manual.texi begin to clean up the SSL section

parent 8160291c
...@@ -1760,8 +1760,8 @@ applications. Using the embedded MySQL server library, one can ...@@ -1760,8 +1760,8 @@ applications. Using the embedded MySQL server library, one can
embed MySQL Server into various applications and electronics devices, where embed MySQL Server into various applications and electronics devices, where
the end user has no knowledge of there actually being an underlying the end user has no knowledge of there actually being an underlying
database. Embedded MySQL Server is ideal for use behind database. Embedded MySQL Server is ideal for use behind
the scenes in internet appliances, public kiosks, turnkey the scenes in Internet appliances, public kiosks, turnkey
hardware/software combination units, high performance internet hardware/software combination units, high performance Internet
servers, self-contained databases distributed on CD-ROM, etc. servers, self-contained databases distributed on CD-ROM, etc.
Many users of @code{libmysqld} will benefit from the MySQL Many users of @code{libmysqld} will benefit from the MySQL
...@@ -17403,51 +17403,52 @@ file. ...@@ -17403,51 +17403,52 @@ file.
@node Secure basics, Secure requirements, Secure connections, Secure connections @node Secure basics, Secure requirements, Secure connections, Secure connections
@subsubsection Basics @subsubsection Basics
Beginning with version 4.0.0,
MySQL has support for SSL encrypted connections. To understand how MySQL MySQL has support for SSL encrypted connections. To understand how MySQL
uses SSL, we need to explain some basics about SSL and X509. People who uses SSL, it's necessary to explain some basic SSL and X509 concepts. People
are already aware of it can skip this part. who are already familiar with them can skip this part.
By default, MySQL uses unencrypted connections between client and By default, MySQL uses unencrypted connections between the client and the
server. This means that someone could watch all your traffic and look at server. This means that someone could watch all your traffic and look at
the data being sent/received. Actually, they could even change the data the data being sent or received. They could even change the data
while it is in transit between client and server. Sometimes you need to while it is in transit between client and server. Sometimes you need to
move really secret data over public networks and in such a case using an move information over public networks in a secure fashion; in such cases,
unencrypted connection is unacceptable. using an unencrypted connection is unacceptable.
SSL is a protocol which uses different encryption algorithms to ensure SSL is a protocol that uses different encryption algorithms to ensure
that data which comes from public network can be trusted. It has that data received over a public network can be trusted. It has
mechanisms to detect any change, loss or replay of data. SSL also mechanisms to detect any change, loss or replay of data. SSL also
incorpores algorithms to recognise and provide identity verification incorporates algorithms to recognise and provide identity verification
using the X509 standard. using the X509 standard.
@cindex What is encryption @cindex What is encryption
Encryption is the way to make any kind of data unreadable. In fact, Encryption is the way to make any kind of data unreadable. In fact,
today's practice requires many additional security elements from today's practice requires many additional security elements from
encryption algorithms. They should resist many kind of known attacks encryption algorithms. They should resist many kind of known attacks
like just messing with order of encrypted messages or replaying data like just messing with the order of encrypted messages or replaying data
twice. twice.
@cindex What is X509/Certificate? @cindex What is X509/Certificate?
X509 is a standard that makes it possible to identify someone in the X509 is a standard that makes it possible to identify someone on the
Internet. It is most commonly used in e-commerce applications. In basic Internet. It is most commonly used in e-commerce applications. In basic
terms, there should be some company called "Certificate Authority" which terms, there should be some company (called a ``Certificate Authority'') that
assigns electronic certificates to anyone who needs them. Certificates assigns electronic certificates to anyone who needs them. Certificates
rely on asymmetric encryption algorithms which have two encryption keys rely on asymmetric encryption algorithms that have two encryption keys
- public and secret. A certificate owner can prove his identity by (a public key and a secret key). A certificate owner can prove his identity by
showing his certificate to other party. A certificate consists of his showing his certificate to other party. A certificate consists of its
owner's public key. Any data encrypted with this public key can only be owner's public key. Any data encrypted with this public key can be
decrypted using the corresponding secret key, which is held by the owner decrypted only using the corresponding secret key, which is held by the owner
of the certificate. of the certificate.
MySQL doesn't use encrypted on connections by default, because this MySQL doesn't use encrypted connections by default, because doing so
would make the client/server protocol much slower. Any kind of would make the client/server protocol much slower. Any kind of
additional functionality requires computer to do additional work and additional functionality requires the computer to do additional work and
encrypting data is CPU-intensive operation require time and can delay encrypting data is a CPU-intensive operation that requires time and can delay
MySQL main tasks. By default MySQL is tuned to be fast as possible. MySQL main tasks. By default MySQL is tuned to be fast as possible.
If you need more information about SSL/X509/encryption, you should use If you need more information about SSL, X509, or encryption, you should use
your favourite internet search engine and search for keywords you are your favourite Internet search engine and search for keywords in which you are
interested in. interested.
@node Secure requirements, Secure GRANT, Secure basics, Secure connections @node Secure requirements, Secure GRANT, Secure basics, Secure connections
@subsubsection Requirements @subsubsection Requirements
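Review bot: the certificate paragraph in this hunk (from "A certificate owner can prove his identity" through "owner's public key") overstates what a certificate on its own does: a certificate is public, so merely showing it proves nothing; identity is established when the holder demonstrates possession of the matching private key during the SSL handshake and the other side verifies the certificate's signature against a CA it trusts. "A certificate consists of its owner's public key" should become "contains", since a certificate also carries the subject and issuer names, a validity period and the CA's signature. Smaller points in the same hunk: "Encryption is the way to make any kind of data unreadable" should say unreadable to anyone who does not hold the key; "many kind of known attacks" -> "many kinds of known attacks"; "showing his certificate to other party" -> "to the other party"; "tuned to be fast as possible" -> "as fast as possible"; and "secret key" is better written as "private key", the usual term for X509 key pairs.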
...@@ -17462,10 +17463,12 @@ Install the OpenSSL library. We have tested MySQL with OpenSSL 0.9.6. ...@@ -17462,10 +17463,12 @@ Install the OpenSSL library. We have tested MySQL with OpenSSL 0.9.6.
Configure MySQL with @code{--with-vio --with-openssl}. Configure MySQL with @code{--with-vio --with-openssl}.
@item @item
If you are using an old MySQL installation, you have to update your If you are using an old MySQL installation, you have to update your
@code{mysql.user} table with some new columns. You can do this by @code{mysql.user} table with some new SSL-related columns. You can do this by
running the @code{mysql_fix_privilege_tables.sh} script. running the @code{mysql_fix_privilege_tables.sh} script.
This is necessary if your grant tables date from a version prior to MySQL
4.0.0.
@item @item
You can check if a running mysqld server supports OpenSSL by You can check if a running @code{mysqld} server supports OpenSSL by
examining if @code{SHOW VARIABLES LIKE 'have_openssl'} returns @code{YES}. examining if @code{SHOW VARIABLES LIKE 'have_openssl'} returns @code{YES}.
@end enumerate @end enumerate
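Review bot: the have_openssl check in the last item never says what YES means; state whether it means the server binary was built with OpenSSL support or that SSL connections are actually enabled, because a server compiled with --with-openssl but started without a certificate and key cannot complete an SSL handshake, and a reader who sees YES may assume the server already accepts encrypted connections. "examining if ... returns" reads better as "checking whether ... returns".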
...@@ -17485,8 +17488,8 @@ There are different possibilities to limit connections: ...@@ -17485,8 +17488,8 @@ There are different possibilities to limit connections:
@itemize @bullet @itemize @bullet
@item @item
Without any SSL/X509 options, all kind of encrypted/unencrypted Without any SSL or X509 options, all kind of encrypted/unencrypted
connections are allowed if username and password are valid. connections are allowed if the username and password are valid.
@item @item
@code{REQUIRE SSL} option limits the server to allow only SSL @code{REQUIRE SSL} option limits the server to allow only SSL
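Review bot: "all kind of encrypted/unencrypted connections" should be "all kinds of encrypted and unencrypted connections". Since this bullet describes the default, it should also say explicitly that an account without any REQUIRE option can always connect unencrypted even when the server supports SSL, so the per-account REQUIRE options are what enforce encryption; otherwise readers may conclude that building the server with OpenSSL is enough to protect their traffic.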
...@@ -17499,7 +17502,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost ...@@ -17499,7 +17502,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example @end example
@item @item
@code{REQUIRE X509} means that client should have valid certificate @code{REQUIRE X509} means that the client should have a valid certificate
but we do not care about the exact certificate, issuer or subject. but we do not care about the exact certificate, issuer or subject.
The only restriction is that it should be possible to verify its The only restriction is that it should be possible to verify its
signature with one of the CA certificates. signature with one of the CA certificates.
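Review bot: "one of the CA certificates" leaves open which CA certificates are meant; say that the signature must verify against the CA certificates the server was started with (its --ssl-ca option), since that set is what defines "valid" here. It would also help to state in this bullet, as the ISSUER bullet later does, that REQUIRE X509 implies an encrypted connection, and to replace "we do not care about" with "the server does not check", which reads less casually in a reference manual.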
...@@ -17510,10 +17513,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost ...@@ -17510,10 +17513,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example @end example
@item @item
@code{REQUIRE ISSUER issuer} makes connection more restrictive: now @code{REQUIRE ISSUER "issuer"} places a restriction on connection attempts:
client must present a valid X509 certificate issued by CA "issuer". The client must present a valid X509 certificate issued by CA @code{"issuer"}.
Using X509 certificates always implies encryption, so the option "SSL" Using X509 certificates always implies encryption, so the @code{SSL} option
is not neccessary anymore. is unneccessary.
@example @example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
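Review bot: "unneccessary" is misspelled in the new text ("unnecessary"). The bullet should also make clear that REQUIRE ISSUER binds an account to a CA rather than to a particular client: every certificate that CA has issued satisfies it, so readers who want to tie an account to one certificate holder need SUBJECT as well (the combined form shown later). Finally, the quotes inside @code{"issuer"} make it look like a literal string; if it is a placeholder for the issuer's distinguished name, @var{issuer} is the Texinfo convention for that.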
...@@ -17523,10 +17526,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost ...@@ -17523,10 +17526,10 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example @end example
@item @item
@code{REQUIRE SUBJECT subject} requires clients to have valid X509 @code{REQUIRE SUBJECT "subject"} requires clients to have valid X509
certificate with subject "subject" on it. If client have valid certificate with subject @code{"subject"} on it. If the client presents a
certificate but having different "subject" then the connection is certificate that is valid but has a different @code{"subject"}, the connection
still not allowed. is disallowed.
@example @example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
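Review bot: "requires clients to have valid X509 certificate" is missing an article ("a valid X509 certificate"). The bullet should also say how "subject" is compared: the value must match the certificate's subject distinguished name exactly, which is why the text rightly says a valid certificate with a different subject is rejected, so the way the DN is written in the GRANT statement (field order and separators) must match the certificate. The same @code{"subject"} versus @var{subject} question applies as in the ISSUER bullet.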
...@@ -17537,7 +17540,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost ...@@ -17537,7 +17540,7 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
@end example @end example
@item @item
@code{REQUIRE CIPHER cipher} is needed to assure enough strong ciphers @code{REQUIRE CIPHER "cipher"} is needed to assure enough strong ciphers
and keylengths will be used. SSL itself can be weak if old algorithms and keylengths will be used. SSL itself can be weak if old algorithms
with short encryption keys are used. Using this option, we can ask for with short encryption keys are used. Using this option, we can ask for
some exact cipher method to allow a connection. some exact cipher method to allow a connection.
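Review bot: "is needed to assure enough strong ciphers and keylengths will be used" should read "is needed to ensure that sufficiently strong ciphers and key lengths are used" ("keylengths" -> "key lengths"). The bullet should also state that the value is an OpenSSL cipher-suite name (EDH-RSA-DES-CBC3-SHA in the example that follows) and that the connection must negotiate exactly that suite, so readers know where valid names come from and understand that this option pins one cipher rather than setting a minimum strength.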
...@@ -17548,7 +17551,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost ...@@ -17548,7 +17551,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
-> REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA"; -> REQUIRE CIPHER "EDH-RSA-DES-CBC3-SHA";
@end example @end example
Also it is allowed to combine these options with each other like this: The @code{SUBJECT}, @code{ISSUER}, and @code{CIPHER} options can be
combined in the @code{REQUIRE} clause like this:
@example @example
mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
...@@ -17561,8 +17565,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost ...@@ -17561,8 +17565,8 @@ mysql> GRANT ALL PRIVILEGES ON test.* TO root@@localhost
-> AND CIPHER "EDH-RSA-DES-CBC3-SHA"; -> AND CIPHER "EDH-RSA-DES-CBC3-SHA";
@end example @end example
But it is not allowed to use any option twice. Only different The order of the options does not matter, but no option can be specified
options can be mixed. twice.
@end itemize @end itemize