Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
mariadb
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
mariadb
Commits
d2b61a78
Commit
d2b61a78
authored
Aug 16, 2002
by
paul@teton.kitebird.com
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
manual.texi begin to clean up the SSL section
parent
8160291c
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
46 additions
and
42 deletions
+46
-42
Docs/manual.texi
Docs/manual.texi
+46
-42
No files found.
Docs/manual.texi
View file @
d2b61a78
...
@@ -1760,8 +1760,8 @@ applications. Using the embedded MySQL server library, one can
...
@@ -1760,8 +1760,8 @@ applications. Using the embedded MySQL server library, one can
embed MySQL Server into various applications and electronics devices, where
embed MySQL Server into various applications and electronics devices, where
the end user has no knowledge of there actually being an underlying
the end user has no knowledge of there actually being an underlying
database. Embedded MySQL Server is ideal for use behind
database. Embedded MySQL Server is ideal for use behind
the scenes in
i
nternet appliances, public kiosks, turnkey
the scenes in
I
nternet appliances, public kiosks, turnkey
hardware/software combination units, high performance
i
nternet
hardware/software combination units, high performance
I
nternet
servers, self-contained databases distributed on CD-ROM, etc.
servers, self-contained databases distributed on CD-ROM, etc.
Many users of @code{libmysqld} will benefit from the MySQL
Many users of @code{libmysqld} will benefit from the MySQL
...
@@ -17403,51 +17403,52 @@ file.
...
@@ -17403,51 +17403,52 @@ file.
@node Secure basics, Secure requirements, Secure connections, Secure connections
@node Secure basics, Secure requirements, Secure connections, Secure connections
@subsubsection Basics
@subsubsection Basics
Beginning with version 4.0.0,
MySQL has support for SSL encrypted connections. To understand how MySQL
MySQL has support for SSL encrypted connections. To understand how MySQL
uses SSL,
we need to explain some basics about SSL and X509. People who
uses SSL,
it's necessary to explain some basic SSL and X509 concepts. People
are already aware of it
can skip this part.
who are already familiar with them
can skip this part.
By default, MySQL uses unencrypted connections between
client and
By default, MySQL uses unencrypted connections between
the client and the
server. This means that someone could watch all your traffic and look at
server. This means that someone could watch all your traffic and look at
the data being sent
/received. Actually, t
hey could even change the data
the data being sent
or received. T
hey could even change the data
while it is in transit between client and server. Sometimes you need to
while it is in transit between client and server. Sometimes you need to
move
really secret data over public networks and in such a case using an
move
information over public networks in a secure fashion; in such cases,
unencrypted connection is unacceptable.
u
sing an u
nencrypted connection is unacceptable.
SSL is a protocol
which
uses different encryption algorithms to ensure
SSL is a protocol
that
uses different encryption algorithms to ensure
that data
which comes from
public network can be trusted. It has
that data
received over a
public network can be trusted. It has
mechanisms to detect any change, loss or replay of data. SSL also
mechanisms to detect any change, loss or replay of data. SSL also
incorpores algorithms to recognise and provide identity verification
incorpor
at
es algorithms to recognise and provide identity verification
using the X509 standard.
using the X509 standard.
@cindex What is encryption
@cindex What is encryption
Encryption is the way to make any kind of data unreadable. In fact,
Encryption is the way to make any kind of data unreadable. In fact,
today's practice requires many additional security elements from
today's practice requires many additional security elements from
encryption algorithms. They should resist many kind of known attacks
encryption algorithms. They should resist many kind of known attacks
like just messing with order of encrypted messages or replaying data
like just messing with
the
order of encrypted messages or replaying data
twice.
twice.
@cindex What is X509/Certificate?
@cindex What is X509/Certificate?
X509 is a standard that makes it possible to identify someone
i
n the
X509 is a standard that makes it possible to identify someone
o
n the
Internet. It is most commonly used in e-commerce applications. In basic
Internet. It is most commonly used in e-commerce applications. In basic
terms, there should be some company
called "Certificate Authority" which
terms, there should be some company
(called a ``Certificate Authority'') that
assigns electronic certificates to anyone who needs them. Certificates
assigns electronic certificates to anyone who needs them. Certificates
rely on asymmetric encryption algorithms
which
have two encryption keys
rely on asymmetric encryption algorithms
that
have two encryption keys
- public and secret
. A certificate owner can prove his identity by
(a public key and a secret key)
. A certificate owner can prove his identity by
showing his certificate to other party. A certificate consists of
hi
s
showing his certificate to other party. A certificate consists of
it
s
owner's public key. Any data encrypted with this public key can
only
be
owner's public key. Any data encrypted with this public key can be
decrypted using the corresponding secret key, which is held by the owner
decrypted
only
using the corresponding secret key, which is held by the owner
of the certificate.
of the certificate.
MySQL doesn't use encrypted
on connections by default, because this
MySQL doesn't use encrypted
connections by default, because doing so
would make the client/server protocol much slower. Any kind of
would make the client/server protocol much slower. Any kind of
additional functionality requires computer to do additional work and
additional functionality requires
the
computer to do additional work and
encrypting data is
CPU-intensive operation require
time and can delay
encrypting data is
a CPU-intensive operation that requires
time and can delay
MySQL main tasks. By default MySQL is tuned to be fast as possible.
