Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
1c207def
Commit
1c207def
authored
Aug 16, 2002
by
unknown
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
manual.texi begin to clean up the SSL section
Docs/manual.texi: begin to clean up the SSL section
parent
bccec229
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
46 additions
and
42 deletions
+46
-42
Docs/manual.texi
Docs/manual.texi
+46
-42
No files found.
Docs/manual.texi
View file @
1c207def
...
...
@@ -1760,8 +1760,8 @@ applications. Using the embedded MySQL server library, one can
embed MySQL Server into various applications and electronics devices, where
the end user has no knowledge of there actually being an underlying
database. Embedded MySQL Server is ideal for use behind
the scenes in
i
nternet appliances, public kiosks, turnkey
hardware/software combination units, high performance
i
nternet
the scenes in
I
nternet appliances, public kiosks, turnkey
hardware/software combination units, high performance
I
nternet
servers, self-contained databases distributed on CD-ROM, etc.
Many users of @code{libmysqld} will benefit from the MySQL
...
...
@@ -17403,51 +17403,52 @@ file.
@node Secure basics, Secure requirements, Secure connections, Secure connections
@subsubsection Basics
Beginning with version 4.0.0,
MySQL has support for SSL encrypted connections. To understand how MySQL
uses SSL,
we need to explain some basics about SSL and X509. People who
are already aware of it
can skip this part.
uses SSL,
it's necessary to explain some basic SSL and X509 concepts. People
who are already familiar with them
can skip this part.
By default, MySQL uses unencrypted connections between
client and
By default, MySQL uses unencrypted connections between
the client and the
server. This means that someone could watch all your traffic and look at
the data being sent
/received. Actually, t
hey could even change the data
the data being sent
or received. T
hey could even change the data
while it is in transit between client and server. Sometimes you need to
move
really secret data over public networks and in such a case using an
unencrypted connection is unacceptable.
move
information over public networks in a secure fashion; in such cases,
u
sing an u
nencrypted connection is unacceptable.
SSL is a protocol
which
uses different encryption algorithms to ensure
that data
which comes from
public network can be trusted. It has
SSL is a protocol
that
uses different encryption algorithms to ensure
that data
received over a
public network can be trusted. It has
mechanisms to detect any change, loss or replay of data. SSL also
incorpores algorithms to recognise and provide identity verification
incorpor
at
es algorithms to recognise and provide identity verification
using the X509 standard.
@cindex What is encryption
Encryption is the way to make any kind of data unreadable. In fact,
today's practice requires many additional security elements from
encryption algorithms. They should resist many kind of known attacks
like just messing with order of encrypted messages or replaying data
like just messing with
the
order of encrypted messages or replaying data
twice.
@cindex What is X509/Certificate?
X509 is a standard that makes it possible to identify someone
i
n the
X509 is a standard that makes it possible to identify someone
o
n the
Internet. It is most commonly used in e-commerce applications. In basic
terms, there should be some company
called "Certificate Authority" which
terms, there should be some company
(called a ``Certificate Authority'') that
assigns electronic certificates to anyone who needs them. Certificates
rely on asymmetric encryption algorithms
which
have two encryption keys
- public and secret
. A certificate owner can prove his identity by
showing his certificate to other party. A certificate consists of
hi
s
owner's public key. Any data encrypted with this public key can
only
be
decrypted using the corresponding secret key, which is held by the owner
rely on asymmetric encryption algorithms
that
have two encryption keys
(a public key and a secret key)
. A certificate owner can prove his identity by
showing his certificate to other party. A certificate consists of
it
s
owner's public key. Any data encrypted with this public key can be
decrypted
only
using the corresponding secret key, which is held by the owner
of the certificate.
MySQL doesn't use encrypted
on connections by default, because this
MySQL doesn't use encrypted
connections by default, because doing so
would make the client/server protocol much slower. Any kind of
additional functionality requires computer to do additional work and
encrypting data is
CPU-intensive operation require
time and can delay
additional functionality requires
the
computer to do additional work and
encrypting data is
a CPU-intensive operation that requires
time and can delay
MySQL main tasks. By default MySQL is tuned to be fast as possible.
