Language

Visual Basic

C#

Show All

LanguagesMyDirect .NETmysqlnet@devart.com

Using Secure Connections

MyDirect .NET allows you to establish secure network connections. You can do it using SSL and SSH protocols. This article describes basic concepts for these technologies and how to use it in MyDirect .NET.
The article consists of following sections:

Why Using Secure Connections?

When MySQL client communicates with MySQL server, all communication (with the exception of the user password) is done in plain text. This means that anyone who gets between your client and the server can have full access to all information transmitted, and even change the data while it is in transit. In order to protect your information you need to encrypt communications between the MySQL server and the client application.

The two following alternatives are available to you:

Both ways lead to higher CPU load on client and MySQL server or SSH server.

Using SSL Connections

The Secure Sockets Layer protocol enables two parties to negotiate a 'secure' communications channel, ensuring the privacy, authenticity, and integrity of message data. The negotiation mechanism follows:

  1. The client requests a SSL connection from the server.
  2. The two parties negotiate a common ciphersuite, which consists of a key exchange algorithm, a certificate verification algorithm, an encryption algorithm, and an integrity check.
  3. The server provides its certificate so it can be authenticated by the client. Optionally, the client may provide its certificate to be authenticated by the server.
  4. The two parties compute the cryptographic parameters used in the ciphersuite, such as the secret keys needed for data encryption.
  5. The two parties exchange application data, using the generated session key, negotiated algorithms and computed cryptographic parameters.
Once the cryptographic parameters are established, the application data is transparently encrypted and checked for integrity in both directions.

To check whether your MySQL server supports SSL you can examine the value of the have_openssl system variable: 

    SHOW VARIABLES LIKE 'have_openssl'
If server returns YES, you can go on to setup client. If the response is NO, or if something refuses to work in the existing configuration, please visit http://dev.mysql.com/doc/mysql/en/secure-requirements.html for instructions on how to start up required server from scratch.

Setting Up SSL Connection

Once server is ready to use SSL connections you only have to setup client properly. You must have 3 additional files reachable: authority certificate (used to verify identity of client and server), client certificate and private key (used to encrypt and decrypt data during connection). Please refer to OpenSSL site for information about these files. The later part assumes you have valid certificates and private key.

When you create MySqlConnection object you have to add following parameter to connection string:

    Protocol=SSL

MySqlConnection.SslOptions property points to object that holds all information necessary to establish SSL connection. Here is brief explanation on what you have to specify in this object:

PropertyMeaning
SslOptions.CACertLocation of authority certificate
SslOptions.CertLocation of client certificate
SslOptions.KeyLocation of client's private key
SslOptions.CipherListList of allowed ciphers separated by colons.

Locations of certificates can be specified in three ways:

Private key can be specified only as file in the system or as compiled resource.

The property SslOptions.CipherList by default is empty, which means that client agrees to use any of available ciphers. The following ciphers are allowed in MyDirect .NET:

You can use ALL keyword to indicate whole set of ciphers. To exclude certain cipher from the set use "-" sign. For instance, value of SslOptions.CipherList property "ALL:-RC4" means that any cipher but RC4 can be used. This property allows you to control performance-security trade-off using this property. To gain better performance you can use RC2 cipher. To achieve maximal traffic security pay attention at 3DES or AES ciphers. By default MyDirect .NET tries to use ciphers beginning with most secure rather than fast ones.

The sample code below illustrates establishment of SSL connection.

[C#]

MySqlConnection myConn = new MySqlConnection("host=server;protocol=SSL;user=root;password=root;database=test");
myConn.SslOptions.CACert = "file://D:\\Temp\\CA-cert.pem";
myConn.SslOptions.Cert = "file://D:\\Temp\\SSL-client-cert.pem";
myConn.SslOptions.Key = "file://D:\\Temp\\SSL-client-key.pem";
MySqlCommand myCommand = new MySqlCommand("select count(*) from dept",myConn);
myConn.Open();
Int64 count = Convert.ToInt64(myCommand.ExecuteScalar());
Console.WriteLine(count);
myConn.Close();
Console.ReadLine();

[Visual Basic]

Dim myConn As MySqlConnection = New MySqlConnection("host=server;protocol=SSL;user=root;password=root;database=test")
myConn.SslOptions.CACert = "file://D:\\Temp\\CA-cert.pem"
myConn.SslOptions.Cert = "file://D:\\Temp\\SSL-client-cert.pem"
myConn.SslOptions.Key = "file://D:\\Temp\\SSL-client-key.pem"
Dim myCommand As MySqlCommand = New MySqlCommand("select count(*) from dept", myConn)
myConn.Open()
Dim count As Int64 = Convert.ToInt64(myCommand.ExecuteScalar())
Console.WriteLine(count)
myConn.Close()
Console.ReadLine()

Using SSH Connections

SSH connection is established between client and SSH server. SSH server in turn communicates with MySQL server in an unencrypted mode. This is called SSH tunneling. A benefit of SSH tunneling is that it allows you to connect to a MySQL server from behind a firewall when the MySQL server port is blocked. MySQL server does not need to be attuned for this type of connection and functions as usual. To connect to MySQL server a client must first be authorized on SSH server.

You can download free SSH server at www.openssh.org. The server can run either on the same machine with MySQL server or on a different one. Note that you have to create a user on SSH server to be authorized.

Setting Up SSH Connection

When you create MySqlConnection object you have to add following parameter to connection string:

    Protocol=SSH

MySqlConnection.SshOptions property points to object that holds all information necessary to connect to SSH server. Here is brief explanation on what you have to specify in this object:

PropertyMeaning
SshOptions.HostName or ip address of SSH server
SshOptions.PasswordUser password on SSH server
SshOptions.PortNumber of port on SSH server to connect
SshOptions.UserUser id on SSH server

MySQL server address that you specify in connection string is the address for SSH server to refer. For instance, if both servers are running on the same machine you have to specify "host=localhost" in the connection string.

[C#]

MySqlConnection myConn = new MySqlConnection("host=server;protocol=SSH;user=root;password=root;database=test");
myConn.SshOptions.User = "sshUser";
myConn.SshOptions.Password = "sshPassword";
myConn.SshOptions.Host = "sshServer";
MySqlCommand myCommand = new MySqlCommand("select count(*) from dept",myConn);
myConn.Open();
Int64 count = Convert.ToInt64(myCommand.ExecuteScalar());
Console.WriteLine(count);
myConn.Close();

[Visual Basic]

Dim myConn As MySqlConnection = New MySqlConnection("host=server;protocol=SSH;user=root;password=root;database=test")
myConn.SshOptions.User = "sshUser"
myConn.SshOptions.Password = "sshPassword"
myConn.SshOptions.Host = "sshServer"
Dim myCommand As MySqlCommand = New MySqlCommand("select count(*) from dept", myConn)
myConn.Open()
Dim count As Int64 = Convert.ToInt64(myCommand.ExecuteScalar())
Console.WriteLine(count)
myConn.Close()

See Also

 MySqlConnection Class  | SshOptions Class  | SslOptions Class

 

 

© 2002-2008 Devart. All rights reserved.