Enable TLS for MySQL clients

TLS is also known as SSL (Secure Sockets Layer). It refers to transport layer security.

When an unencrypted connection exists between a MySQL client and server, someone with network access can observe all traffic and examine the data sent or received between the client and server. When users wish to transmit information over the network in a secure manner, unencrypted connections are not accepted.

In order to make any type of data unreadable, encryption must be used. Encryption algorithms often contain security elements that help resist many known attacks, some of which include changing the order of encrypted messages or replaying data twice. MySQL supports encrypted connections that occur between the client and server, both of which use the TLS protocol. But MySQL does not use the SSL protocol for encrypted connections because the encryption is weak.

TLS uses encryption algorithms to ensure that data received on public networks is trustworthy data. It has many methods to detect changes, loss or replay of data. TLS also uses authentication algorithms with the X.509 standard.

Steps to Enable TLS

MySQL encrypts per connection. Encryption for a given user can be optional or mandatory. This allows users to choose an encrypted or unencrypted connection depending on the application's requirements.

Let us understand how to enable TLS for MySQL client:

• When starting the server, the ssl-cert and ssl-key parameters must be specified in the configuration file.
• The certificate or key is signed and generated using OpenSSL.
• This key can also be generated using the mysql_ssl_rsa_setup tool in MySQL:

mysql_ssl_rsa_setup --datadir=./certs

If the parameters are correct, a secure connection will be passed as output, which is enabled on startup.
• Reload certificates, keys, and CAs - Execute the ALTER INSTANCE RELOAD TLS statement on the server instance. This ensures that the server instance does not need to be reloaded.
• After successful execution of an established connection, the newly loaded certificate, key and CA take effect.
• Configure the MySQL client to use an encrypted connection - by default attempts to establish an encrypted connection. If the server does not support encrypted connections, an unencrypted connection is automatically returned.
• The client's connection behavior can be changed using the --ssl-mode parameter:

  --ssl-mode=REQUIRED- Tells that en encrypted connection is needed.

Requires authentication to be enabled: If the ssl-ca parameter is not specified, by default the client or The server does not authenticate.

• The ssl-cert and ssl-key parameters must be specified in the server.
• Specify the --ssl-ca parameter in the MySQL client.
• Specify --ssl-mode as VERIFY_CA in the MySQL client.
• The server-configured certificate (ssl-cert) is signed by the CA specified by the client's --ssl-ca parameter.
• Otherwise, authentication fails.

To authenticate MySQL clients from the server:

• Specify the ssl-cert, ssl-key, and ssl-ca parameters in the server.
• Specify the --ssl-cert and --ssl-key parameters in the client.
• The certificate configured by the server and the certificate configured by the client are signed by the ssl-ca specified by the server.
• Server-to-client authentication is optional. If the client does not present its attestation certificate during the TLS handshake, the TLS connection will still be established.
• Check if the current connection uses any encryption.

The above is the detailed content of Enable TLS for MySQL clients. For more information, please follow other related articles on the PHP Chinese website!