
MySQL : Configure SSL Connections

This article describes how to enable SSL connections to MySQL.


Server Configuration

Log on to the server and check the current SSL configuration.

# mysql --user=root --password

mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+
1 row in set (0.00 sec)

mysql>

This means the installation supports SSL, but it is currently disabled.

Create the relevant certificates as described in Example 1 on the Setting Up SSL Certificates and Keys for MySQL page of the documentation. The text below is a reproduction of that method.

# Create location for certificates
mkdir -p /home/mysql/certs/
cd /home/mysql/certs/

# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
        -key ca-key.pem -out ca-cert.pem

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
        -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 \
        -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 \
        -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

# Verify certificates
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

When prompted I used the following details.

Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:West Midlands
Locality Name (eg, city) [Default City]:Birmingham
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
**** Only use the ".localdomain" suffix in the Common Name of the first (CA) certificate! The server and client Common Names must differ from the CA's, otherwise the certificate verification fails. ****
Common Name (eg, your name or your server's hostname) []:ol6-mysql.localdomain
Email Address []:me@mycompany.com

When prompted for the extra attributes, I supplied a password, but no optional company name.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:MyPassword1
An optional company name []:

Add the following into the "/etc/my.cnf" file, under the "[mysqld]" section.

# SSL Settings
ssl-ca=/home/mysql/certs/ca-cert.pem
ssl-cert=/home/mysql/certs/server-cert.pem
ssl-key=/home/mysql/certs/server-key.pem

Add in the following client section to the "/etc/my.cnf" file.

[client]
# SSL Settings
ssl-ca=/home/mysql/certs/ca-cert.pem
ssl-cert=/home/mysql/certs/client-cert.pem
ssl-key=/home/mysql/certs/client-key.pem

Restart the mysqld service.

# service mysqld restart

Check the SSL configuration of the server again.

# mysql --user=root --password

mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.00 sec)

mysql>

SSL connectivity is now enabled on the server.

User Creation

Once SSL is configured, any connection to MySQL can optionally use SSL. The use of SSL can be enforced per user with a REQUIRE clause. Using "REQUIRE SSL" means the client must have access to the "ca-cert.pem" certificate. Using "REQUIRE X509" means the client also needs access to the client certificate and key. We can test this using the following users.

DROP USER 'ssltest'@'%';
CREATE USER 'ssltest'@'%' IDENTIFIED BY 'MyPassword1';
GRANT USAGE ON *.* TO 'ssltest'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;

DROP USER 'x509test'@'%';
CREATE USER 'x509test'@'%' IDENTIFIED BY 'MyPassword1';
GRANT USAGE ON *.* TO 'x509test'@'%' REQUIRE X509;
FLUSH PRIVILEGES;
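The difference between REQUIRE SSL and REQUIRE X509 above is a per-account check the server applies after the TLS handshake. The following is an added example, not code from this article or from MySQL: it models that check using the ssl_type / x509_issuer / x509_subject columns of the mysql.user table (where REQUIRE SSL is stored as 'ANY') and goes one step beyond the page by also handling REQUIRE ISSUER / SUBJECT. The accounts and connections are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Account:
    """One row of mysql.user, reduced to the columns the REQUIRE clause uses."""
    user: str
    host: str
    ssl_type: str            # '' (NONE), 'ANY' (REQUIRE SSL), 'X509', 'SPECIFIED'
    x509_issuer: str = ""    # only consulted when ssl_type == 'SPECIFIED'
    x509_subject: str = ""


@dataclass
class ConnectionInfo:
    """What the server knows about a session once the handshake is finished."""
    cipher: Optional[str]               # e.g. 'DHE-RSA-AES256-SHA'; None = plaintext
    client_cert_verified: bool = False  # client cert chained to the server's ssl-ca
    issuer: str = ""                    # DN fields of the presented client cert
    subject: str = ""


def tls_requirement_satisfied(acct: Account, conn: ConnectionInfo) -> bool:
    """Return True when the session meets the account's REQUIRE clause."""
    if acct.ssl_type == "":
        return True                      # REQUIRE NONE: plaintext logins allowed
    if conn.cipher is None:
        return False                     # every other level needs encryption (ERROR 1045)
    if acct.ssl_type == "ANY":
        return True                      # REQUIRE SSL: encryption alone is enough
    if not conn.client_cert_verified:
        return False                     # X509 / SPECIFIED need a valid client cert
    if acct.ssl_type == "X509":
        return True
    if acct.ssl_type == "SPECIFIED":     # REQUIRE ISSUER / SUBJECT: exact DN match
        if acct.x509_issuer and acct.x509_issuer != conn.issuer:
            return False
        return not acct.x509_subject or acct.x509_subject == conn.subject
    raise ValueError(f"unknown ssl_type {acct.ssl_type!r}")


def accounts_without_tls_requirement(accounts: List[Account]) -> List[str]:
    """Audit helper: accounts that still accept plaintext logins."""
    return [f"'{a.user}'@'{a.host}'" for a in accounts if a.ssl_type == ""]


# Constructed sample data: the two test users from this article plus a legacy account.
SAMPLE_ACCOUNTS = [
    Account("ssltest", "%", "ANY"),
    Account("x509test", "%", "X509"),
    Account("app", "%", ""),
]
```

Running accounts_without_tls_requirement over SAMPLE_ACCOUNTS flags only 'app'@'%', the kind of account worth tightening once the server-side SSL setup above is in place.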

SSL Connections From Clients

The presence of the SSL configuration in the "[client]" section of the "my.cnf" file means we can test the connection very simply from the server.

$ mysql --user=ssltest --password

Once connected, we can see the connection is using SSL by issuing the following command.

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.00 sec)

mysql>

Alternatively, using "\s" from the command prompt will include the SSL configuration amongst other things.

mysql> \s
...
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
...
mysql>

Attempting to connect as this user without SSL will result in an error.

$ mysql --user=ssltest --password --ssl=0
Enter password:
ERROR 1045 (28000): Access denied for user 'ssltest'@'localhost' (using password: YES)
-bash-4.1$

From a client machine, we need access to the "ca-cert.pem" file to connect as the "ssltest" user.

C:> mysql --host=fin-db-dev1 --user=ssltest --password ^
      --ssl-ca=c:\ca-cert.pem

Connecting as the "x509test" user also requires the client certificate and key.

C:> mysql --host=fin-db-dev1 --user=x509test --password ^
      --ssl-ca=c:\ca-cert.pem --ssl-cert=c:\client-cert.pem --ssl-key=c:\client-key.pem

Instead of passing them on the command line, the SSL details can be added to a local option file. For example, a file called "C:\my.cnf" could be created with the following contents.

[client]
# SSL Settings
ssl-ca=C:\ca-cert.pem
ssl-cert=C:\client-cert.pem
ssl-key=C:\client-key.pem

Connections could now be made as follows.

C:> mysql --defaults-extra-file=c:\my.cnf --host=fin-db-dev1 --user=ssltest --password


Hope this helps. Regards Tim...
