How to set x509 on a QSqlDatabase Connection?

[wysota]

First check if your mysql client library is compiled with SSL support, then check if the server advertises SSL support and finally show your code that sets the key, certificate and ca data.

[m3rlin]

The client library was compiled with ssl support from the get-go, also the server advertises SSL support. I can only establish an SSL connection from the terminal, using either GRANT... REQUIRE x509, or GRANT... REQUIRE SSL. The terminal command: SHOW STATUS LIKE 'Ssl_cipher' replies with the cipher used.

When I attempt to establish a connection through my application, and using SSL, the program reports no SSL connection and no cipher used. The connection is refused. The MySQL Log file is not very clear about the error, it says connection rejected without further specifying a reason.
Do I have to continue to use the C API mysql_real_connect(...) or can I use QSqlDatabase with a command like db.open()?
I assumed that the connection was established by calling the QSqlDatabase object..

[Lesiok]

Did You read about QSqlDatabase::setConnectOptions method ?

[wysota]

You can use Qt API once you properly initialize the keys with mysql_ssl_set.

[m3rlin]

@wysota, that's what I thought.
I might be experiencing problems with how the .pem files are presented in QT. I used an absolute path for key, cert, and ca-cert in mysql_ssl_set(handle, "path to key", "path to cert", "path to ca-cert", NULL, NULL);

I also tried adding the keys to QtResources and called them with ":/path/...key.pem or ...cert.pem or ca...pem". I also tried adding the cipher. MySQL still keeps refusing the connection when demanding SLL/x509.

Qt Code:

Switch view

QVariant v = db.driver()->handle();
MYSQL *handle = static_cast<MYSQL *>(v.data());
if (handle != NULL)   // handle = mysql*
{
mysql_ssl_set(handle, ".ssl/p2pro-application-key.pem", ".sll/p2pro-application-cert.pem", ".ssl/p2pro-ca-cert.pem", NULL, "DHE-RSA-AES256-SHA");
}

QVariant v = db.driver()->handle();
MYSQL *handle = static_cast<MYSQL *>(v.data());
if (handle != NULL)   // handle = mysql*
{
mysql_ssl_set(handle, ".ssl/p2pro-application-key.pem", ".sll/p2pro-application-cert.pem", ".ssl/p2pro-ca-cert.pem", NULL, "DHE-RSA-AES256-SHA");
}

To copy to clipboard, switch view to plain text mode 

I might need to try the mysql_real_connect() to see if the problem lies with Qt?!? Any other suggestions are welcome. Thx so far for your help.

@Lesiok:
See my code belowm especially this line:

Qt Code:

Switch view

db.setConnectOptions("CLIENT_SSL=1;CLIENT_IGNORE_SPACE=1");

db.setConnectOptions("CLIENT_SSL=1;CLIENT_IGNORE_SPACE=1");

To copy to clipboard, switch view to plain text mode 

[wysota]

I don't think mysql_ssl_set() expects paths. I would assume that it expects the data itself.

[m3rlin]

@wysota
I hope not MySQL reference on C API says:

20.9.3.67. mysql_ssl_set()

Qt Code:

Switch view

my_bool mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, const char *capath, const char *cipher)

my_bool mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, const char *capath, const char *cipher)

To copy to clipboard, switch view to plain text mode 

Description

mysql_ssl_set() is used for establishing secure connections using SSL. It must be called before mysql_real_connect().
mysql_ssl_set() does nothing unless SSL support is enabled in the client library.
mysql is the connection handler returned from mysql_init(). The other parameters are specified as follows:

key is the path name to the key file.
cert is the path name to the certificate file.
ca is the path name to the certificate authority file.
capath is the path name to a directory that contains trusted SSL CA certificates in pem format.
cipher is a list of permissible ciphers to use for SSL encryption.

Any unused SSL parameters may be given as NULL.

Return Values
This function always returns 0. If SSL setup is incorrect, mysql_real_connect() returns an error when you attempt to connect.

[wysota]

Maybe the problem is that the server doesn't trust the client's certificate? Check whether the client even tries to connect to the server using SSL (use a network sniffer or check in server logs or using a firewall). And use absolute paths instead of relative ones as in your code above.

[m3rlin]

@wysota,

That would be a realistic option if I couldn't login with a terminal. Using the following command works fine however with the same certificates:

Qt Code:

Switch view

mysql --ssl-ca ca-cert.pem --ssl-cert p2pro-application-cert.pem --ssl-key p2pro-application-key.pem -u test -h 192.xxx.xxx.xxx -p

mysql --ssl-ca ca-cert.pem --ssl-cert p2pro-application-cert.pem --ssl-key p2pro-application-key.pem -u test -h 192.xxx.xxx.xxx -p

To copy to clipboard, switch view to plain text mode 

I am checking right now if the C-API mysql_real_connect() works with the same certs. If so then the problem lies with Qt. If that also doesn't work - then I will check the MySql C++ connector API. Maybe there is something else that I am overseeing...
Again thx. for your patience, help, and suggestions..

[wysota]

Qt doesn't do anything special, it just calls mysql_real_connect() You should really check whether your app tries to connect over ssl and fails or if it totally ignores ssl.

