Friday, September 1, 2017

securing mysql with SSL/TLS

With databases and application  servers, we find  that most org do NOT  deploy SSL/TLS encryption. This post will demo  how easy it's to  set a  mysql server up for   SSL/TLS. Most  DBAs I've  meet thinks;

  •  its hard to setup and configure
  •  are just plain lazy
  •  feels it's offer zero-security benefits
  •  or a combination of ALL thee above :)

You will need the following for the server;


You will need the following for the client(s);


1st here's my simplified  my.cnf cfg  ( this is very basic lean down conf )

bind-address = *

Now to check for SSL support you need to  show global variables and match on SSL. If your  successful upon a restart the  DISABLE will be ENABLE and SSL support will be included in the mysql server services

Now we can test for basic  access with the root account and by specifying  SSL;

To lock this down for just a  database user account, you will grant  ( them  )  permission and set  required SSL for that user(s).

And now compare a SSL and non_SSL  access 

If a user that's required  SSL tries without  SSL certificates ( he/she ) will  get a reject message similar to  the below;

Yes it's really that simple. 

In a real professional environment, you will craft unique client-certificates  & 1 per  users  and ensure that the user has secured and protected his  key via a passphrase. 

If you  want to revoke his access revoke the cert and  remove his access.

  For  the   mysql services ensure the mysql  user that runs the daemon can read the server-private-keyfile .... I seen this  issue being the #1 problem when setting up  mysql w/SSL-TLS. chown and chmod the permission  for the priv-key   and  just for the mysql-services account

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \

No comments:

Post a Comment