Commit ce347166 authored by monty@hundin.mysql.fi

merge

parents c2f6d577 052784e4
...@@ -30,3 +30,4 @@ tonu@hundin.mysql.fi ...@@ -30,3 +30,4 @@ tonu@hundin.mysql.fi
tonu@volk.internalnet tonu@volk.internalnet
tonu@x153.internalnet tonu@x153.internalnet
tonu@x3.internalnet tonu@x3.internalnet
Administrator@fred.
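Review bot: the added entry "Administrator@fred." ends in a bare trailing dot, while every neighbouring entry in this hunk carries a full host name ("tonu@volk.internalnet", "tonu@x153.internalnet", "tonu@x3.internalnet"); check whether the host part was truncated before the line is committed, since a malformed entry in this list is easy to overlook later.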
...@@ -528,8 +528,8 @@ and @code{dvips}. The PDF version is produced with @code{pdftex}. ...@@ -528,8 +528,8 @@ and @code{dvips}. The PDF version is produced with @code{pdftex}.
@cindex Texinfo @cindex Texinfo
This manual is written and maintained by David Axmark, Michael (Monty) This manual is written and maintained by David Axmark, Michael (Monty)
Widenius, Jeremy Cole, and Paul DuBois. For other contributors, Widenius, Jeremy Cole, Arjen Lentz, and Paul DuBois. For other
see @ref{Credits}. contributors, see @ref{Credits}.
@node Manual conventions, History, Manual-info, MySQL and MySQL AB @node Manual conventions, History, Manual-info, MySQL and MySQL AB
...@@ -16859,7 +16859,6 @@ MySQL grant tables. ...@@ -16859,7 +16859,6 @@ MySQL grant tables.
For a description of using @code{REQUIRE}, see @xref{Secure connections}. For a description of using @code{REQUIRE}, see @xref{Secure connections}.
@node User names, Privilege changes, GRANT, User Account Management @node User names, Privilege changes, GRANT, User Account Management
@subsection MySQL User Names and Passwords @subsection MySQL User Names and Passwords
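Review bot: the context line "For a description of using @code{REQUIRE}, see @xref{Secure connections}." pairs a lower-case "see" with @xref, which Texinfo renders with its own leading "See", giving "see See Secure connections" in the output; use @ref{Secure connections} after "see", or drop "see" and let @xref start the sentence. The hunk itself only removes a blank line, so this is a good moment to fix the reference while the section is being touched.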
...@@ -17449,43 +17448,42 @@ uses SSL we need to explain some basics about SSL and X509. People who ...@@ -17449,43 +17448,42 @@ uses SSL we need to explain some basics about SSL and X509. People who
are already aware of it can skip this chapter. are already aware of it can skip this chapter.
By default, MySQL uses unencrypted connections between client and By default, MySQL uses unencrypted connections between client and
server. This means that anyone on the way can listen and read all your server. This means that someone could watch all your traffic and look at
data which moves there. Even more, some people can change content of the data being sent/received. Actually, they could even change the data
data while it is moving between client and server. Sometime you may need while it is in transit between client and server. Sometimes you need to
to move really secret data over public networks and such publicity is move really secret data over public networks and in such a case using an
unacceptable. unencrypted connection is unacceptable.
SSL is a protocol which uses different encryption algorithms to ensure SSL is a protocol which uses different encryption algorithms to ensure
that data which comes from public network can be trusted. It have that data which comes from public network can be trusted. It has
mechanisms to detect any change, loss or replay of data. SSL also mechanisms to detect any change, loss or replay of data. SSL also
incorpores algorithms to recognize and verification of identity using incorpores algorithms to recognize and provide identity verification
X509 standard. using the X509 standard.
@cindex What is encryption @cindex What is encryption
Encryption is the way to make any kind of data unreadable. Even more, Encryption is the way to make any kind of data unreadable. In fact,
today's practice require many additional security elements from today's practice requires many additional security elements from
encryption algorithms. They should resist many kind of known attacks encryption algorithms. They should resist many kind of known attacks
like just messing with order of encrypted messages or replaying data like just messing with order of encrypted messages or replaying data
twice. twice.
@cindex What is X509/Certificate? @cindex What is X509/Certificate?
X509 is standard which makes possible to identity someone in the X509 is a standard that makes it possible to identify someone in the
Internet. Mostly it is used in e-commerce over the Internet. Shortly Internet. It is most commonly used in e-commerce applications. In basic
speaking there should be some company called "Certificate Authority" terms, there should be some company called "Certificate Authority" which
which assigns electronic certificates to everyone who assigns electronic certificates to anyone who needs them. Certificates
needs. Certificates rely on asymmetric encryption algorithms which have rely on asymmetric encryption algorithms which have two encryption keys
two encryption keys - public and secret. Certificate owner can prove his - public and secret. A certificate owner can prove his identity by
identity showing certificate to other party. Certificate consists his showing his certificate to other party. A certificate consists of his
owner public key. Any data encrypted with it can be decrypted only by owner's public key. Any data encrypted with this public key can only be
secret key holder. decrypted using the corresponding secret key, which is held by the owner
of the certificate.
@cindex Possible questions:
MySQL doesn't use encrypted on connections by default, because this
MySQL doesn't use encrypted on connections by default because this would would make the client/server protocol much slower. Any kind of
make the client/server protocol much slower. Any kind of additional additional functionality requires computer to do additional work and
functionality requires computer to do additional work and encrypting encrypting data is CPU-intensive operation require time and can delay
data is CPU-intensive operation which can overcome MySQL own work and MySQL main tasks. By default MySQL is tuned to be fast as possible.
consumed time. By default MySQL is tuned to be fast as possible.
If you need more information about SSL/X509/encryption, you should use If you need more information about SSL/X509/encryption, you should use
your favourite internet search engine and search for keywords you are your favourite internet search engine and search for keywords you are
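Review bot: several defects in the old SSL introduction survive into the rewritten right-hand column: "incorpores algorithms" should read "incorporates algorithms", "many kind of known attacks" should be "many kinds of known attacks", "requires computer to do additional work" lacks an article, "encrypting data is CPU-intensive operation require time and can delay MySQL main tasks" is ungrammatical, and "tuned to be fast as possible" is missing "as". Suggest "encrypting data is a CPU-intensive operation that takes time and can delay MySQL's main tasks. By default MySQL is tuned to be as fast as possible." The index entry "@cindex Possible questions:" attached to that paragraph is also uninformative; an entry that names the topic (why connections are unencrypted by default) would make the index useful.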
...@@ -17520,8 +17518,8 @@ examining if @code{show variables like 'have_openssl'} returns @code{YES}. ...@@ -17520,8 +17518,8 @@ examining if @code{show variables like 'have_openssl'} returns @code{YES}.
@findex GRANT statemenet @findex GRANT statemenet
MySQL can check x509 certificate attributes additionally to most used MySQL can check x509 certificate attributes additionally to most used
username/password cheme. All usual options are still required (username, username/password scheme. All the usual options are still required
password, IP address mask, database/table name). (username, password, IP address mask, database/table name).
There are different possibilities to limit connections: There are different possibilities to limit connections:
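Review bot: "@findex GRANT statemenet" is misspelled and untouched by this hunk, so the function index will carry a "statemenet" entry; change it to "statement". The rewritten sentence "MySQL can check x509 certificate attributes additionally to most used username/password scheme" still reads awkwardly; suggest "MySQL can check x509 certificate attributes in addition to the usual username/password scheme."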
...@@ -17561,7 +17559,7 @@ GRANT ALL PRIVILEGES ON test.* TO root@@localhost IDENTIFIED BY "goodsecret" REQ ...@@ -17561,7 +17559,7 @@ GRANT ALL PRIVILEGES ON test.* TO root@@localhost IDENTIFIED BY "goodsecret" REQ
@end example @end example
@item @item
@code{REQUIRE SUBJECT subject} requires client to have valid x509 @code{REQUIRE SUBJECT subject} requires clients to have valid x509
certificate with subject "subject" on it. If client have valid certificate with subject "subject" on it. If client have valid
certificate but having different "subject" then connection is still not certificate but having different "subject" then connection is still not
allowed. allowed.
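Review bot: the change from "requires client" to "requires clients" fixes only the first clause; "If client have valid certificate but having different "subject" then connection is still not allowed" is left as is. Suggest "If the client has a valid certificate but with a different "subject", the connection is still refused." It would also help to state whether the comparison is an exact match of the whole subject string, since the text only implies it and that is the property an administrator relies on when writing the GRANT.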