Skip to main content

MySQL 8.0 : SSL/TLS Setting

 [1] . Configure MySQL.

[root@www ~]# mkdir /var/lib/mysql/pki

[root@www ~]# cp /etc/letsencrypt/live/www.srv.world/* /var/lib/mysql/pki/

[root@www ~]# chown -R mysql. /var/lib/mysql/pki
[root@www ~]# vi /etc/my.cnf.d/mysql-server.cnf
# add under [mysqld] section

[mysqld]
ssl-ca=/var/lib/mysql/pki/chain.pem
ssl-cert=/var/lib/mysql/pki/cert.pem
ssl-key=/var/lib/mysql/pki/privkey.pem
[root@www ~]# systemctl restart mysqld
# verify settings

[root@www ~]# mysql -u root -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.17 Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# OK if status is like follows
mysql> show variables like '%ssl%';
+--------------------+--------------------------------+
| Variable_name      | Value                          |
+--------------------+--------------------------------+
| have_openssl       | YES                            |
| have_ssl           | YES                            |
| mysqlx_ssl_ca      |                                |
| mysqlx_ssl_capath  |                                |
| mysqlx_ssl_cert    |                                |
| mysqlx_ssl_cipher  |                                |
| mysqlx_ssl_crl     |                                |
| mysqlx_ssl_crlpath |                                |
| mysqlx_ssl_key     |                                |
| ssl_ca             | /var/lib/mysql/pki/chain.pem   |
| ssl_capath         |                                |
| ssl_cert           | /var/lib/mysql/pki/cert.pem    |
| ssl_cipher         |                                |
| ssl_crl            |                                |
| ssl_crlpath        |                                |
| ssl_fips_mode      | OFF                            |
| ssl_key            | /var/lib/mysql/pki/privkey.pem |
+--------------------+--------------------------------+
17 rows in set (0.01 sec)

[2].   To connect with SSL/TLS from Clients, connect with specifying [--ssl-mode] option.

 
[root@www ~]# mysql -u root -p --ssl-mode=required --protocol=tcp

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.17 Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# show status
mysql> show status like 'ssl_cipher';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| Ssl_cipher    | TLS_AES_256_GCM_SHA384 |
+---------------+------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye

# for no SSL/TLS connection

[root@www ~]# mysql -u root -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 8.0.17 Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# value is empty
mysql> show status like 'ssl_cipher';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| Ssl_cipher    |       |
+---------------+-------+
1 row in set (0.00 sec)

[4] . To force require users to connect with SSL/TLS, set like follows.

 
[root@www ~]# mysql -u root -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.17 Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create a user who is required SSL/TLS
mysql> create user redhat identified by 'password' require ssl;
Query OK, 0 rows affected (0.12 sec)

# show status SSL/TLS required users set [ssl_type] [ANY]
mysql> select user,host,ssl_type from mysql.user;
+------------------+-----------+----------+
| user             | host      | ssl_type |
+------------------+-----------+----------+
| redhat           | %         | ANY      |
| cent             | %         |          |
| mysql.infoschema | localhost |          |
| mysql.session    | localhost |          |
| mysql.sys        | localhost |      

Comments

Post a Comment

Popular posts from this blog

C++ How to use Date and Time

The C++ standard library does not provide a proper date type. C++ inherits the structs and functions for date and time manipulation from C. To access date and time related functions and structures, you would need to include <ctime> header file in your C++ program. There are four time-related types: clock_t, time_t, size_t , and tm . The types clock_t, size_t and time_t are capable of representing the system time and date as some sort of integer. The structure type tm holds the date and time in the form of a C structure having the following elements: struct tm { int tm_sec ; // seconds of minutes from 0 to 61 int tm_min ; // minutes of hour from 0 to 59 int tm_hour ; // hours of day from 0 to 24 int tm_mday ; // day of month from 1 to 31 int tm_mon ; // month of year from 0 to 11 int tm_year ; // year since 1900 int tm_wday ; // days since sunday int tm_yday ; // days since January 1st int tm_isdst ; // hours of daylight savin...
Post a Comment
Read more

PERL Some good framework

1. Catalyst is the most popular agile Perl MVC web framework that encourages rapid development and clean design without getting in your way. Catalyst | Perl MVC web application framework 2. Mojolicious is a next generation web framework for the Perl programming language. Back in the early days of the web, many people learned Perl because of a wonderful Perl   ... Mojolicious - Perl real-time web framework 3. Documents for Perl  The Perl Archive Network, the gateway to all things Perl. The canonical location for Perl code and modules. The Comprehensive Perl Archive Network - www. cpan .org
Post a Comment
Read more

C++ References

A reference variable is an alias, that is, another name for an already existing variable. Once a reference is initialized with a variable, either the variable name or the reference name may be used to refer to the variable. C++ References vs Pointers: References are often confused with pointers but three major differences between references and pointers are: You cannot have NULL references. You must always be able to assume that a reference is connected to a legitimate piece of storage. Once a reference is initialized to an object, it cannot be changed to refer to another object. Pointers can be pointed to another object at any time. A reference must be initialized when it is created. Pointers can be initialized at any time. Creating References in C++: Think of a variable name as a label attached to the variable's location in memory. You can then think of a reference as a second label attached to that memory location. Therefore, you can access the contents of the variabl...
Post a Comment
Read more