SSL Connections

The connection between the client and the server is not encrypted by default. In most network architectures this is not a risk, because the link between the database client and server is not exposed to a public network. Where data has to cross public lines, however, an unencrypted connection lets anyone on the path read the data in transit.

MySQL can be configured to support SSL connections, although this does have a performance cost. To do this, perform the following steps:

  1. Install the openssl library, which can be found at www.openssl.org/.

  2. Configure MySQL with the --with-vio --with-openssl options.

To check whether an existing installation of MySQL supports SSL (or whether your own build succeeded), check that the variable have_openssl is YES:

mysql> SHOW VARIABLES LIKE '%ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.00 sec)
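The check above can be scripted. The following is an added example, not code from the book: it parses the framed table the mysql client prints and reports the SSL status. The function names parse_mysql_table, ssl_status and supports_ssl are chosen here, and the sample outputs are constructed; have_ssl is the name later MySQL versions report alongside or instead of have_openssl.

```python
"""Check the mysql client's SHOW VARIABLES output for SSL support.

Added example, not code from the book: it parses the framed ASCII table the
mysql client prints and reports whether the server build supports SSL.
"""


def parse_mysql_table(text):
    """Parse the mysql client's +---+ framed output into a list of row dicts.

    The first '|' line is the header; frame lines (+---+) and the trailing
    'N rows in set' line are ignored.
    """
    rows = [line for line in text.splitlines() if line.lstrip().startswith("|")]
    if not rows:
        return []

    def cells(line):
        return [c.strip() for c in line.strip().strip("|").split("|")]

    header = cells(rows[0])
    return [dict(zip(header, cells(row))) for row in rows[1:]]


def ssl_status(text):
    """Return the value of have_openssl (MySQL 4) or have_ssl (later servers), or None.

    Besides YES and NO, later servers report DISABLED when the binary was built
    with SSL but no certificate or key was configured.
    """
    variables = {r["Variable_name"]: r["Value"] for r in parse_mysql_table(text)}
    for name in ("have_openssl", "have_ssl"):
        if name in variables:
            return variables[name]
    return None


def supports_ssl(text):
    """True only when the server both has SSL compiled in and has it enabled."""
    return ssl_status(text) == "YES"


# Constructed sample: what SHOW VARIABLES LIKE '%ssl' prints on an SSL-enabled MySQL 4.
SAMPLE_YES = """\
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.00 sec)
"""

# Constructed sample from a later server built with SSL but not configured for it.
SAMPLE_DISABLED = """\
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
+---------------+----------+
2 rows in set (0.00 sec)
"""

if __name__ == "__main__":
    print("SSL-enabled build:", supports_ssl(SAMPLE_YES))        # True
    print("SSL status (disabled):", ssl_status(SAMPLE_DISABLED))  # DISABLED
```

Feed it the captured output of the SHOW VARIABLES statement; treating anything other than YES as "no SSL" is the safe default, since a DISABLED server will silently accept plaintext connections.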

Once SSL is supported, you can make use of it with various grant options (see Table 14.5).

Table 14.5: SSL Grant Options

  Option                          Description
  REQUIRE SSL                     The client must connect with SSL encryption.
  REQUIRE X509                    The client has to have a valid certificate to connect.
  REQUIRE ISSUER cert_issuer      The client has to have a valid certificate issued by cert_issuer to connect.
  REQUIRE SUBJECT cert_subject    The client has to have a valid certificate with the subject cert_subject.
  REQUIRE CIPHER cipher           The client has to make use of the specified cipher.

REQUIRE SSL is the least restrictive of the SSL options. SSL encryption of any kind is acceptable. This would be useful where you don't want to send plain text, but simple encryption of the connection is sufficient:

mysql> GRANT ALL PRIVILEGES ON securedb.* TO root@localhost IDENTIFIED BY "g00r002b"
    -> REQUIRE SSL;
Query OK, 0 rows affected (0.01 sec)

REQUIRE X509 is similar, but marginally more restrictive: the client must present a valid certificate, not just encrypt the connection:

mysql> GRANT ALL PRIVILEGES ON securedb.* TO root@localhost IDENTIFIED BY "g00r002b"
    -> REQUIRE X509;
Query OK, 0 rows affected (0.01 sec)

REQUIRE ISSUER and REQUIRE SUBJECT are more secure because the certificate has to come from a specific issuer or contain a specific subject:

mysql> GRANT ALL PRIVILEGES ON securedb.* TO root@localhost IDENTIFIED BY "g00r002b"
    -> REQUIRE ISSUER "C=ZA, ST=Western Cape, L=Cape Town, O=Mars Inc CN=Lilian Nomvete/Email=lilian@marsorbust.co.za";
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT ALL PRIVILEGES ON securedb.* TO root@localhost IDENTIFIED BY "g00r002b"
    -> REQUIRE SUBJECT "C=ZA, ST=Western Cape, L=Cape Town, O=Mars Inc CN=Benedict Mhlala/Email=benedict@marsorbust.co.za";
Query OK, 0 rows affected (0.01 sec)

REQUIRE CIPHER lets you ensure that weak SSL algorithms are not used, because you name the one cipher the client must use:

mysql> GRANT ALL PRIVILEGES ON securedb.* TO root@localhost IDENTIFIED BY "g00r002b"
    -> REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA";
Query OK, 0 rows affected (0.01 sec)

You can specify any or all of the previous options at the same time (the AND is optional):

mysql> GRANT ALL PRIVILEGES ON securedb.* TO root@localhost IDENTIFIED BY "g00r002b"
    -> REQUIRE ISSUER "C=ZA, ST=Western Cape, L=Cape Town, O=Mars Inc CN=Lilian Nomvete/Email=lilian@marsorbust.co.za"
    -> AND SUBJECT "C=ZA, ST=Western Cape, L=Cape Town, O=Mars Inc CN=Benedict Mhlala/Email=benedict@marsorbust.co.za"
    -> AND CIPHER "EDH-RSA-DES-CBC3-SHA";
Query OK, 0 rows affected (0.01 sec)
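To make the semantics of Table 14.5 and of the combined grant above concrete, here is an added example; it is not code from the book or from MySQL itself. parse_require turns the text after REQUIRE into the five options (with AND optional, as the book says), and check_require decides whether a connection's TLS facts satisfy them. The names Connection, Require, parse_require and check_require are chosen here; the issuer, subject and cipher strings are the book's own, and the two connections evaluated at the end are constructed.

```python
"""Model of how an account's GRANT ... REQUIRE clause gates a connection.

Added example, not code from the book or from MySQL: parse_require() turns the
text after REQUIRE into the five options of Table 14.5 (AND between options is
optional, as in the book), and check_require() decides whether a connection's
TLS facts satisfy them. Connection, Require, parse_require and check_require
are names chosen here, not MySQL APIs.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Connection:
    """What the server knows about the client transport after the handshake."""
    ssl: bool = False                 # was the connection encrypted at all?
    cert_valid: bool = False          # did the client present a certificate that verified?
    issuer: Optional[str] = None      # issuer DN of that certificate
    subject: Optional[str] = None     # subject DN of that certificate
    cipher: Optional[str] = None      # negotiated cipher name


@dataclass
class Require:
    """An account's REQUIRE clause; False / None means the option was not granted."""
    ssl: bool = False
    x509: bool = False
    issuer: Optional[str] = None
    subject: Optional[str] = None
    cipher: Optional[str] = None


# One token is a double-quoted string, a single-quoted string, or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def parse_require(clause: str) -> Require:
    """Parse e.g. 'ISSUER "..." AND CIPHER "..."' or 'SSL' into a Require."""
    words = [next(g for g in m.groups() if g is not None) for m in _TOKEN.finditer(clause)]
    req = Require()
    i = 0
    while i < len(words):
        kw = words[i].upper()
        if kw == "AND":                       # separator between options, optional
            i += 1
        elif kw == "SSL":
            req.ssl = True
            i += 1
        elif kw == "X509":
            req.x509 = True
            i += 1
        elif kw in ("ISSUER", "SUBJECT", "CIPHER"):
            if i + 1 >= len(words):
                raise ValueError("REQUIRE %s needs a value" % kw)
            setattr(req, kw.lower(), words[i + 1])
            i += 2
        else:
            raise ValueError("unknown REQUIRE option %r" % words[i])
    return req


def check_require(req: Require, conn: Connection) -> Tuple[bool, str]:
    """Return (allowed, reason) for one connection attempt.

    Two rules the table leaves implicit: ISSUER and SUBJECT can only be
    checked on a valid certificate, so they imply X509; and X509 and CIPHER
    only make sense on an encrypted connection, so they imply SSL.
    """
    needs_cert = req.x509 or req.issuer is not None or req.subject is not None
    needs_ssl = req.ssl or req.cipher is not None or needs_cert
    if needs_ssl and not conn.ssl:
        return False, "connection is not encrypted"
    if needs_cert and not conn.cert_valid:
        return False, "client did not present a valid certificate"
    if req.issuer is not None and conn.issuer != req.issuer:
        return False, "certificate issuer does not match"
    if req.subject is not None and conn.subject != req.subject:
        return False, "certificate subject does not match"
    if req.cipher is not None and conn.cipher != req.cipher:
        return False, "cipher %r is not the required %r" % (conn.cipher, req.cipher)
    return True, "ok"


# The combined clause from the book's last GRANT, with its strings verbatim.
ISSUER_DN = "C=ZA, ST=Western Cape, L=Cape Town, O=Mars Inc CN=Lilian Nomvete/Email=lilian@marsorbust.co.za"
SUBJECT_DN = "C=ZA, ST=Western Cape, L=Cape Town, O=Mars Inc CN=Benedict Mhlala/Email=benedict@marsorbust.co.za"
COMBINED = 'ISSUER "%s" AND SUBJECT "%s" AND CIPHER "EDH-RSA-DES-CBC3-SHA"' % (ISSUER_DN, SUBJECT_DN)


def demo():
    """Evaluate the book's combined grant against two constructed connections."""
    req = parse_require(COMBINED)
    matching = Connection(ssl=True, cert_valid=True, issuer=ISSUER_DN,
                          subject=SUBJECT_DN, cipher="EDH-RSA-DES-CBC3-SHA")
    # Same certificate, but the client negotiated a different cipher (constructed name).
    other_cipher = Connection(ssl=True, cert_valid=True, issuer=ISSUER_DN,
                              subject=SUBJECT_DN, cipher="DES-CBC-SHA")
    return check_require(req, matching), check_require(req, other_cipher)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ordering of the checks mirrors how the options nest: a REQUIRE SUBJECT grant rejects a plaintext connection and an uncertified one before it ever compares the DN, which is why the book calls ISSUER and SUBJECT the more secure options. The cipher name is the book's 2003 example; a practitioner applying REQUIRE CIPHER today would name a current suite, since the point of the option is that the client cannot negotiate down to a weaker one.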

Mastering MySQL 4
ISBN: 0782141625
Year: 2003
Pages: 230
Authors: Ian Gilfillan