WL#7699: Auto-enable SSL for MySQL Enterprise Server

Affects: Server-5.7   —   Status: Complete

OpenSSL exposes APIs for generating SSL certificates and RSA keys.  This makes it
possible for MySQL Server, when compiled with OpenSSL, to automatically generate
the SSL certificates and RSA keys needed for a secure deployment.  As a result,
SSL (and SHA-256 authentication using RSA key mode) will be enabled by default
for all commercial installations of MySQL Server.

FR1:  New server configuration options, --auto_generate_certs and
plugin option --sha256_password_auto_generate_rsa_keys will be added.

FR1.1:  Both options will be global in scope and read-only.

FR1.2:  Valid option values are ON(1) or OFF(0).

FR1.3:  Default value will be ON.

FR2: Default locations for the following SSL and RSA-related artifacts will be
defined:

 * ssl-ca = DATADIR/ca.pem
 * CA key (not server option) = DATADIR/ca-key.pem
 * ssl-cert = DATADIR/server-cert.pem
 * ssl-key = DATADIR/server-key.pem
 * client certificate (not server option) = DATADIR/client-cert.pem
 * client key (not server option) = DATADIR/client-key.pem
 * sha256_password_private_key_path = DATADIR/private_key.pem
 * sha256_password_public_key_path = DATADIR/public_key.pem
 
FR3:  Default locations for SSL certificates will not apply (or be referenced)
if the --auto_generate_certs option is set to OFF.

FR4:  Explicitly-defined options will take priority over default locations at
all times.

FR5:  Default locations for SSL artifacts (ssl-ca, ssl-cert, ssl-key) will be
ignored if any SSL option is explicitly defined.

FR6:  Default locations for RSA artifacts (sha256_password_private_key_path,
sha256_password_public_key_path) will be ignored if the respective RSA option is
defined.

FR7:  MySQL Server will generate appropriate SSL artifacts when
--auto_generate_certs = ON, the default location for SSL artifacts is not
ignored (reference FR5), and the corresponding SSL configuration option is not
explicitly defined.

FR7.1:  Generated SSL artifacts will be written to the default locations defined
in FR2.

FR7.2:  Generated SSL artifacts will use 2048-bit keys.

FR7.3:  Generated SSL artifacts will use CN =
"MySQL_Server_<version>_Auto_Generated_[CA|Server|Client]_Certificate", with the
server version and certificate type filled in.

FR7.4:  Generated SSL artifacts will have blank values for Country (C), State or
Province (ST), Organization (O), Organization Unit Name (OU) and email address.

FR7.5:  Generated SSL artifacts will be valid for one year from generation.

FR7.6:  Generated SSL artifacts will have different Serial Numbers for each
cert/key pair (1 for CA, 2 for Server, 3 for Client).

FR8:  MySQL Server will generate appropriate RSA artifacts when
--sha256_password_auto_generate_rsa_keys = ON, the RSA options are default
values, and both RSA public and private key do not exist in the DATADIR.

FR8.1:  Generated RSA artifacts will be written to the default locations defined
in FR2.

FR8.2:  Generated RSA artifacts will use 2048-bit keys.

FR9:  SSL and RSA artifacts automatically discovered and used by the server
should update the corresponding server variables (ssl-ca, ssl-cert, ssl-key,
sha256_password_private_key_path, sha256_password_public_key_path) to
reference the used artifact location.

FR10:  SSL and RSA artifacts automatically generated and used by the server
should update the corresponding server variables (ssl-ca, ssl-cert, ssl-key,
sha256_password_private_key_path, sha256_password_public_key_path) to
reference the used artifact location.

FR11:  The server will note in a server log entry when SSL or RSA artifacts are
generated automatically.

FR11.1:  This note will reference best practices documentation for secure
deployments, noting limitations of the generated certificates (duration, identity).

FR12:  The server will note in a server log entry when SSL or RSA artifacts are
discovered (rather than explicitly defined) and used.

I-1. A new server option : auto_generate_certs and a new plugin option :
sha256_password_auto_generate_rsa_keys will be introduced with the following
properties:
a. Accepts value : ON(1) and OFF(0)
b. Read Only Global variable
c. These options are available only if server is compiled with OpenSSL
d. Default value : ON

I-2. These options will be checked at the time of server start-up

I-3. If --auto-generate-certs is set to ON(1), SSL certificates will be
generated if :
a. None of the following parameters is specified.
ssl-ca, ssl-capath, ssl-cert, ssl-key, ssl-cipher, ssl-crl, ssl-crlpath

AND

b. None of the following files exists in the DATA directory:
ca.pem, server-cert.pem, server-key.pem

I-4. If --sha256_password_auto_generate_rsa_keys is set to ON(1), RSA keys will
be generated if :
a. None of the following parameters is specified:
sha256_password_private_key_path, sha256_password_public_key_path

AND

b. None of the following files exists in the DATA directory:
private_key.pem, public_key.pem

I-5. List of generated files and their permissions (names as defined in FR2):

ca.pem : -rw-r--r--
ca-key.pem : -rw-------
server-cert.pem : -rw-r--r--
server-key.pem : -rw-------
client-cert.pem : -rw-r--r--
client-key.pem : -rw-------
private_key.pem : -rw-------
public_key.pem : -rw-r--r--
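The following is an added Go example, not the worklog's or the MySQL server's OpenSSL-based code: it produces the same artifact set with the properties FR7 and FR8 require, using Go's standard crypto/x509 in place of the OpenSSL APIs the WL refers to. It generates 2048-bit RSA keys (FR7.2, FR8.2), a CN of the FR7.3 form with blank C/ST/O/OU/email (FR7.4), one-year validity (FR7.5), serials 1/2/3 (FR7.6), the file names of FR2 and the modes of I-5. The data directory and the version string are supplied by the caller; the key-usage bits are my own choice, since the WL says nothing about them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

const (
	keyBits  = 2048                 // FR7.2 / FR8.2
	validity = 365 * 24 * time.Hour // FR7.5: one year from generation
	keyMode  = os.FileMode(0o600)   // I-5: private keys are -rw-------
	certMode = os.FileMode(0o644)   // I-5: certificates and public_key.pem are -rw-r--r--
)

// writePEM writes one PEM block, then forces the I-5 mode because WriteFile's mode is subject to umask.
func writePEM(path, blockType string, der []byte, mode os.FileMode) error {
	data := pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: der})
	if err := os.WriteFile(path, data, mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

// issuePair generates a fresh 2048-bit key, issues its certificate in the FR7 style and writes both files; a nil parent yields the self-signed CA.
func issuePair(datadir, certFile, keyFile string, serial int64, cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 stores times with second precision
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),        // FR7.6: 1 = CA, 2 = Server, 3 = Client
		Subject:               pkix.Name{CommonName: cn}, // FR7.3/FR7.4: CN only, C/ST/O/OU/email blank
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, // my choice, not in the WL
		BasicConstraintsValid: true,
	}
	if parent == nil { // the CA signs itself and is the only certificate allowed to sign others
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	if err := writePEM(filepath.Join(datadir, certFile), "CERTIFICATE", der, certMode); err != nil {
		return nil, nil, err
	}
	return cert, key, writePEM(filepath.Join(datadir, keyFile), "RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(key), keyMode)
}

// AutoGenerate writes the complete FR2 layout into datadir and returns the parsed CA and server certificates for inspection.
func AutoGenerate(datadir, serverVersion string) (ca, server *x509.Certificate, err error) {
	ca, caKey, err := issuePair(datadir, "ca.pem", "ca-key.pem", 1, fmt.Sprintf("MySQL_Server_%s_Auto_Generated_CA_Certificate", serverVersion), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	if server, _, err = issuePair(datadir, "server-cert.pem", "server-key.pem", 2, fmt.Sprintf("MySQL_Server_%s_Auto_Generated_Server_Certificate", serverVersion), ca, caKey); err != nil {
		return nil, nil, err
	}
	if _, _, err = issuePair(datadir, "client-cert.pem", "client-key.pem", 3, fmt.Sprintf("MySQL_Server_%s_Auto_Generated_Client_Certificate", serverVersion), ca, caKey); err != nil {
		return nil, nil, err
	}
	// FR8: the sha256_password pair is a bare RSA key pair, not a certificate.
	rsaKey, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&rsaKey.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	if err = writePEM(filepath.Join(datadir, "private_key.pem"), "RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(rsaKey), keyMode); err != nil {
		return nil, nil, err
	}
	return ca, server, writePEM(filepath.Join(datadir, "public_key.pem"), "PUBLIC KEY", pub, certMode)
}

func main() { // stand-alone use: write the layout into the current directory; the version string is a placeholder
	if _, _, err := AutoGenerate(".", "5.7.x-example"); err != nil {
		fmt.Println("generation failed:", err)
		os.Exit(1)
	}
}
```

After generation, the operator-side check that matters is that server-cert.pem chains to ca.pem and that the key files really are owner-only; both follow directly from the returned certificates and the file modes, which is what the test below asserts on.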

I-6. If the SSL files are generated automatically, or if ca.pem, server-cert.pem
and server-key.pem are found in the DATA directory, the values of the following
variables will be modified:

--ssl-ca => ca.pem
--ssl-cert => server-cert.pem
--ssl-key => server-key.pem

I-7. If the RSA key pair is generated automatically, the private/public key path
variables need no update, because their default values already point to the
default location and file names.
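The start-up decision described in I-3, I-4, I-6 and I-7, as an added Go example that is neither the worklog's nor the MySQL server's code: explicit options are passed in as a map, the DATA directory is inspected, and the result is both the action (generate, discover, or leave alone) and the ssl-ca/ssl-cert/ssl-key or RSA path values the server should report afterwards per FR9/FR10. Option and file names are those of FR2, I-3 and I-4; how a partially present file set is treated is my assumption, since the WL does not define that case.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Action is the outcome of the start-up check for one artifact family (SSL or RSA).
type Action int

const (
	ActionNone     Action = iota // auto generation is OFF (FR3) or an explicit option wins (FR4, FR5, FR6)
	ActionDiscover               // every default file already exists: adopt it and update the variables (FR9, I-6)
	ActionGenerate               // nothing configured and nothing on disk: generate (FR7, FR8)
)

func (a Action) String() string { return [...]string{"none", "discover", "generate"}[a] }

// sslOptions are the options whose explicit presence switches the SSL defaults off (I-3a);
// sslFiles maps the variables I-6 updates to the default artifacts looked for in the DATA directory (I-3b).
var sslOptions = []string{"ssl-ca", "ssl-capath", "ssl-cert", "ssl-key", "ssl-cipher", "ssl-crl", "ssl-crlpath"}
var sslFiles = map[string]string{"ssl-ca": "ca.pem", "ssl-cert": "server-cert.pem", "ssl-key": "server-key.pem"}

// rsaOptions and rsaFiles play the same roles for the sha256_password key pair (I-4, FR6, FR2).
var rsaOptions = []string{"sha256_password_private_key_path", "sha256_password_public_key_path"}
var rsaFiles = map[string]string{
	"sha256_password_private_key_path": "private_key.pem",
	"sha256_password_public_key_path":  "public_key.pem",
}

// resolve applies the shared rule and returns the action plus the variable values the server
// should report afterwards (FR9, FR10). The WL does not say what happens when only some of the
// default files exist; this example treats that as ActionNone (assumption) so that nothing is
// generated next to a half-present set and the explicit configuration is left untouched.
func resolve(enabled bool, opts map[string]string, datadir string, optNames []string, files map[string]string) (Action, map[string]string) {
	resolved := make(map[string]string, len(opts)+len(files))
	for k, v := range opts {
		resolved[k] = v // explicit options are always kept (FR4)
	}
	if !enabled {
		return ActionNone, resolved
	}
	for _, name := range optNames {
		if _, set := opts[name]; set {
			return ActionNone, resolved
		}
	}
	present := 0
	for _, f := range files {
		if _, err := os.Stat(filepath.Join(datadir, f)); err == nil {
			present++
		}
	}
	action := ActionNone
	switch present {
	case 0:
		action = ActionGenerate
	case len(files):
		action = ActionDiscover
	}
	if action != ActionNone {
		for variable, f := range files {
			resolved[variable] = filepath.Join(datadir, f)
		}
	}
	return action, resolved
}

// ResolveSSL evaluates --auto_generate_certs against the explicit SSL options and the DATA directory (I-3, I-6).
func ResolveSSL(autoGenerateCerts bool, opts map[string]string, datadir string) (Action, map[string]string) {
	return resolve(autoGenerateCerts, opts, datadir, sslOptions, sslFiles)
}

// ResolveRSA does the same for --sha256_password_auto_generate_rsa_keys (I-4, I-7).
func ResolveRSA(autoGenerateRSAKeys bool, opts map[string]string, datadir string) (Action, map[string]string) {
	return resolve(autoGenerateRSAKeys, opts, datadir, rsaOptions, rsaFiles)
}

func main() { // stand-alone use: evaluate the current directory as DATADIR with no explicit options
	a, vars := ResolveSSL(true, map[string]string{}, ".")
	fmt.Println("ssl action:", a, vars)
	a, vars = ResolveRSA(true, map[string]string{}, ".")
	fmt.Println("rsa action:", a, vars)
}
```

The point worth noticing is FR5: a single explicit SSL option such as ssl-cipher is enough to disable all of the SSL defaults, so an operator who sets only a cipher list on a fresh data directory ends up with no certificates at all rather than auto-generated ones.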

Documentation should be generated describing procedures for further hardening of
SSL deployments.  This should highlight the need to use a trusted CA, secure
distribution (or generation) of keys, and tracking certificate expiration.