DB question: MySQLi encrypt connection
#1

(This post was last modified: 02-16-2017, 10:04 PM by skunkbad.)

I've got a server with a self signed cert. It needs to be able to make a MySQLi connection with another server, and it must be an encrypted connection. Documentation is a little weak, but my experience with the necessary array elements doesn't help either.


Since I need to specify key, cert, ca, etc., does anyone have a link to a tutorial or necessary info? I'm on a fresh install of Ubuntu Server.

When I set up the self signed cert, I did this:

Code:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

Not sure about anything ...
Quote:‘ssl_key’ - Path to the private key file
‘ssl_cert’ - Path to the public key certificate file
‘ssl_ca’ - Path to the certificate authority file
‘ssl_capath’ - Path to a directory containing trusted CA certificates in PEM format
‘ssl_cipher’ - List of allowed ciphers to be used for the encryption, separated by colons (‘:’)
‘ssl_verify’ - TRUE/FALSE; Whether to verify the server certificate or not (‘mysqli’ only)
This is what I've got so far, but I'm not able to connect:

PHP Code:
$db['encrypted_connection'] = array(
    'dsn'    => '',
    'hostname' => '123.123.123.123',
    'username' => 'coolName',
    'password' => 'greatPassword',
    'database' => 'bigDatabase',
    'dbdriver' => 'mysqli',
    'dbprefix' => '',
    'pconnect' => FALSE,
    'db_debug' => (ENVIRONMENT !== 'production'),
    'cache_on' => FALSE,
    'cachedir' => '',
    'char_set' => 'utf8',
    'dbcollat' => 'utf8_general_ci',
    'swap_pre' => '',
    'encrypt' => [
        'ssl_key'    => '/etc/apache2/ssl/apache.key',
        'ssl_cert'   => '/etc/apache2/ssl/apache.crt',
        'ssl_ca'     => NULL,
        'ssl_capath' => NULL,
        'ssl_cipher' => 'DHE-RSA-AES256-SHA',
        'ssl_verify' => FALSE
    ],
    'compress' => FALSE,
    'stricton' => FALSE,
    'failover' => array(),
    'save_queries' => TRUE
); 

I just came across that cipher in another forum thread, so don't know if it should be something else or not.
#2

It's a generic "SSL configuration" - hardly differs from configuring HTTPS on a web server.

The OS will give you CA and CAPath defaults, so they only exist if you really need to override them.
Cipher is your own choice ... And there are a lot of wrong choices, but the preferable ones change over time, so no definitive answer.
Key and Cert are just things that you have, but I've seen nginx reject them simply because of trailing spaces at EOF and stuff like that, so it's not like you can't go wrong there ...

Unfortunately, it's a little too nuanced to be covered by a CI-specific manual. If you already understand SSL/TLS you'll know what to do, and if you don't - you'll screw it up even with all the info available in front of you.
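The following is an added example, not code from either post and not CodeIgniter's own source. It takes the config from post #1 and the points from post #2 (CA defaults, cipher choice, PEM files rejected for trailing bytes) and turns them into something you can run against your own files before involving the framework. Two things differ from the posted config. First, `ssl_key`/`ssl_cert` are a *client* identity; the Apache key and self-signed `apache.crt` only identify that web server and do nothing to verify the MySQL host. Second, `ssl_ca` is set and `ssl_verify` is TRUE: with `ssl_verify => FALSE` the link is encrypted but whoever answers on that IP is accepted, so there is no protection against an interposed host. The CI 3 mysqli driver passes these keys to `mysqli::ssl_set()` and sets `MYSQLI_OPT_SSL_VERIFY_SERVER_CERT` when `ssl_verify` is TRUE, which is what `connect_encrypted()` below does by hand. All paths, the host, port and credentials are placeholders (assumptions); `ca.pem` is assumed to be the CA that signed the MySQL server's certificate, which the remote admin has to give you.

```php
<?php
declare(strict_types=1);

// Placeholder paths (assumptions for this example). The CA file must be the one
// that signed the MySQL *server's* certificate, not a web server's own cert.
const MYSQL_CA_FILE     = '/etc/mysql/certs/ca.pem';
const MYSQL_CLIENT_KEY  = '/etc/mysql/certs/client-key.pem';  // only needed if the account REQUIREs X509
const MYSQL_CLIENT_CERT = '/etc/mysql/certs/client-cert.pem';

/**
 * Sanity-check PEM files before handing them to mysqli: readable, nothing after
 * the END line (the trailing-whitespace rejection mentioned in post #2), key
 * matches cert, cert not expired. Returns a list of problems; empty means OK.
 */
function check_pem_files(?string $caFile, ?string $keyFile = null, ?string $certFile = null): array
{
    $problems = [];
    foreach (array_filter([$caFile, $keyFile, $certFile]) as $path) {
        if (!is_readable($path)) {
            $problems[] = "$path is missing or not readable by the PHP user";
            continue;
        }
        // A clean PEM file ends with the END marker and exactly one LF.
        if (!preg_match('/-----END [A-Z ]+-----\n\z/', file_get_contents($path))) {
            $problems[] = "$path has trailing bytes after the END line (or CRLF line endings)";
        }
    }
    if ($keyFile !== null && $certFile !== null && is_readable($keyFile) && is_readable($certFile)) {
        $cert = file_get_contents($certFile);
        if (!openssl_x509_check_private_key($cert, file_get_contents($keyFile))) {
            $problems[] = "$keyFile is not the private key for $certFile";
        }
        $info = openssl_x509_parse($cert);
        if ($info === false || $info['validTo_time_t'] < time()) {
            $problems[] = "$certFile is unparsable or expired";
        }
    }
    return $problems;
}

/**
 * CodeIgniter 3 database config entry. Compared with the posted one: ssl_ca is
 * set and ssl_verify is TRUE, so the server certificate chain is checked.
 * ssl_key/ssl_cert stay NULL unless the MySQL account requires a client cert.
 */
function encrypted_connection_config(string $host, string $user, string $pass, string $db, bool $clientCert = false): array
{
    return [
        'dsn'      => '',
        'hostname' => $host,
        'username' => $user,
        'password' => $pass,
        'database' => $db,
        'dbdriver' => 'mysqli',
        'pconnect' => FALSE,
        'db_debug' => (defined('ENVIRONMENT') && ENVIRONMENT !== 'production'),
        'char_set' => 'utf8mb4',
        'dbcollat' => 'utf8mb4_unicode_ci',
        'encrypt'  => [
            'ssl_key'    => $clientCert ? MYSQL_CLIENT_KEY : NULL,
            'ssl_cert'   => $clientCert ? MYSQL_CLIENT_CERT : NULL,
            'ssl_ca'     => MYSQL_CA_FILE,
            'ssl_capath' => NULL,   // OS trust store default applies if both ssl_ca and ssl_capath are NULL
            'ssl_cipher' => NULL,   // let the TLS library negotiate; pin a list only for a known reason
            'ssl_verify' => TRUE,
        ],
    ];
}

/** The same connection with plain mysqli, mirroring what the CI driver does internally. */
function connect_encrypted(array $cfg, int $port = 3306): mysqli
{
    $e = $cfg['encrypt'];
    $m = mysqli_init();
    $m->ssl_set($e['ssl_key'], $e['ssl_cert'], $e['ssl_ca'], $e['ssl_capath'], $e['ssl_cipher']);
    $m->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, $e['ssl_verify']);
    if (!$m->real_connect($cfg['hostname'], $cfg['username'], $cfg['password'],
                          $cfg['database'], $port, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    // Confirm the session really is encrypted instead of assuming it from the flag.
    $res = $m->query("SHOW STATUS LIKE 'Ssl_cipher'");
    $row = $res ? $res->fetch_row() : null;
    if (empty($row[1])) {
        $m->close();
        throw new RuntimeException('session is not using TLS; is the server configured with ssl-ca/ssl-cert/ssl-key?');
    }
    return $m;
}

// Usage (placeholder host and credentials):
$cfg = encrypted_connection_config('123.123.123.123', 'coolName', 'greatPassword', 'bigDatabase');
$problems = check_pem_files($cfg['encrypt']['ssl_ca'], $cfg['encrypt']['ssl_key'], $cfg['encrypt']['ssl_cert']);
if ($problems) {
    fwrite(STDERR, implode(PHP_EOL, $problems) . PHP_EOL);
    exit(1);
}
$db = connect_encrypted($cfg);
echo 'TLS cipher in use: ', $db->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_row()[1], PHP_EOL;
```

Run `check_pem_files()` first on the actual files: it reports the PEM problems the server would otherwise surface only as a vague handshake error. If `connect_encrypted()` throws on the `Ssl_cipher` check, the remote MySQL has no `ssl-ca`/`ssl-cert`/`ssl-key` configured, which is the situation post #3 ends up describing; no client-side setting can fix that.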
#3

(02-17-2017, 05:35 AM)Narf Wrote: It's a generic "SSL configuration" - hardly differs from configuring HTTPS on a web server.

The OS will give you CA and CAPath defaults, so they only exist if you really need to override them.
Cipher is your own choice ... And there are a lot of wrong choices, but the preferable ones change over time, so no definitive answer.
Key and Cert are just things that you have, but I've seen nginx reject them simply because of trailing spaces at EOF and stuff like that, so it's not like you can't go wrong there ...

Unfortunately, it's a little too nuanced to be covered by a CI-specific manual. If you already understand SSL/TLS you'll know what to do, and if you don't - you'll screw it up even with all the info available in front of you.


As it turns out, the remote server isn't even configured to accept the secure connection, so I was going around in circles for nothing. Try again later ... assuming they set it up.

Thanks for the comments, and yes I'll probably screw it up.