Configuring and Managing SSL on Your MySQL Server
Want to learn how to configure and manage SSL on your MySQL server? Check out this tutorial to learn how in MySQL hosting!
by
Join the DZone community and get the full member experience.
Join For FreeIn this blog post, we will review the important aspects of configuring and managing SSL in MySQL hosting. These would include the default configuration, disabling SSL, and enabling and enforcing SSL on a MySQL server. Our observations are based on the community version of MySQL 5.7.21.
Default SSL Configuration in MySQL
By default, MySQL server always installs and enables SSL configuration. However, it is not enforced that clients connect using SSL. Clients can choose to connect with or without SSL as the server allows both types of connections. Let’s see how to verify this default behavior of MySQL server.
When SSL is installed and enabled on MySQL server by default, we will typically see the following:
- Presence of *.pem files in the MySQL data directory. These are the various client and server certificates and keys that are in use for SSL, as described here.
- There will be a note in the mysqld error log file during the server start, such as:
- [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
- Value of ‘have_ssl’ variable will be YES:
mysql> show variables like ‘have_ssl’;
+—————+——-+
| Variable_name | Value |
+—————+——-+
| have_ssl | YES |
+—————+——-+With respect to the MySQL client, by default, it always tries to go for encrypted network connection with the server, and if that fails, it falls back to unencrypted mode.
So, by connecting to MySQL server using the command:
mysql -h <hostname> -u <username> -pWe can check whether the current client connection is encrypted or not using the status command:
mysql> status
————–
mysql Ver 14.14 Distrib 5.7.21, for Linux (x86_64) using EditLine wrapper
Connection id: 75
Current database:
Current user: root@127.0.0.1
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ”
Using delimiter: ;
Server version: 5.7.21-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
…………………………..The SSL field highlighted above indicates that the connection is encrypted. We can, however, ask the MySQL client to connect without SSL by using the command:
mysql -h <hostname> -u <username> -p –ssl-mode=DISABLED
mysql> status
————–
Connection id: 93
Current database:
Current user: sgroot@127.0.0.1
SSL: Not in use
Current pager: stdout
Using outfile: ”
Using delimiter: ;
Server version: 5.7.21-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
……………………………When we can see that even though SSL is enabled on the server, we are able to connect to it without SSL.
Disabling SSL in MySQL
If your requirement is to completely turn off SSL on MySQL server, instead of the default option of ‘enabled, but optional mode,’ we can do the following:
- Delete the *.pem certificate and key files in the MySQL data directory.
- Start MySQL with SSL option turned off. This can be done by adding a line entry:
ssl=0 in the my.cnf file.
We can observe that:
- There will NOT be any note in mysqld logs such as :
- [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
- Value of ‘have_ssl’ variable will be DISABLED:
mysql> show variables like ‘have_ssl’;
+—————+——-+
| Variable_name | Value |
+—————+——-+
| have_ssl | DISABLED |
+—————+——-+Enforcing SSL in MySQL
We saw that though SSL was enabled by default on MySQL server, it was not enforced and we were still able to connect without SSL.
Now, by setting the require_secure_transport system variable, we will be able to enforce that server will accept only SSL connections. This can be verified by trying to connect to MySQL server with the command:
mysql -h <hostname> -u sgroot -p –ssl-mode=DISABLEDAnd, we can see that the connection would be refused with following error message from the server:
ERROR 3159 (HY000): Connections using insecure transport are prohibited while –require_secure_transport=ON.SSL Considerations for Replication Channels
By default, in a MySQL replication setup, the slaves connect to the master without encryption.
Hence, to connect to a master in a secure way for replication traffic, slaves must use MASTER_SSL=1; as part of the ‘ CHANGE MASTER TO’ command, which specifies parameters for connecting to the master. Please note that this option is also mandatory, in case your master is configured to enforce SSL connection using require_secure_transport.
Published at DZone with permission of Prasad Nagaraj, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments