Are you sure your ssl certificates are valid?

'openssl verify <filename>.pem'

I had some errors in the beginning when some of my certs were bad. I don't know why
the cert was bad, but I remade it with:

'openssl req -new -x509 -nodes -days 365 -out /usr/local/ssl/certs/stunnel.pem
-keyout /usr/local/ssl/certs/stunnel.pem'





Ben Lutgens wrote:

> On Mon, Mar 19, 2001 at 11:28:39PM -0600, Jason J wrote:
> >Stunnel doesn't suck. I have been using this method to tunnel my database
> >interaction for at least 6 months.
>
> No matter what I do, it seems like it's going to connect and then I get
> SSL_connect: error:0000000000::lib(0) :func:(0) :reason(0)
> in the log on client side
> and
>
> stunnel: localhost.3306 connected from web.server.ip:some_randomportnumber
> stunnel: remote connect: Connection Refused (111)
>
> in the log on the server side. I am not trying to go through my firewall yet,
> and am running the exact same commands I see both in this mail and on
> stunnel.org
>
> >
> >Client Web Server Side:
> >IP: Any IP
> >box1# /usr/local/sbin/stunnel  -c -p /usr/local/ssl/certs/stunnel.pem -d
> >127.0.0.1:3306 -r 10.10.10.5:3306    # Only bound to local loopback, not
> >accessible from any other interfaces
> >
> >Server MySQL Side:
> >IP: 10.10.10.5
> >box2# /usr/local/sbin/stunnel -p /usr/local/ssl/certs/stunnel.pem -d
> >10.10.10.5:3306 -r 127.0.0.1:3306     # Only bound to ethX and forwards traffic
> >from ethX to local loopback
> >/usr/local/bin/safe_mysqld --bind-address=127.0.0.1    # Only bound to local
> >loopback interface, not accessible from any other interfaces
> >
> >Test:
> >box1# telnet 127.0.0.1 3306
> >Trying 127.0.0.1...
> >Connected to 127.0.0.1.
> >Escape character is '^]'.
> >?
> >3.22.32KiQ;n=&A
> >
> >3.22.32 is the version of mysql currently running on the old dev box I ran this
> >test on. So it worked.
> >
> >
> >The binding of mysql on 3306 only on 'lo' and stunnel on 3306 only on 'ethX'
> >won't conflict. Plus, you don't have to use the same port numbers anyway, I just
> >do it for convenience, mysql always running on 3306.
> >
> >
> >
> >
> >Ben Lutgens wrote:
> >
> >> O.k. so I am trying to tunnel mysql using stunnel. So far I'm convinced it's
> >> not possible. How can you bind port 3306 on your tunnel when mysql is using
> >> that port? It makes no sense to me.
> >>
> >> On the server side if you run stunnel -p $PEMFILE -d $REMOTEIP -r
> >> 127.0.0.1:3306
> >>
> >> I get "Can't bind requested address"
> >>
> >> Tunneling stuff through ssh sucks, and it seems stunnel sucks too.
> >>
> >> --
> >> Ben Lutgens             cell: 612.670.4789
> >> Sistina Software Inc.   work: 612.379.3951
> >> Code Monkey Support (A.K.A. System Administrator)
> >>
> >> "It's hard to believe that's the same frail woman who once sprained her wrist
> >> from having too much dip on a cracker!" -- Frazier Crane
> >>
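
A preflight check for the two failures reported in this thread, the bind error on the `-d` address and `remote connect: Connection Refused (111)` on the `-r` address. It is an added example, not part of any poster's message and not stunnel's own code. The function names are hypothetical, and using 127.0.0.2 as a second local address assumes Linux loopback behaviour.

```python
import errno
import socket


def _err(e):
    # Map an OSError to its symbolic name; timeouts carry no errno.
    return errno.errorcode.get(e.errno, "TIMEOUT" if e.errno is None else str(e.errno))


def can_bind(host, port):
    """Return None if host:port is free to bind, else the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return None
    except OSError as e:
        return _err(e)
    finally:
        s.close()


def backend_reachable(host, port, timeout=2.0):
    """Return None if a TCP connect to host:port succeeds, else the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return None
    except OSError as e:
        return _err(e)
    finally:
        s.close()


def preflight(listen, backend):
    """Check a server-side tunnel: `listen` is the -d address, `backend` the -r one."""
    return {"bind": can_bind(*listen), "backend": backend_reachable(*backend)}


if __name__ == "__main__":
    # Constructed stand-in for mysqld bound to loopback only (ephemeral port).
    db = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    db.bind(("127.0.0.1", 0))
    db.listen(1)
    port = db.getsockname()[1]
    # Same port, different local address: no conflict (127.0.0.2 plays the role of ethX).
    print(preflight(("127.0.0.2", port), ("127.0.0.1", port)))
    # Same address and port as the database: EADDRINUSE.
    print(preflight(("127.0.0.1", port), ("127.0.0.1", port)))
    db.close()
    # Database no longer listening on loopback: ECONNREFUSED (errno 111 on Linux).
    print(preflight(("127.0.0.2", port), ("127.0.0.1", port)))
```

A `backend` result of `ECONNREFUSED` means nothing is listening on the `-r` address, so the check to make next is whether the database is actually bound to that loopback address and port.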