We Keep Coding

How to use encrypted connection with MySQL on Docker

I'm struggling to get a Dockerised MySQL instance to support SSL.
The service in my docker-compose file looks like this:
mysql:
image: mysql:5.7
container_name: mysql
command: --default-authentication-plugin=mysql_native_password --ssl-ca=/etc/ssl/mysql/ca.pem --ssl-cert=/etc/ssl/mysql/server-cert.pem --ssl-key=/etc/ssl/mysql/server-key.pem
restart: always
expose:
- 3306
environment:
MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
MYSQL_DATABASE: "${MYSQL_DATABASE}"
MYSQL_USER: "${MYSQL_USER}"
MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
volumes:
- "./data/db:/var/lib/mysql"
- "./config/mysql/my.cnf:/etc/mysql/conf.d/ssl.cnf"
- "./config/mysql/certs:/etc/ssl/mysql"
When I start up the stack I get these errors from the MySQL container:
[ERROR] SSL error: Unable to get private key from '/etc/ssl/mysql/server-key.pem'
[Warning] Failed to set up SSL because of the following SSL library error: Unable to get private key
I've tried to chown the key from root to mysql and then bring up the stack again, but that doesn't seem to work.
I generated the key files from the commands at https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html, like this:
# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
-nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
The files on the host have the following permissions:
drwxrwxr-x 2 andrew andrew 4096 Dec 11 10:25 ./
drwxrwxr-x 3 andrew andrew 4096 Dec 10 19:27 ../
-rw-rw-r-- 1 999 docker 1675 Dec 10 19:20 ca-key.pem
-rw-rw-r-- 1 999 docker 1294 Dec 10 19:20 ca.pem
-rw-rw-r-- 1 999 docker 1123 Dec 10 19:20 client-cert.pem
-rw-rw-r-- 1 999 docker 1679 Dec 10 19:20 client-key.pem
-rw-rw-r-- 1 999 docker 989 Dec 10 19:20 client-req.pem
-rw-rw-r-- 1 999 docker 1127 Dec 10 19:20 server-cert.pem
-rw------- 1 999 docker 1675 Dec 11 10:25 server.key
-rw-rw-r-- 1 999 docker 1704 Dec 11 09:43 server-key.pem
-rw-rw-r-- 1 999 docker 956 Dec 11 09:43 server-req.pem
This happens if I manually generate the certificates and mount them as a volume, or if I run a shell on the container and run the command mysql_ssl_rsa_setup --datadir=/etc/ssl/mysql --verbose (after clearing out the certificates that I created). In other words when I run openssl verify -CAfile ca.pem server-cert.pem client-cert.pem I see that both certificates are "OK" (no matter which way I generate them).
Why can't MySQL find the private key from that file?

There were two problems.
When I generated the certificate it had the wrong permissions. Running chown 999:docker on the certificates helps let MySQL read it in the container. When I was using the MySQL tool to generate certificates I was skipping this step.
The second problem was that the common name (CN) of the CA certificate needs to be different from the CN of the server certificate.
In the section where it gives the commands to generate the certificates, the MySQL manual says:
To generate test files, you can press Enter to all prompts. To
generate files for production use, you should provide nonempty
responses.
But a little higher on the page it has a warning about the CN needing to be different.

how openshift ldap auth provider trust self-signed certificate without a rootca signed

I'm trying to config openshift with my internal ldaps server as an IDP.
But the thing is my internal ldaps is self-signed without any root ca signed.
In master-config.yaml, I tried to config the self-signed certificate as ca attribute, but it always complain:
login.go:162] Error authenticating "xifeng" with provider "customer_own_ldap": LDAP Result Code 200 "": x509: certificate signed by unknown authority.
I understand the ca attribute in master-config.yaml might expect a ca-bundle certificate. but my case here its a self-signed cert.
Please advise how I can solve this issue ?

curl -cacert works fine, find below:
curl -v --cacert xf_ldaps_ca.crt ldaps://bogon:1636
About to connect() to bogon port 1636 (#0)
Trying 172.16.50.169...
Connected to bogon (172.16.50.169) port 1636 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: xf_ldaps_ca.crt
CApath: none
NSS: client certificate not found (nickname not specified)
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Server certificate:
subject: CN=bogon,O=OpenDJ RSA Self-Signed Certificate
start date: Dec 23 12:11:19 2016 GMT
expire date: Dec 18 12:11:19 2036 GMT
common name: bogon
issuer: CN=bogon,O=OpenDJ RSA Self-Signed Certificate
LDAP local: ldaps://bogon:1636/
DN:
objectClass: top
objectClass: ds-root-dse
Connection #0 to host bogon left intact
openssl x509 -in xf_ldaps_ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1440710020 (0x55df7d84)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=OpenDJ RSA Self-Signed Certificate, CN=bogon
Validity
Not Before: Dec 23 12:11:19 2016 GMT
Not After : Dec 18 12:11:19 2036 GMT
Subject: O=OpenDJ RSA Self-Signed Certificate, CN=bogon
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9e:a4:46:41:d2:9d:32:ae:e3:60:f9:13:ac:40:
--------------
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
8c:c4:34:2b:af:dd:ec:bc:f0:68:6a:95:53:02:74:d9:9f:5e:
----------------
E1223 20:58:37.810976 12227 login.go:162] Error authenticating "xftest" with provider "xf_ldaps_test": LDAP Result Code 200 "": x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "bogon")

Can I use openssl s_client to retrieve the CA certificate for MySQL?