[m3rlin]

Here is what I tried and this DOES work with the same certificates:

Qt Code:

Switch view

#include <QtCore/QCoreApplication>
#include <cstdio>
#include "mysql.h"
 
int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    MYSQL mysql;
    if (mysql_init(&mysql)==NULL)
          {
                  printf("Failed to initate MySQL connection");
          }
    mysql_ssl_set(&mysql, "../../p2pro/src/newcerts/p2pro-application-key.pem", "../../p2pro/src/newcerts/p2pro-application-cert.pem", "../../p2pro/src/newcerts/ca-cert.pem", NULL, "DHE-RSA-AES256-SHA");
    if (!mysql_real_connect( &mysql, "192.xxx.xxx.xxx", "test", "xxxxxxxx", "mysql", 3306, NULL, 0) )
    {
        printf("Failed to connect to MySQL: Error: %s", mysql_error(&mysql) );
    }
 
      printf("Logged on to database sucessfully");
      mysql_close(&mysql);
 
    return a.exec();
}

#include <QtCore/QCoreApplication>
#include <cstdio>
#include "mysql.h"

int main(int argc, char *argv[])
{
    QCoreApplication a(argc, argv);
    MYSQL mysql;
    if (mysql_init(&mysql)==NULL)
          {
                  printf("Failed to initate MySQL connection");
          }
    mysql_ssl_set(&mysql, "../../p2pro/src/newcerts/p2pro-application-key.pem", "../../p2pro/src/newcerts/p2pro-application-cert.pem", "../../p2pro/src/newcerts/ca-cert.pem", NULL, "DHE-RSA-AES256-SHA");
    if (!mysql_real_connect( &mysql, "192.xxx.xxx.xxx", "test", "xxxxxxxx", "mysql", 3306, NULL, 0) )
    {
        printf("Failed to connect to MySQL: Error: %s", mysql_error(&mysql) );
    }

      printf("Logged on to database sucessfully");
      mysql_close(&mysql);

    return a.exec();
}

To copy to clipboard, switch view to plain text mode 

So in summary - I will try to use a reference (this is the only difference) - instead of mysql_ssl_set(handle.... I will use mysql_ssl_set(&handle
If that doesn't work... then I need to find out why in a gui application it doesn't work - but it does in a console app...
Oh djeee.. well tomorrow I will post my results..

[wysota]

Sorry to be a spoil sport but I think you example proves exactly nothing. You don't have any reference anywhere, you are dereferening an object, effectively turning it into a pointer, which is what you already have in your Qt app. I really advise you to take my hint and check if SSL is used or not and whether your paths are correct or not. Those are the only two points of failure here.

[m3rlin]

Indeed, the referencing doesn't matter. But I did prove the following:
1. The path to the certificates is correct.
2. The way they are used in mysql_ssl_set() is correct.
3. That the program is actually using an SSL connection:
a. because MySQL Server accepted the connection, while it was configured to ONLY accept user "test", if he could supply a valid x509.
b. because the SHOW STATUS LIKE 'Ssl_cipher' replies with the cipher used, and it ONLY does that when a SSL connection is established.
c. becuase WireShark reports SSL trafic on port 3306
4. That somehow setting the QSqlDriver or QMySQlDriver handle with my code doesn't work via mysql_ssl_set().

Whom should I contact for an explanation? Where can I find documentation about the underlying structures? Maybe anyone reading this has a similar problem and found a solution? Or is it a Qt shortcoming in arguments that can be specified for QSqlDriver?

[m3rlin]

In my latest test, I now for sure know that QSqlDatabase doesn't adapt its connection to any mysql_ssl_set definitions.

I created another user test2.
I set for test2 user the following GRANT on the test database:

Qt Code:

Switch view

GRANT ALL PRIVILEGES ON test.* FOR 'test'@'192.xxx.xxx.xxx' IDENTIFIED BY 'xxxxxxxxx' REQUIRE SSL;

GRANT ALL PRIVILEGES ON test.* FOR 'test'@'192.xxx.xxx.xxx' IDENTIFIED BY 'xxxxxxxxx' REQUIRE SSL;

To copy to clipboard, switch view to plain text mode 

In my application I used:

Qt Code:

Switch view

mysql_ssl_set(handle, NULL, NULL, NULL, NULL, NULL);

mysql_ssl_set(handle, NULL, NULL, NULL, NULL, NULL);

To copy to clipboard, switch view to plain text mode 

and

Qt Code:

Switch view

db.setConnectOptions("CLIENT_SSL=1;CLIENT_IGNORE_SPACE=1;CLIENT_COMPRESS");

db.setConnectOptions("CLIENT_SSL=1;CLIENT_IGNORE_SPACE=1;CLIENT_COMPRESS");

To copy to clipboard, switch view to plain text mode 

User test2 can connect with SSL (checked by WireShark)
User test2 can also connect when CLIENT_SSL=0 but then no SSL is used (checked by WireShark)

If I however demand that test2 identifies himself by specific x509 (by REQUIRE SUBJECT or ISSUER or a combination of them) then the connection is refused by MySQL Server.
In summary, I must conclude that - QSqlDatabase doesn't allow you to specify WHICH certificate, issed by what Authority must be used. If this conclusion is true then using SSL is very limited with Qt?!?