MySQL main tasks. By default MySQL is tuned to be fast as possible.
If you need more information about SSL
/X509/
encryption, you should use
If you need more information about SSL
, X509, or
encryption, you should use
your favourite
internet search engine and search for keywords
you are
your favourite
Internet search engine and search for keywords in which
you are
interested
in
.
interested.
@node Secure requirements, Secure GRANT, Secure basics, Secure connections
@node Secure requirements, Secure GRANT, Secure basics, Secure connections
@subsubsection Requirements
@subsubsection Requirements
...
@@ -17462,10 +17463,12 @@ Install the OpenSSL library. We have tested MySQL with OpenSSL 0.9.6.
...
@@ -17462,10 +17463,12 @@ Install the OpenSSL library. We have tested MySQL with OpenSSL 0.9.6.
Configure MySQL with @code{--with-vio --with-openssl}.
Configure MySQL with @code{--with-vio --with-openssl}.
@item
@item
If you are using an old MySQL installation, you have to update your
If you are using an old MySQL installation, you have to update your
@code{mysql.user} table with some new columns. You can do this by
@code{mysql.user} table with some new
SSL-related
columns. You can do this by
running the @code{mysql_fix_privilege_tables.sh} script.
running the @code{mysql_fix_privilege_tables.sh} script.
This is necessary if your grant tables date from a version prior to MySQL
4.0.0.
@item
@item
You can check if a running
mysqld
server supports OpenSSL by
You can check if a running
@code{mysqld}
server supports OpenSSL by
examining if @code{SHOW VARIABLES LIKE 'have_openssl'} returns @code{YES}.
examining if @code{SHOW VARIABLES LIKE 'have_openssl'} returns @code{YES}.
@end enumerate
@end enumerate
...
@@ -17485,8 +17488,8 @@ There are different possibilities to limit connections:
...
@@ -17485,8 +17488,8 @@ There are different possibilities to limit connections:
@itemize @bullet
@itemize @bullet
@item
@item
Without any SSL
/
X509 options, all kind of encrypted/unencrypted
Without any SSL
or
X509 options, all kind of encrypted/unencrypted
connections are allowed if username and password are valid.
connections are allowed if
the
username and password are valid.
@item
@item
@code{REQUIRE SSL} option limits the server to allow only SSL
@code{REQUIRE SSL} option limits the server to allow only SSL
...
@@ -17499,7 +17502,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17499,7 +17502,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@end example
@item
@item
@code{REQUIRE X509} means that
client should have
valid certificate
@code{REQUIRE X509} means that
the client should have a
valid certificate
but we do not care about the exact certificate, issuer or subject.
but we do not care about the exact certificate, issuer or subject.
The only restriction is that it should be possible to verify its
The only restriction is that it should be possible to verify its
signature with one of the CA certificates.
signature with one of the CA certificates.
...
@@ -17510,10 +17513,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17510,10 +17513,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@end example
@item
@item
@code{REQUIRE ISSUER
issuer} makes connection more restrictive: now
@code{REQUIRE ISSUER
"issuer"} places a restriction on connection attempts:
client must present a valid X509 certificate issued by CA "issuer"
.
The client must present a valid X509 certificate issued by CA @code{"issuer"}
.
Using X509 certificates always implies encryption, so the
option "SSL"
Using X509 certificates always implies encryption, so the
@code{SSL} option
is
not neccessary anymore
.
is
unneccessary
.
@example
@example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17523,10 +17526,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17523,10 +17526,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@end example
@item
@item
@code{REQUIRE SUBJECT
subject
} requires clients to have valid X509
@code{REQUIRE SUBJECT
"subject"
} requires clients to have valid X509
certificate with subject
"subject" on it. If client have valid
certificate with subject
@code{"subject"} on it. If the client presents a
certificate
but having different "subject" then the connection is
certificate
that is valid but has a different @code{"subject"}, the connection
still not
allowed.
is dis
allowed.
@example
@example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17537,7 +17540,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17537,7 +17540,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example
@end example
@item
@item
@code{REQUIRE CIPHER
cipher
} is needed to assure enough strong ciphers
@code{REQUIRE CIPHER
"cipher"
} is needed to assure enough strong ciphers
and keylengths will be used. SSL itself can be weak if old algorithms
and keylengths will be used. SSL itself can be weak if old algorithms
with short encryption keys are used. Using this option, we can ask for
with short encryption keys are used. Using this option, we can ask for
some exact cipher method to allow a connection.
some exact cipher method to allow a connection.
...
@@ -17548,7 +17551,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17548,7 +17551,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
-> REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA";
-> REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA";
@end example
@end example
Also it is allowed to combine these options with each other like this:
The @code{SUBJECT}, @code{ISSUER}, and @code{CIPHER} options can be
combined in the @code{REQUIRE} clause like this:
@example
@example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17561,8 +17565,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...
@@ -17561,8 +17565,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
-> AND CIPHER "EDH-RSA-DES-CBC3-SHA";
-> AND CIPHER "EDH-RSA-DES-CBC3-SHA";
@end example
@end example
But it is not allowed to use any option twice. Only different
The order of the options does not matter, but no option can be specified
options can be mixed
.
twice
.
@end itemize
@end itemize
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment