In this blog post, we review some of the important aspects of configuring and managing SSL in MySQL hosting. These would include the default configuration, disabling SSL, and enabling and enforcing SSL on a MySQL server. Our observations are based on the community version of MySQL 5.7.21.
Default SSL Configuration in MySQL
By default, MySQL server always installs and enables SSL configuration. However, it is not enforced that clients connect using SSL. Clients can choose to connect with or without SSL as the server allows both types of connections. Let’s see how to verify this default behavior of MySQL server.
When SSL is installed and enabled on MySQL server by default, we will typically see the following:
- Presence of *.pem files in the MySQL data directory. These are the various client and server certificates and keys that are in use for SSL as described here.
- There will be a note in the mysqld error log file during the server start, such as:
- [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
- Value of ‘have_ssl’ variable will be YES:
mysql> show variables like ‘have_ssl’;
+—————+——-+
| Variable_name | Value |
+—————+——-+
| have_ssl | YES |
+—————+——-+
With respect to MySQL client, by default, it always tries to go for encrypted network connection with the server, and if that fails, it falls back to unencrypted mode.
So, by connecting to MySQL server using the command:
mysql -h <hostname> -u <username> -p
We can check whether the current client connection is encrypted or not using the status command:
mysql> status
————–
mysql Ver 14.14 Distrib 5.7.21, for Linux (x86_64) using EditLine wrapper
Connection id: 75
Current database:
Current user: [email protected]
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ”
Using delimiter: ;
Server version: 5.7.21-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
…………………………..
The SSL field highlighted above indicates that the connection is encrypted. We can, however, ask the MySQL client to connect without SSL by using the command:
mysql -h <hostname> -u <username> -p –ssl-mode=DISABLED
mysql> status
————–
Connection id: 93
Current database:
Current user: [email protected]
SSL: Not in use
Current pager: stdout
Using outfile: ”
Using delimiter: ;
Server version: 5.7.21-log MySQL Community Server (GPL)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
……………………………
We can see that even though SSL is enabled on the server, we are able to connect to it without SSL.
MySQL Tutorial - How To Configure and Manage SSL on Your #MySQL ServerClick To TweetDisabling SSL in MySQL
If your requirement is to completely turn off SSL on MySQL server instead of the default option of ‘enabled, but optional mode’, we can do the following:
- Delete the *.pem certificate and key files in the MySQL data directory.
- Start MySQL with SSL option turned off. This can be done by adding a line entry:
ssl=0 in the my.cnf file.
We can observe that:
- There will NOT be any note in mysqld logs such as :
- [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.
- Value of ‘have_ssl’ variable will be DISABLED:
mysql> show variables like ‘have_ssl’;
+—————+——-+
| Variable_name | Value |
+—————+——-+
| have_ssl | DISABLED |
+—————+——-+
Enforcing SSL in MySQL
We saw that though SSL was enabled by default on MySQL server, it was not enforced and we were still able to connect without SSL.
Now, by setting the require_secure_transport system variable, we will be able to enforce that server will accept only SSL connections. This can be verified by trying to connect to MySQL server with the command:
mysql -h <hostname> -u sgroot -p –ssl-mode=DISABLED
And, we can see that the connection would be refused with following error message from the server:
ERROR 3159 (HY000): Connections using insecure transport are prohibited while –require_secure_transport=ON.
SSL Considerations for Replication Channels
By default, in a MySQL replication setup, the slaves connect to the master without encryption.
Hence to connect to a master in a secure way for replication traffic, slaves must use MASTER_SSL=1; as part of the ‘CHANGE MASTER TO’ command which specifies parameters for connecting to the master. Please note that this option is also mandatory in case your master is configured to enforce SSL connection using require_secure_transport.
