
Thread: How to set x509 on a QSqlDatabase Connection?

  1. #1
    Join Date
    Dec 2011
    Posts
    36
    Thanks
    14
    Qt products
    Qt4
    Platforms
    Unix/X11

    How to set x509 on a QSqlDatabase Connection?

    Hi,

    I have broken several brain cells trying to find out how QSqlDatabase establishes a TCP/IP connection with another computer/server.

    What I want to do is the following:
    I want to force the socket that QSqlDatabase is using to establish a TCP/IP connection with another computer to use openssl with a predefined client-key.pem, client-x509-cert.pem, and ca-cert.pem.

    I am using a MySQL v5.5 database hosted on a different computer e.g. 192.168.1.25. It is configured properly to accept (open)SSL connections.
    My Qt4 application runs on, and is programmed for, Linux (I am using Ubuntu 11.04).
    My application can establish a connection with the MySQL server without any problems - though without using SSL.

    I have read the MySQL C API and understand that prior to the db.open(), you need to set the mysql_ssl_set() (see also http://developer.qt.nokia.com/forums/viewthread/415)
    I have played around with the code but cannot force the connection to use my specific ca, keys and certificates.
    I have also read that specifying connection options like I do (db.setConnectOptions("CLIENT_SSL=1;CLIENT_IGNORE_SPACE=1")) is limited to forcing the client to use SSL, but that there is no way to define the SSL specifics?

    I hope that someone has an idea how I can get to the socket called by QSqlDatabase when it establishes a connection, or can tell me how to define the connection so that it uses the pems...
    Thank you in advance!

  2. #2
    Join Date
    Jan 2006
    Location
    Warsaw, Poland
    Posts
    33,359
    Thanks
    3
    Thanked 5,015 Times in 4,792 Posts
    Qt products
    Qt3 Qt4 Qt5 Qt/Embedded
    Platforms
    Unix/X11 Windows Android Maemo/MeeGo
    Wiki edits
    10

    Re: How to set x509 on a QSqlDatabase Connection?

    What exactly did you try regarding mysql_ssl_set()?
    Your biological and technological distinctiveness will be added to our own. Resistance is futile.

    Please ask Qt related questions on the forum and not using private messages or visitor messages.


  3. #3
    Re: How to set x509 on a QSqlDatabase Connection?

    wysota,

    I followed the example given for the 'sqlite3' driver (see link that I posted).

    I linked to the library (libmysql) in the .pro file, and I added the QSqldriver/QMySqlDriver
    I declared a QVariant obj and can read the driver handle with qdebug (which returns "MYSQL*").

    I tried to play with the code below, after looking into mysql.h but MYSQL stays undeclared whatever I do...?!?
    In mysql.h the MYSQL refers to a connection??

    This code below allows me to connect to MySQL - but without SSL.
    Qt Code:
    #include <QApplication>
    #include <QMessageBox>
    #include <QSqlDatabase>

    bool p2Sql::createConnection()
    {
        QSqlDatabase db = QSqlDatabase::addDatabase("QMYSQL");
        db.setHostName(sMySqlIpAddress);
        db.setDatabaseName(sMySqlDbName);
        db.setUserName(sMySqlAdminName);
        db.setPassword(sMySqlPwd);
        // Requests SSL, but names no key, certificate or CA file
        db.setConnectOptions("CLIENT_SSL=1;CLIENT_IGNORE_SPACE=1");

        if (!db.open())
        {
            QMessageBox::critical(0, qApp->tr("Cannot open database"),
                                  qApp->tr("Unable to establish a database connection.\n\n"
                                           "Click Cancel to exit."), QMessageBox::Cancel);
            return false;
        }
        return true;
    }

    I tried the code (below) as I mentioned, I can't get it to work...

    Qt Code:
    QVariant v = db.driver()->handle();
    qDebug() << v.typeName(); // returns "MYSQL*"

    // The QVariant holds a MYSQL*, so data() points at that pointer and must be dereferenced
    MYSQL *handle = *static_cast<MYSQL **>(v.data()); // what is MYSQL?, or what is the pointer to handle?
    if (handle != NULL) // handle stays undeclared even after including QSqlDriver or QMySqlDriver (which errors on the mysql.h - not found)
    {
        mysql_ssl_set(handle, p2pro-application-key, p2pro-application-cert, p2pro-ca-cert, NULL, NULL); // QStrings p2pro-* are set in functions in my p2Sql class.
    }

    I assume that somehow I can add specific arguments to QSqlDatabase as mentioned in the MySQL C API; needless to mention, this is not documented in the Qt documentation.
    Thanks for any hints or help...

  4. #4
    Re: How to set x509 on a QSqlDatabase Connection?

    Did you #include <mysql.h> ? Probably not. You need to do that, it's part of mysqlclient development package. And you need to explicitly link to mysqlclient.


  5. #5
    Re: How to set x509 on a QSqlDatabase Connection?

    wysota,

    I erroneously included libmysqlclient.a. I changed that to be libmysqlclient.so.16.0.0, and I did indeed not include mysql.h from the include directory of the c-api. So the program compiles, but still no SSL.
    I checked that using the code below:
    Qt Code:
    const char *cipher_name;
    // The QVariant holds a MYSQL*, so data() points at that pointer and must be dereferenced
    MYSQL *handle = *static_cast<MYSQL **>(v.data());
    cipher_name = mysql_get_ssl_cipher(handle);
    qDebug() << "The cipher name is " << cipher_name;

    I will have to re-visit the GRANT definition for the account and see if REQUIRE X509 is set..

  6. #6
    Re: How to set x509 on a QSqlDatabase Connection?

    First check if your mysql client library is compiled with SSL support, then check if the server advertises SSL support and finally show your code that sets the key, certificate and ca data.


  7. #7
    Re: How to set x509 on a QSqlDatabase Connection?

    The client library was compiled with ssl support from the get-go, also the server advertises SSL support. I can only establish an SSL connection from the terminal, using either GRANT... REQUIRE x509, or GRANT... REQUIRE SSL. The terminal command: SHOW STATUS LIKE 'Ssl_cipher' replies with the cipher used.

    When I attempt to establish a connection through my application, and using SSL, the program reports no SSL connection and no cipher used. The connection is refused. The MySQL Log file is not very clear about the error, it says connection rejected without further specifying a reason.
    Do I have to continue to use the C API mysql_real_connect(...) or can I use QSqlDatabase with a command like db.open()?
    I assumed that the connection was established by calling the QSqlDatabase object..

  8. #8
    Join Date
    Mar 2008
    Location
    Kraków, Poland
    Posts
    1,536
    Thanked 284 Times in 279 Posts
    Qt products
    Qt4
    Platforms
    Unix/X11 Windows

    Re: How to set x509 on a QSqlDatabase Connection?

    Did you read about the QSqlDatabase::setConnectOptions method?

  9. #9
    Re: How to set x509 on a QSqlDatabase Connection?

    You can use Qt API once you properly initialize the keys with mysql_ssl_set.


  10. #10
    Re: How to set x509 on a QSqlDatabase Connection?

    @wysota, that's what I thought.
    I might be experiencing problems with how the .pem files are presented in Qt. I used an absolute path for key, cert, and ca-cert in mysql_ssl_set(handle, "path to key", "path to cert", "path to ca-cert", NULL, NULL);

    I also tried adding the keys to QtResources and called them with ":/path/...key.pem or ...cert.pem or ca...pem". I also tried adding the cipher. MySQL still keeps refusing the connection when demanding SSL/x509.

    Qt Code:
    QVariant v = db.driver()->handle();
    // The QVariant holds a MYSQL*, so data() points at that pointer and must be dereferenced
    MYSQL *handle = *static_cast<MYSQL **>(v.data());
    if (handle != NULL) // handle = mysql*
    {
        mysql_ssl_set(handle, ".ssl/p2pro-application-key.pem", ".sll/p2pro-application-cert.pem", ".ssl/p2pro-ca-cert.pem", NULL, "DHE-RSA-AES256-SHA");
    }

    I might need to try the mysql_real_connect() to see if the problem lies with Qt?!? Any other suggestions are welcome. Thx so far for your help.

    @Lesiok:
    See my code below, especially this line:
    Qt Code:
    db.setConnectOptions("CLIENT_SSL=1;CLIENT_IGNORE_SPACE=1");

  11. #11
    Re: How to set x509 on a QSqlDatabase Connection?

    I don't think mysql_ssl_set() expects paths. I would assume that it expects the data itself.


  12. #12
    Re: How to set x509 on a QSqlDatabase Connection?

    @wysota
    I hope not. The MySQL reference on the C API says:

    20.9.3.67. mysql_ssl_set()
    Qt Code:
    my_bool mysql_ssl_set(MYSQL *mysql, const char *key, const char *cert, const char *ca, const char *capath, const char *cipher)

    Description

    mysql_ssl_set() is used for establishing secure connections using SSL. It must be called before mysql_real_connect().
    mysql_ssl_set() does nothing unless SSL support is enabled in the client library.
    mysql is the connection handler returned from mysql_init(). The other parameters are specified as follows:

    key is the path name to the key file.
    cert is the path name to the certificate file.
    ca is the path name to the certificate authority file.
    capath is the path name to a directory that contains trusted SSL CA certificates in pem format.
    cipher is a list of permissible ciphers to use for SSL encryption.

    Any unused SSL parameters may be given as NULL.

    Return Values
    This function always returns 0. If SSL setup is incorrect, mysql_real_connect() returns an error when you attempt to connect.
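
Added example, not part of the thread and not MySQL or Qt code: since mysql_ssl_set() always returns 0 and a bad file only shows up as a connect error, this C pre-flight check validates the key, certificate and CA arguments before they are passed in. The function and enum names are hypothetical, and the rules (absolute path required, Qt resource paths rejected because the client library cannot open them as files, private key not accessible to group or others) are assumptions for a Linux client like the one in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes for this example; not part of the MySQL C API. */
enum pem_status {
    PEM_OK = 0,
    PEM_QT_RESOURCE, /* ":/..." names data compiled into the Qt binary */
    PEM_RELATIVE,    /* would resolve against the current working directory */
    PEM_UNREADABLE,  /* missing, not a regular file, or no read permission */
    PEM_KEY_EXPOSED  /* private key accessible to group or others */
};

/* Validate one path argument before it is handed to mysql_ssl_set(). */
enum pem_status check_pem_path(const char *path, int is_private_key)
{
    struct stat st;

    if (path == NULL)
        return PEM_OK; /* unused SSL parameters may be given as NULL */
    if (strncmp(path, ":/", 2) == 0 || strncmp(path, "qrc:", 4) == 0)
        return PEM_QT_RESOURCE;
    if (path[0] != '/')
        return PEM_RELATIVE;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || access(path, R_OK) != 0)
        return PEM_UNREADABLE;
    if (is_private_key && (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        return PEM_KEY_EXPOSED;
    return PEM_OK;
}

/* Check key, certificate and CA file; returns the first failure found. */
enum pem_status check_ssl_files(const char *key, const char *cert, const char *ca)
{
    enum pem_status s;
    if ((s = check_pem_path(key, 1)) != PEM_OK) return s;
    if ((s = check_pem_path(cert, 0)) != PEM_OK) return s;
    return check_pem_path(ca, 0);
}

int main(void)
{
    /* Constructed sample paths in the shapes tried in the thread. */
    printf("%d\n", (int)check_pem_path(":/ssl/client-key.pem", 1));
    printf("%d\n", (int)check_pem_path(".ssl/client-key.pem", 1));
    printf("%d\n", (int)check_ssl_files(NULL, NULL, "/nonexistent/ca-cert.pem"));
    return 0;
}
```

Treat any non-zero result as a reason not to connect, and after connecting confirm with mysql_get_ssl_cipher(), as in post #5, that a cipher was actually negotiated.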
