Rechercher
SupportConsoleDéveloppeursCommencer un essaiContact

2.5. Globally enabling TLS encryption in MariaDB clients

download PDF

If your MariaDB server supports TLS encryption, configure your clients to establish only secure connections and to verify the server certificate. This procedure describes how to enable TLS support for all users on the server.

2.5.1. Configuring the MariaDB client to use TLS encryption by default

On RHEL, you can globally configure that the MariaDB client uses TLS encryption and verifies that the Common Name (CN) in the server certificate matches the hostname the user connects to. This prevents man-in-the-middle attacks.

Conditions préalables

  • The MariaDB server has TLS support enabled.
  • If the certificate authority (CA) that issued the server’s certificate is not trusted by RHEL, the CA certificate has been copied to the client.

Procédure

  1. If RHEL does not trust the CA that issued the server’s certificate:

    1. Copy the CA certificate to the /etc/pki/ca-trust/source/anchors/ directory: 

      # cp <path>/ca.crt.pem /etc/pki/ca-trust/source/anchors/

    2. Set permissions that enable all users to read the CA certificate file: 

      # chmod 644 /etc/pki/ca-trust/source/anchors/ca.crt.pem

    3. Rebuild the CA trust database: 

      # update-ca-trust

  2. Create the /etc/my.cnf.d/mariadb-client-tls.cnf file with the following content: 

    [client-mariadb]
ssl
ssl-verify-server-cert

    These settings define that the MariaDB client uses TLS encryption (ssl) and that the client compares the hostname with the CN in the server certificate (ssl-verify-server-cert).

Vérification

  • Connect to the server using the hostname, and display the server status: 

    # mysql -u root -p -h server.example.com -e status
...
SSL:        Cipher in use is TLS_AES_256_GCM_SHA384

    If the SSL entry contains Cipher in use is…​, the connection is encrypted.

    Note that the user you use in this command has permissions to authenticate remotely.

    If the hostname you connect to does not match the hostname in the TLS certificate of the server, the ssl-verify-server-cert parameter causes the connection to fail. For example, if you connect to localhost: 

    # mysql -u root -p -h localhost -e status
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

Ressources supplémentaires

  • The --ssl* parameter descriptions in the mysql(1) man page.
Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.