Configuring and Managing SSL on Your MySQL Server

In this blog post, we will review the important aspects of configuring and managing SSL in MySQL hosting. These would include the default configuration, disabling SSL, and enabling and enforcing SSL on a MySQL server. Our observations are based on the community version of MySQL 5.7.21.

Default SSL Configuration in MySQL

By default, MySQL server always installs and enables SSL configuration. However, it is not enforced that clients connect using SSL. Clients can choose to connect with or without SSL as the server allows both types of connections. Let’s see how to verify this default behavior of MySQL server.

When SSL is installed and enabled on MySQL server by default, we will typically see the following:

1. Presence of *.pem files in the MySQL data directory. These are the various client and server certificates and keys that are in use for SSL, as described here.
2. There will be a note in the mysqld error log file during the server start, such as:
   • [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
3. Value of ‘have_ssl’ variable will be YES:

mysql> show variables like ‘have_ssl’;

+—————+——-+

| Variable_name | Value |

+—————+——-+

| have_ssl | YES |

+—————+——-+

With respect to the MySQL client, by default, it always tries to go for encrypted network connection with the server, and if that fails, it falls back to unencrypted mode.

So, by connecting to MySQL server using the command:

mysql -h <hostname> -u <username> -p

We can check whether the current client connection is encrypted or not using the status command:

mysql> status

————–

mysql Ver 14.14 Distrib 5.7.21, for Linux (x86_64) using EditLine wrapper

Connection id: 75

Current database:

Current user: root@127.0.0.1

SSL: Cipher in use is DHE-RSA-AES256-SHA

Current pager: stdout

Using outfile: ”

Using delimiter: ;

Server version: 5.7.21-log MySQL Community Server (GPL)

Protocol version: 10

Connection: 127.0.0.1 via TCP/IP

…………………………..

The SSL field highlighted above indicates that the connection is encrypted. We can, however, ask the MySQL client to connect without SSL by using the command:

mysql -h <hostname> -u <username> -p –ssl-mode=DISABLED

mysql> status

————–

Connection id: 93

Current database:

Current user: sgroot@127.0.0.1

SSL: Not in use

Current pager: stdout

Using outfile: ”

Using delimiter: ;

Server version: 5.7.21-log MySQL Community Server (GPL)

Protocol version: 10

Connection: 127.0.0.1 via TCP/IP

……………………………

When we can see that even though SSL is enabled on the server, we are able to connect to it without SSL.

Disabling SSL in MySQL

If your requirement is to completely turn off SSL on MySQL server, instead of the default option of ‘enabled, but optional mode,’ we can do the following:

1. Delete the *.pem certificate and key files in the MySQL data directory.
2. Start MySQL with SSL option turned off. This can be done by adding a line entry:

 ssl=0 in the my.cnf file. 

We can observe that:

1. There will NOT be any note in mysqld logs such as :
   • [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
2. Value of ‘have_ssl’ variable will be DISABLED:

mysql> show variables like ‘have_ssl’;

+—————+——-+

| Variable_name | Value |

+—————+——-+

| have_ssl | DISABLED |

+—————+——-+

Enforcing SSL in MySQL

We saw that though SSL was enabled by default on MySQL server, it was not enforced and we were still able to connect without SSL.

Now, by setting the require_secure_transport system variable, we will be able to enforce that server will accept only SSL connections. This can be verified by trying to connect to MySQL server with the command:

mysql -h <hostname> -u sgroot -p –ssl-mode=DISABLED

And, we can see that the connection would be refused with following error message from the server: 

ERROR 3159 (HY000): Connections using insecure transport are prohibited while –require_secure_transport=ON.

SSL Considerations for Replication Channels

By default, in a MySQL replication setup, the slaves connect to the master without encryption.

Hence, to connect to a master in a secure way for replication traffic, slaves must use  MASTER_SSL=1; as part of the ‘ CHANGE MASTER TO’ command, which specifies parameters for connecting to the master. Please note that this option is also mandatory, in case your master is configured to enforce SSL connection using require_secure_transport.