Yacoubi Mohamed - Mysql
2023-02-13T14:54:31+01:00
Yacoubi Mohamed
urn:md5:eacabd43d1ec1439188ee60076d41b1e
Dotclear
myisamchk error Not enough memory for blob
urn:md5:0eef442678b48d1303c4abeeacd1c4cd
2009-08-27T23:59:00+02:00
2010-02-28T21:19:24+01:00
Mohamed YACOUBI
Mysql
Gentoo
infogérance
mysql
<p><img src="https://blog.yacoubi.fr/public/Logo/.mysql_logo_s.jpg" alt="mysql_logo.gif" style="display:block; margin:0 auto;" title="mysql_logo.gif, fév. 2010" />
<br />
A new error showed up on a table that was corrupted when <strong><a href="http://www.mysql.fr/" hreflang="fr">MySQL</a></strong> crashed for lack of RAM (out of memory).
<br />
<br />
<ins>First, a quick reminder of how the <strong><a href="http://dev.mysql.com/doc/refman/5.0/en/myisam-storage-engine.html" hreflang="en">MyISAM</a></strong> engine stores a table on disk:</ins></p>
<ol>
<li>wordpress_postmeta.MYD - the data file, where every record of the table is stored.</li>
<li>wordpress_postmeta.MYI - the index file.</li>
<li>wordpress_postmeta.frm - the table definition (schema).</li>
</ol>
<p><br /></p>
<p><ins>Here is the error encountered while repairing the table:</ins></p>
<pre class="bash">srv1234 ~ <span style="color: #808080; font-style: italic;"># myisamchk -r /var/lib/mysql/wordpress/wordpress_postmeta.MYI</span>
- recovering <span style="color: #7a0874; font-weight: bold;">(</span>with <span style="color: #c20cb9; font-weight: bold;">sort</span><span style="color: #7a0874; font-weight: bold;">)</span> MyISAM-table <span style="color: #ff0000;">'/var/lib/mysql/wordpress/wordpress_postmeta.MYI'</span>
Data records: <span style="color: #000000;">31769</span>
- Fixing index <span style="color: #000000;">1</span>
Wrong block with wrong total length starting at <span style="color: #000000;">94358749</span>
myisamchk: error: Not enough memory <span style="color: #000000; font-weight: bold;">for</span> blob at <span style="color: #000000;">94358800</span>
MyISAM-table <span style="color: #ff0000;">'/var/lib/mysql/wordpress/wordpress_postmeta.MYI'</span> is not fixed because of errors</pre>
<p>This happens because a corrupted record header (the "wrong block" at offset 94358749) claims a <strong><a href="http://dev.mysql.com/doc/refman/5.0/en/blob.html" hreflang="en">BLOB</a></strong> length far larger than the data actually present, so myisamchk tries to allocate a buffer of that size, fails, and gives up on the whole table.
The fix was simple enough: add the <strong><a href="http://dev.mysql.com/doc/refman/5.0/en/myisamchk-repair-options.html#option_myisamchk_max-record-length" hreflang="en">--max-record-length=0</a></strong> option.</p>
<pre class="bash">srv1234 ~ <span style="color: #808080; font-style: italic;"># myisamchk --max-record-length=0 -r /var/lib/mysql/wordpress/wordpress_postmeta.MYI</span></pre>
<p><strong><a href="http://dev.mysql.com/doc/refman/5.0/en/myisamchk-repair-options.html#option_myisamchk_max-record-length" hreflang="en">--max-record-length</a></strong> tells myisamchk to skip rows larger than the given length when it cannot allocate memory for them; with 0, every row whose buffer cannot be allocated is skipped, so the rows with corrupt length headers are dropped and the rest of the table is recovered. The skipped rows are lost for good, so copy the .MYD, .MYI and .frm files before running it, and compare the "Data records" count before and after.</p>
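<p>The repair described above, wrapped the way it should be run in practice: back up the three files first, try a plain repair, and only fall back to skipping unallocatable rows if it aborts. This is an added example, not the post's own commands. It assumes myisamchk is on PATH and that the table is not in use by a running mysqld (stop the server, or FLUSH TABLES WITH READ LOCK first, since myisamchk works on the files directly); the datadir, table and backup paths are placeholders.</p>

```shell
#!/bin/sh
# Added example, not from the original post: a guarded version of the repair.
# Assumes myisamchk is on PATH and mysqld is stopped or the table is flushed and
# locked; datadir, table and backup paths are only examples.
set -eu

# Print the three files that make up a MyISAM table; fail if one is missing.
myisam_files() {
    mf_dir="$1"; mf_table="$2"
    for mf_ext in MYD MYI frm; do
        mf_file="$mf_dir/$mf_table.$mf_ext"
        [ -f "$mf_file" ] || { echo "missing $mf_file" >&2; return 1; }
        echo "$mf_file"
    done
}

# Copy the files before anything destructive: --max-record-length=0 drops the
# rows it cannot allocate, and this copy is the only way to get them back.
backup_myisam_table() {
    bt_files=$(myisam_files "$1" "$2") || return 1
    mkdir -p "$3"
    for bt_file in $bt_files; do cp -p "$bt_file" "$3/"; done
}

# Row count as reported by myisamchk -dv ("Records:" line), to compare the
# table before and after the repair and see how many rows were skipped.
myisam_row_count() {
    myisamchk -dv "$1" | awk '/^Records:/ { print $2 }'
}

# Plain -r first; only if it aborts on an unallocatable blob, retry while
# skipping such rows, as in the post.
repair_myisam_table() {
    rt_idx="$1/$2.MYI"
    if myisamchk -r "$rt_idx"; then
        echo "repaired without skipping rows"
    else
        echo "retrying with --max-record-length=0 (corrupt rows will be dropped)" >&2
        myisamchk --max-record-length=0 -r "$rt_idx"
    fi
}

# usage: sh repair-myisam.sh /var/lib/mysql/wordpress wordpress_postmeta /root/myisam-backup
if [ "$#" -eq 3 ]; then
    backup_myisam_table "$1" "$2" "$3"
    echo "rows before: $(myisam_row_count "$1/$2.MYI")"
    repair_myisam_table "$1" "$2"
    echo "rows after:  $(myisam_row_count "$1/$2.MYI")"
fi
```

<p>If the two row counts differ, the difference is the number of rows dropped by the fallback; restore those from the application side or from the backup copy, not from the repaired table.</p>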
Using MySQL over SSL
urn:md5:029af18452e1d61bbeecb1db41ea31de
2009-01-29T19:01:00+01:00
2010-02-28T21:19:40+01:00
Mohamed YACOUBI
Mysql
cryptologie
infogérance
linux
mysql
openssl
ssl
x509
<p><img src="https://blog.yacoubi.fr/public/Logo/.mysql_logo_s.jpg" alt="mysql_logo.gif" style="display:block; margin:0 auto;" title="mysql_logo.gif, fév. 2010" />
<br />
Par défaut, <strong>MySQL</strong> utilise une connexion en clair entre le client et le serveur. Cela signifie qu'une personne peut surveiller votre trafic, et lire les données échangées. Cette personne pourrait aussi modifier les données qui transitent entre le client et le serveur. Parfois, vous aurez besoin d'échanger des informations sur un réseau public, mais en sécurisant ces informations. Dans ce cas, utiliser une connexion sans protection est inacceptable.</p>
<p><strong>SSL</strong> is a protocol that uses several cryptographic algorithms to make data sent across a public network trustworthy. It carries integrity checks that detect alteration, truncation or replay of the data, and it provides identity verification through <strong>X509</strong> certificates.</p>
<p>Encryption makes data unreadable to anyone without the key. In practice, modern protocols require more than confidentiality from their algorithms: they must also resist attacks such as message reordering or replay of earlier messages.</p>
<p><strong>X509</strong> is a standard that makes it possible to identify a party on the Internet; it is the basis of e-commerce security. In simple terms, an organisation (the "certificate authority") issues an electronic certificate to anyone who needs one. Certificates rely on asymmetric cryptography, with two keys, one public and one private. A certificate contains the owner's public key, signed by the authority; the owner proves its identity by presenting the certificate and demonstrating possession of the matching private key, which it never discloses. Data encrypted with the public key can only be decrypted with that private key.</p>
<p><strong>MySQL</strong> does not use encrypted connections by default, because encryption costs CPU time on both ends and slows the protocol down. Out of the box, <strong>MySQL</strong> is configured to be as fast as possible.</p>
<h4><ins>Good to know:</ins></h4>
<p><strong>MySQL</strong> lets you decide account by account.
<strong>SSL</strong> can be required for some users only, and a connection can be encrypted without verifying the client's identity: <strong>REQUIRE SSL</strong> only enforces encryption, whereas <strong>REQUIRE X509</strong>, <strong>REQUIRE SUBJECT</strong> or <strong>REQUIRE ISSUER</strong> additionally demand a client certificate signed by a trusted CA.</p>
<h4><ins>Checking for SSL support:</ins></h4>
<p>To find out whether a <strong>MySQL</strong> server has <strong>SSL</strong> support, connect to it and run the following query:</p>
<pre class="sql">mysql<span style="color: #66cc66;">></span> <span style="color: #993333; font-weight: bold;">SHOW</span> <span style="color: #993333; font-weight: bold;">VARIABLES</span> <span style="color: #993333; font-weight: bold;">LIKE</span> <span style="color: #ff0000;">'have_openssl'</span>;
+<span style="color: #808080; font-style: italic;">------------------+-------------+</span>
<span style="color: #66cc66;">|</span> Variable_name <span style="color: #66cc66;">|</span> Value <span style="color: #66cc66;">|</span>
+<span style="color: #808080; font-style: italic;">------------------+-------------+</span>
<span style="color: #66cc66;">|</span> have_openssl <span style="color: #66cc66;">|</span> DISABLED <span style="color: #66cc66;">|</span>
+<span style="color: #808080; font-style: italic;">------------------+-------------+</span>
<span style="color: #cc66cc;">1</span> row <span style="color: #993333; font-weight: bold;">IN</span> <span style="color: #993333; font-weight: bold;">SET</span> <span style="color: #66cc66;">(</span><span style="color: #cc66cc;">0.00</span> sec<span style="color: #66cc66;">)</span></pre>
<p>Support is compiled in but not enabled (a value of NO would mean the server was built without SSL).</p>
<h4><ins>Enabling SSL support and creating the certificates</ins></h4>
<p>All certificates must be in <strong>"pem" format (base64-encoded X509)</strong></p>
<ul>
<li>Preparing the ground</li>
</ul>
<p>1) Create the directory</p>
<pre class="bash"><span style="color: #c20cb9; font-weight: bold;">mkdir</span> -p <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>private
<span style="color: #c20cb9; font-weight: bold;">mkdir</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>newcerts<span style="color: #000000; font-weight: bold;">/</span>
<span style="color: #7a0874; font-weight: bold;">cd</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql</pre>
<p>2) Create the files openssl ca needs: the index database and the serial counter</p>
<pre class="bash"><span style="color: #c20cb9; font-weight: bold;">touch</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>index.txt
<span style="color: #7a0874; font-weight: bold;">echo</span> <span style="color: #ff0000;">"01"</span> <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>serial</pre>
<p>3) Prepare an alternative openssl.cnf</p>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># cp -av /etc/ssl/openssl.cnf ./ </span>
`<span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>openssl.cnf<span style="color: #ff0000;">' -> `./openssl.cnf'</span></pre>
<p>4) Edit openssl.cnf so that the CA directory points at /etc/ssl/mysql</p>
<pre class="diff">srv94 mysql # diff /etc/ssl/openssl.cnf ./openssl.cnf
<span style="color: #440088;">37c37</span>
<span style="color: #991111;">< dir = ./demoCA # Where everything is kept</span>
<span style="color: #888822;">---
<span style="color: #00b000;">> dir = /etc/ssl/mysql/ # Where everything is kept</span></span></pre>
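<p>Review bot: the dir change is correct, but the copied openssl.cnf keeps its default_bits and default_days values, which is why every key generated below is reported as "1024 bit RSA" and openssl ca certifies for "365 days" even though -days 3600 is passed to openssl req (that option only applies together with -x509). Raise default_bits to at least 2048 and default_days to the intended lifetime in the same edit, so the server certificate does not expire after a year and the keys are not 1024-bit.</p>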
<ul>
<li>Generating the certificate authority (CA). Two caveats: <strong>openssl req -x509</strong> without <strong>-days</strong> issues a certificate valid for only 30 days, so pass -days explicitly; and give the CA a Common Name different from the one used for the server and client certificates (below it is srv94.sd-france.net for both), otherwise MySQL built against OpenSSL will reject the files:</li>
</ul>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># openssl req -new -x509 -keyout /etc/ssl/mysql/private/cakey.pem -out /etc/ssl/mysql/cacert.pem -config /etc/ssl/mysql/openssl.cnf</span>
Generating a <span style="color: #000000;">1024</span> bit RSA private key
................++++++
..........................++++++
writing new private key to <span style="color: #ff0000;">'/etc/ssl/mysql/private/cakey.pem'</span>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter <span style="color: #ff0000;">'.'</span>, the field will be left blank.
-----
Country Name <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">2</span> letter code<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>AU<span style="color: #7a0874; font-weight: bold;">]</span>:FR
State or Province Name <span style="color: #7a0874; font-weight: bold;">(</span>full name<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>Some-State<span style="color: #7a0874; font-weight: bold;">]</span>:Seine Saint-Denis
Locality Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, city<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:Saint-Denis
Organization Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, company<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>Internet Widgits Pty Ltd<span style="color: #7a0874; font-weight: bold;">]</span>:Euro-Web SARL
Organizational Unit Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, section<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:
Common Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, YOUR name<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:srv94.sd-france.net
Email Address <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:xxxxxxx<span style="color: #000000; font-weight: bold;">@</span>xxxxx.xx</pre>
<ul>
<li>Generate the server's private key together with a certificate request (the -days option has no effect here, it only applies to self-signed certificates created with -x509; the validity is decided at signing time):</li>
</ul>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># openssl req -new -keyout /etc/ssl/mysql/server-key.pem -out /etc/ssl/mysql/server-req.pem -days 3600 -config /etc/ssl/mysql/openssl.cnf</span>
Generating a <span style="color: #000000;">1024</span> bit RSA private key
.......................................++++++
............++++++
writing new private key to <span style="color: #ff0000;">'/etc/ssl/mysql/server-key.pem'</span>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter <span style="color: #ff0000;">'.'</span>, the field will be left blank.
-----
Country Name <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">2</span> letter code<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>AU<span style="color: #7a0874; font-weight: bold;">]</span>:FR
State or Province Name <span style="color: #7a0874; font-weight: bold;">(</span>full name<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>Some-State<span style="color: #7a0874; font-weight: bold;">]</span>:Seine Saint-Denis
Locality Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, city<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:Saint-Denis
Organization Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, company<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>Internet Widgits Pty Ltd<span style="color: #7a0874; font-weight: bold;">]</span>:Euro-Web SARL
Organizational Unit Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, section<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:
Common Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, YOUR name<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:srv94.sd-france.net
Email Address <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:xxxxxxx<span style="color: #000000; font-weight: bold;">@</span>xxxxx.xx
Please enter the following <span style="color: #ff0000;">'extra'</span> attributes
to be sent with your certificate request
A challenge password <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:
An optional company name <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:</pre>
<ul>
<li>Remove the passphrase from the key, since mysqld must be able to read it unattended; the unencrypted key must then be readable only by the mysql user (chown mysql, chmod 600):</li>
</ul>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># openssl rsa -in /etc/ssl/mysql/server-key.pem -out /etc/ssl/mysql/server-key.pem</span>
Enter pass phrase <span style="color: #000000; font-weight: bold;">for</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>server-key.pem:
writing RSA key</pre>
<ul>
<li>Have the certificate authority (CA) sign the server certificate (the validity comes from default_days in openssl.cnf, 365 days here):</li>
</ul>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># openssl ca -policy policy_anything -out /etc/ssl/mysql/server-cert.pem -config /etc/ssl/mysql/openssl.cnf -infiles /etc/ssl/mysql/server-req.pem</span>
Using configuration from <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>openssl.cnf
Enter pass phrase <span style="color: #000000; font-weight: bold;">for</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">//</span>private<span style="color: #000000; font-weight: bold;">/</span>cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: <span style="color: #000000;">1</span> <span style="color: #7a0874; font-weight: bold;">(</span>0x1<span style="color: #7a0874; font-weight: bold;">)</span>
Validity
Not Before: Feb <span style="color: #000000;">12</span> <span style="color: #000000;">17</span>:<span style="color: #000000;">55</span>:<span style="color: #000000;">14</span> <span style="color: #000000;">2009</span> GMT
Not After : Feb <span style="color: #000000;">12</span> <span style="color: #000000;">17</span>:<span style="color: #000000;">55</span>:<span style="color: #000000;">14</span> <span style="color: #000000;">2010</span> GMT
Subject:
countryName = FR
stateOrProvinceName = Seine Saint-Denis
localityName = Saint-Denis
organizationName = Euro-Web SARL
commonName = srv94.sd-france.net
emailAddress = xxxxxxx<span style="color: #000000; font-weight: bold;">@</span>xxxxx.xx
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CC:D2:B4:BF:DD:7F:<span style="color: #000000;">07</span>:9D:<span style="color: #000000;">46</span>:5F:<span style="color: #000000;">22</span>:3B:4D:A4:8C:<span style="color: #000000;">08</span>:D6:C2:EB:B7
X509v3 Authority Key Identifier:
keyid:<span style="color: #000000;">54</span>:F0:E4:EF:<span style="color: #000000;">61</span>:E0:<span style="color: #000000;">05</span>:<span style="color: #000000;">70</span>:F1:<span style="color: #000000;">24</span>:<span style="color: #000000;">82</span>:B2:<span style="color: #000000;">06</span>:<span style="color: #000000;">69</span>:<span style="color: #000000;">60</span>:<span style="color: #000000;">83</span>:<span style="color: #000000;">01</span>:4E:<span style="color: #000000;">27</span>:<span style="color: #000000;">16</span>
Certificate is to be certified <span style="color: #000000; font-weight: bold;">until</span> Feb <span style="color: #000000;">12</span> <span style="color: #000000;">17</span>:<span style="color: #000000;">55</span>:<span style="color: #000000;">14</span> <span style="color: #000000;">2010</span> GMT <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">365</span> days<span style="color: #7a0874; font-weight: bold;">)</span>
Sign the certificate? <span style="color: #7a0874; font-weight: bold;">[</span>y<span style="color: #000000; font-weight: bold;">/</span>n<span style="color: #7a0874; font-weight: bold;">]</span>:y
<span style="color: #000000;">1</span> out of <span style="color: #000000;">1</span> certificate requests certified, commit? <span style="color: #7a0874; font-weight: bold;">[</span>y<span style="color: #000000; font-weight: bold;">/</span>n<span style="color: #7a0874; font-weight: bold;">]</span>y
Write out database with <span style="color: #000000;">1</span> new entries
Data Base Updated</pre>
<ul>
<li>Generate the client's private key together with a certificate request. It is done on the server here for convenience; in production, generate the key on the client host, or move it there over a secure channel and delete the server's copy:</li>
</ul>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># openssl req -new -keyout /etc/ssl/mysql/client-key.pem -out /etc/ssl/mysql/client-req.pem -days 3600 -config /etc/ssl/mysql/openssl.cnf</span>
Generating a <span style="color: #000000;">1024</span> bit RSA private key
..............++++++
...................................++++++
writing new private key to <span style="color: #ff0000;">'/etc/ssl/mysql/client-key.pem'</span>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter <span style="color: #ff0000;">'.'</span>, the field will be left blank.
-----
Country Name <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">2</span> letter code<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>AU<span style="color: #7a0874; font-weight: bold;">]</span>:FR
State or Province Name <span style="color: #7a0874; font-weight: bold;">(</span>full name<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>Some-State<span style="color: #7a0874; font-weight: bold;">]</span>:Paris
Locality Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, city<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:Paris
Organization Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, company<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span>Internet Widgits Pty Ltd<span style="color: #7a0874; font-weight: bold;">]</span>:Euro-Web
Organizational Unit Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, section<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:SD-France
Common Name <span style="color: #7a0874; font-weight: bold;">(</span>eg, YOUR name<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:blog.yacoubi.fr
Email Address <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:xxxxx<span style="color: #000000; font-weight: bold;">@</span>xxx.xx
Please enter the following <span style="color: #ff0000;">'extra'</span> attributes
to be sent with your certificate request
A challenge password <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:
An optional company name <span style="color: #7a0874; font-weight: bold;">[</span><span style="color: #7a0874; font-weight: bold;">]</span>:</pre>
<ul>
<li>Remove the passphrase</li>
</ul>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># openssl rsa -in /etc/ssl/mysql/client-key.pem -out /etc/ssl/mysql/client-key.pem</span>
Enter pass phrase <span style="color: #000000; font-weight: bold;">for</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>client-key.pem:
writing RSA key</pre>
<ul>
<li>And finally have the CA sign the certificate</li>
</ul>
<pre class="bash">srv94 mysql <span style="color: #808080; font-style: italic;"># openssl ca -policy policy_anything -out /etc/ssl/mysql/client-cert.pem -config /etc/ssl/mysql/openssl.cnf -infiles /etc/ssl/mysql/client-req.pem</span>
Using configuration from <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">/</span>openssl.cnf
Enter pass phrase <span style="color: #000000; font-weight: bold;">for</span> <span style="color: #000000; font-weight: bold;">/</span>etc<span style="color: #000000; font-weight: bold;">/</span>ssl<span style="color: #000000; font-weight: bold;">/</span>mysql<span style="color: #000000; font-weight: bold;">//</span>private<span style="color: #000000; font-weight: bold;">/</span>cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: <span style="color: #000000;">2</span> <span style="color: #7a0874; font-weight: bold;">(</span>0x2<span style="color: #7a0874; font-weight: bold;">)</span>
Validity
Not Before: Feb <span style="color: #000000;">12</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">07</span>:<span style="color: #000000;">44</span> <span style="color: #000000;">2009</span> GMT
Not After : Feb <span style="color: #000000;">12</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">07</span>:<span style="color: #000000;">44</span> <span style="color: #000000;">2010</span> GMT
Subject:
countryName = FR
stateOrProvinceName = Paris
localityName = Paris
organizationName = Euro-Web
organizationalUnitName = SD-France
commonName = blog.yacoubi.fr
emailAddress = xxxxx<span style="color: #000000; font-weight: bold;">@</span>xxx.xx
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
<span style="color: #000000;">09</span>:<span style="color: #000000;">76</span>:3A:FC:BF:<span style="color: #000000;">58</span>:<span style="color: #000000;">34</span>:<span style="color: #000000;">42</span>:CF:<span style="color: #000000;">54</span>:CE:<span style="color: #000000;">23</span>:<span style="color: #000000;">81</span>:<span style="color: #000000;">63</span>:C4:<span style="color: #000000;">13</span>:A3:4F:CD:5B
X509v3 Authority Key Identifier:
keyid:<span style="color: #000000;">54</span>:F0:E4:EF:<span style="color: #000000;">61</span>:E0:<span style="color: #000000;">05</span>:<span style="color: #000000;">70</span>:F1:<span style="color: #000000;">24</span>:<span style="color: #000000;">82</span>:B2:<span style="color: #000000;">06</span>:<span style="color: #000000;">69</span>:<span style="color: #000000;">60</span>:<span style="color: #000000;">83</span>:<span style="color: #000000;">01</span>:4E:<span style="color: #000000;">27</span>:<span style="color: #000000;">16</span>
Certificate is to be certified <span style="color: #000000; font-weight: bold;">until</span> Feb <span style="color: #000000;">12</span> <span style="color: #000000;">18</span>:<span style="color: #000000;">07</span>:<span style="color: #000000;">44</span> <span style="color: #000000;">2010</span> GMT <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">365</span> days<span style="color: #7a0874; font-weight: bold;">)</span>
Sign the certificate? <span style="color: #7a0874; font-weight: bold;">[</span>y<span style="color: #000000; font-weight: bold;">/</span>n<span style="color: #7a0874; font-weight: bold;">]</span>:y
<span style="color: #000000;">1</span> out of <span style="color: #000000;">1</span> certificate requests certified, commit? <span style="color: #7a0874; font-weight: bold;">[</span>y<span style="color: #000000; font-weight: bold;">/</span>n<span style="color: #7a0874; font-weight: bold;">]</span>y
Write out database with <span style="color: #000000;">1</span> new entries
Data Base Updated</pre>
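<p>The whole certificate procedure above, as an added example that is not from the original post: a POSIX shell script that builds the CA, server and client certificates non-interactively with openssl req and openssl x509 -req (no openssl ca database), gives the CA a Common Name distinct from the leaf certificates, sets an explicit CA lifetime, adds the extensions the interactive flow left to openssl.cnf defaults (basicConstraints, keyUsage, extendedKeyUsage, and a subjectAltName carrying the server hostname), verifies both chains with openssl verify, and prints the client subject in the slash-separated X509_NAME_oneline form that MySQL compares against in GRANT ... REQUIRE SUBJECT. It assumes openssl 1.1.1 or newer on PATH; the output directory, hostnames, DN values and key sizes are made up for the example.</p>

```shell
#!/bin/sh
# Added example, not part of the original post: CA / server / client chain for
# MySQL, built non-interactively. Assumes openssl 1.1.1+ on PATH; directory,
# hostnames, DN values and key sizes are invented for the example.
set -eu
umask 077   # every file written here, keys included, is created owner-only

# Minimal req config so the script does not depend on the distro's openssl.cnf.
# [v3_ca] gives the CA a real CA:TRUE constraint and signing-only key usage.
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Key + CSR for $2 with subject $3, signed by the CA with the extensions in $2.ext.
issue_cert() {
    ic_pki="$1"; ic_name="$2"; ic_subj="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$ic_pki/req.cnf" \
        -subj "$ic_subj" -keyout "$ic_pki/$ic_name-key.pem" -out "$ic_pki/$ic_name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$ic_pki/$ic_name.csr" \
        -CA "$ic_pki/ca.pem" -CAkey "$ic_pki/ca-key.pem" -CAcreateserial \
        -extfile "$ic_pki/$ic_name.ext" -out "$ic_pki/$ic_name.pem" 2>/dev/null
}

# Build ca.pem, server.pem, client.pem and their keys under $1.
# $2 is the server hostname, $3 the client certificate's CN.
make_mysql_pki() {
    pki="$1"; host="$2"; client_cn="$3"
    mkdir -p "$pki"
    write_req_config "$pki"
    # CA: explicit -days (req -x509 defaults to 30 days) and a CN that differs
    # from the server and client CNs, which MySQL requires.
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -config "$pki/req.cnf" -subj "/C=FR/O=Example Hosting/CN=Example Hosting MySQL CA" \
        -keyout "$pki/ca-key.pem" -out "$pki/ca.pem" 2>/dev/null
    # Server: serverAuth EKU plus a SAN with the hostname clients will verify.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$pki/server.ext"
    issue_cert "$pki" server "/C=FR/O=Example Hosting/CN=$host"
    # Client: clientAuth EKU only; its subject is what REQUIRE SUBJECT matches.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$pki/client.ext"
    issue_cert "$pki" client "/C=FR/O=Example Hosting/CN=$client_cn"
    rm -f "$pki"/*.csr
}

# Both leaf certificates must chain to ca.pem for their intended purpose.
verify_mysql_pki() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/server.pem" >/dev/null &&
    openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/client.pem" >/dev/null
}

# Subject in the slash-separated X509_NAME_oneline form, which is the form
# mysqld compares against in GRANT ... REQUIRE SUBJECT '...'.
client_subject() {
    openssl x509 -noout -subject -nameopt compat -in "$1/client.pem" | sed 's/^subject= *//'
}

# usage: sh make-mysql-pki.sh /etc/ssl/mysql srv94.sd-france.net app-client
if [ "$#" -ge 2 ]; then
    make_mysql_pki "$1" "$2" "${3:-mysql-client}"
    verify_mysql_pki "$1"
    echo "GRANT USAGE ON *.* TO 'app'@'%' REQUIRE SUBJECT '$(client_subject "$1")';"
fi
```

<p>Point ssl-ca, ssl-cert and ssl-key in the [mysqld] section at ca.pem, server.pem and server-key.pem, copy ca.pem, client.pem and client-key.pem to the client host, and use the printed REQUIRE SUBJECT string (or plain REQUIRE X509) instead of REQUIRE SSL when the client's identity matters and not only encryption.</p>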
<h4><ins>Server configuration:</ins></h4>
<p>Edit the <strong>MYSQL</strong> configuration (my.cnf) and restart the server:</p>
<pre class="sql"><span style="color: #66cc66;">[</span>mysqld<span style="color: #66cc66;">]</span>
ssl-ca<span style="color: #66cc66;">=</span>/etc/ssl/mysql/cacert.pem
ssl-cert<span style="color: #66cc66;">=</span>/etc/ssl/mysql/server-cert.pem
ssl-key<span style="color: #66cc66;">=</span>/etc/ssl/mysql/server-key.pem</pre>
<p>Check that <strong>SSL</strong> is now enabled</p>
<pre class="sql">mysql<span style="color: #66cc66;">></span> <span style="color: #993333; font-weight: bold;">SHOW</span> <span style="color: #993333; font-weight: bold;">VARIABLES</span> <span style="color: #993333; font-weight: bold;">LIKE</span> <span style="color: #ff0000;">'have_openssl'</span>;
+<span style="color: #808080; font-style: italic;">------------------+-------+</span>
<span style="color: #66cc66;">|</span> Variable_name <span style="color: #66cc66;">|</span> Value <span style="color: #66cc66;">|</span>
+<span style="color: #808080; font-style: italic;">------------------+-------+</span>
<span style="color: #66cc66;">|</span> have_openssl <span style="color: #66cc66;">|</span> YES <span style="color: #66cc66;">|</span>
+<span style="color: #808080; font-style: italic;">------------------+-------+</span>
<span style="color: #cc66cc;">1</span> row <span style="color: #993333; font-weight: bold;">IN</span> <span style="color: #993333; font-weight: bold;">SET</span> <span style="color: #66cc66;">(</span><span style="color: #cc66cc;">0.00</span> sec<span style="color: #66cc66;">)</span></pre>
<p>From here on everything is done on the command line; you can of course put the same settings in /etc/mysql/my.cnf on the client host, after copying cacert.pem, client-cert.pem and client-key.pem there with the key readable only by the user running the client:</p>
<pre class="sql"><span style="color: #66cc66;">[</span>client<span style="color: #66cc66;">]</span>
ssl-ca <span style="color: #66cc66;">=</span> /etc/ssl/mysql/cacert.pem
ssl-cert <span style="color: #66cc66;">=</span> /etc/ssl/mysql/client-cert.pem
ssl-key <span style="color: #66cc66;">=</span> /etc/ssl/mysql/client-key.pem</pre>
<p>Create or modify a user account so that <strong>SSL</strong> is required. REQUIRE SSL only enforces an encrypted connection; to make the client present a certificate signed by our CA as well, use REQUIRE X509, or REQUIRE SUBJECT '...' / REQUIRE ISSUER '...' to pin the account to a specific certificate subject or issuer:</p>
<pre class="sql"><span style="color: #993333; font-weight: bold;">REVOKE</span> <span style="color: #993333; font-weight: bold;">ALL</span> PRIVILEGES <span style="color: #993333; font-weight: bold;">ON</span> <span style="color: #ff0000;">`mohamed`</span>.* <span style="color: #993333; font-weight: bold;">FROM</span> <span style="color: #ff0000;">'mohamed'</span>@<span style="color: #ff0000;">'%'</span>; <span style="color: #993333; font-weight: bold;">GRANT</span> <span style="color: #993333; font-weight: bold;">SELECT</span>, <span style="color: #993333; font-weight: bold;">INSERT</span>, <span style="color: #993333; font-weight: bold;">UPDATE</span>, <span style="color: #993333; font-weight: bold;">DELETE</span>, <span style="color: #993333; font-weight: bold;">CREATE</span>, <span style="color: #993333; font-weight: bold;">DROP</span>, <span style="color: #993333; font-weight: bold;">INDEX</span>, <span style="color: #993333; font-weight: bold;">ALTER</span>, <span style="color: #993333; font-weight: bold;">CREATE</span> <span style="color: #993333; font-weight: bold;">TEMPORARY</span> <span style="color: #993333; font-weight: bold;">TABLES</span>, <span style="color: #993333; font-weight: bold;">LOCK</span> <span style="color: #993333; font-weight: bold;">TABLES</span>, <span style="color: #993333; font-weight: bold;">CREATE</span> <span style="color: #993333; font-weight: bold;">VIEW</span>, <span style="color: #993333; font-weight: bold;">SHOW</span> <span style="color: #993333; font-weight: bold;">VIEW</span>, <span style="color: #993333; font-weight: bold;">CREATE</span> ROUTINE, <span style="color: #993333; font-weight: bold;">ALTER</span> ROUTINE, EXECUTE <span style="color: #993333; font-weight: bold;">ON</span> <span style="color: #ff0000;">`mohamed`</span>.* <span style="color: #993333; font-weight: bold;">TO</span> <span style="color: #ff0000;">'mohamed'</span>@<span style="color: #ff0000;">'%'</span> REQUIRE SSL;</pre>
<p>A test with a standard connection lets us verify that <strong>SSL</strong> is indeed required</p>
<pre class="bash">blog ~ <span style="color: #808080; font-style: italic;"># mysql -umohamed -pssl -hsrv94</span>
ERROR <span style="color: #000000;">1045</span> <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">28000</span><span style="color: #7a0874; font-weight: bold;">)</span>: Access denied <span style="color: #000000; font-weight: bold;">for</span> user <span style="color: #ff0000;">'mohamed'</span><span style="color: #000000; font-weight: bold;">@</span><span style="color: #ff0000;">'localhost'</span> <span style="color: #7a0874; font-weight: bold;">(</span>using password: YES<span style="color: #7a0874; font-weight: bold;">)</span></pre>
<p>A new test, this time specifying the CA: the connection is established</p>
<pre class="bash">blog ~ <span style="color: #808080; font-style: italic;"># mysql -umohamed -pssl --ssl-ca=/etc/mysql/ca-cert.pem -hsrv94</span>
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection <span style="color: #c20cb9; font-weight: bold;">id</span> is <span style="color: #000000;">101</span>
Server version: <span style="color: #000000;">5.0</span><span style="color: #000000;">.70</span> Gentoo Linux mysql<span style="color: #000000;">-5.0</span><span style="color: #000000;">.70</span>-r1
Type <span style="color: #ff0000;">'help;'</span> or <span style="color: #ff0000;">'<span style="color: #000099; font-weight: bold;">\h</span>'</span> <span style="color: #000000; font-weight: bold;">for</span> <span style="color: #7a0874; font-weight: bold;">help</span>. Type <span style="color: #ff0000;">'<span style="color: #000099; font-weight: bold;">\c</span>'</span> to <span style="color: #c20cb9; font-weight: bold;">clear</span> the buffer.
mysql<span style="color: #000000; font-weight: bold;">></span></pre>
<p>Here is the difference between the <strong>non-SSL</strong> and the <strong>SSL</strong> version, captured by sniffing the traffic</p>
<pre class="bash">mysqlsniffer listening <span style="color: #000000; font-weight: bold;">for</span> MySQL on interface eth0 port <span style="color: #000000;">3306</span>
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60024</span> <span style="color: #000000; font-weight: bold;">></span> server: ID <span style="color: #000000;">0</span> len <span style="color: #000000;">1</span> COM_QUIT
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60025</span>: ID <span style="color: #000000;">0</span> len <span style="color: #000000;">52</span> Handshake <span style="color: #000000; font-weight: bold;"><</span>proto <span style="color: #000000;">10</span> ver <span style="color: #000000;">5.0</span><span style="color: #000000;">.70</span> thd <span style="color: #000000;">17</span><span style="color: #000000; font-weight: bold;">></span>
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60025</span> <span style="color: #000000; font-weight: bold;">></span> server: ID <span style="color: #000000;">1</span> len <span style="color: #000000;">61</span> Handshake <span style="color: #7a0874; font-weight: bold;">(</span>new auth<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #000000; font-weight: bold;"><</span>user mohamed db <span style="color: #7a0874; font-weight: bold;">(</span>null<span style="color: #7a0874; font-weight: bold;">)</span> max pkt <span style="color: #000000;">16777216</span><span style="color: #000000; font-weight: bold;">></span>
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60025</span>: ID <span style="color: #000000;">2</span> len <span style="color: #000000;">7</span> OK <span style="color: #000000; font-weight: bold;"><</span>fields <span style="color: #000000;">0</span> affected rows <span style="color: #000000;">0</span> insert <span style="color: #c20cb9; font-weight: bold;">id</span> <span style="color: #000000;">0</span> warnings <span style="color: #000000;">0</span><span style="color: #000000; font-weight: bold;">></span>
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60025</span> <span style="color: #000000; font-weight: bold;">></span> server: ID <span style="color: #000000;">0</span> len <span style="color: #000000;">33</span> COM_QUERY: <span style="color: #000000; font-weight: bold;">select</span> <span style="color: #000000; font-weight: bold;">@@</span>version_comment limit <span style="color: #000000;">1</span>
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60025</span>: ID <span style="color: #000000;">1</span> len <span style="color: #000000;">1</span> <span style="color: #000000;">1</span> Fields
ID <span style="color: #000000;">2</span> len <span style="color: #000000;">39</span> Field: ..<span style="color: #000000; font-weight: bold;">@@</span>version_comment <span style="color: #000000; font-weight: bold;"><</span>type var string <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">509</span><span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #c20cb9; font-weight: bold;">size</span> <span style="color: #000000;">28</span><span style="color: #000000; font-weight: bold;">></span>
ID <span style="color: #000000;">3</span> len <span style="color: #000000;">5</span> End <span style="color: #000000; font-weight: bold;"><</span>warnings <span style="color: #000000;">0</span><span style="color: #000000; font-weight: bold;">></span>
ID <span style="color: #000000;">4</span> len <span style="color: #000000;">29</span> <span style="color: #000000; font-weight: bold;">||</span> Gentoo Linux mysql<span style="color: #000000;">-5.0</span><span style="color: #000000;">.70</span>-r1 <span style="color: #000000; font-weight: bold;">||</span>
ID <span style="color: #000000;">5</span> len <span style="color: #000000;">5</span> End <span style="color: #000000; font-weight: bold;"><</span>warnings <span style="color: #000000;">0</span><span style="color: #000000; font-weight: bold;">></span></pre>
<hr />
<pre class="bash">mysqlsniffer listening <span style="color: #000000; font-weight: bold;">for</span> MySQL on interface eth0 port <span style="color: #000000;">3306</span>
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span>: ID <span style="color: #000000;">0</span> len <span style="color: #000000;">52</span> Handshake <span style="color: #000000; font-weight: bold;"><</span>proto <span style="color: #000000;">10</span> ver <span style="color: #000000;">5.0</span><span style="color: #000000;">.70</span> thd <span style="color: #000000;">21</span><span style="color: #000000; font-weight: bold;">></span>
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span> <span style="color: #000000; font-weight: bold;">></span> server: ID <span style="color: #000000;">1</span> len <span style="color: #000000;">32</span> Handshake <span style="color: #7a0874; font-weight: bold;">(</span>new auth<span style="color: #7a0874; font-weight: bold;">)</span> <span style="color: #000000; font-weight: bold;"><</span>user db <span style="color: #7a0874; font-weight: bold;">(</span>null<span style="color: #7a0874; font-weight: bold;">)</span> max pkt <span style="color: #000000;">16777216</span><span style="color: #000000; font-weight: bold;">></span>
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span> <span style="color: #000000; font-weight: bold;">></span> server: ::FRAGMENT END::
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span>:
::FRAGMENT START::
::FRAGMENT END::
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span> <span style="color: #000000; font-weight: bold;">></span> server:
::FRAGMENT START::
::FRAGMENT END::
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span>:
::FRAGMENT START::
::FRAGMENT END::
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span> <span style="color: #000000; font-weight: bold;">></span> server:
::FRAGMENT START::
::FRAGMENT END::
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span>:
::FRAGMENT START::
::FRAGMENT END::
<span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span> <span style="color: #000000; font-weight: bold;">></span> server:
::FRAGMENT START::
::FRAGMENT END::
server <span style="color: #000000; font-weight: bold;">></span> <span style="color: #000000;">78.41</span><span style="color: #000000;">.233</span><span style="color: #000000;">.209</span><span style="color: #000000;">.60302</span>:
::FRAGMENT START::
::FRAGMENT END::</pre>
<p>Note that this option only enables encryption; we test with a file picked at random from the system</p>
<pre class="bash">blog ~ <span style="color: #808080; font-style: italic;"># mysql -umohamed -pssl --ssl-ca=/root/LISEZMOI.TXT -hsrv94</span>
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection <span style="color: #c20cb9; font-weight: bold;">id</span> is <span style="color: #000000;">103</span>
Server version: <span style="color: #000000;">5.0</span><span style="color: #000000;">.70</span> Gentoo Linux mysql<span style="color: #000000;">-5.0</span><span style="color: #000000;">.70</span>-r1
Type <span style="color: #ff0000;">'help;'</span> or <span style="color: #ff0000;">'<span style="color: #000099; font-weight: bold;">\h</span>'</span> <span style="color: #000000; font-weight: bold;">for</span> <span style="color: #7a0874; font-weight: bold;">help</span>. Type <span style="color: #ff0000;">'<span style="color: #000099; font-weight: bold;">\c</span>'</span> to <span style="color: #c20cb9; font-weight: bold;">clear</span> the buffer.
mysql<span style="color: #000000; font-weight: bold;">></span></pre>
<p>Encryption is all well and good, but if any file at all can serve as the CA, it limits the benefit.
We will therefore force the use of a valid, that is signed, certificate</p>
<pre class="sql"><span style="color: #993333; font-weight: bold;">REVOKE</span> <span style="color: #993333; font-weight: bold;">ALL</span> PRIVILEGES <span style="color: #993333; font-weight: bold;">ON</span> <span style="color: #ff0000;">`mohamed`</span>.* <span style="color: #993333; font-weight: bold;">FROM</span> <span style="color: #ff0000;">'mohamed'</span>@<span style="color: #ff0000;">'%'</span>; <span style="color: #993333; font-weight: bold;">GRANT</span> <span style="color: #993333; font-weight: bold;">SELECT</span>, <span style="color: #993333; font-weight: bold;">INSERT</span>, <span style="color: #993333; font-weight: bold;">UPDATE</span>, <span style="color: #993333; font-weight: bold;">DELETE</span>, <span style="color: #993333; font-weight: bold;">CREATE</span>, <span style="color: #993333; font-weight: bold;">DROP</span>, <span style="color: #993333; font-weight: bold;">INDEX</span>, <span style="color: #993333; font-weight: bold;">ALTER</span>, <span style="color: #993333; font-weight: bold;">CREATE</span> <span style="color: #993333; font-weight: bold;">TEMPORARY</span> <span style="color: #993333; font-weight: bold;">TABLES</span>, <span style="color: #993333; font-weight: bold;">LOCK</span> <span style="color: #993333; font-weight: bold;">TABLES</span>, <span style="color: #993333; font-weight: bold;">CREATE</span> <span style="color: #993333; font-weight: bold;">VIEW</span>, <span style="color: #993333; font-weight: bold;">SHOW</span> <span style="color: #993333; font-weight: bold;">VIEW</span>, <span style="color: #993333; font-weight: bold;">CREATE</span> ROUTINE, <span style="color: #993333; font-weight: bold;">ALTER</span> ROUTINE, EXECUTE <span style="color: #993333; font-weight: bold;">ON</span> <span style="color: #ff0000;">`mohamed`</span>.* <span style="color: #993333; font-weight: bold;">TO</span> <span style="color: #ff0000;">'mohamed'</span>@<span style="color: #ff0000;">'%'</span> REQUIRE X509;</pre>
<p>We test again</p>
<pre class="bash">blog ~ <span style="color: #808080; font-style: italic;"># mysql -umohamed -pssl -hsrv94 </span>
ERROR <span style="color: #000000;">1045</span> <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">28000</span><span style="color: #7a0874; font-weight: bold;">)</span>: Access denied <span style="color: #000000; font-weight: bold;">for</span> user <span style="color: #ff0000;">'mohamed'</span><span style="color: #000000; font-weight: bold;">@</span><span style="color: #ff0000;">'localhost'</span> <span style="color: #7a0874; font-weight: bold;">(</span>using password: YES<span style="color: #7a0874; font-weight: bold;">)</span>
blog ~ <span style="color: #808080; font-style: italic;"># mysql -umohamed -pssl --ssl-ca=/root/LISEZMOI.TXT -hsrv94</span>
ERROR <span style="color: #000000;">1045</span> <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">28000</span><span style="color: #7a0874; font-weight: bold;">)</span>: Access denied <span style="color: #000000; font-weight: bold;">for</span> user <span style="color: #ff0000;">'mohamed'</span><span style="color: #000000; font-weight: bold;">@</span><span style="color: #ff0000;">'localhost'</span> <span style="color: #7a0874; font-weight: bold;">(</span>using password: YES<span style="color: #7a0874; font-weight: bold;">)</span>
blog ~ <span style="color: #808080; font-style: italic;"># mysql -umohamed -pssl --ssl-ca=/etc/ssl/mysql/ca-cert.pem -hsrv94</span>
ERROR <span style="color: #000000;">1045</span> <span style="color: #7a0874; font-weight: bold;">(</span><span style="color: #000000;">28000</span><span style="color: #7a0874; font-weight: bold;">)</span>: Access denied <span style="color: #000000; font-weight: bold;">for</span> user <span style="color: #ff0000;">'mohamed'</span><span style="color: #000000; font-weight: bold;">@</span><span style="color: #ff0000;">'localhost'</span> <span style="color: #7a0874; font-weight: bold;">(</span>using password: YES<span style="color: #7a0874; font-weight: bold;">)</span></pre>
<p>Perfect; we now test with the certificate signed by the CA</p>
<pre class="bash">blog ~ <span style="color: #808080; font-style: italic;"># mysql -umohamed -pssl --ssl-ca=/etc/ssl/mysql/ca-cert.pem --ssl-cert=/etc/ssl/mysql/client-cert.pem --ssl-key=/etc/ssl/mysql/client-key.pem -hsrv94</span>
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection <span style="color: #c20cb9; font-weight: bold;">id</span> is <span style="color: #000000;">109</span>
Server version: <span style="color: #000000;">5.0</span><span style="color: #000000;">.70</span> Gentoo Linux mysql<span style="color: #000000;">-5.0</span><span style="color: #000000;">.70</span>-r1
Type <span style="color: #ff0000;">'help;'</span> or <span style="color: #ff0000;">'<span style="color: #000099; font-weight: bold;">\h</span>'</span> <span style="color: #000000; font-weight: bold;">for</span> <span style="color: #7a0874; font-weight: bold;">help</span>. Type <span style="color: #ff0000;">'<span style="color: #000099; font-weight: bold;">\c</span>'</span> to <span style="color: #c20cb9; font-weight: bold;">clear</span> the buffer.
mysql<span style="color: #000000; font-weight: bold;">></span></pre>
<p>And there it works; the only downside is that, for the moment, <strong>it is not possible to define a certificate for a specific user</strong>.</p>
<p>Note that we can add further options to increase security:</p>
<p>REQUIRE ISSUER "issuer" restricts connection attempts: the client must present a valid X509 certificate issued by the certificate authority "issuer". Using an X509 certificate necessarily implies encryption, so the SSL option is implied.</p>
<p>REQUIRE SUBJECT "subject" requires the client to hold a valid X509 certificate whose subject is "subject". If the client presents a valid certificate but with a different "subject", the connection is refused.</p>
<p>REQUIRE CIPHER "cipher" is used to make sure that sufficiently strong ciphers and the right key length are used. SSL itself can be weak if algorithms are used with short keys. With this option, it is possible to impose the cipher suite for the connection.</p>
<p>The SUBJECT, ISSUER and CIPHER options can be combined in the REQUIRE clause.</p>
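<p>As an added example (not from the original post), the three REQUIRE options above combined on the same account, followed by the audit queries that show what each account actually enforces. The two DN strings and the cipher name are constructed placeholders that must be replaced by the values of the real client certificate; the privilege list is shortened compared with the post's GRANT.</p>

```sql
-- Added example, not part of the original post. Pins 'mohamed'@'%' to a
-- certificate with one subject, from one issuer, over one cipher suite.
-- The two DN strings and the cipher are constructed placeholders: MySQL 5.0
-- compares them literally, in OpenSSL one-line DN format, with the certificate
-- the client presents, so copy them from the real certificate.
REVOKE ALL PRIVILEGES ON `mohamed`.* FROM 'mohamed'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON `mohamed`.* TO 'mohamed'@'%'
  REQUIRE SUBJECT '/C=FR/O=Example Org/CN=mohamed'
      AND ISSUER  '/C=FR/O=Example Org/CN=Example Internal CA'
      AND CIPHER  'DHE-RSA-AES256-SHA';

-- Audit what every account actually enforces. ssl_type is:
--   ''          nothing: clear-text logins are allowed
--   'ANY'       REQUIRE SSL: encryption only; the server cannot tell whether
--               the client verified anything (the LISEZMOI.TXT test in the
--               post still connects)
--   'X509'      REQUIRE X509: any client certificate the server's CA validates
--   'SPECIFIED' issuer / subject / cipher pinned, as in the GRANT above
SELECT User, Host, ssl_type, x509_issuer, x509_subject, ssl_cipher
  FROM mysql.user
 ORDER BY FIELD(ssl_type, '', 'ANY', 'X509', 'SPECIFIED'), User, Host;

-- Accounts that may still log in without any encryption at all:
SELECT User, Host
  FROM mysql.user
 WHERE ssl_type = '';

-- Run from a client session: Ssl_cipher is empty on a clear-text connection
-- and names the negotiated suite when SSL is in use.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```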
<p>Link: <a href="http://dev.mysql.com/doc/refman/5.0/fr/secure-connections.html" title="en">Mysql secure connections</a></p>
Erreur lors d'un dump Mysql "File './nav_almo7tar1381/nuke_video_stream_settings.MYD' not found (Errcode: 24) "
urn:md5:b784be8eeb95c17a4f9912217c4ffeea
2008-10-28T09:39:00+01:00
2010-02-28T21:19:50+01:00
Mohamed YACOUBI
Mysql
Errcode: 145
Errcode: 24
Got error: 1016
Got error: 1017
Got error: 1105
infogérance
linux
mysql
<p><img src="https://blog.yacoubi.fr/public/Logo/.mysql_logo_s.jpg" alt="mysql_logo.gif" style="display:block; margin:0 auto;" title="mysql_logo.gif, fév. 2010" />
<br />
A fairly recurrent error occurs on some of our more heavily loaded <strong>Mysql</strong> servers during the daily dump.
Here is an example of this error:</p>
<pre class="sql">nav_allkille260 - dumping : mysqldump: Got error: <span style="color: #cc66cc;">1105</span>: File <span style="color: #ff0000;">'./nav_allkille260/xoops1_image.MYD'</span> <span style="color: #993333; font-weight: bold;">NOT</span> found <span style="color: #66cc66;">(</span>Errcode: <span style="color: #cc66cc;">24</span><span style="color: #66cc66;">)</span> when <span style="color: #993333; font-weight: bold;">USING</span> <span style="color: #993333; font-weight: bold;">LOCK</span> <span style="color: #993333; font-weight: bold;">TABLES</span>
nav_almo7tar1300 - dumping : mysqldump: Got error: <span style="color: #cc66cc;">1017</span>: Ne peut trouver le fichier: <span style="color: #ff0000;">'./nav_almo7tar1300/nuke_webcams_cat.frm'</span> <span style="color: #66cc66;">(</span>Errcode: <span style="color: #cc66cc;">24</span><span style="color: #66cc66;">)</span> when <span style="color: #993333; font-weight: bold;">USING</span> <span style="color: #993333; font-weight: bold;">LOCK</span> <span style="color: #993333; font-weight: bold;">TABLES</span>
nav_almo7tar1381 - dumping : mysqldump: Got error: <span style="color: #cc66cc;">1105</span>: File <span style="color: #ff0000;">'./nav_almo7tar1381/nuke_video_stream_settings.MYD'</span> <span style="color: #993333; font-weight: bold;">NOT</span> found <span style="color: #66cc66;">(</span>Errcode: <span style="color: #cc66cc;">24</span><span style="color: #66cc66;">)</span> when <span style="color: #993333; font-weight: bold;">USING</span> <span style="color: #993333; font-weight: bold;">LOCK</span> <span style="color: #993333; font-weight: bold;">TABLES</span>
nav_bak931417 - dumping : mysqldump: Got error: <span style="color: #cc66cc;">1016</span>: Ne peut ouvrir le fichier: <span style="color: #ff0000;">'forum_baksearch_wordlist.MYI'</span>. <span style="color: #66cc66;">(</span>Errcode: <span style="color: #cc66cc;">145</span><span style="color: #66cc66;">)</span> when <span style="color: #993333; font-weight: bold;">USING</span> <span style="color: #993333; font-weight: bold;">LOCK</span> <span style="color: #993333; font-weight: bold;">TABLES</span>
nav_toutsurl - dumping : mysqldump: Got error: <span style="color: #cc66cc;">1105</span>: File <span style="color: #ff0000;">'./nav_toutsurl/phpbb_themes.MYD'</span> <span style="color: #993333; font-weight: bold;">NOT</span> found <span style="color: #66cc66;">(</span>Errcode: <span style="color: #cc66cc;">24</span><span style="color: #66cc66;">)</span> when <span style="color: #993333; font-weight: bold;">USING</span> <span style="color: #993333; font-weight: bold;">LOCK</span> <span style="color: #993333; font-weight: bold;">TABLES</span></pre>
<p>Over time we notice that the tables named in the error are not always the same, so a corrupted table can be ruled out.
The problem is actually very simple: the number of files opened by <strong>MySQL</strong> exceeds the maximum defined by <strong>open_files_limit</strong>.
In theory this can also cause problems during normal use of the server; however, as these servers host the <strong>Mysql</strong> side of small websites, no problem has been observed apart from during backups.</p>
<p>Once this option is modified in the <strong>Mysql</strong> configuration file, the problem is resolved.</p>
<ul>
<li>/etc/mysql/my.cf</li>
</ul>
<pre class="sql">set-variable <span style="color: #66cc66;">=</span> open_files_limit<span style="color: #66cc66;">=</span><span style="color: #cc66cc;">3000</span></pre>
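<p>As an added diagnostic (not from the original post), the queries below size open_files_limit instead of guessing it: an open MyISAM table consumes two descriptors (its .MYD and its .MYI), and mysqldump with its default LOCK TABLES holds every table of a database open at once. They assume a MySQL 5.0 server like the one in the post.</p>

```sql
-- Added example, not part of the original post: measure before raising
-- open_files_limit. Run on the server that produced the dump errors.

-- Current ceiling and the variables MySQL uses to derive it.
-- (table_cache is called table_open_cache from MySQL 5.1 on.)
SHOW GLOBAL VARIABLES LIKE 'open_files_limit';
SHOW GLOBAL VARIABLES LIKE 'table_cache';
SHOW GLOBAL VARIABLES LIKE 'max_connections';

-- Live consumption: Open_files is the number of files open right now,
-- Opened_files the total opened since startup. An Open_files value close
-- to open_files_limit while the nightly dump runs confirms the diagnosis.
SHOW GLOBAL STATUS LIKE 'Open_files';
SHOW GLOBAL STATUS LIKE 'Opened_files';

-- Worst case per database: mysqldump --lock-tables (the default, hence
-- "when using LOCK TABLES" in the errors) holds every table of the database
-- open at once, two descriptors per MyISAM table (.MYD + .MYI).
SELECT TABLE_SCHEMA,
       COUNT(*)     AS myisam_tables,
       COUNT(*) * 2 AS descriptors_needed
  FROM information_schema.TABLES
 WHERE ENGINE = 'MyISAM'
 GROUP BY TABLE_SCHEMA
 ORDER BY descriptors_needed DESC
 LIMIT 10;

-- Errcode 24 is the OS "Too many open files" error (EMFILE), the one the
-- limit fixes. Errcode 145 ("Table was marked as crashed and should be
-- repaired") is a different condition and is handled with REPAIR TABLE.
```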