Connector/c++ with SSL? - ssl

How to connect to MySQL using Connector/c++ over SSL?
I read about mysql_ssl_set(): seems to work only with Connector/c.
I have OpenSSL enabled and working for require SSL users on MySQL. And I can connect remotely to MySQL using Connector/c++, but cannot see how to modify parameters of sql::Connection to reference certs for SSL.
Excellent tutorial from Giri Mandalika at MySQL DevZone and docs on Connector/c++ don't mention SSL, which surprised me because SSL is well documented for Connector/c...or did I miss something obvious?
I realize sql::Driver::Connect() is overloaded, with the less-commonly discussed method taking one parameter sql::ConnectOptionsMap &options. Following that trail, I found just one discussion on point: Ulf Wendel/Thomas Pollak question-and-solution here (http://forums.mysql.com/read.php?167,367519,369534#msg-369534).
Did not work for me: when I incorporated it and tried to build (VC2008, WIN7) the build had warnings and failed.
I traced the exact causes as:
sql::ConnectPropertyVal generates locally defined symbol warning; and
std::map causes fatal error LNK1120: 1 unresolved externals.
With so many users out there of Connector/c++, I hoped others in the community might also be interested in how to use SSL with Connector/c++. Appreciate any ideas or help.

Spoke to Giri Mandalika (on the original development team), who mentioned that SSL support was originally planned but not completed for Connector/c++.
In case others who want SSL find this question, I worked around the problem only by using Connector/c, the underlying C API which Connector/C++ was designed to wrap.
As more than six months have elapsed without any community member coming up with a specific solution to use SSL with Connector/c++ (other than the overload solution referenced in my question), I guess I have to conclude that it just isn't possible, and mark my own question as "Answered" by me.

Related

Rpi4 and Ejabberd external registration

Some friends and I want to leave WhatsApp for good and as I've been playing around with my Rpi4 for years now, I thought I'd use that to set up an XMPP-Server for us to use, to have a secure and customizable experience.
I've tried it with ejabberd and installed it from the repo. I also tried to compile the newest version, but I get an error output every time.
It works fine so far, but it differs from what I've seen online.
My problem is that registration from outside doesn't work at all. I can register from ejabberdctl, but that's it. On the tested clients it says "server doesn't allow registration", although I have enabled everything that says anything about registration allowance.
System: Raspberry Pi 4 (4GB)
OS: TwisterOS 1.9.6 (Based on Raspbian 32bit)
Ejabberd Version: 18.12.1-2
Config files:
Ejabberd.yml https://textuploader.com/18mqx
Ejabberdctl.cfg https://textuploader.com/18mqz
When the "mod_register" line is enabled/uncommented (or any other mod not enabled by default), ejabberdctl live gives the following output: [error] Cannot load /etc/ejabberd/ejabberd.yml: Syntax error on line 272 at position 2: did not find expected key
I am very thankful for any help, whether it's getting my current version to allow registration or compiling the current version which seems easier to work with, as all of the solutions I've seen on the internet won't work with my version.
Kind Regards,
Arokan

I figured it out. You won't believe it...
The prewritten spaces in
" ## mod_register: "
seem to not have been spaces but something else, though they weren't wide as tabs but exactly as spaces.
So I deleted the spaces before mod_register: and hammered the space key myself. After that, everything worked out perfectly and other modules do as well in the same way.
tl;dr: Replace the pseudo spaces with your own spaces.
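
The fix above came down to indentation characters that looked like spaces but were not. As an added example (not part of the original thread), this script reports such characters in a YAML file's indentation and rewrites the ones that can be replaced safely. The sample text and function names are constructed here, and U+00A0 is an assumption, since the poster did not identify the character.

```python
import unicodedata

# Constructed sample (not the poster's file): the mod_register line is indented
# with U+00A0 NO-BREAK SPACE, which renders exactly like two ASCII spaces.
SAMPLE = (
    "modules:\n"
    "  mod_ping: {}\n"
    "\u00a0\u00a0mod_register:\n"
    "    ip_access: trusted_network\n"
    "\tmod_roster: {}\n"
)


def leading_run(line):
    """Yield (column, char) for the whitespace/invisible run that starts a line."""
    for col, ch in enumerate(line, start=1):
        if not (ch.isspace() or unicodedata.category(ch) == "Cf"):
            return
        yield col, ch


def find_bad_indent(text):
    """Report every indentation character that is not an ASCII space."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in leading_run(line.rstrip("\r")):
            if ch != " ":
                name = unicodedata.name(ch, "CONTROL CHARACTER")
                findings.append((line_no, col, f"U+{ord(ch):04X}", name))
    return findings


def fix_indent(text):
    """Turn Unicode space separators in the indentation into ASCII spaces and
    drop zero-width characters. Tabs are left alone: their intended width is a
    judgement call, so they stay in the report for manual repair."""
    fixed_lines = []
    for line in text.split("\n"):
        prefix, consumed = [], 0
        for _, ch in leading_run(line):
            cat = unicodedata.category(ch)
            if cat == "Zs":            # ASCII space, NBSP, en/em space, ...
                prefix.append(" ")
            elif cat != "Cf":          # tab or other control char: stop here
                break
            consumed += 1
        fixed_lines.append("".join(prefix) + line[consumed:])
    return "\n".join(fixed_lines)


if __name__ == "__main__":
    for finding in find_bad_indent(SAMPLE):
        print("line %d col %d: %s %s" % finding)
```

To check a real file, read it with `open(path, encoding="utf-8").read()` and pass the text to `find_bad_indent` before restarting the service.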

How to find the ssl / tls master key

I tried posting this on ask.openstack but it has been stuck in the moderator for 5 days now. I thought I'd try here.
I was trying to debug a Nova issue and wanted to decode the SSL / TLS packets being exchanged using Wireshark. Part of the changes I was making was setting Nova up to use SSL / TLS and I wanted to be sure that part of it I had set correctly. I eventually figured out my issues from the various log files but I'm somewhat assuming that being able to watch the network traffic may help in some very difficult cases.
The exchange uses TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 at one point. According to this security stackexchange question, there is a "pre-master secret" or various other terms. I've wrestled with this before in a previous life doing IPSec. Usually you can set debug in the application and it will spew out the secret into the log file. I tried "debug = true" under Default in nova.conf and got lots of debug but no secret. There were two items that looked interesting that were reported as **** in the log: keystone_authtoken.memcache_secret_key and neutron.metadata_proxy_shared_secret. I wasn't sure if those were the secrets I was looking for or not. In this case, I'm looking at the nova-api traffic going to port 8774.
Also, since all of openstack is Python and uses the same "request" and "certifi" packages, it may be possible to generalize this to all of the openstack components.
nova --version reports 9.1.1

Dr.Racket for SICP

I am setting up DrRacket for SICP by following this guide:
http://docs.racket-lang.org/sicp-manual/index.html?q=sicp#%28part._.Introduction_to_the__lang_sicp_language%29
But I am not able to download the sicp package. Following is the error message I received after hitting install.
Resolving "sicp" via https://download.racket-lang.org/releases/6.11/catalog/
ssl-connect: connect failed (error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed)
Please explain what to do?

Apologies if I'm telling you things you already know: it appears that certificate validation failed while contacting the racket package server.
There are several things that could cause this, but I have a sneaking suspicion that you have some kind of proxy standing between you and the server that is rewriting your traffic. Is this possible?
One way to test this would be to try installing the package on a different computer, connected to a different network.
(FWIW, I just tested this installation myself, and didn't encounter this problem. So, at a minimum, it's not that the world is broken :).)

Unable to add apache Nifi in ambari?

I am trying to add Apache Nifi in ambari but continuously failing with error Error occured during stack advisor command invocation:
Unable to delete directory /var/run/ambari-server/stack-recommendations/1.
There is a similar thread with the same error in hortonworks community, I have tried everything mentioned in that thread but unable to fix it. My sandbox is installed in vmware workstation 12 player. I also tried to create and remove directory manually but it is failing with the error invalid argument. Created a thread for this error also on stackexchange. Please help!!!

Here is a link to Hortonworks forum thread. And it seems like sandbox is just broken:
This is due to a docker issue in this 2.5 sandbox build. It will be
fixed in next revision of the sandbox.
There are also some workarounds described (like using the older HDP 2.4 or establishing your own cluster based on the HDP 2.5 docker image)
Updated sandbox arrived: http://hortonworks.com/downloads

Trust me, active members of the community see your posts in multiple locations. In a good, not Big Brother way :) but cross-posting is as old as the world ... Well, you got it.
Did you see a notice for this service in Ambari? Telling it's been deprecated? Same note in the github. There's a good reason for that, it's now been implemented properly by the dev team and with many more features. I.e. all the action is there now.
I think I replied to a similar question, though not sure it was yours, take a look in HCC.

I/O Exception: Server Key ColdFusion Issue

I’m a long-time reader here but a newbie at posting a question. Hopefully I’ll cover everything you guys need to hopefully help.
Background information:
We are running ColdFusion 10 on two servers that are load balanced (I’m not sure how they are load balanced – they are not clustered and are not using sticky sessions, this much I know). Unfortunately, I do not have access to our CF server admin at all; I have to rely on others.
I’ve implemented a punch out system that allows our users to connect to a vendor’s site to shop, then returns their items to our cart on our site. This has been working in our development servers without any issues. Everything worked well when we tested this in production as well. However, when we moved it into production last week, we started getting an error, but only when the code was running off of ONE of the load balanced servers. The error we received back from the vendor site stated that the error detail was: “I/O Exception: Server Key”. All of the research I conducted led me to believe that our CF servers needed the vendor’s cert (it is an https connection), so I told this to our server guy. He reinstalled the certs (he had said that they were there) and that did seem to solve the problem. I was successfully able to punch out to our vendor site from both of our load balanced servers.
We did a bit more testing (which all seemed fine) and then put it back into production this morning only to have the same issue occur. On one of the servers, this is working and on the other one it is not. My server guy tells me that the vendor certs are currently in place in the ColdFusion keystore.
Here is the cfhttp call I’m using:
<cfhttp url="#vendorURL#" method="POST" throwOnError="no" result="returnedObj">
<cfhttpparam type="XML" name="xmlPunchoutData" value="#trim(RequestPunchoutXML)#" />
</cfhttp>
Where ‘RequestPunchoutXML’ has a xml structure requesting a punch out from the vendor.
This looks possibly related: ColdFusion 10 - CFHTTP - Random peer not authenticated on SSL calls (cacerts file updated) but the error I'm getting isn't this one, though I think that they are probably related.
Questions: Any idea what is going on here? Could a badly set up load balancer be the issue here? Is it possible that the cfhttp call is starting from one of the servers and getting the response returned to the other? Could there be some reason that the certs are failing? Is this some other issue altogether that I have not yet identified? Any thoughts/ideas/suggestions would be greatly helpful.
Thanks in advance,
Janice