[rt-users] Anyone using SSL-encrypted backend mysql calls?

Matt Simerson matt at corp.spry.com
Tue Sep 30 14:46:43 EDT 2008


Do NOT use mysql SSL in a production environment.

Yes, I have done it.  No, you do not want to.

It can be made to work. It is not stable. You will wake up one day  
wondering why mysql connections are dying. You will google the error  
messages and find all sorts of info on MySQL mailing lists showing  
that many others have the same problem. Then you too will recompile  
MySQL without SSL support and revert to stunnel.

Which you should have done in the first place, as others have already  
suggested.

It is not a "custom" solution, it's a very common and most excellent  
tool used for this purpose.

On mysql clients, I bind stunnel to 127.0.0.10?. Increment the last  
digit for each MySQL server your client wants to connect to.  On the  
mysql server, bind MySQL to the loopback IP and stunnel listens on the  
network interface and proxies the request to it.

Matt


On Sep 30, 2008, at 7:23 AM, simon jester wrote:

> Due to circumstances beyond my control (mgmt), my RT instances will be moved
> from their present isolated network into the mainstream with other corporate
> devices. As I don't want any sniffers that *might* exist on the wire to inspect
> my traffic to/from the database servers, I'm looking at using the SSL
> encryption feature...but I don't know what incantations need to be used for the
> front-end RT instance to successfully communicate.
>
> If this is explained in a FAQ or manual somewhere, please point me to it.
>
> Thanks, in advance...
>
>
> sklutch
>
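
The stunnel layout described in the reply above, as an added configuration sketch that is not part of the original message or of RT's documentation. The host names, the 192.0.2.x addresses, the file paths and the reading of "127.0.0.10?" as 127.0.0.101, 127.0.0.102, and so on are assumptions; `verifyChain` and `checkHost` are stunnel 5.x options (older releases use `verify = 2`).

```ini
; ---- Client side: stunnel.conf on the RT host (paths are assumptions) ----
; One service section per MySQL server, each on its own loopback address.
[mysql-db1]
client = yes
accept = 127.0.0.101:3306
connect = 192.0.2.10:3306
; Without the next three lines the tunnel is encrypted but the server is
; not authenticated, so an on-path host could terminate the TLS session.
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = db1.example.com

[mysql-db2]
client = yes
accept = 127.0.0.102:3306
connect = 192.0.2.11:3306
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = db2.example.com

; ---- Server side: stunnel.conf on db1 (separate file, separate host) ----
; stunnel owns the network-facing address and forwards to loopback MySQL.
[mysql]
accept = 192.0.2.10:3306
connect = 127.0.0.1:3306
cert = /etc/stunnel/db1.pem
key = /etc/stunnel/db1.key

; ---- Server side: my.cnf on db1 (separate file) ----
; mysqld listens on loopback only, so cleartext MySQL never touches the wire.
[mysqld]
bind-address = 127.0.0.1
```

With this layout RT's `DatabaseHost` would point at 127.0.0.101 rather than at the database server's real address. Every proxied connection reaches mysqld from 127.0.0.1, so MySQL host-based grants can no longer tell clients apart; limiting which machines may connect has to be done in stunnel (client certificates) or with a firewall on the stunnel port.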



