Hi Kaleb,

Thanks for your reply.
I am a bit confused about the different names: CyaSSL, YaSSL, wolfSSL. Is there any information somewhere on how they link together? Is the MariaDB actually compiled with wolfSSL and just showing YaSSL?

Regarding my problem:
I am not so into programming to know where to enter your code. I also have no access to the code. I just have the config file:

/etc/mysql/mariadb.conf.d/50-server.cnf

My Section [mysqld] looks like this:

 ssl-ca=/etc/mysql/ssl/ca-cert.pem 
 ssl-cert=/etc/mysql/ssl/server-cert.pem
 ssl-key=/etc/mysql/ssl/server-key.pem
# ssl-capath=/etc/mysql/capath/Client1.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
# ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
 ssl=on

Now the loaded variables are:

Server version: 10.1.37-MariaDB-0+deb9u1 Raspbian 9.0

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+--------------------------------+
| Variable_name       | Value                          |
+---------------------+--------------------------------+
| have_openssl        | NO                             |
| have_ssl            | YES                            |
| ssl_ca              | /etc/mysql/ssl/ca-cert.pem     |
| ssl_capath          |                                |
| ssl_cert            | /etc/mysql/ssl/server-cert.pem |
| ssl_cipher          |                                |
| ssl_crl             |                                |
| ssl_crlpath         |                                |
| ssl_key             | /etc/mysql/ssl/server-key.pem  |
| version_ssl_library | YaSSL 2.4.4                    |
+---------------------+--------------------------------+

Where do I have to enter your code?

Thanks,
Markus

Hi,

I am new to SSL and especially to getting it running.
I am trying to enable SSL between an application and a MariaDB using YaSSL 2.4.4 based on the variable version_ssl_library.
Most users have the application running with OpenSSL. The setup there is quite easy:
- The application creates its own certificate, which can be exported (one cert per installation, therefore several per end device).
- The exported cert will be stored on the MariaDB server in a folder /path/capath. The variable ssl_capath points to these certs.
- As the server knows all client certificates, it will trust them and grant access.

Unfortunately YaSSL works a bit differently:
https://mariadb.com/kb/en/library/ssltl … sl_capath. "Those built with yaSSL don't normally support it, since yaSSL prefers to have all components of the CA certificate contained within a single certificate tree and each certificate in a file given a unique SubjectName value. To get around this with yaSSL, create a new file containing the concatenated individual certificate files in the tree, and specify this new file using this variable or the --ssl-capath option. It implies the --ssl option."

My setting:
I exported the installation files as Client1.crt, Client2.crt, Client3.crt.
These were converted into PEM format using

openssl x509 -in Client1.crt -inform DER -out Client1.pem -outform PEM

I have only one cert per client, no key-file and no CA-file.

My questions:
How can I create the mentioned new file with the tree?
How do I combine the individual certificates files into one file for YaSSL?
I would be really happy if you could provide examples of the commands I have to use.

Thanks!
Markus
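
The concatenation step from the MariaDB documentation quoted above, written out as an added example (not part of the original post and not code from MariaDB or yaSSL). It assumes the openssl command-line tool is installed; the function names build_bundle and count_certs and the bundle file name are hypothetical.

```shell
#!/bin/sh
# Build one PEM file from several DER-encoded certificates, as the quoted
# documentation asks for yaSSL builds ("concatenated individual certificate
# files"), and refuse the result if two certificates share a subject.
# Usage: build_bundle OUTPUT.pem CERT1.crt [CERT2.crt ...]
build_bundle() {
    out=$1; shift
    tmp=$(mktemp) || return 1
    subjects=$(mktemp) || { rm -f "$tmp"; return 1; }
    for crt in "$@"; do
        # Same conversion as in the post (DER in, PEM out), appended to one file.
        if ! openssl x509 -in "$crt" -inform DER -outform PEM >>"$tmp" 2>/dev/null; then
            echo "not a DER certificate: $crt" >&2
            rm -f "$tmp" "$subjects"; return 1
        fi
        # Record the subject so duplicates can be detected afterwards.
        openssl x509 -in "$crt" -inform DER -noout -subject >>"$subjects"
    done
    # The quoted text requires a unique SubjectName for each certificate.
    dup=$(sort "$subjects" | uniq -d)
    if [ -n "$dup" ]; then
        echo "duplicate subject: $dup" >&2
        rm -f "$tmp" "$subjects"; return 2
    fi
    rm -f "$subjects"
    # Only publish the bundle once every input has passed both checks.
    mv "$tmp" "$out"
    chmod 644 "$out"   # certificates are public; the server must be able to read them
}

# Count the certificates in a bundle, to confirm none were dropped.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Example call (file names as in the post, output name is a placeholder):
#   build_bundle client-bundle.pem Client1.crt Client2.crt Client3.crt
#   count_certs client-bundle.pem
```

According to the quoted documentation, the resulting single file is what the ssl_capath variable (or the --ssl-capath option) is then pointed at.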