If you need more information about SSL
/X509/
encryption, you should use
your favourite
internet search engine and search for keywords
you are
interested
in
.
If you need more information about SSL
, X509, or
encryption, you should use
your favourite
Internet search engine and search for keywords in which
you are
interested.
@node Secure requirements, Secure GRANT, Secure basics, Secure connections
@subsubsection Requirements
...
...
@@ -17462,10 +17463,12 @@ Install the OpenSSL library. We have tested MySQL with OpenSSL 0.9.6.
Configure MySQL with @code{--with-vio --with-openssl}.
@item
If you are using an old MySQL installation, you have to update your
@code{mysql.user} table with some new columns. You can do this by
@code{mysql.user} table with some new
SSL-related
columns. You can do this by
running the @code{mysql_fix_privilege_tables.sh} script.
This is necessary if your grant tables date from a version prior to MySQL
4.0.0.
@item
You can check if a running
mysqld
server supports OpenSSL by
You can check if a running
@code{mysqld}
server supports OpenSSL by
examining if @code{SHOW VARIABLES LIKE 'have_openssl'} returns @code{YES}.
@end enumerate
...
...
@@ -17485,8 +17488,8 @@ There are different possibilities to limit connections:
@itemize @bullet
@item
Without any SSL
/
X509 options, all kind of encrypted/unencrypted
connections are allowed if username and password are valid.
Without any SSL
or
X509 options, all kind of encrypted/unencrypted
connections are allowed if
the
username and password are valid.
@item
@code{REQUIRE SSL} option limits the server to allow only SSL
...
...
@@ -17499,7 +17502,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@item
@code{REQUIRE X509} means that
client should have
valid certificate
@code{REQUIRE X509} means that
the client should have a
valid certificate
but we do not care about the exact certificate, issuer or subject.
The only restriction is that it should be possible to verify its
signature with one of the CA certificates.
...
...
@@ -17510,10 +17513,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@item
@code{REQUIRE ISSUER
issuer} makes connection more restrictive: now
client must present a valid X509 certificate issued by CA "issuer"
.
Using X509 certificates always implies encryption, so the
option "SSL"
is
not neccessary anymore
.
@code{REQUIRE ISSUER
"issuer"} places a restriction on connection attempts:
The client must present a valid X509 certificate issued by CA @code{"issuer"}
.
Using X509 certificates always implies encryption, so the
@code{SSL} option
is
unneccessary
.
@example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
...
@@ -17523,10 +17526,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@item
@code{REQUIRE SUBJECT
subject
} requires clients to have valid X509
certificate with subject
"subject" on it. If client have valid
certificate
but having different "subject" then the connection is
still not
allowed.
@code{REQUIRE SUBJECT
"subject"
} requires clients to have valid X509
certificate with subject
@code{"subject"} on it. If the client presents a
certificate
that is valid but has a different @code{"subject"}, the connection
is dis
allowed.
@example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
...
@@ -17537,7 +17540,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@item
@code{REQUIRE CIPHER
cipher
} is needed to assure enough strong ciphers
@code{REQUIRE CIPHER
"cipher"
} is needed to assure enough strong ciphers
and keylengths will be used. SSL itself can be weak if old algorithms
with short encryption keys are used. Using this option, we can ask for
some exact cipher method to allow a connection.
...
...
@@ -17548,7 +17551,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
-> REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA";
@end example
Also it is allowed to combine these options with each other like this:
The @code{SUBJECT}, @code{ISSUER}, and @code{CIPHER} options can be
combined in the @code{REQUIRE} clause like this:
@example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
...
@@ -17561,8 +17565,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
-> AND CIPHER "EDH-RSA-DES-CBC3-SHA";
@end example
But it is not allowed to use any option twice. Only different
options can be mixed
.
The order of the options does not matter, but no option can be specified
twice
.
@end itemize
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment