17 June 2008

SSL in MySQL connections

Last week I wanted to figure out how to use SSL certificates in MySQL connections. This is well-documented on the MySQL Web site, but here are a few wrinkles I experienced while figuring out how to get this working (this was with MySQL5 on CentOS5 and RHEL5).

After creating the certificate authority (CA) certificate/keyfile pair, you can specify them in the mysqld section of /etc/my.cnf:
ssl-ca=/etc/pki/CA/ca-cert.pem
ssl-cert=/etc/pki/tls/certs/mysql-server-cert.pem
ssl-key=/etc/pki/tls/private/mysql-server-key.pem


When making certificates for a client connecting locally (e.g., ssluser@localhost), it's important to supply localhost as the "common name" when prompted by openssl. (Yes, it's probably pretty silly to use SSL for a connection over the loopback interface, but you might be in this situation if you were testing.)

If you want to specify the CA (whose signature must appear in client certificates) when setting up a MySQL user (as you might when using the require x509 syntax), the fields should be separated by backslashes ('/'): grant usage on *.* to ssluser@localhost require issuer '/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=www.example.com/emailAddress=webmaster@example.com';
The following command will more-or-less correctly format the issuer for the grant statement:

openssl x509 -text -in /path/to/ca-cert.pem | grep Issuer \
| cut -d':' -f2 | sed -e 's/, /\//g'


Using issuer and subject items imply x509, and it's an error to try using x509 and issuer.

Depending on the require clause in the grant statement, you can use one or more of the following to connect to the SSL-enabled server:


  1. mysql -u ssluser -p

  2. mysql -u ssluser --ssl-ca=ca-cert.pem -p

  3. mysql -u ssluser --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -p



If you use require none or omit the require clause, you can use any of the three connection commands. If you use require ssl, you can use #2 or #3. And if you use require x509, you have to use #3 (note that #3 includes the --ssl-ca option). After connecting, type status (or just \s) and make sure that the SSL item says something encryptiony (mine says Cipher in use is DHE-RSA-AES256-SHA).

Unless client certificates are really necessary (extra client-level authentication), it's probably adequate just to use require ssl and to have the client provide the CA certificate (this appears to provide as high a level of encryption as the client certificate does). But note that you still need to generate the server certificate and key, even if you're not using client certificates.

7 comments:

Anonymous said...

if i using mysql in windows. how i configure ssl in mysql?

mbrisby said...

I assume it's a similar procedure, but I've never run MySQL in Windows. Sorry.

zerikv said...

Thanks a lot Carl. You have saved my time with the trick about the slashs in the issuer and the subject.

sebbu said...

if i want to access mysql from php with ssl AND x509 identification, is it possible ?

mbrisby said...

@sebbu, "REQUIRE X509" implies "REQUIRE SSL"

Neeraj Verma said...

Will this allow clients to login by just providing the certificate and not be required to enter a password? If not then how would I achieve this?

mbrisby said...

No, enabling client certificates doesn't bypass password authentication. If you want a user to be able to log in without a password, just don't set a password for that user.