This section describes configuring the server for secure connections and distributing client certificate and keys files.
-
MySQL requires certificate and key files to enable secure connections. By default, MySQL servers that are compiled using OpenSSL generate these files in the data directory at startup if they are not present. (MySQL Enterprise Edition is compiled using OpenSSL.) The only requirement is that the
--ssl
option is enabled, which it is by default, and no other--ssl-
options are specified.*
-
Check the data directory of the MySQL installation to verify that server and client certificate and key files were generated:
$> cd /usr/local/mysql/data $> ls *.pem ca-key.pem client-cert.pem private_key.pem server-cert.pem ca.pem client-key.pem public_key.pem server-key.pem
ImportantGeneration of certificate files by MySQL helps lower the barrier to using TLS. However, these certificates are self-signed, which is not very secure. After you gain experience using the files generated by MySQL, consider obtaining a CA certificate from a registered certificate authority.
-
These options identify the certificate and key files the server uses when establishing a secure connection:
-
ssl-ca=ca.pem
Identifies the Certificate Authority (CA) certificate.
-
ssl-cert=server-cert.pem
Identifies the server public key certificate.
-
ssl-key=server-key.pem
Identifies the server private key.
To configure these options explicitly, add them under the
[mysqld]
option group in the MySQL configuration file (/etc/my.cnf
):ssl_ca=ca.pem ssl_cert=server-cert.pem ssl_key=server-key.pem
-
-
-
By default, the MySQL server accepts TCP/IP connections from MySQL user accounts on all server host IPv6 and IPv4 interfaces. You can make this configuration more restrictive by setting the
bind_address
configuration option to a specific IPv4 or IPv6 address so that the server only accepts TCP/IP connections on that address.For example, to have the MySQL server only accept connections on a specific IPv4 address, add an entry similar to this under the
[mysqld]
option group in the MySQL configuration file (/etc/my.cnf
):bind_address=192.0.2.24
In this case, clients can connect to the server using
--host=192.0.2.24
. Connections on other server host addresses are not permitted.For more information about
bind_address
configuration, see Server Command Options. -
The
tls_version
option defines protocols permitted by the server for encrypted connections. To ensure that clients connect to the server using TLSv1.2, which provides greater security than earlier TLS versions, settls_version
to TLSv1.2. When compiled using OpenSSL 1.0.1 or higher, MySQL supports the TLSv1, TLSv1.1, and TLSv1.2 protocols.tls_version=TLSv1.2
With this setting, only clients that support TLSv1.2 are able to establish an encrypted connection to the server. MySQL Enterprise Edition clients in MySQL 5.7 and higher support TLSv1.2.
-
To further harden your deployment, you can use the
ssl-cipher
option limit the ciphers that a server permits for encrypted connections. For example, to permit a single cipher, add an entry similar to this under the[mysqld]
option group in the MySQL configuration file (/etc/my.cnf
):ssl_cipher=DHE-RSA-AES128-GCM-SHA256
To specify more than one cipher, separate cipher names with colons.
You can determine which ciphers a given server supports by establishing an encrypted connection to the server and issuing the following statement to check the value of the
Ssl_cipher_list
status variable:mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher_list'\G
For more information about ciphers, see Encrypted Connection TLS Protocols and Ciphers.
-
Optionally, to require that all clients connect to the server securely, you can enable the
require_secure_transport
option. When this option is enabled, the server only permits TCP/IP connections that use TLS, or that use a socket file (on Unix) or shared memory (on Windows). Connections that use insecure transport are prohibited, including unencrypted connections that use RSA key pair-based password exchange.The
require_secure_transport
option is not used in this deployment so that RSA key pair-based password exchange over an unencrypted connection can be demonstrated. (See Using RSA Key Pair-Based Password Exchange Over an Unencrypted Connection.)NoteEnabling
require_secure_transport
prevents TCP/IP connections that do not use TLS. Requiring all TCP/IP connections to use TLS may impact performance due to associated network and CPU costs. -
Restart the server to apply the configuration changes:
$> systemctl restart mysqld
Client certificate and key files are created in the MySQL data
directory by default. Permissions for the data directory enable
access only to the mysql
account that runs
the MySQL server, so client programs cannot use files located
there. To make the files available to clients, either distribute
the files to client hosts or place them on a mounted partition
that is accessible to clients. The files should reside in a
directory that is readable (but not writable) by the client. Use
a secure channel when distributing the files to ensure they are
not tampered with during transit.
The client certificate and key files to distribute include:
ca.pem
(CA certificate)client-cert.pem
(Client certificate)client-key.pem
(Client private key)
The ca.pem
,
client-cert.pem
, and
client-key.pem
files are used later to
establish an encrypted connection to the server.
Optionally, also distribute the RSA public key file
(public_key.pem
). For OpenSSL-compiled
mysql clients that authenticate using the
sha256_password
plugin, this file is used for
RSA key pair-based password exchange with the server over an
unencrypted connection.
The location of the files on the client host or mounted partition is required later when connecting to the server.