well as the Certificate Chain (ie: who was the Certificate Authority for the certificate).

It never ceases to amaze me how many outside dependencies there are for PHP. When trying to get a PHP application to connect to an LDAP server over SSL, you have to have the following:

• OpenLDAP (at least branch 2.x.x)
• OpenSSL
• Reminder: Compile OpenLDAP with SSL support! Just in case you didn’t do that already.

Yes, but once you have all that done, then you need to hope and pray that it will connect successfully. On a Linux server, this is definitely a possibility (but a treacherous task at that). On a Windows machine: forget it. You might as well count your losses and start coding your application in .Net before you try connecting to an LDAP server via SSL with a Windows box (that or you need to be really good at compiling opensource software on Windows machines).

The Error

So, here’s the error message I’m getting in my PHP app:

Warning: ldap_bind(): Unable to bind to server: Can't contact LDAP server.

Pretty generic error message right? It can be anything. I’m guessing, though, that it’s something with OpenLDAP. That’s why it comes with the wonderful tool `ldapsearch`. This _should_ help me figure out if it’s an application problem or a OpenLDAP problem.

neraath:~/> ldapsearch -b ou=people,dc=example,dc=com 
-H ldaps://host.example.com searchMailbox=neraath
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Once again, a pretty generic error message. If you try to Google that error message, you’re not gonna get anywhere. This is where OpenLDAP’s debugging switch turns out to be quite handy. My favorite: `-d 7`. Watch it in action:

neraath:~/> ldapsearch -b ou=people,dc=example,dc=com 
-d 7 -H ldaps://host.example.com searchMailbox=neraath
ldap_create
ldap_url_parse_ext(ldaps://host.example.com)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP host.example.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying IP.ADDRESS.HIDDEN.HERE:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
TLS: could not load client CA list (file:`',dir:`/etc/apache2/ssl.crt').
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:642
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:278
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:280
ldap_perror
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Lo-and-behold the answer becomes evident:

TLS: could not load client CA list (file:`',dir:`/etc/apache2/ssl.crt').

I change the /etc/openldap/ldap.conf file line ‘TLS_CACERTDIR /etc/apache2/ssl.crt’ from what it is to ‘TLS_CACERTDIR /etc/ssl/certs’. I re-run the above command and it prompts me for a password. This is definitely a good sign. Running it again in my PHP code? Of course not.

Step 2: Google Some More

After more wonderful Googling for the most generic PHP error possible, I find that the problem may potentially be the certificate (view the thread). So, I decide to try to figure out how to actually view the certificate that’s on the server (in case it is self-signed or not trusted, somehow). This takes me the better part of half an hour, but I finally figure out the openssl command necessary to view the public key / certificate of a service:

openssl s_client -connect host.example.com:ldaps

This gave me the public key necessary to save and then place in at /etc/ssl/certs/host.example.com.pem. After doing so, I ran `c_rehash` and then modified my /etc/openldap/ldap.conf file. I added the following lines to the config:

URI: ldap://host.example.com
TLS_CACERT /etc/ssl/certs/host.example.com.pem

After restarting Apache and testing the PHP file, things seem to be going a little smoother. No more connect errors. I will update if something goes awry, though.

Well, it’s been a really long time since I last updated my blog and let everyone know what’s been going on in my life. In essence, I’ve been busy as usual, but have made progress by leaps and bounds in most things I’m actually involved in, and also have a new addition to our (Melissa and my) family (more to come later).

So, a few weeks ago, Melissa and myself went to Denver, Colorado for a break from College Station and so that I could take some training in the infamous (and totally ripped off) programming language C# using the ASP.NET 2.0 framework. The reason I say it’s totally ripped off is that if you learn the language and learn Java (or vice-versa), you’ll notice that C# = Java. Barring that fact, I had a really cool instructor named Michael who kept me interested in learning the language and I did learn a lot. Essentially, I learned the syntax and how C# works and afterwards learned how to use Visual Studio 2005 along with parts of the Framework and how to create ASP.NET websites - simple ones at least. Besides the awesome (yet expensive learning) that it was, Melissa and I got to know her Aunt Kathy and Uncle Greg as well as do fun and cool things around Denver, a town that I haven’t been to in a long time.

