Difference between pages "OpenSSL" and "MySQL"

From Wikislax
== What is OpenSSL ? ==

[http://www.openssl.org/ OpenSSL] is an OpenSource implementation of the TLS and SSL protocols. It is used as the base for securing the communications (authentication, encryption, signing) of the rest of the OpenSource server software. However, following a record of security issues, the security and quality of the software appear more uncertain. In 2013, WikiLeaks published documents obtained by Edward Snowden, which revealed that since 2010 the NSA had effectively broken or bypassed SSL/TLS, possibly by exploiting vulnerabilities such as Heartbleed.

Since OpenSSL 1.0.1g, members of the [http://www.openbsd.org/ OpenBSD] project have forked OpenSSL to create a project named [http://www.libressl.org/ LibreSSL], which can be used as a drop-in replacement for OpenSSL.

To make things a bit less worrying, OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories]. The official documentation can be found on the [http://www.openssl.org openssl.org] web site but is somewhat cryptic. '''man openssl''' is a better option.

From a historical point of view, the SSL suite of protocols was created by Netscape to secure communications made over TCP/IP. SSL provides encryption of the data and authentication of the parties on the wire, using various methods and algorithms. SSL was the base layer used to ensure the confidentiality of essential TCP protocols such as '''smtp http pop3 nntp imap ldap'''. SSL encapsulates these services (and others) using alternate protocol names and port numbers. '''BUT''' the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. The current version is TLS v1.2.

{| {{thead}}
|-
! {{chead}} | Protocol
! {{chead}} | Port #
! {{chead}} | Secure Protocol
! {{chead}} | Secure Port #
! {{chead}} | Service
|-
|SMTP||25||SMTPS||465||Mail exchange
|-
|HTTP||80||HTTPS||443||Web browsing
|-
|POP3||110||POP3S||995||Mail retrieval
|-
|NNTP||119||NNTPS||563||News exchange
|-
|IMAP||143||IMAPS||993||Mail retrieval
|-
|LDAP||389||LDAPS||636||LDAP directory
|}

== Use only TLS ==

<u>Please note</u>: the SSL protocols were superseded by [https://en.wikipedia.org/wiki/Transport_Layer_Security TLS] and are now deprecated due to security weaknesses. SSL should not be used any longer. Instead, use TLS. The current version is v1.2.

== Compiling OpenSSL ==

OpenSSL is part of the base Slackware distribution and so benefits from the [http://www.slackware.com/security/ Slackware security advisories], which makes it very easy to upgrade to the most secure version at any time. If for some reason you would nevertheless like to compile it from source, here is how to do it:

<font color=red>Beware: to avoid breaking other software in the distribution, openssl-x.y.z can be replaced only by a minor fix update. Be sure to check the current version number using '''ls /usr/lib/*ssl*''' first.</font>

Installing OpenSSL is otherwise quite straightforward:

 # tar -C /usr/local -xvf openssl-x.y.z.tar.gz
 # cd /usr/local
 # chown -R root openssl-x.y.z
 # chgrp -R root openssl-x.y.z
 # cd openssl-x.y.z
 # vi README
 # vi INSTALL
 # make clean
 # ./config --prefix=/usr/local --openssldir=/etc/ssl shared
 # make
 # make test
 # cd /var/log/packages
 # removepkg openssl-x.y.z-X86_64-2
 # removepkg openssl-solibs-x.y.z-X86_64-2
 # cd /usr/local/openssl-x.y.z
 # make install
 # make clean
 # cd ../lib
 # mv libssl* ../lib64
 # mv libcrypto* ../lib64
 # cd pkgconfig
 # mv *ssl.pc ../../lib64/pkgconfig
 # mv *crypto.pc ../../lib64/pkgconfig
 # cd /usr/lib64
 # ln -sf /usr/local/lib64/libssl.so.1.0.0 libssl.so.1
 # ln -sf /usr/local/lib64/libcrypto.so.1.0.0 libcrypto.so.1
 # ldconfig
 # cd /etc/ssl
 # cp -r man /usr/local
 # rm -r man
 # reboot

'''reboot''' makes sure that nothing was missed by the install and that the system is able to boot normally. If anything went wrong, be ready to fix your system manually, for example by reinstalling the default Slackware OpenSSL package using '''installpkg'''.

== Using OpenSSL ==

Except for managing certificates (see the next section), OpenSSL is not used directly but through libraries that encapsulate other protocols such as '''smtp http pop3 nntp imap ldap'''.

== Using Certificates ==

Using a server certificate allows remote '''smtp http pop3 nntp imap ldap''' clients to make sure that they are connected to the right site. The server certificate contains the full domain name and other information, signed by a Certificate Authority.

For the check to be effective, the clients need copies of both the server and the Certificate Authority certificates. The server certificate is sent as part of the TLS handshake. The Certificate Authority certificate, however, must already be present on the client.

This is the case for most commercial Certificate Authority certificates, which are preinstalled. Being your own Certificate Authority saves the cost of purchasing a server certificate and renewing it yearly, but it will be necessary to install the Certificate Authority certificate on every client using your services.

The home of the '''OpenSSL''' configuration is '''/etc/ssl'''. It initially includes the directories '''certs misc private''' to store the certificates, and a configuration file '''openssl.cnf''', which must be edited first. You might want to change dir and certificate to these values:

 dir = /etc/ssl # Where everything is kept
 certificate = $dir/certs/cacert.pem # The CA certificate

<big><u>To create a self-signed certification authority certificate:</u></big>

<font color=red>Beware: for the certification to work, it is not possible to create a certification authority certificate and a server certificate with the same DN (X.500 Distinguished Name).</font>

 # '''cd /etc/ssl'''
 # '''openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 .........++++++
 .............++++++
 writing new private key to 'private/cakey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''CA'''
 Common Name (eg, YOUR name) []:'''Studioware.com'''
 Email Address []:'''nospam@studioware.com'''

<big><u>To create a server certificate request:</u></big>

<font color=red>Beware: for a server certificate, the common name must be the fully qualified domain name. A reverse DNS entry should also exist.</font>

 # '''cd /etc/ssl'''
 # '''mkdir newcerts'''
 # '''openssl req -new -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -days 365 -config openssl.cnf'''
 Generating a 1024 bit RSA private key
 ................................++++++
 ..................++++++
 writing new private key to 'newkey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:'''FR'''
 State or Province Name (full name) [Some-State]:'''.'''
 Locality Name (eg, city) []:'''Rennes'''
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:'''Studioware'''
 Organizational Unit Name (eg, section) []:'''MTA'''
 Common Name (eg, YOUR name) []:'''inner.studioware.com'''
 Email Address []:'''nospam@studioware.com'''
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

<big><u>To sign the server certificate request:</u></big>

 # '''cd /etc/ssl'''
 # '''cat </dev/null >index.txt'''
 # '''cat >serial'''
 '''01'''
 '''<ctrl>d'''
 # '''cat newcerts/mtareq.pem newcerts/mtakey.pem > newcerts/mta.pem'''
 # '''openssl ca -policy policy_anything -out newcerts/mtacert.pem -config openssl.cnf -infiles newcerts/mta.pem'''
 Using configuration from openssl.cnf
 Enter pass phrase for /etc/ssl/private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 Certificate Details:
         Serial Number: 1 (0x1)
         Validity
             Not Before: Jan  2 13:40:43 2007 GMT
             Not After : Jan  2 13:40:43 2008 GMT
         Subject:
             countryName               = FR
             localityName              = Rennes
             organizationName          = Studioware
             organizationalUnitName    = MTA
             commonName                = Jean-Pierre Menicucci
             emailAddress              = nospam@studioware.com
         X509v3 extensions:
             X509v3 Basic Constraints:
                 CA:FALSE
             Netscape Comment:
                 OpenSSL Generated Certificate
             X509v3 Subject Key Identifier:
                 06:08:16:E7:C0:A3:D3:9A:D1:92:4A:6F:B8:6E:E8:28:47:79:BD:12
             X509v3 Authority Key Identifier:
                 keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93
 
 Certificate is to be certified until Jan  2 13:40:43 2008 GMT (365 days)
 Sign the certificate? [y/n]:'''y'''
 
 1 out of 1 certificate requests certified, commit? [y/n]'''y'''
 Write out database with 1 new entries
 Data Base Updated

<big><u>To remove the pass phrase from the server private key:</u></big>

<font color=red>Beware: it is necessary to remove this pass phrase so that sendmail can start without any human intervention.</font>

 # '''openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure'''
 Enter pass phrase for newcerts/mtakey.pem:
 writing RSA key

<big><u>To move the files to the right directories with the right rights and clean up:</u></big>

 # '''cd newcerts'''
 # '''ls'''
 01.pem  mta.pem  mtacert.pem  mtakey.pem  mtakey.pem.unsecure  mtareq.pem
 # '''mv mtacert.pem ../certs'''
 # '''mv mtakey* ../private'''
 # '''rm 01.pem mta.pem mtareq.pem'''
 # '''cd ../certs'''
 # '''chmod go+r *'''
 # '''cd ../private'''
 # '''chmod go-r *'''

When renewing an existing certificate mtakey.pem, the following commands make the required copies:

 # '''cp mtakey.pem.unsecure apache.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure asterisk.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure ldap.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure news.mtakey.pem.unsecure'''
 # '''cp mtakey.pem.unsecure smmsp.mtakey.pem.unsecure'''
 # '''chown apache:apache apache.mtakey.pem.unsecure'''
 # '''chown asterisk:asterisk asterisk.mtakey.pem.unsecure'''
 # '''chown ldap:ldap ldap.mtakey.pem.unsecure'''
 # '''chown smmsp:smmsp smmsp.mtakey.pem.unsecure'''
 # '''chown news:news news.mtakey.pem.unsecure'''
 # '''cd ../certs'''
 # '''vi mtacert.pem'''
 d59d
 :$
 :r ../private/mtakey.pem.unsecure
 :w! server.pem
 :x
 # '''chown cyrus:mail server.pem'''
 # '''chmod 600 server.pem'''

<big><u>To check an external certificate</u></big>

For OpenSSL to use an external certification authority certificate, you need to place in your '''/etc/ssl/certs''' directory a copy of it and a symbolic link to this copy. The name of this link must be based on the certificate hash (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way:

 # C=CertificateFileName
 # ln -s $C `openssl x509 -noout -hash < $C`.0
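The certificate procedure described above (CA, request, signing, pass phrase removal, hash-named link), run end to end without prompts so the result can be checked, as an added example that is not part of the original wiki page. It assumes the openssl(1) command line, 1.1.1 or later, keeps the page's sample DNs, signs with openssl x509 -req instead of openssl ca so that no index.txt/serial database is needed, uses 2048-bit keys and adds a subjectAltName because current clients ignore the common name; pass phrases and the scratch directory are constructed.

```shell
#!/bin/sh
# Added example, not from the Wikislax page: the CA -> request -> sign ->
# strip pass phrase -> hash link procedure, non-interactive and verifiable.
# Assumes the openssl(1) command line, 1.1.1 or later. DNs are the page's
# sample values; pass phrases and the scratch directory are constructed.
set -eu

CA_SUBJ="/C=FR/L=Rennes/O=Studioware/OU=CA/CN=Studioware.com/emailAddress=nospam@studioware.com"
SRV_SUBJ="/C=FR/L=Rennes/O=Studioware/OU=MTA/CN=inner.studioware.com/emailAddress=nospam@studioware.com"
CA_PASS="pass:ca-demo-passphrase"       # constructed; never hard-code a real one
SRV_PASS="pass:temporary-passphrase"    # constructed; removed again in step 4

# Build an /etc/ssl-like tree in a scratch directory and print its path.
make_demo_pki() {
    d=$(mktemp -d)
    mkdir -p "$d/certs" "$d/private" "$d/newcerts"
    chmod 700 "$d/private"

    # 1. Self-signed CA certificate (10 years); the CA key stays pass-phrase protected.
    openssl req -new -x509 -newkey rsa:2048 -days 3650 -subj "$CA_SUBJ" \
        -keyout "$d/private/cakey.pem" -out "$d/certs/cacert.pem" \
        -passout "$CA_PASS" 2>/dev/null

    # 2. Server key and request. OU and CN differ from the CA's DN, which the
    #    page warns is required for the signature to verify.
    openssl req -new -newkey rsa:2048 -subj "$SRV_SUBJ" \
        -keyout "$d/newcerts/mtakey.pem" -out "$d/newcerts/mtareq.pem" \
        -passout "$SRV_PASS" 2>/dev/null

    # 3. Sign the request with the CA (x509 -req here instead of the page's
    #    'openssl ca', so no index.txt/serial database is needed). Current
    #    clients match the host name against subjectAltName, not the CN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:inner.studioware.com\n' >"$d/srv.ext"
    openssl x509 -req -days 365 -in "$d/newcerts/mtareq.pem" \
        -CA "$d/certs/cacert.pem" -CAkey "$d/private/cakey.pem" -CAcreateserial \
        -passin "$CA_PASS" -extfile "$d/srv.ext" -out "$d/certs/mtacert.pem" 2>/dev/null

    # 4. Strip the pass phrase so daemons can start unattended; the unprotected
    #    key is readable by root only, as the page's 'chmod go-r' intends.
    openssl rsa -in "$d/newcerts/mtakey.pem" -passin "$SRV_PASS" \
        -out "$d/private/mtakey.pem.unsecure" 2>/dev/null
    chmod 600 "$d/private/mtakey.pem.unsecure"

    # 5. Hash-named link (see "To check an external certificate"), which is
    #    what directory-based CA lookups such as -CApath use to find the CA.
    ( cd "$d/certs" && ln -s cacert.pem "$(openssl x509 -noout -hash -in cacert.pem).0" )
    echo "$d"
}

# Verify the server certificate against the CA, both by file and via the
# hash-named directory lookup. Returns 0 only if both succeed.
verify_chain() {
    openssl verify -CAfile "$1/certs/cacert.pem" "$1/certs/mtacert.pem" >/dev/null 2>&1 &&
    openssl verify -CApath "$1/certs" "$1/certs/mtacert.pem" >/dev/null 2>&1
}

# Confirm the installed server key carries no pass phrase (no ENCRYPTED marker).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1/private/mtakey.pem.unsecure"
}

if [ "${1:-}" = "run" ]; then
    PKI=$(make_demo_pki)
    verify_chain "$PKI" && key_is_unencrypted "$PKI" && echo "chain verified in $PKI"
fi
```

Run it as `sh demo-pki.sh run`; if the CA and server DNs are made identical, verify_chain fails, which is the page's "same DN" warning made observable.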
 
  
<br>
+
<br/>
  
{{pFoot|[[Creating VMs]]|[[Main Page]]|[[OpenLDAP]]|}}
+
{{pFoot|[[Milter]]|[[Main Page]]|[[Apache]]}}

Revision as of 14:58, 21 January 2025

What is MySQL ?

MySQL (http://www.mysql.com) is the traditional database companion to Apache and PHP. MySQL was previously the property of MySQL AB but was acquired by Oracle Corporation in 2010. This created some worries in the OpenSource community and led to a fork, MariaDB (https://mariadb.org/), which is a drop-in replacement for MySQL and the one included in the Slackware distribution.

Installing MySQL

The quickest way to install MySQL is to NOT install it and to use MariaDB, included with Slackware, instead. If this is your choice, please note that /usr will be the root directory of the software instead of /usr/local/mysql, and proceed to Running SQL.

apr and apr-util, used by Apache, depend on MySQL, so the latter must be installed first. Download the latest stable version from http://dev.mysql.com/downloads/mysql/, choosing "Source Code" when asked to select a platform. Documentation is available at http://dev.mysql.com/doc/. Here MySQL is compiled with OpenSSL support so that MySQL connections on port 3306 can be encrypted (just in case, as we do not intend to open port 3306 to the outside world for the moment).

# groupadd mysql
# useradd -g mysql mysql
# tar -C /usr/local -xvf mysql-x.y.z.tar.gz
# cd /usr/local/mysql-x.y.z
# chown -R root:root .
# less INSTALL-SOURCE
# rm CMakeCache.txt
# make clean
# cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql -DINSTALL_LIBDIR=lib64 \
-DINSTALL_PLUGINDIR=lib64/plugin -DMYSQL_DATADIR=/var/lib/mysql \
-DDEFAULT_CHARSET=latin1 -DDEFAULT_COLLATION=latin1_swedish_ci \
-DMYSQL_UNIX_ADDR=/var/run/mysql/mysql.sock -DWITH_SSL=yes
# make
# removepkg /var/log/packages/mysql-5.1.46-x86_64-2
# make install
# make clean
# cp -R /usr/local/mysql/man /usr/local
# cp support-files/my-default.cnf /etc/my.cnf
# chmod u+x scripts/mysql_install_db
# scripts/mysql_install_db --user=mysql --basedir=/usr/local/mysql --datadir=/var/lib/mysql

Configuring MySQL

MySQL (5.6.24) works correctly out of the box, so there is really nothing to do. In the past we had to edit /etc/my.cnf and uncomment the line #skip-networking to prevent MySQL network connections. We also had to add, after the [client] tag, a line default-character-set=charset_name (for instance utf8 or latin1) to eliminate this warning when launching a client:

# mysql -u root -p
Enter password: 
mysql: Unknown OS character set 'ISO-8859-15'.
mysql: Switching to the default character set 'latin1'.
Welcome to the MySQL monitor.  Commands end with ; or \g.
. . .

This is no longer necessary, so let us directly update /etc/rc.d/rc.mysqld with the new paths and options:

# Start mysqld:
mysqld_start() {
  if [ -x /usr/local/mysql/bin/mysqld_safe ]; then
    # If there is an old PID file (no mysqld running), clean it up:
    if [ -r /var/run/mysql/mysql.pid ]; then
      if ! ps axc | grep mysqld 1> /dev/null 2> /dev/null ; then
        echo "Cleaning up old /var/run/mysql/mysql.pid."
        rm -f /var/run/mysql/mysql.pid
      fi
    fi
    /usr/local/mysql/bin/mysqld_safe --character_set_server=utf8 \
        --basedir=/usr/local/mysql --datadir=/var/lib/mysql \
        --pid-file=/var/run/mysql/mysql.pid $SKIP &
  fi
}

Running SQL

If not done yet, create the mysql support files:

# mysql_install_db --user=mysql

Give execution rights to the rc.mysqld script and launch the daemon:

# chmod u+x /etc/rc.d/rc.mysqld
# /etc/rc.d/rc.mysqld start

Using MySQL

If you have time to invest, MySQL comes with very exhaustive documentation (http://dev.mysql.com/doc), including a tutorial. A few quick notes however:

MySQL defines a root user without an initial password. To set one, type the following at the MySQL/MariaDB command prompt: ALTER USER 'root'@'localhost' IDENTIFIED BY 'MyN3wP4ssw0rd'; flush privileges; exit;

You can use mysql to configure itself. Refer to the documentation for the SQL syntax, or use phpMyAdmin, a PHP application to manage MySQL from your browser.

To invoke MySQL, use mysql -u user, then enter queries at the mysql> prompt and quit to terminate the session. Commands can be entered in uppercase or lowercase. It is possible to enter formulas, for example select sin(pi()/4), (4+1)*5, current_date;. Typing \c at the end of a command cancels it.

Queries may be entered on several lines. When awaiting input on a new line, mysql displays -> if the completion of a command is awaited, '> for a string that began with a ', "> for a string that began with a ", `> for an identifier that began with a `, and /*> for a comment that began with a /*.

show databases; lists the existing databases. use database (without a semicolon) switches to a specific database; GRANT ALL ON database.* TO 'your_mysql_name'@'your_client_host'; must have been run first by the admin to grant access. CREATE DATABASE database; creates a database, then USE database.

Alternatively, it is possible to specify the database name as the last parameter of the mysql command, e.g. mysql -h host -u user -p database. select database(); shows which database is in use.

