Embedded Files
To setup SSL connections for MySQL you need three things...
A Certificate Authority (CA) certificate
A server public key certificate file
A server private key file
NOTE: As of MySQL 5.7.35, the TLSv1 and TLSv1.1 connection protocols are deprecated and support for them is subject to removal in a future MySQL version. (1)
You can also block deprecated TLS versions at a UNIX level.
Basic Configuration
Basic Configuration
/etc/my.cnf
/etc/my.cnf
# TLS
ssl-ca = CA.cer
ssl-cert = cert.pem
ssl-key = key.pem
tls-version = TLSv1.2
Other variables...
require_secure_transport
ssl_capath
ssl_cipher
ssl_crl
ssl_crlpath
tls_ciphersuites
Assumes all certificates and keys are in /var/lib/mysql (or your specified datadir) with the following UNIX level permissions...
chmod 644 CA.cerchmod 644 cert.pemchmod 600 key.pem
chmod 644 CA.cerchmod 644 cert.pemchmod 600 key.pem
If you leave ssl-ca, ssl-cert and ssl-key unset, MySQL will use the auto generated (in your data_dir) default certs and keys...
ca-key.pemca.pemclient-cert.pemclient-key.pemprivate_key.pempublic_key.pemserver-cert.pemserver-key.pem
ca-key.pemca.pemclient-cert.pemclient-key.pemprivate_key.pempublic_key.pemserver-cert.pemserver-key.pem
tls-version can be a comma separated list of versions e.g. TLSv1.2,TLSv1.3. Note that TLS1.3 is only valid if MySQL is compiled with openssl 1.1.1 or higher. Check with...ldd $(which mysqld) | grep libssl
Troubleshooting
Troubleshooting
These messages are common in the mysql.log at instance startup when the instance reads SSL/TLS config from my.cnf...
[Warning] [MY-013414] [Server] Server SSL certificate doesn't verify: certificate has expired.
Check with...openssl x509 -enddate -noout -in cert.pem
[Warning] [MY-010068] [Server] CA certificate CA.cer is self signed.
[System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
[Warning] A deprecated TLS version TLSv1 is enabled. Please use TLSv1.2 or higher.
[Warning] A deprecated TLS version TLSv1.1 is enabled. Please use TLSv1.2 or higher.
Check with...SHOW GLOBAL VARIABLES LIKE 'tls_version';
Fix by setting this in the /etc/my.cnf and restarting MySQL...tls_version=TLSv1.2
Status Variables
Status Variables
The following status variables are relevant...
tls_library_version
SELECT variable_name, variable_value
FROM performance_schema.global_status
WHERE variable_name LIKE 'current_tls%';
Bibliography & References
Bibliography & References
https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.htmlhttps://dev.mysql.com/doc/refman/8.0/en/server-status-variable-reference.htmlhttps://docs.banyansecurity.io/docs/feature-guides/infrastructure/databases/cert-auth-mysql/(1) https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.htmlhttps://serverfault.com/questions/477677/how-to-determine-which-ssl-library-mysql-is-using
Page updated
Google Sites
Report abuse