While we were in Denver and staying at Aunt Kathy’s place, I fell in love with their large Lab and Golden Retriever dogs. It reminded me of how much I had always wanted a big dog, but never had one. They were extremely sweet animals and I told Nissa that we had to get a dog sometime in the future. I was thinking she was going to get one for me for my birthday, but as it turned out we went out and got a Collie puppy (also something I had always wanted). We had quite a bit of troubles trying to adopt it (read Nissa’s article), but we were happy when we finally got to adopt her. She’s truly very sweet and utterly cute and Melissa made me extremely happy that she did that for me (really for us). The collie is what Melissa had expressed that she really wanted, and when we went to the pound to look for a puppy, she saw the collie (we named her Sophie, eventually), she fell in love with her and it really seemed as though I wasn’t going to get out of the pound without her. I’m not upset by any means, though. Collies are sweet, wonderful, and really smart dogs - not to mention it’s the official mascot of A&M, but that’s not a selling point for me. I’ll have pictures of her soon to share with everyone.

Past that, it’s been crazy-busy at work because I’ve been involved with so many projects that have stringent deadlines and high requirements (isn’t that how it usually goes?). All of the projects are PHP, none of my time is actually budgeted to them (with the exception of one), and all of them have SQL Injection vulnerabilities! ‘Tis a shame that I don’t get paid more for security consulting and fixing these damn things. Same going for the documents I’ve been creating. I think I spent 2 days making a 40 page document for the proposed changes to one of the projects. I’ve essentially been doing the work of a Senior Software Applications Developer, but my title (and regrettably, my pay) is at the level of a Sr. IT Associate - someone that’s not really important. I’m not really upset, though, because I’m at least appreciated where I’m at. The managers (and associate director) understand that I provide valuable service to CIS, and that matters a lot to me. Of course, I’m still gonna demand a position upgrade at the time I was originally promised.

As of now, I’m in Chicago taking the advanced C# course right at this moment. The course has been even better than the intro course that I took. Our instructor Brad is very outgoing, humorous, and very intelligent. The course has definitely helped me to learn a lot about C# and I’m really looking forward to building websites with it. Another really cool thing is my business partner Tom came up yesterday and is staying until Friday. I don’t get to hang out during the day, but the evenings we actually get to hang out.

I feel really bad because I didn’t bring my wife along with me (because we didn’t have the money for it). From now on, though, I’ll definitely need to bring her along (assuming she can and assuming we can afford it). I love her dearly and I hate leaving her alone, and she likewise hates being left alone.

In any case, back to my course. I’ll update soon (hopefully).

Take this email conversation for an example:

Says she is having error messages when sending
 
-----Original Message-----
From: Christopher Weldon
Sent: Tuesday, June 26, 2007 2:45 PM
To: <hidden>
Subject: Re: help
 
S wrote:
> > Chris --- K cannot send emails out of the network----S
> > 
 
S,
 
I verified that she could. I sent myself emails from all of her 
addresses and they came through just fine. Can you please provide me 
some specifics of what error messages she is getting?

The situation is that the customer was having problems sending emails outside of their domain via Outlook. I went on-site and proceeded to verify that every single one of them could send emails out (by sending to my domain). K’s was one that I double checked.

So, when I ask for “specifics” and get a reply that says nothing about what I requested, I just want to double my rate for support and call it the “dumbass upcharge”.

For many of you who use Komodo, you will have undoubtedly come across the Source Code Control feature available within it. This feature works GREAT with MacOS X and Linux systems, but if you have ever tried to use it within Windows, it’s a bit tricky to get working properly (if you’ve even been able to do that).

I’ve been tackling the issue for the past hour or so (after having tried it in the past - but to no avail), but now I think I’ve figured out what’s up with this damn thing. It revolves around using a combination of PuTTY, Subversion (NOT TortoiseSVN), and (of course) Komodo.

Before we get started, you might want to check out this forum thread as this is what gave me some hints as to what to do, though I had to take it all with a grain of salt since it was so messy. If you don’t care, then read onward!

These first steps are really quite quick, and I don’t care to explain how to do them (as I expect you to figure out how to install applications yourself). If all else fails, RTFM.

1. Install Putty
   Note: You must install the full application (this includes putty.exe, puttygen.exe, plink.exe, etc.)
2. Install Subversion
3. Restart the computer (this will populate your PATH with the environment variables for PuTTY and Subversion)
4. Generate your Public/Private Key Pairs
   (Note: The following section was copied from the Komodo Documentation):

   Run the puttygen utility. Configure as follows:

   1. Set Parameters: Select either “SSH2 RSA” or “SSH2 DSA”.
   2. Generate Key Pair: Click the Generate button to generate the key pair. While the key is being generated, move the mouse pointer around the blank space to provide key randomness.
   3. Enter Key Passphrase: Enter and confirm a passphrase for the key. Remember the passphrase - it is required later.
   4. Save Public Key: Click the “Save public key” button and store the key in a file called public1.key.
   5. Save Private Key: Click the Save private key button and store the key in a file called private1.key, in the same directory as the public key.
   Note: The extension .ppk will be appended to the name specified (i.e. private1.key.ppk).
   6. Copy Key Contents: Copy the contents of the public key field (at the top of the dialog box) to a file named public1-openssh.key. This key is required later.
   7. Close puttygen

5. Load and Configure Pageant
   (Note: This section was copied from the Komodo Documentation):

   Run the pageant program. This loads the Putty Authentication Agent into the Windows System Tray.

   Right-click the Pageant icon in the Windows System Tray. Select Add Key. Navigate to the directory where you saved the public and private keys in the previous step, and select the file private1.key.ppk.

6. Configure PuTTY Session

   Run PuTTY. Note: Before reading the next section, you MUST realize that the naming convention used for the session name is CRITICAL for checking out and committing over SSH. Once you understand this, read the documentation that was copied from the Komodo documentation:

   1. Specify Server: On the Session page of the Configuration form, enter the host name or IP address of the server.
   2. Specify Protocol: On the Session page, in the Protocol field, select the “SSH” protocol.
   3. Create Saved Session: In the Saved Sessions field, enter the host name again. Click the Save button.
   4. Configure Connection: on the Connection page of the Configuration form, enter your username for the server in the Auto-login username field.
   5. Configure SSH Protocol: On the SSH page of the Configuration form, specify “2″ for the Preferred SSH protocol version.
   6. Enable Agent Forwarding: On the Auth page of the Configuration form, check Allow agent forwarding. In the Private key file for authentication field, specify the path and filename of the private key created above (private1.key).
   7. Save Session Information: On the Session page of the Configuration form, click the Save button.

7. Store the Public Key on the Server
   Note: Copied from the Komodo Documentation:

   You must store the public key file generated in step 2 (public1-openssh.key) on the CVS or Subversion server.

   1. Open Command Prompt Window: Type cmd in the Windows Run dialog box.
   2. Copy Public Key to Server: At the command prompt, enter:

   pscp c:\path\to\public1-openssh.key username@server.com:public1-openssh.key

   …where c:\path\to\public1-openssh.key specifies the location of the key file created in step two, and username@server.com specifies your username and URL on the remote server. You are prompted to confirm the legitimacy of the host, and may be prompted to enter your password for the server.
   3. Connect Using Putty: If necessary, run the putty program. In the Saved Sessions field, double-click the configuration created in Step 4. This establishes a connection to the server.
   4. Configure the Key on the Server: After logging on to the server, enter the following commands to configure the SSH key:

   mkdir ~/.ssh
   chmod 700 .ssh
   cat ~/public1-openssh.key >> ~/.ssh/authorized_keys
   rm ~/public1-openssh.key
   chmod 600 ~/.ssh/*

   5. Log Off and Exit Putty: Enter exit to close the session of the server.

8. Setting Up Environment Variables

   Go to your Control Panel and then to the System. Click the Advanced tab and then the Environment Variables button. Add 2 new Global Variables:

   SVN_SSH = "C:\Path\to\plink.exe" -i "C:\Path\to\Private\Key.ppk"
   PLINK_PROTOCOL = ssh

   NOTE that the quotes around the paths are critical to SVN working appropriately. If you don’t use quotes, subversion will try to use the entire string as the path to plink, which will obviously fail. If you put quotes around the entire thing, the same occurs.

9. Checking out files

   This is CRITICAL in order to make certain that Komodo works appropriately. If you do not check out files appropriately, Komodo will hang and then you’ll go hang yourself. The syntax of the command used to check out files should be:

   C:\> svn co svn+ssh://PuTTY Session Name/Path To Repository/ directory

   If you use a hostname rather than a PuTTY Session name, you are guaranteed failure.

Enjoy.

The third and wonderful “conclusion” to the Pirates of the Caribbean trilogy was released last week, and I had the opportunity to take my wife to go see it two days after it came out. Suprisingly, the crowd at the movie theater was small, with the show being only 3/4 of the way filled. But, that’s to be suspected with the college crowd almost completely gone for summer.

The movie is slow to begin, but quickly ramps up once the underlying story is presented. Then, when you least expect it, it hits the ground running with a nice full-town battle ensuing between allies (?) and foes. ‘Tis unusual without the biggest character of the story, Jack Sparrow, present. Fret not, however, as his re-appearance is one of peculiarity, but undoubtedly reminds you of the Jack Sparrow you knew from the other two movies.

As many people have claimed, there seems to be more battles and more fighting in this movie than in the past two. This, I can agree with, but likewise disagree with. The difference between At World’s End and either of the other two movies is the complete interweaving of all characters that had been introduced up to the final movie. A lot of drama and arguing ensue, yet there’s always the ever-so-often hint of humor.

One of the more enjoyable aspects of this movie was the addition of more “traditional” things from the Pirates of the Caribbean ride at Disney. You hear more songs and see things that are oddly reminiscent of the ride, should you have had the wonderful opportunity of riding it before.

Overall, this nearly 3-hour long adventure is one well suited for any Pirate fan, and in my case, I can only hope the DVD is right around the corner.

4.5 / 5 Stars

So, I now have one of our new servers sitting in a datacenter in Dallas. It is to replace one of our dedicated servers we are renting through The Planet. Well, our client’s website is doing extremely well right now and is averaging roughly 2,000 hits per day. This is one of the various eCommerce websites we have built for various customers. So, credit card data does get transmitted (always securely) between the database server residing on the dedicated server. Well, in order to minimize downtime for our customer’s website and to retain no loss of data, we have to do something about database connectivity between the old server and the new server. Luckily, MySQL is resilient enough to allow for remote connections, and as long as the latency between the servers isn’t bad, the website will operate at the same rate as normal.

However, the difference between connecting to a database residing on localhost and a database server residing on some other machine is the type of connectivity. By default, connections are unencrypted, so eCommerce information should NOT be transmitted in this manner. We need to transmit it over SSL-style connections. Again, MySQL is resilient enough to have these features built-in, assuming you compiled your server with SSL support.

I began by taking a copy of our customer’s database and sending it over to the new server:

oldServer> mysqldump -u root databasename -p > databasename.mysql
oldServer> scp databasename.mysql newserver:/home/customer/databasename.mysql
oldServer> ssh newserver
newServer> mysql -u root databasename -p < /home/customer/databasename.mysql

No problems were encountered here. So, the difference between SSL connections using SSH and SSL connections using MySQL is that MySQL requires SSL certificates and keys, much like web servers and mail servers do. However, you don’t have to purchase one of these. You CAN use self-signed certificates, as long as you have access to the Certificate Authority certificate file (shouldn’t be a problem if you are acting as the Certificate Authority). I’m not going to go into signing your own certificates, but there are several great websites that tell you how to do this, such as this one.

