MySQL Secure Deployment Guide  /  Configuring MySQL to Use Secure Connections

Chapter 12 Configuring MySQL to Use Secure Connections

This section describes configuring the server for secure connections and distributing client certificate and keys files.

Configuring the Server for Secure Connections

  1. MySQL requires certificate and key files to enable secure connections. By default, MySQL servers that are compiled using OpenSSL generate these files in the data directory at startup if they are not present. (MySQL Enterprise Edition is compiled using OpenSSL.) The only requirement is that the --ssl option is enabled, which it is by default, and no other --ssl-* options are specified.

    1. Check the data directory of the MySQL installation to verify that server and client certificate and key files were generated:

      $> cd /usr/local/mysql/data
      $> ls *.pem
      ca-key.pem  client-cert.pem  private_key.pem  server-cert.pem
      ca.pem      client-key.pem   public_key.pem   server-key.pem
      Important

      Generation of certificate files by MySQL helps lower the barrier to using TLS. However, these certificates are self-signed, which is not very secure. After you gain experience using the files generated by MySQL, consider obtaining a CA certificate from a registered certificate authority.

    2. These options identify the certificate and key files the server uses when establishing a secure connection:

      • ssl-ca=ca.pem

        Identifies the Certificate Authority (CA) certificate.

      • ssl-cert=server-cert.pem

        Identifies the server public key certificate.

      • ssl-key=server-key.pem

        Identifies the server private key.

      To configure these options explicitly, add them under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf):

      ssl_ca=ca.pem
      ssl_cert=server-cert.pem
      ssl_key=server-key.pem
  2. By default, the MySQL server accepts TCP/IP connections from MySQL user accounts on all server host IPv6 and IPv4 interfaces. You can make this configuration more restrictive by setting the bind_address configuration option to a specific IPv4 or IPv6 address so that the server only accepts TCP/IP connections on that address.

    For example, to have the MySQL server only accept connections on a specific IPv4 address, add an entry similar to this under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf):

    bind_address=192.0.2.24

    In this case, clients can connect to the server using --host=192.0.2.24. Connections on other server host addresses are not permitted.

    For more information about bind_address configuration, see Server Command Options.

  3. The tls_version option defines protocols permitted by the server for encrypted connections. To ensure that clients connect to the server using TLSv1.3, which provides greater security than earlier TLS versions, set tls_version to TLSv1.3. When compiled using OpenSSL 1.1.1 or higher, MySQL supports the TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3 protocols.

    tls_version=TLSv1.3

    With this setting, only clients that support TLSv1.3 are able to establish an encrypted connection to the server. Support for the TLSv1.3 protocol is available as of MySQL 8.0.16 for MySQL servers and clients compiled with OpenSSL 1.1.1 or higher.

  4. To further harden your deployment, you can use the tls_ciphersuites variable to limit the ciphersuites that the server permits for encrypted connections that use TLSv1.3. For example, to permit a single ciphersuite, add an entry similar to this under the [mysqld] option group in the MySQL configuration file (/etc/my.cnf):

    tls_ciphersuites=TLS_AES_128_GCM_SHA256

    To specify more than one ciphersuite, separate ciphersuite names with colons.

    You can determine which ciphersuites a given server supports by establishing an encrypted connection to the server and issuing the following statement to check the value of the Ssl_cipher_list status variable:

    mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher_list'\G

    For encrypted connections that use TLSv1.3, OpenSSL 1.1.1 and higher supports the following ciphersuites, the first three of which are enabled by default:

    TLS_AES_128_GCM_SHA256
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_CCM_SHA256
    TLS_AES_128_CCM_8_SHA256
    Note

    Ciphersuite support was added in MySQL 8.0.16 for encrypted connections that use TLSv1.3. If you use TLSv1.2 or lower, use the --ssl-cipher option to configure a specific cipher instead of using tls_ciphersuites.

    Optionally, you can use the --tls-ciphersuites option to limit the ciphersuites that client programs permit for encrypted connections that use TLSv1.3.

    For more information about ciphers and ciphersuites, see Encrypted Connection TLS Protocols and Ciphers.

  5. Optionally, to require that all clients connect to the server securely, you can enable the require_secure_transport option. When this option is enabled, the server only permits TCP/IP connections that use TLS, or that use a socket file (on Unix) or shared memory (on Windows). Connections that use insecure transport are prohibited, including unencrypted connections that use RSA key pair-based password exchange.

    The require_secure_transport option is not used in this deployment so that RSA key pair-based password exchange over an unencrypted connection can be demonstrated. (See Using RSA Key Pair-Based Password Exchange Over an Unencrypted Connection.)

    Note

    Enabling require_secure_transport prevents TCP/IP connections that do not use TLS. Requiring all TCP/IP connections to use TLS may impact performance due to associated network and CPU costs.

  6. Restart the server to apply the configuration changes:

    $> systemctl restart mysqld

Distributing Client Certificate and Key Files

Client certificate and key files are created in the MySQL data directory by default. Permissions for the data directory enable access only to the mysql account that runs the MySQL server, so client programs cannot use files located there. To make the files available to clients, either distribute the files to client hosts or place them on a mounted partition that is accessible to clients. The files should reside in a directory that is readable (but not writable) by the client. Use a secure channel when distributing the files to ensure they are not tampered with during transit.

The client certificate and key files to distribute include:

  • ca.pem (CA certificate)

  • client-cert.pem (Client certificate)

  • client-key.pem (Client private key)

The ca.pem, client-cert.pem, and client-key.pem files are used later to establish an encrypted connection to the server.

Optionally, also distribute the RSA public key file (public_key.pem). For OpenSSL-compiled mysql clients that authenticate using the sha256_password plugin, this file is used for RSA key pair-based password exchange with the server over an unencrypted connection.

The location of the files on the client host or mounted partition is required later when connecting to the server.