MySQL has support for SSL encrypted connetions. To understand how MySQL
MySQL has support for SSL encrypted connections. To understand how MySQL
uses SSL we need to explain some basics about SSL and X509. People who
uses SSL, we need to explain some basics about SSL and X509. People who
are already aware of it can skip this chapter.
are already aware of it can skip this part.
By default, MySQL uses unencrypted connections between client and
By default, MySQL uses unencrypted connections between client and
server. This means that someone could watch all your traffic and look at
server. This means that someone could watch all your traffic and look at
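Review bot: "skip this part" in the new wording is vaguer than the "chapter" it replaces; since this text sits in a Texinfo node, "skip this section" names the unit the reader is actually in. The spelling fix ("connetions") and the added comma after "uses SSL" are fine.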
...
@@ -18615,7 +18615,7 @@ If you are using an old MySQL installation, you have to update your
...
@@ -18615,7 +18615,7 @@ If you are using an old MySQL installation, you have to update your
running the @code{mysql_fix_privilege_tables.sh} script.
running the @code{mysql_fix_privilege_tables.sh} script.
@item
@item
You can check if a running mysqld server supports @code{openssl} by
You can check if a running mysqld server supports @code{openssl} by
examining if @code{show variables like 'have_openssl'} returns @code{YES}.
examining if @code{SHOW VARIABLES LIKE 'have_openssl'} returns @code{YES}.
@end enumerate
@end enumerate
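Review bot: the last @item of this hunk still leaves "supports @code{openssl}" ambiguous: it does not say whether @code{have_openssl} returning @code{YES} means the server was built with SSL support or that encrypted connections are actually enabled and usable, and a reader checking a production server needs to know which. Suggest stating that explicitly. The upper-casing of @code{SHOW VARIABLES LIKE 'have_openssl'} is a good consistency fix.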
...
@@ -18626,73 +18626,85 @@ examining if @code{show variables like 'have_openssl'} returns @code{YES}.
...
@@ -18626,73 +18626,85 @@ examining if @code{show variables like 'have_openssl'} returns @code{YES}.
@findex REQUIRE GRANT option
@findex REQUIRE GRANT option
@findex GRANT statemenet
@findex GRANT statemenet
MySQL can check x509 certificate attributes additionally to most used
MySQL can check X509 certificate attributes in addition to the
username/password scheme. All the usual options are still required
normal username/password scheme. All the usual options are still
(username, password, IP address mask, database/table name).
required (username, password, IP address mask, database/table name).
There are different possibilities to limit connections:
There are different possibilities to limit connections:
@itemize @bullet
@itemize @bullet
@item
@item
Without any SSL/X509 options all kind of encrypted/unencrypted
Without any SSL/X509 options, all kind of encrypted/unencrypted
connections are allowed if username and password are valid.
connections are allowed if username and password are valid.
@item
@item
@code{REQUIRE SSL} option makes SSL encrypted connection must. Note that
@code{REQUIRE SSL} option limits the server to allow only SSL
this requirement can be omitted of there are any other ACL record which
encrypted connections. Note that this option can be omitted
allows non-SSL connection.
if there are any ACL records which allow non-SSL connections.
@example
@example
GRANT ALL PRIVILEGES ON test.* TO root@@localhost IDENTIFIED BY
GRANT ALL PRIVILEGES ON test.* TO root@@localhost
"goodsecret" REQUIRE SSL
IDENTIFIED BY "goodsecret" REQUIRE SSL
@end example
@end example
@item
@item
@code{REQUIRE X509} Requiring X509 certificate means that client
@code{REQUIRE X509} means that client should have valid certificate
should have valid certificate but we do not care about exact
but we do not care about the exact certificate, issuer or subject.
certificate, issuer or subject. Only restriction is it should be
The only restriction is that it should be possible to verify its
possible to verify its signature with some of our CA certificates.
signature with one of the CA certificates.
@example
@example
GRANT ALL PRIVILEGES ON test.* TO root@@localhost IDENTIFIED BY "goodsecret" REQUIRE X509
GRANT ALL PRIVILEGES ON test.* TO root@@localhost
IDENTIFIED BY "goodsecret" REQUIRE X509
@end example
@end example
@item
@item
@code{REQUIRE ISSUER issuer} makes connection more restrictive: now
@code{REQUIRE ISSUER issuer} makes connection more restrictive: now
client must present valid x509 certificate issued by CA "issuer". Using
client must present a valid X509 certificate issued by CA "issuer".
x509 certificates always implies encryption, so option "SSL" is not
Using X509 certificates always implies encryption, so the option "SSL"
neccessary anymore.
is not neccessary anymore.
@example
@example
GRANT ALL PRIVILEGES ON test.* TO root@@localhost IDENTIFIED BY "goodsecret" REQUIRE ISSUER "C=FI, ST=Some-State, L=Helsinki, O=MySQL Finland AB, CN=Tonu Samuel/Email=tonu@@mysql.com"
GRANT ALL PRIVILEGES ON test.* TO root@@localhost
IDENTIFIED BY "goodsecret"
REQUIRE ISSUER "C=FI, ST=Some-State, L=Helsinki,
O=MySQL Finland AB, CN=Tonu Samuel/Email=tonu@@mysql.com"
@end example
@end example
@item
@item
@code{REQUIRE SUBJECT subject} requires clients to have valid x509
@code{REQUIRE SUBJECT subject} requires clients to have valid X509
certificate with subject "subject" on it. If client have valid
certificate with subject "subject" on it. If client have valid
certificate but having different "subject" then connection is still not
certificate but having different "subject" then the connection is
allowed.
still not allowed.
@example
@example
GRANT ALL PRIVILEGES ON test.* TO root@@localhost IDENTIFIED BY "goodsecret" REQUIRE SUBJECT "C=EE, ST=Some-State, L=Tallinn, O=MySQL demo client certificate, CN=Tonu Samuel/Email=tonu@@mysql.com"
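Review bot: the @code{REQUIRE SSL} item still reads "this option can be omitted if there are any ACL records which allow non-SSL connections", which sounds like advice to the administrator rather than the caveat it appears to be; if the intent is that the SSL requirement is not enforced when another ACL record for the same user permits an unencrypted connection, say so in those words, because as written a reader could conclude the requirement is optional. Second, the new @example blocks split the quoted ISSUER/SUBJECT distinguished names across two lines; inside @example the line break and indentation become part of the rendered string, so a copy-pasted GRANT would carry a different issuer/subject than intended. Keep each quoted DN on one line or note that it is wrapped for display only. Third, this hunk fixes several typos but leaves @code{@@findex GRANT statemenet}, "neccessary", and "If client have valid certificate" untouched; worth fixing in the same pass.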