So, I did the usual things necessary to create my certificate (since I act as the certificate authority for my company), and copied the certificate data into the following locations:

newServer> cp /root/sslcerts/newServer.key /etc/ssl/private/newServer.key
newServer> cp /root/sslcerts/newServer.crt /etc/ssl/certs/newServer.crt
newServer> cp /root/sslcerts/CA.crt /etc/ssl/certs/CA.pem
newServer> cd /etc/ssl/certs
newServer> /usr/bin/c_rehash

I followed the same pattern for the CA certificate as everything else that was in that directory. All extensions were .pem. Note that openssl generates PEM formatted certificates and keys anyways, so it is perfectly legal and acceptable. c_rehash is used to parse the /etc/ssl/certs directory for new certificate authority certificates and create a symbolic link that has a name that’s a hashed value of the certificate. Read the man page for c_rehash for further information.

Anywho, everything was in their respective location, and I had added the following lines in my /etc/mysql/my.cnf file (under the server section):

ssl-ca = /etc/ssl/certs/CA.pem
ssl-key = /etc/ssl/private/newServer.key
ssl-cert = /etc/ssl/certs/newServer.crt
ssl-cipher = ALL:-AES:-EXP

I started MySQL and no errors were detected. As the MySQL Manual states for SSL connectivity, you issue the command show variables like ‘have%’ to show if you have SSL connectivity available. Here’s what mine showed:

mysql> show variables like 'have%';
+-----------------------+----------+
| Variable_name         | Value    |
+-----------------------+----------+
| have_archive          | NO       | 
| have_bdb              | YES      | 
| have_blackhole_engine | NO       | 
| have_compress         | YES      | 
| have_crypt            | YES      | 
| have_csv              | NO       | 
| have_dynamic_loading  | YES      | 
| have_example_engine   | NO       | 
| have_federated_engine | NO       | 
| have_geometry         | YES      | 
| have_innodb           | DISABLED | 
| have_isam             | NO       | 
| have_merge_engine     | YES      | 
| have_ndbcluster       | NO       | 
| have_openssl          | DISABLED | 
| have_ssl              | DISABLED | 
| have_query_cache      | YES      | 
| have_raid             | NO       | 
| have_rtree_keys       | YES      | 
| have_symlink          | YES      | 
+-----------------------+----------+
20 rows in set (0.00 sec)

Well that’s interesting, SSL is disabled. After a few hours of trying to figure out what this is, including starting SSL with those configuration options on the command line rather than through the my.cnf file, I found out the culprit of this was the ssl-cipher line in the config. Even setting this to just ALL caused the same result. However, when I removed that option and restarted MySQL, I got the following results:

mysql> show variables like 'have%';
+-----------------------+----------+
| Variable_name         | Value    |
+-----------------------+----------+
| have_archive          | NO       | 
| have_bdb              | YES      | 
| have_blackhole_engine | NO       | 
| have_compress         | YES      | 
| have_crypt            | YES      | 
| have_csv              | NO       | 
| have_dynamic_loading  | YES      | 
| have_example_engine   | NO       | 
| have_federated_engine | NO       | 
| have_geometry         | YES      | 
| have_innodb           | DISABLED | 
| have_isam             | NO       | 
| have_merge_engine     | YES      | 
| have_ndbcluster       | NO       | 
| have_openssl          | YES      | 
| have_ssl              | YES      | 
| have_query_cache      | YES      | 
| have_raid             | NO       | 
| have_rtree_keys       | YES      | 
| have_symlink          | YES      | 
+-----------------------+----------+
20 rows in set (0.00 sec)

I have filed a bug with MySQL about this, because it’s a critical flaw, not being able to specify which Ciphers you wish to allow.

