2.5. Globally enabling TLS encryption in MariaDB clients
If your MariaDB server supports TLS encryption, configure your clients to establish only secure connections and to verify the server certificate. This procedure describes how to enable TLS support for all users on the server.
2.5.1. Configuring the MariaDB client to use TLS encryption by default
On RHEL, you can globally configure that the MariaDB client uses TLS encryption and verifies that the Common Name (CN) in the server certificate matches the hostname the user connects to. This prevents man-in-the-middle attacks.
Conditions préalables
- The MariaDB server has TLS support enabled.
- If the certificate authority (CA) that issued the server’s certificate is not trusted by RHEL, the CA certificate has been copied to the client.
Procédure
If RHEL does not trust the CA that issued the server’s certificate:
Copy the CA certificate to the
/etc/pki/ca-trust/source/anchors/
directory:# cp <path>/ca.crt.pem /etc/pki/ca-trust/source/anchors/
Set permissions that enable all users to read the CA certificate file:
# chmod 644 /etc/pki/ca-trust/source/anchors/ca.crt.pem
Rebuild the CA trust database:
# update-ca-trust
Create the
/etc/my.cnf.d/mariadb-client-tls.cnf
file with the following content:[client-mariadb] ssl ssl-verify-server-cert
These settings define that the MariaDB client uses TLS encryption (
ssl
) and that the client compares the hostname with the CN in the server certificate (ssl-verify-server-cert
).
Vérification
Connect to the server using the hostname, and display the server status:
# mysql -u root -p -h server.example.com -e status ... SSL: Cipher in use is TLS_AES_256_GCM_SHA384
If the
SSL
entry containsCipher in use is…
, the connection is encrypted.Note that the user you use in this command has permissions to authenticate remotely.
If the hostname you connect to does not match the hostname in the TLS certificate of the server, the
ssl-verify-server-cert
parameter causes the connection to fail. For example, if you connect tolocalhost
:# mysql -u root -p -h localhost -e status ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
Ressources supplémentaires
-
The
--ssl*
parameter descriptions in themysql(1)
man page.