
Date: Tue, 27 Feb 2001 16:37:57 -0800 (PST)
From: James W Walden <jamesw@ichips.intel.com>
Subject: Mysql encryption with stunnel 3.14

Since I've seen a few requests for information on SSL encrypting mysql
connections here and elsewhere, I thought I'd share my solution for
those who are interested. I built stunnel 3.14 with openssl 0.9.6
and used it to encrypt connections for mysql 3.22.32, all on Redhat
Linux 6.2.  My mysql clients included both the mysql client application
and the dbish application supplied with the perl DBI module.

To encrypt a connection between a mysql client and a mysql server run
two instances of stunnel, one on the client host and one on the server
host. I will refer to their hostnames by CLIENT and SERVER below. The
client stunnel receives mysql queries from the mysql client application,
encrypts them, and forwards them to port 3307 on the server host. The
server stunnel listens to port 3307, decrypts the encrypted mysql
queries, and forwards them to port 3306, the standard mysql server port.

The command to run stunnel on the client is

./stunnel -P/tmp/ -c -d 3306 -r SERVER:3307

while the command to run stunnel on the server is

./stunnel -P/tmp/ -p stunnel.pem -d 3307 -r localhost:3306

I've assumed that both the stunnel binary and the stunnel certificate
file are in the current directory. The commands can be run as any
user, as root access is not required to bind to the high ports 3306 and
3307. However, some care should be taken to secure your stunnel.pem file,
so it is best to run stunnel as a specific non-login user and make
stunnel.pem owned by that user and mode 0400.

Now from CLIENT, you can access your mysql database while enjoying
the benefits of SSL encryption with the mysql client with the
following command:

mysql -h CLIENT -u YOURDBUSER -p

This command is almost identical to the one that you used before using
stunnel, but note that the host specified by the -h option is the one
running the client stunnel daemon and not the one running your mysql
server daemon.

James Walden                      |  "Fall leaves blanket ground
Sr Internet Software Engineer     |   Redmond dreams darkly, beware
IMS, JFT-104, B-7                 |   Winter brings penguins"
(503) 712-2241                    |     -- Kevin Hackman
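One thing the setup above leaves open is that port 3306 on SERVER still speaks plaintext MySQL to anyone who can reach it; only 3307 is wrapped. The following check, added here as example code (not part of James's message or of stunnel itself), connects to a port without sending anything: a plaintext MySQL server announces itself with a protocol-10 handshake packet, whereas the stunnel side, like any TLS server, stays silent until the client sends a ClientHello. The hostname `SERVER` is a placeholder and the sample packet is constructed, not captured.

```python
import socket
import struct
import sys

def parse_mysql_handshake(data: bytes):
    """Return (server_version, connection_id) if data is an unsolicited
    MySQL protocol-10 handshake packet, otherwise None."""
    if len(data) < 5:
        return None
    length = int.from_bytes(data[0:3], "little")  # 3-byte little-endian payload length
    seq = data[3]                                   # sequence id; 0 for the greeting
    payload = data[4:4 + length]
    if seq != 0 or len(payload) < 6 or payload[0] != 10:
        return None
    end = payload.find(b"\x00", 1)                  # server version string is NUL-terminated
    if end < 0 or len(payload) < end + 5:
        return None
    version = payload[1:end].decode("ascii", "replace")
    conn_id = int.from_bytes(payload[end + 1:end + 5], "little")
    return version, conn_id

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and send nothing. A plaintext MySQL server greets first; stunnel
    (like any TLS server) waits for the client to speak. Returns
    'plaintext-mysql', 'silent' or 'other'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            return "silent"
    if not data:
        return "other"  # peer closed the connection without a greeting
    return "plaintext-mysql" if parse_mysql_handshake(data) else "other"

def sample_handshake(version: bytes, conn_id: int) -> bytes:
    """Constructed protocol-10 greeting for offline testing (not a real capture)."""
    payload = (bytes([10]) + version + b"\x00" + struct.pack("<I", conn_id)
               + b"A" * 8 + b"\x00" + struct.pack("<H", 0) + bytes([8])
               + struct.pack("<H", 2) + b"\x00" * 13)
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    # Run from CLIENT. Expected on a server set up as described: 3307 reports
    # 'silent' (stunnel waiting for TLS); 3306 reporting 'plaintext-mysql' means
    # the unencrypted port is reachable and should be firewalled or bound to localhost.
    host = sys.argv[1] if len(sys.argv) > 1 else "SERVER"  # placeholder hostname
    for port in (3306, 3307):
        print(port, probe(host, port))
```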