MySQL with SSL Disabled

Found an issue today that was resolved fairly easily, but was a pain to find.

Was trying to get MySQL working with SSL, did everything in the howtos, everything looked right. But I was still getting that have_openssl & have_ssl were DISABLED.

Turns out the problem was the private key file.

MySQL wants the header to be:
-----BEGIN RSA PRIVATE KEY----- 

OpenSSL 1.0 makes a header of:
-----BEGIN PRIVATE KEY-----

OpenSSL 0.9.8 includes the RSA in the header.

The difference stems from:
– PKCS#1 RSAPrivateKey (PEM header: BEGIN RSA PRIVATE KEY)
– PKCS#8 PrivateKeyInfo (PEM header: BEGIN PRIVATE KEY)

Please note that the footer has to match the header as well.
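
A quick way to check a key file for the header problem described above, as an added example that is not part of the original post. The function names are hypothetical, and the sample key file is constructed and contains no real key material.

```bash
#!/bin/bash
# Added example (hypothetical helper names): classify a PEM private key by its armor lines.

# Prints pkcs1, pkcs8, footer-mismatch or unknown.
# Returns 0 only for the "BEGIN RSA PRIVATE KEY" form this post says MySQL wants.
key_pem_format() {
    local first last want kind
    # Trailing blanks or CRs after the dashes are stripped before comparing.
    first=$(grep -m1 '^-----BEGIN ' "$1" 2>/dev/null | sed 's/[[:space:]]*$//')
    last=$(grep '^-----END ' "$1" 2>/dev/null | tail -n 1 | sed 's/[[:space:]]*$//')
    case "$first" in
        '-----BEGIN RSA PRIVATE KEY-----') kind=pkcs1; want='-----END RSA PRIVATE KEY-----' ;;
        '-----BEGIN PRIVATE KEY-----')     kind=pkcs8; want='-----END PRIVATE KEY-----' ;;
        *) echo unknown; return 2 ;;
    esac
    if [ "$last" != "$want" ]; then
        echo footer-mismatch
        return 3
    fi
    echo "$kind"
    [ "$kind" = pkcs1 ]
}

# Check every ssl-key= path in a my.cnf-style file (paths without spaces assumed).
check_cnf_keys() {
    local rc=0 path
    for path in $(sed -n 's/^[[:space:]]*ssl-key[[:space:]]*=[[:space:]]*//p' "$1"); do
        printf '%s: ' "$path"
        key_pem_format "$path" || rc=1
    done
    return $rc
}

# Constructed sample: PKCS#8 armor around a dummy body (not a real key).
sample=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END PRIVATE KEY-----' > "$sample"
key_pem_format "$sample" || echo "-> rewrite this key before pointing ssl-key at it"
rm -f "$sample"
```

Run check_cnf_keys against /etc/my.cnf to test both the [mysqld] and [client] keys in one go.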

Great article on making a bootable OSX install image

Quick summary:

  1. Download the installer from the App Store
  2. Go to Applications & right-click on Install OSX…. , select view Package Contents
  3. Under Shared Support select InstallESD.dmg, hold the option key & drag it to the desktop (this will make a copy)
  4. Use Disk Utility to format an 8GB USB stick as 1 partition, Mac OS Extended (Journaled) with a GUID Partition Table.
  5. Then restore InstallESD.dmg to the stick.

Here is the article:
http://subrosasoft.com/blog/guide/create-a-bootable-mac-os-x-10-8-mountain-lion-installer-flash-drive

Keepass in a console

I use the Linux console a lot & there are a lot of times I quickly need a password. I also use KeePassX to store all my passwords. I have a sync script set up to securely sync with a private server. To date I have not been able to quickly grab a password from the command line.

I would ideally like something that did the following:
(set KEEPASSKEYFILE=/somepath/somefile & KEEPASSFILE=/somepath/someotherfile)
$ keepass -l gmail (l for list)
Password: ***********

gmail.com – user1
gmail.com – user2

$ keepass -p gmail.com user1 (p for password)
SecretPassword4User1

I haven’t found this yet, maybe I will write it… we will see
But until then I did see this:

  • http://blog.codingtony.com/2011/01/keepass-in-console.html
  • http://sourceforge.net/projects/ckpass/

Howto wipe your hard disk quickly, securely & easily

I was looking for a way to clean all the data from a hard disk and found a tool that I had never seen before: dcfldd. I haven’t looked into all the options yet, but what I have seen works very well. Basically it is a replacement for the *nix command dd. The thing that I liked about it was that it lets you add an input pattern, thus speeding up the process significantly.

So the next thing was to figure out what to write to the disk. I was taught that multi-pass writes were really a good thing, but have read a lot more recently that says you only need 1 pass to get basically the same effect. Being paranoid but in a bit of a hurry, I decided to do a 2 pass wipe: first set all bits to 1, then do a second pass to set them to 0. This means that every bit will go high then low, so the history would be: ? -> 1 -> 0. That seems like a good / fast solution to me, and it does not need the slow random pass. I like the 0’s to be on the final pass so installers see a nice clean drive. If you are going to encrypt the drive you might want to do a random pass at the end.

Anyway here are the steps:

  1. Download & burn your favorite Linux live CD. Make sure that it is 32bit (i386). I used CentOS 6.
  2. Boot from the CD, login
  3. Open a terminal
  4. sudo su -
  5. go to /dev and find your hard drive(s); let's use /dev/sdb for this example (make sure to use the root drive, not a partition, so /dev/sdb not /dev/sdb1)
  6. write ones: dcfldd pattern=FF of=/dev/sdb bs=1024   (this is the really nice part of dcfldd the pattern statement makes this really easy)
  7. write zeros: dcfldd pattern=00 of=/dev/sdb bs=1024   (pattern should be even faster than /dev/zero, I haven’t played with block sizes with dcfldd, but coming from dd, 1024 seems to be good)
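
To confirm that each pass really covered the whole device, the following added example (not part of the original post; stray_bytes and verify_pass are hypothetical names) counts the bytes that differ from the pattern just written. It runs against a constructed 64 KiB image file here; on the live CD you would pass /dev/sdb instead, as root.

```bash
#!/bin/bash
# Added example (hypothetical helper names): verify a single-byte wipe pass.

# Print how many bytes of TARGET differ from the hex byte PATTERN (FF, 00, ...).
stray_bytes() {
    local target=$1 octal
    octal=$(printf '%03o' "0x$2") || return 2
    # Refuse unreadable or empty targets so they are never reported as clean.
    [ "$(head -c 1 "$target" 2>/dev/null | wc -c)" -eq 1 ] || return 2
    # tr -d deletes every byte equal to the pattern; anything left is a stray byte.
    LC_ALL=C tr -d "\\$octal" < "$target" | wc -c | tr -d ' '
}

# Succeed only if every byte of TARGET equals PATTERN.
verify_pass() {
    local n
    n=$(stray_bytes "$1" "$2") || { echo "$1: cannot read" >&2; return 2; }
    if [ "$n" -ne 0 ]; then
        echo "$1: $n byte(s) differ from $2" >&2
        return 1
    fi
    echo "$1: every byte is $2"
}

# Constructed stand-in for a disk: a 64 KiB image file, so nothing real is touched.
img=$(mktemp)
head -c 65536 /dev/zero | LC_ALL=C tr '\000' '\377' > "$img"   # state after the ones pass
verify_pass "$img" FF
head -c 65536 /dev/zero > "$img"                               # state after the zeros pass
verify_pass "$img" 00
rm -f "$img"
```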

Encrypted MySQL Connections

This week I fought with MySQL trying to get an encrypted connection. Getting the server piece to appear to work was easier than actually getting the connection. Whether the problems didn’t show up until the connection or the code in the mysql client app is just broken, I’m not sure, but I did get it to work.

My environment was:

  • RHEL 6.3
  • MySQL 5.5.28 from MySQL SRPM, compiled against OpenSSL 1.0.0j

ERROR 2026 (HY000): SSL connection error: ASN: before date in the future

  • this one is easy: the client rejects a certificate whose start date is later than the current time, so wait a minute and it goes away

I kept getting: ERROR 2026 (HY000): SSL connection error: protocol version mismatch

  • Make sure that your DN’s are different.
  • I saw a lot of stuff to use 0.9.8(something) to generate the certificates, and this did work once, but I also had several fails with 0.9.8 as well.
  • I also got 1.0.0 to work – not 100% sure what I did differently to finally get it working. All of a sudden it went from not working to working.
  • I did use statically defined subject lines, but not 100% sure that fixed it. I think I had the first one fail but after so many trials, I’m not sure.
  • My guess is that the client side has a problem with any but the simplest DN’s. But that is just a guess.

For the SSL connection error: protocol version mismatch – I did a little research in the code, but then stopped once I got it working:

  1. protocol version mismatch comes from badVersion_error in yassl_error.cpp
  2. badVersion is used in 2 files: extra/yassl/src/yassl_imp.cpp & extra/yassl/src/yassl_int.cpp
  3. either there is a test that is applied to the client cert file that is bombing out because of a version, or the client cert file is not being loaded & causing an error with the underlying ssl — haven’t dug deeper yet

So Here is the code:

/etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
symbolic-links=0
log-error=/var/log/mysqld.log
bind-address=server.milcom.us

sql_mode=STRICT_ALL_TABLES
max_allowed_packet=64M
query_cache_size=128M

# innodb settings
innodb_fast_shutdown=0
innodb_flush_log_at_trx_commit=1
innodb_lock_wait_timeout=120

# replication settings
server-id=1
log-bin=mysql-bin
binlog-format=MIXED
sync_binlog=1

# SSL settings
ssl
ssl-cipher=DHE-RSA-AES256-SHA
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

log-error=/var/log/mysql/error
log-warnings

[client]
host=server.milcom.us
port=3306
user=username

ssl
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem

/etc/mysql/make-cert
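#!/bin/bash
# ********* NEW CERT Script **********
# Run this from /etc/mysql: it deletes every .pem file in the current directory.
rm -f *.pem

# CA key and self-signed CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -subj '/DC=us/DC=milcom/CN=CA'

# Server key and request, with a subject that differs from the CA's
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem -subj '/DC=us/DC=milcom/DC=server'
# Rewrite the key in place; with the OpenSSL 1.0.0 used here this gives the
# BEGIN RSA PRIVATE KEY header (see "MySQL with SSL Disabled" above)
openssl rsa -in server-key.pem -out server-key.pem
# Sign the server request with the CA
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Client key, request and certificate, again with its own subject and serial
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem -subj '/DC=us/DC=milcom/DC=server/CN=user'
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 0x100001 -out client-cert.pem

# Both certificates must verify against the CA
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

# Permissions: CA key readable by its owner only, server files by the mysql group
chmod 600 ca-key.pem
chmod 644 ca-cert.pem
chgrp mysql server* client*
chmod 640 server*
# Note: 644 leaves client-key.pem readable by every local user
chmod 644 client*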
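
Two of the failures above (identical DNs and a start date in the future) can be caught before the first connection attempt. The following is an added example, not part of the original post: the function names are hypothetical, and it assumes the openssl command line tool and GNU date are available.

```bash
#!/bin/bash
# Added example (hypothetical helper names): pre-flight checks for the certificates
# produced by a script like make-cert.
# Usage: preflight ca-cert.pem server-cert.pem client-cert.pem

# Print the subject DN of a certificate (the text format varies by OpenSSL version).
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Succeed only if every certificate given has a different subject DN.
distinct_subjects() {
    local f dups
    dups=$(for f in "$@"; do cert_subject "$f"; done | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate subject DN: $dups" >&2
        return 1
    fi
}

# Succeed only if the certificate's notBefore is not later than this host's clock.
# A failure here is the "before date in the future" case.
not_before_ok() {
    local start start_s
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    start_s=$(date -u -d "$start" +%s) || return 2
    [ "$start_s" -le "$(date -u +%s)" ]
}

# Run both checks over all certificates and report every problem found.
preflight() {
    local rc=0 f
    distinct_subjects "$@" || rc=1
    for f in "$@"; do
        not_before_ok "$f" || { echo "$f: not valid yet on this host" >&2; rc=1; }
    done
    return $rc
}
```

Run not_before_ok on the client machine as well, since the date error depends on that machine's clock rather than the server's.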

References:

  • http://waterlovinghead.com/MysqlSSL&show_comments=1#comments
  • http://www.mysqlfanboy.com/2011/11/simplified-mysql-ssl-connections/
  • http://bugs.mysql.com/bug.php?id=64870
  • http://orensol.com/2010/06/21/error-2026-hy000-ssl-connection-error-the-solution/
  • http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
  • http://dev.mysql.com/doc/refman/5.0/en/server-options.html
  • http://www.howtoforge.com/managing-multiple-mysql-servers-from-one-phpmyadmin-installation-using-ssl-encryption

2012 Conference – Sunday Service

Scott Kirkpatrick (Greenville)

  • Romans 5:6-8
  • Christ died for me.
  • Ephesians 2:13-16

Mike Talifero

  • Matthew 4:8-10
  • Satan tried to get Jesus to trade
  • Say no to Internet Pornography
  • Change our schedules
  • Truly repent – be penitent & decisive
  • Purpose
  • Matthew 8:1-
  • Luke 6:12-
  • Matthew 28:16-
  • When the apostles came off the mountain, they made disciples, we got the book of Acts
  • Get back to basics
  • We will never solve a problem that we won’t face.
  • Do I have the purpose of Christ in my heart?
  • Jesus' plan is just for each of us to help another person
  • Sacrifice
  • since when is sacrifice, moving from 1 rich American city to another?
  • be frugal savers not credit bengers
  • Mark 9: – coming off the mountain is tough
  • there is no sugar coating this
  • We can not fade … don’t forget!
  • 1 Peter 5:5
  • We had become the message. We should have never been the message. It is God’s mercy & His s
  • 2 Corinthians 5:5-10

2012 Conference – Saturday Night Service

third night

(Indonesia)

  • 17k Islands
  • 4k Disciples in 29 cities
  • Matthew 13:32
  • Why did God describe the kingdom of God as a mustard seed?
  • God believes that even the smallest seed can make a big impact. What can 1 disciple do?
  • 1 Disciple started a church
  • Church planting doubled in 1 year
  • there are 17k disciples here tonight – 16k new churches 🙂

Emmanual Emmah (Lagos Nigeria)

  • if you believe, you can say to that mountain, move, and it will
  • Psalm 145:1-7
  • Physical mountains & spiritual mountains
  • Biggest mountain to move is the generational mountain
  • Mountains can either elevate or obstruct
  • Am I willing to move?
  • Poem: Black Man Who Dream

Alex Paiz (Rio De Janero)

  • Mark 1:15
  • Chronos (chronological time) & Kairos (special time, God’s time)
  • This is Kairos – a special time, God’s time
  • This was just after John the Baptist had been put in jail by Herod, so he went right into Herod’s backyard and preached this.
  • Have you prayed to be a missionary? Have you prayed to serve where the greatest needs are?
  • What is holding you back?
  • Old: Abraham was 75 when he was called.
  • Young: Timothy was a teen when he was called.
  • The time has come!

Brian Campbell (Campus minister from Denver Colorado)

  • 2 Corinthians 3:18

2012 Conference – Married Mens Session – The Man and the Mountain

Cynicism is …
But with God, mountains can be climbed,

Robert Carillo (San Diego Coc)
Men’s Leadership in the Family
As a sinner to sinners – nobody is perfect, yet we are commanded to be perfect.

  • Conviction to follow advice.
  • We need convictions to be a great husband & father. – I need to lead my house!
  • the greatest mountain is to lead our families to heaven
  • Exodus 23:17 – “Three times a year all the men are to appear before the Sovereign Lord.”
  • Men are trashed by popular culture. – That is the image of men my son is growing up with.
  • Men used to solve problems & rescue.
  • Even the heroes have serious issues (batman, iron man, hulk, etc.)
  • Who do our sons have to look up to?
  • Who do our daughters have to encourage them?
  • Fathers make a difference!
  • We have a generation of children growing up having no idea who Jesus is.
  • 150 – 200 Million orphans. Huge global problem!
  • God’s plan breaks down when fathers don’t do their job.
  • Genesis 18:18-20
  • Exodus 10:1-2
  • Deuteronomy 4:8-10
  • Deuteronomy 6:4-7
  • Leviticus 18:21
  • Leviticus 20:2
  • They were sacrificing their children; how are we sacrificing our children to sports (Nike), academics, pride?
  • Luke 17
  • God wants to rescue our children, should be from the world & not from us.
  • Malachi 4:1-6 (God ends the OT with a curse – scary – depends on hearts of children & parents being turned to each other).
  • Luke 1:8-17 — why did John the Baptist come? to make a people ready for the Lord — this is our charge as brothers, especially our children
  • PREPARE MY CHILDREN, PREPARE MY HOUSE FOR THE COMING OF THE LORD!
  • Psalm by the music director for David, Asaph – Ezra 3:11 – found his children singing His love endures forever! – 500 years later!!!
  • I need to fight (Satan) for my children!

John Lewey (Singapore Church Evangelist)

  • Statistically children who have a great relationship with their parents have fewer health problems.
  • Ephesians 6:1-3 — Children obey your parents … so that it will go well with you.
  • Fathers teach children how to regulate their emotions, thru play.
  • 1 Thessalonians 2:11-12 (encourage, comfort, urge)
  • Help Adolescents By Providing a Voice of Reason
  • Mothers bring out the problems, Fathers are better at solving them — both are needed!
  • #1 predictor of premarital sex was viewing pornography
  • We (as fathers) make assumptions & are lazy.
  • Help Adolescents By _____
  • I need to spend time with each of my kids each week, 1:1.
  • What are your highs & what are the lows?
  • Be a positive role model. As a father, as a husband.
  • Be constantly encouraging!
  • Stay involved thru thick & thin.
  • Do not exasperate. (Ephesians 6:4)
  • I need to be available to talk about all emotions.
  • What do I not like to talk about?
  • Need to get connected.
  • Spend time 1:1 with each child – very specific – model the be
  • http://www.gep.sg to download slides

2012 Conference – Second Night Service

Sam Powell

Joshua 14:7-15

  • Caleb wanted the hill country.
  • It was going to be hard; the Anakites were there.
  • It was a challenge.
  • God has a challenge for each of us.
  • The challenges help us to get out of our comfort zone.
  • We have to decide that we are going to take the hill country.

Numbers 13:17-14:16,20-24

What will it take?

  • God said Caleb had a different spirit:
  • A trusting spirit. We need to believe God.
  • Proverbs 3:5
  • Psalm 37:3-6
  • We need to trust God. He is faithful.
  • We have to trust our leaders. If we don’t trust we won’t give our heart.
  • Leaders have to be humble to get trust.
  • We have to trust each other.
  • We must trust sister churches.
  • You have to start with wanting to trust.
  • There is a price to pay for building unity & trust. – We need to pay that price. We have to pay it.

Joshua 15:13-14

  • Satan loves division.
  • Numbers 13:21
  • Time to fight for what we want.
  • We have to try to do something. We may fail, but we may not.
  • The victory was that they tried.
  • Who is helping me?