So, now that I see SSL connectivity is allowed, I need to create an account and fully restrict it to require SSL connections. This is done in my grant statement. Full instructions on Granting with SSL Requirements are available in the MySQL Reference Manual. So, in MySQL, I issue the following command:

mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON `databasename`.* TO 'customer_dbuser'@'192.168.1.1' \
    -> IDENTIFIED BY 'goodsecret' \
    -> REQUIRE ISSUER '/C=US/ST=Texas/L=College Station/O=Company Name/OU=Certification Authority Name/CN=My Root Certificate Authority' \
    -> SUBJECT '/C=US/ST=Texas/L=College Station/O=Company Name/OU=Department/CN=oldserver.domain.com/emailAddress=admin@domain.com' \
    -> CIPHER 'DHE-RSA-AES256-SHA';

The ISSUER and SUBJECT lines come from what you filled out when creating the certificate authority CSR and the host CSR, respectively. You can get this value by looking for the issuer and subject lines in the ouput from the following command:

shell> openssl x509 -noout -in oldServer.crt -text

The CIPHER is what openssl uses by default for creating SSL certificates. If you used a different cipher when creating the key, CSR, and Certificates, then specify it accordingly.

So, after having those problems and now having SSL connectivity (half-way) completed, it’s time to move onto the old server. I send over the newly created SSL certificates to the old server via SSH and install them in roughly the same places:

oldServer> cp /root/sslcerts/CA.crt /etc/ssl/certs/CA.pem
oldServer> cp /root/sslcerts/oldServer.crt /etc/ssl/certs/oldServer.crt
oldServer> cp /root/sslcerts/oldServer.key /etc/ssl/private/oldServer.key

I then added the following lines under the client section in the /etc/mysql/my.cnf file:

ssl-ca = /etc/ssl/certs/CA.pem
ssl-key = /etc/ssl/private/oldServer.key
ssl-cert = /etc/ssl/certs/oldServer.crt
# ssl-cipher = ALL:-AES:-EXP

The specification of certificate information on the server as well as certificate information on the client is ESSENTIAL in the success of this. RTFM, if you haven’t already.

So, time to fire up the connection to see if it works:

oldServer> mysql -u customer_dbuser -h newServer -p --ssl-ca=/etc/ssl/certs/CA.pem --ssl-key=/etc/ssl/private/oldServer.key --ssl-cert=/etc/ssl/certs/oldServer.crt
Password: <enter goodsecret>
SSL Connect Failed

If you fail to put anything in the client section of the my.cnf file and DONT specify a ssl-key or ssl-cert on the command line, you will see a generic SSL connection error on the client side and the following error message on the server’s logs (IF you have debugging turned on):

tls peer did not respond with certificate list

This even occurs if you only entered REQUIRE SSL for the client and nothing further. But, this was not my case. I spend yet another few hours trying to figure out what happened with this and finally recompiled the newServer MySQL with the debug option. After trying again and parsing the debug files, I found the following line:

Error:  "error:00000005:lib(0):func(0):DH lib"

This was in the sslaccept function. After Googling this for about an hour, I found nothing relevant to the problem. It’s a generic openssl error, assuming that you are using openssl and not another SSL library set.

To make a long story short, the error message was extremely misleading and it boiled down to a permissions problem. I coulda sworn that all my permissions were correct, but it turns out they weren’t. Here’s how it was setup:

newServer> ls -alF /etc/ssl/private 
drwx------ 2 root root  184 May 19 21:47 ./
drwxr-xr-x 5 root root  152 Apr 19 19:52 ../
-rw-r--r-- 1 root root 3247 May 19 20:32 newServer.key

For those still unfamiliar with Linux, if you look at the permissions for ./, you’ll notice it’s Read, Write, and Execute for the owner ONLY. This means that nobody else could traverse into this directory, EVEN THOUGH the newServer.key was at least readable by everyone.

Moral of the Story

Double check your permissions.