mpSSL protocol on MySQL connection

Discussion of open issues, suggestions and bugs regarding UniDAC (Universal Data Access Components) for Delphi, C++Builder, Lazarus (and FPC)
MR2018
Posts: 6
Joined: Sat 20 Jan 2018 09:23

mpSSL protocol on MySQL connection

Post by MR2018 » Sat 20 Jan 2018 09:49

I am trying to use an SSL connection to a MySQL server. Server version is 5.7.21 and SSL is enabled, not forced. There are no client certificate files installed; the server provides certificates according to the MySQL documentation. UniDAC version 7.2.5 for Delphi 7.
If TUniConnection SpecificOptions['Protocol'] is set to mpSSL, the remote computer can connect. Two questions:
1) It looks like if the OpenSSL toolkit is installed on the Win 7 remote computer, the SSL connection works, otherwise it fails. On a remote Win 8.1 computer the SSL connection works even if OpenSSL is not installed. What SSL dll-files are required, or are there any external dll-files needed for an SSL connection?
2) How to force the client connection to use SSL in case the server accepts both? If SSL fails, the connection protocol is now automatically changed to mpTCP and it's difficult to find out that this has happened.

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: mpSSL protocol on MySQL connection

Post by ViktorV » Tue 23 Jan 2018 16:08

1. MyDAC uses the following OpenSSL libraries: libeay32.dll and ssleay32.dll. You can deploy the library data with your application so that you do not depend on the availability of these libraries on your computer. But using OpenSSL libraries to create an SSL connection with MySQL server can lead to various problems. For example, OpenSSL version can be not supported by MySQL server, the bitness of the supplied OpenSSL libraries can differ from the bitness of your application, etc.
To solve the problems, you can use the SecureBridge components. SecureBridge allows you to establish secure connections within a single application without any external files. You can learn how to use SecureBridge with MyDAC in the "Secure connections" topic of MyDAC help.
2. The ability to create an SSL connection with MySQL server primarily depends on the server settings, which must be configured accordingly: SSL support is enabled and a user is created with the requirement to connect via SSL. Therefore, to solve your problem, you should create a user with the requirement to connect via SSL. The requirement for the use of certificates when setting up an SSL connection depends on the user's settings. For more information on this issue, please refer to the MySQL server documentation. To obtain the necessary data for setting up SSL, please contact the technical support of MySQL server.
Note, MyDAC does not reset the TMyConnection.Options.Protocol property.

MR2018
Posts: 6
Joined: Sat 20 Jan 2018 09:23

Re: mpSSL protocol on MySQL connection

Post by MR2018 » Wed 24 Jan 2018 10:02

1) Ok, it would be nice to have this indicated in the documentation. And according to an earlier post, more recent libraries would require modification to the UniDAC source code? Without the source code version, the latest possible SSL library would be 1.0.2n?

2) We understand the MySQL part of this. The target server is, due to other reasons, configured to allow both types of connections. After connecting, the query "show status like ''Ssl_version'';" will give the SSL version used, like "TLSv1", or an empty string in case of no SSL. The requirement is not to allow a client connection without SSL, and this check shall be made by the client software. Certainly the case would be easier if the server accepted only SSL connections. If mpSSL is defined to UniDAC, it will use mpTCP only if the server allows, and that's what we are trying to avoid.

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: mpSSL protocol on MySQL connection

Post by ViktorV » Wed 24 Jan 2018 14:44

1. The information about using OpenSSL files: https://www.devart.com/mydac/docs/index ... ptions.htm
Yes, you are right, at the moment, the latest OpenSSL version supported by UniDAC is OpenSSL 1.0.2n.
2. TMyConnection does not allow you to know whether a secured or unsecured connection was established. Therefore, after connecting, you can execute a query to the server, for example SHOW STATUS LIKE 'Ssl_cipher', and, if the query returns an empty string, disconnect.
If you are using the TMySSLIOHandler component to create a secure connection to MySQL, then you can use the TMySSLIOHandler.IsSecure property to determine if SSL is used.
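
The post-connect check described in the reply above, written out as an added example that is not part of the thread and is not Devart's code. The unit name, the exception class and the procedure name are hypothetical, and the caller is assumed to have already set ProviderName to 'MySQL' along with the server and credentials.

```delphi
unit RequireSslCheck;  // hypothetical unit name for this example

interface

uses
  SysUtils, Uni, MySQLUniProvider;

type
  // Hypothetical exception raised when the session turns out to be plaintext.
  ETransportNotEncrypted = class(Exception);

// Opens Conn and leaves it open only if the session is encrypted.
// Assumes ProviderName, Server, Username and Password are already set.
procedure ConnectRequireSsl(Conn: TUniConnection);

implementation

procedure ConnectRequireSsl(Conn: TUniConnection);
var
  Q: TUniQuery;
  Cipher: string;
begin
  Conn.SpecificOptions.Values['Protocol'] := 'mpSSL';
  Conn.Connect;
  Cipher := '';
  Q := TUniQuery.Create(nil);
  try
    Q.Connection := Conn;
    Q.SQL.Text := 'SHOW STATUS LIKE ''Ssl_cipher''';
    try
      Q.Open;
      // Result columns are Variable_name and Value; Value is empty without SSL.
      if not Q.Eof then
        Cipher := Trim(Q.Fields[1].AsString);
    except
      // Fail closed: if the check itself fails, do not keep the session.
      Conn.Disconnect;
      raise;
    end;
  finally
    Q.Free;
  end;
  if Cipher = '' then
  begin
    Conn.Disconnect;
    raise ETransportNotEncrypted.Create(
      'MySQL session is not encrypted; disconnected.');
  end;
end;

end.
```

The check runs only after the login exchange has completed, so it limits what the application sends afterwards rather than protecting authentication itself. A user created on the server with the requirement to connect via SSL, as mentioned earlier in the thread, enforces the same policy before login succeeds.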
