Re: encrypt barnyard connections

[Joerg Weber <j.weber () infos de>]

Hi,


> i would to encrypt the barnyard connection to the the mysql database.
> -is this possible over stunnel?
This works just fine for me without any issues.
You can run Stunnel with certificates and strict cert checking.

On the snort-box do something like
stunnel -c -d 127.0.0.1:3306 -r mysql-server-here:3307 -s stunnel -g
stunnel

and on the remote mysql box
/usr/sbin/stunnel -p /usr/share/ssl/stunnel/server.pem -P/tmp/ -d 3307
-r 127.0.01:3306 -s stunnel -g stunnel

or, with strict cert checking, something like this on the client
/usr/sbin/stunnel -c -d 127.0.01:3306 -r mysql-server-here:3307 -v 3 -A
/usr/share/ssl/stunnel/server.cert -p /usr/share/ssl/stunnel/client.pem
-P /var/run/stunnel.pid -s stunnel -g stunnel

on the remote mysql box
/usr/sbin/stunnel -A /usr/share/ssl/stunnel/all.cert -p
/usr/share/ssl/stunnel/server.pem -d 3307 -r 127.0.0.1:3306 -v 3 -P
/var/run/stunnel.pid -s stunnel -g stunnel

Now, if you distribute the proper certs to the client and the server,
your connection is ssl-encrypted and connections are allowed with the
proper certs only.

Works like a charm for me.

Oh, it's very possible I goofed up on the pasted lines, you gotta check
the parameters of course ;)

Cheers!

-- 
Joerg Weber
Network Security

infoServe GmbH
Nell-Breuning-Allee 6
D-66115 Saarbruecken

T: (0681) 8 80 08 - 0
F: (0681) 8 80 08 - 59
www.infos.de
E: j.weber () infos de

Attachment: signature.asc
Description: This is a digitally signed message part