Can I use openssl s_client to retrieve the CA certificate for MySQL?
I have access to the remote database server using the following
mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase
Now I want to do to connect to it using JDBC.
I realize that I need to insert the public certificate into my Java key store. However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But, I don't have permission to read that file or even ssh into the machine.
I've tried
openssl s_client -cipher DHE-RSA-AES256-SHA -connect thehost:3306
and some variations. I always get errors. For example
CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/
Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:

Can I use openssl s_client to retrieve the CA certificate for MySQL?
You probably can't.
A well configured server will send the server certificate and all intermediate certificates required to build a path to the root CA. You have to have the root CA certificate already.
For example:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
...
The server sent the server's certificate. Its shown above as 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications. S means its the Subject, while I means its the issuer.
The server sent two intermediate certificates at 1 and 2. However, we need to have the Issuer of certificate 2 locally to build the path for validation. The Issuer of certificate 2 goes by the Common Name "AddTrust External CA Root".
"AddTrust External CA Root" can be downloaded from Comodo's site at [Root] AddTrust External CA Root
It the server sent the root CA, then a bad guy could tamper with the chain and a client would be no wiser. They could swap-in their own CA and use an evil chain.
We can clear the verify error:num=20:unable to get local issuer certificate by fetching the root CA, and then using -CAfile:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com \
-CAfile addtrustexternalcaroot.pem
It will result in a Verify Ok (0).

Yes, OpenSSL version 1.1.1 (released on 11 Sep 2018) now supports fetching the server certificate from a MySQL server.
openssl s_client -starttls mysql -connect thehost:3306
Source: answer by Paul Tobias

How to connect dovecot on 993 port using squirrelmail

I am trying to connect dovecot on 993 port but dovecot shows below error;
dovecot: imap-login: Disconnected (no auth attempts in 60 secs): user=<>, rip=192.***.***.***, lip=192.***.***.***, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<3k6jgTwVLwDAqL+E>
squirrelmail config;
$imap_auth_mech = 'login';
$use_imap_tls = 1;
$imapServerAddress = 'dovecot.server';
$imapPort = 993;
When I try to telnet and openssl on squirrelmail server;
[root#aa ~]# telnet dovecot.server 993
Trying 192.***.***.***...
Connected to dovecot.server.
Escape character is '^]'.
[root#aa ~]# openssl s_client -connect dovecot.server:993
...
...
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Note: 143 port works fine by the way.

Check your PHP error log for things like this:
PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ..
PHP Warning: fsockopen(): Failed to enable crypto ..
PHP Warning: fsockopen(): unable to connect to tls://dovecot.server:993 (Unknown error) ..
If that's the case, the openssl library isn't able to verify your server's cert. It's easily fixed by adding the certificate for the connection to your local cert stash. You can find out where that is with <PRE><?php var_dump(openssl_get_cert_locations()); ?> </pre> and looking at the ini_cafile setting.
You can get your server's cert with this command:
openssl x509 -in <(openssl s_client -connect dovecot.server:993 -prexit 2>/dev/null) > /tmp/cacert.pem
Add it to the cert file, and you should be going.
One caveat: the certificate CN MUST match the hostname that you're using to connect to the server! If it's self-signed, make sure it's using dovecot.server as the CN.

openssl client SMTP with gmail port 587, no response (250 OK) from after <crlf>.<crlf>

I've been trying to use openssl to establish a connection with smtp.gmail.com port 587 or 465 with:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp
and the authentication, mail from, rcpt to, and data were all successful. but my problem is, after i write . in a new line, no 250 OK response from the server.
here is the process:
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certification)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1910 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 28E597C0025A93C82AD4A7C517F699B37D106D760597467B522C1041F1BC17C8
Session-ID-ctx:
Master-Key: 1CC83A8A4B7864DF9BBD9E9742B4E5A5937941EB2A28B88A1D4214920B77AC976D3ADC2DA7B60CF8BD6BC2B0712A42A2
Key-Arg : None
Start Time: 1296911515
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 ENHANCEDSTATUSCODES
ehlo
250-mx.google.com at your service, [121.94.150.147]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH
250 ENHANCEDSTATUSCODES
auth login
334 VXNlcm5hbWU6
<my email>
334 UGFzc3dvcmQ6
<my password>
235 2.7.0 Accepted
mail from:<email>
250 2.1.0 OK t14sm1471936icd.10
rcpt to:<email>
250 2.1.5 OK t14sm1471936icd.10
data
from: someone <email>
354 Go ahead t14sm1471936icd.10
to : someone <email>
subject: test
test
test2
.
451 4.4.2 Timeout - closing connection. t14sm1471936icd.10
read:errno=0
I am using cygwin in win7 32.
I've been searching for all of the possible keywords on google but no solution comes out.
PLEASE HELP!

Maybe add the '-crlf' option to the comand line :
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp -crlf