Friday, September 1, 2017

securing mysql with SSL/TLS

With databases and application servers, we find that most orgs do NOT deploy SSL/TLS encryption. This post will demo how easy it is to set a MySQL server up for SSL/TLS. Most DBAs I've met think;

  •  it's hard to set up and configure
  •  they are just plain lazy
  •  it offers zero security benefit
  •  or a combination of ALL the above :)




You will need the following for the server;

CA-cert
Server-cert
Server-key

You will need the following for the client(s);

CA-cert
Client-cert
Client-key


1st, here's my simplified my.cnf config (this is a very basic, leaned-down conf):


[mysqld]
bind-address = *
# CA certificate used to validate client certificates
ssl-ca=/etc/ssl/ca.pem
# the server's certificate and private key (the key must be readable by the mysql user)
ssl-cert=/etc/ssl/server-cert.pem
ssl-key=/etc/ssl/server-key.pem


Now, to check for SSL support, show the global variables and match on SSL. If you're successful, after a restart the value shown as DISABLED will read ENABLED, and SSL support will be included in the MySQL server service.








Now we can test basic access with the root account, specifying SSL;






To lock this down for a specific database user account, grant them permission and require SSL for that user (or users).








And now compare an SSL and a non-SSL access;



If a user who is required to use SSL tries to connect without SSL certificates, he/she will get a reject message similar to the one below;





Yes, it's really that simple.


In a real professional environment, you will craft unique client certificates, one per user, and ensure that each user has secured and protected his key with a passphrase.

If you want to revoke a user's access, revoke the cert and remove his database access.


For the MySQL service, ensure the mysql user that runs the daemon can read the server private key file. I've seen this be the #1 problem when setting up MySQL with SSL/TLS. chown and chmod the permissions on the private key so that just the mysql service account can read it.
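As an added check (my own example, not from the original post), here is a small Python script that pulls the ssl-* paths out of a [mysqld] section and audits the private key's owner and mode the way the paragraph above recommends. The my.cnf text and the key file it inspects are constructed samples; the expected owner is whatever uid mysqld runs as.

```python
import configparser
import os
import stat
import tempfile
# Constructed my.cnf mirroring the post's [mysqld] fragment (sample input, not a real host).
SAMPLE_CNF = """[mysqld]
bind-address = *
ssl-ca=/etc/ssl/ca.pem
ssl-cert=/etc/ssl/server-cert.pem
ssl-key=/etc/ssl/server-key.pem
"""

def ssl_paths_from_my_cnf(cnf_text):
    """Return the ssl-ca / ssl-cert / ssl-key values from the [mysqld] section."""
    # Drop !include / !includedir directives, which configparser cannot parse.
    body = "\n".join(l for l in cnf_text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(body)
    if "mysqld" not in cp:
        return {}
    sect = cp["mysqld"]
    return {k: sect[k] for k in ("ssl-ca", "ssl-cert", "ssl-key") if k in sect}

def audit_key_file(path, mysql_uid):
    """Findings for the server private key: readable by the mysqld user and by nobody else."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: file not found"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != mysql_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {mysql_uid} (fix with chown)")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} exposes the key to group/other (fix with chmod 0600)")
    if not mode & stat.S_IRUSR:
        findings.append(f"{path}: mode {mode:04o} is unreadable by its owner, mysqld cannot load it")
    return findings

def demo():
    """Audit a constructed key file before and after the fix; returns (before, after) findings."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server-key.pem")
        with open(key, "w") as f: f.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n")
        os.chmod(key, 0o644)  # the common mistake: private key readable by everyone on the host
        before = audit_key_file(key, os.getuid())
        os.chmod(key, 0o600)  # the post's fix: owner-only access for the mysql service account
        after = audit_key_file(key, os.getuid())
    return before, after
```

Run audit_key_file() against the path returned under ssl-key, with the uid of the account mysqld runs as, before starting the server.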



Ken Felix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \



