Topic: YaSSL with --ssl-capath - Looking for howto

Hi,

I am new to SSL and especially to get it running.
I am trying to enable SSL between an application and a MariaDB using YaSSL 2.4.4 based on the variable version_ssl_library.
Most users have the application running with OpenSSL. The setup there is quite easy:
- The application creates its own certificate, which can be exported (one cert per installation, therefore several per end device).
- The exported cert will be stored in a folder on the MariaDB Server in a folder /path/capath. The variable ssl_capath points to these certs.
- As the server knows all client certificates, it will trust them and grant access.

Unfortunately YaSSL works a bit differently:
https://mariadb.com/kb/en/library/ssltl … sl_capath. "Those built with yaSSL don't normally support it, since yaSSL prefers to have all components of the CA certificate contained within a single certificate tree and each certificate in a file given a unique SubjectName value. To get around this with yaSSL, create a new file containing the concatenated individual certificate files in the tree, and specify this new file using this variable or the --ssl-capath option. It implies the --ssl option."

My setting:
I exported the installation files as Client1.crt, Client2.crt, Client3.crt.
These were converted into PEM format using

openssl x509 -in Client1.crt -inform DER -out Client1.pem -outform PEM

I have only one cert per client, no key-file and no CA-file.

My questions:
How can I create the mentioned new file with the tree?
How do I combine the individual certificates files into one file for YaSSL?
I would be really happy, if you could provide examples of the commands I have to use.

Thanks!
Markus
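As an added example (not from the thread and not wolfSSL or MariaDB project code), a POSIX shell script that does what the quoted MariaDB documentation asks for: it concatenates the individual Client*.pem files into one bundle file and then counts, and optionally lists the SubjectName of, the certificates that went in. Directory and file names are assumptions; the certificates created by the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread: build the single concatenated
# CA file that the quoted MariaDB docs describe for yaSSL, from a directory
# of individual client certificates in PEM format.
set -eu

# Convert one exported DER .crt file to PEM (the openssl command from the
# question, wrapped so it can be run over several files).
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# Concatenate every *.pem file in directory $1 into the bundle file $2,
# keeping only the certificate blocks (text outside the markers is dropped).
build_ca_bundle() {
    capath="$1"
    bundle="$2"
    : > "$bundle"
    for pem in "$capath"/*.pem; do
        [ -f "$pem" ] || continue
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" >> "$bundle"
    done
}

# Number of certificates in a bundle: one BEGIN marker per certificate.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the SubjectName of each certificate in the bundle (needs openssl).
# yaSSL requires every certificate in the file to carry a unique SubjectName,
# so a subject printed twice here is a bundle yaSSL will not accept.
list_subjects() {
    bundle="$1"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; skipping subject listing" >&2
        return 0
    fi
    tmpdir=$(mktemp -d)
    # split the bundle into one file per certificate
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$bundle"
    for c in "$tmpdir"/cert*.pem; do
        openssl x509 -in "$c" -noout -subject || echo "unreadable certificate: $c" >&2
    done
    rm -rf "$tmpdir"
}

# Demo with constructed placeholder files (not real certificates) so the
# script runs offline; point it at the real exported ClientN.pem files instead.
demo() {
    work=$(mktemp -d)
    mkdir "$work/capath"
    for i in 1 2 3; do
        {
            echo "-----BEGIN CERTIFICATE-----"
            echo "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE-$i"
            echo "-----END CERTIFICATE-----"
        } > "$work/capath/Client$i.pem"
    done
    build_ca_bundle "$work/capath" "$work/ca-bundle.pem"
    echo "certificates in bundle: $(count_certs "$work/ca-bundle.pem")"
    rm -rf "$work"
}

demo
```

On real files, run der_to_pem on each exported .crt first, then build_ca_bundle over the directory of PEM files and list_subjects on the result; the bundle file is the single concatenated file that the quoted MariaDB documentation says to hand to the server in place of a directory.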


Re: YaSSL with --ssl-capath - Looking for howto

Hi Markus,

Thank you for contacting wolfSSL via the forums with your questions!

Have you tried simply loading the entire directory so you don't have to build up trust chains like you described? The way to load all certs in a directory for verification purposes is like the example below:

      #include <stdio.h>
      #include <wolfssl/options.h>
      #include <wolfssl/ssl.h>

      int main(void)
      {
          int ret;
          WOLFSSL_CTX* ctx;

          wolfSSL_Init();

          ctx = wolfSSL_CTX_new(wolfSSLv23_server_method());
          if (ctx == NULL) {
              printf("CTX init failed\n");
              return -1;
          }
          // Load every cert in the directory "./certs" rather than loading a specific file
          // (file argument NULL, path argument set); returns WOLFSSL_SUCCESS on success
          ret = wolfSSL_CTX_load_verify_locations(ctx, NULL, "./certs");
          printf("ret = %d\n", ret);

          wolfSSL_CTX_free(ctx);
          wolfSSL_Cleanup();
          return (ret == WOLFSSL_SUCCESS) ? 0 : -1;
      }

Regards,

K

Re: YaSSL with --ssl-capath - Looking for howto

Hi Kaleb,

Thanks for your reply.
I am a bit confused about the different names: CyaSSL, YaSSL, wolfSSL. Is there any information somewhere on how they link together? Is MariaDB actually compiled with wolfSSL and just showing YaSSL?

Regarding my problem:
I am not into programming enough to know where to enter your code. I also have no access to the code. I just have the config file

/etc/mysql/mariadb.conf.d/50-server.cnf

My Section [mysqld] looks like this:

 ssl-ca=/etc/mysql/ssl/ca-cert.pem 
 ssl-cert=/etc/mysql/ssl/server-cert.pem
 ssl-key=/etc/mysql/ssl/server-key.pem
# ssl-capath=/etc/mysql/capath/Client1.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
# ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
 ssl=on

Now the loaded variables are:

Server version: 10.1.37-MariaDB-0+deb9u1 Raspbian 9.0

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+--------------------------------+
| Variable_name       | Value                          |
+---------------------+--------------------------------+
| have_openssl        | NO                             |
| have_ssl            | YES                            |
| ssl_ca              | /etc/mysql/ssl/ca-cert.pem     |
| ssl_capath          |                                |
| ssl_cert            | /etc/mysql/ssl/server-cert.pem |
| ssl_cipher          |                                |
| ssl_crl             |                                |
| ssl_crlpath         |                                |
| ssl_key             | /etc/mysql/ssl/server-key.pem  |
| version_ssl_library | YaSSL 2.4.4                    |
+---------------------+--------------------------------+

Where do I have to enter your code?

Thanks,
Markus
