Red Hat Summit2.4. Setting up TLS encryption on a MySQL server
By default, MySQL uses unencrypted connections. For secure connections, enable TLS support on the MySQL server and configure your clients to establish encrypted connections.
2.4.1. Placing the CA certificate, server certificate, and private key on the MySQL server
Before you can enable TLS encryption on the MySQL server, store the certificate authority (CA) certificate, the server certificate, and the private key on the MySQL server.
Prerequisites
The following files in Privacy Enhanced Mail (PEM) format have been copied to the server:
-
The private key of the server:
server.example.com.key.pem -
The server certificate:
server.example.com.crt.pem -
The Certificate Authority (CA) certificate:
ca.crt.pem
For details about creating a private key and certificate signing request (CSR), as well as about requesting a certificate from a CA, see your CA’s documentation.
-
The private key of the server:
Procedure
Store the CA and server certificates in the
/etc/pki/tls/certs/directory:# mv <path>/server.example.com.crt.pem /etc/pki/tls/certs/ # mv <path>/ca.crt.pem /etc/pki/tls/certs/Set permissions on the CA and server certificate that enable the MySQL server to read the files:
# chmod 644 /etc/pki/tls/certs/server.example.com.crt.pem /etc/pki/tls/certs/ca.crt.pemBecause certificates are part of the communication before a secure connection is established, any client can retrieve them without authentication. Therefore, you do not need to set strict permissions on the CA and server certificate files.
Store the server’s private key in the
/etc/pki/tls/private/directory:# mv <path>/server.example.com.key.pem /etc/pki/tls/private/Set secure permissions on the server’s private key:
# chmod 640 /etc/pki/tls/private/server.example.com.key.pem # chgrp mysql /etc/pki/tls/private/server.example.com.key.pemIf unauthorized users have access to the private key, connections to the MySQL server are no longer secure.
Restore the SELinux context:
# restorecon -Rv /etc/pki/tls/
2.4.2. Configuring TLS encryption on a MySQL server
By default, MySQL uses unencrypted connections. For more secure connections, you can enable Transport Layer Security (TLS) support on the MySQL server and configure your clients to establish encrypted connections.
Prerequisites
- You installed the MySQL server.
-
The
mysqldservice is running. The following files in Privacy Enhanced Mail (PEM) format exist on the server and are readable by the
mysqluser:-
The private key of the server:
/etc/pki/tls/private/server.example.com.key.pem -
The server certificate:
/etc/pki/tls/certs/server.example.com.crt.pem -
The Certificate Authority (CA) certificate
/etc/pki/tls/certs/ca.crt.pem
-
The private key of the server:
- The subject distinguished name (DN) or the subject alternative name (SAN) field in the server certificate matches the server’s host name.
Procedure
Create the
/etc/my.cnf.d/mysql-server-tls.cnffile:Add the following content to configure the paths to the private key, server and CA certificate:
[mysqld] ssl_key = /etc/pki/tls/private/server.example.com.key.pem ssl_cert = /etc/pki/tls/certs/server.example.com.crt.pem ssl_ca = /etc/pki/tls/certs/ca.crt.pemIf you have a Certificate Revocation List (CRL), configure the MySQL server to use it:
ssl_crl = /etc/pki/tls/certs/example.crl.pemOptional: Reject connection attempts without encryption. To enable this feature, append:
require_secure_transport = onOptional: Set the TLS versions the server should support. For example, to support only TLS 1.3, append:
tls_version = TLSv1.3By default, the server supports TLS 1.2 and TLS 1.3.
Restart the
mysqldservice:# systemctl restart mysqld
Verification
To simplify troubleshooting, perform the following steps on the MySQL server before you configure the local client to use TLS encryption:
Verify that MySQL now has TLS encryption enabled:
# mysql -u root -p -h <MySQL_server_hostname> -e "SHOW session status LIKE 'Ssl_cipher';" +---------------+------------------------+ | Variable_name | Value | +---------------+------------------------+ | Ssl_cipher | TLS_AES_256_GCM_SHA384 | +---------------+------------------------+If you configured the MySQL server to only support specific TLS versions, display the
tls_versionvariable:# mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'tls_version';" +---------------+---------+ | Variable_name | Value | +---------------+---------+ | tls_version | TLSv1.3 | +---------------+---------+Verify that the server uses the correct CA certificate, server certificate, and private key files:
# mysql -u root -e "SHOW GLOBAL VARIABLES WHERE Variable_name REGEXP '{caret}ssl_ca|{caret}ssl_cert|{caret}ssl_key';" +-----------------+-------------------------------------------------+ | Variable_name | Value | +-----------------+-------------------------------------------------+ | ssl_ca | /etc/pki/tls/certs/ca.crt.pem | | ssl_capath | | | ssl_cert | /etc/pki/tls/certs/server.example.com.crt.pem | | ssl_key | /etc/pki/tls/private/server.example.com.key.pem | +-----------------+-------------------------------------------------+
2.4.3. Requiring TLS encrypted connections for specific user accounts on a MySQL server
You can configure specific MySQL user accounts to require TLS-encrypted connections to protect sensitive data transmission.
If you cannot configure on the server that a secure transport is required for all connections (require_secure_transport = on), configure individual user accounts to require TLS encryption.
Prerequisites
- The MySQL server has TLS support enabled.
- The user you configure to require secure transport exists.
- The CA certificate is stored on the client.
Procedure
Connect as an administrative user to the MySQL server:
# mysql -u root -p -h server.example.comIf your administrative user has no permissions to access the server remotely, perform the command on the MySQL server and connect to
localhost.Use the
REQUIRE SSLclause to enforce that a user must connect by using a TLS-encrypted connection:MySQL [(none)]> ALTER USER 'example'@'%' REQUIRE SSL;
Verification
Connect to the server as the
exampleuser by using TLS encryption:# mysql -u example -p -h server.example.com ... MySQL [(none)]>If no error is shown and you have access to the interactive MySQL console, the connection with TLS succeeds.
By default, the client automatically uses TLS encryption if the server provides it. Therefore, the
--ssl-ca=ca.crt.pemand--ssl-mode=VERIFY_IDENTITYoptions are not required, but improve the security because, with these options, the client verifies the identity of the server.Attempt to connect as the
exampleuser with TLS disabled:# mysql -u example -p -h server.example.com --ssl-mode=DISABLED ERROR 1045 (28000): Access denied for user 'example'@'server.example.com' (using password: YES)The server rejected the login attempt because TLS is required for this user but disabled (
--ssl-mode=DISABLED).
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}