Table of Contents
With an unencrypted connection between the MySQL client and the server, someone with access to the network could watch all your traffic and inspect the data being sent or received between client and server.
When you must move information over a network in a secure fashion, an unencrypted connection is unacceptable. To make any kind of data unreadable, use encryption. Encryption algorithms must include security elements to resist many kinds of known attacks such as changing the order of encrypted messages or replaying data twice.
MySQL supports secure (encrypted) connections between clients and the server using the TLS (Transport Layer Security) protocol. TLS is sometimes referred to as SSL (Secure Sockets Layer) but MySQL does not actually use the SSL protocol for secure connections because it provides weak encryption (see Section 6.3, “Secure Connection Protocols and Ciphers”).
TLS uses encryption algorithms to ensure that data received over a public network can be trusted. It has mechanisms to detect data change, loss, or replay. TLS also incorporates algorithms that provide identity verification using the X509 standard.
X509 makes it possible to identify someone on the Internet. In basic terms, there should be some entity called a “Certificate Authority” (or CA) that assigns electronic certificates to anyone who needs them. Certificates rely on asymmetric encryption algorithms that have two encryption keys (a public key and a secret key). A certificate owner can present the certificate to another party as proof of identity. A certificate consists of its owner's public key. Any data encrypted using this public key can be decrypted only using the corresponding secret key, which is held by the owner of the certificate.
MySQL can be compiled for secure-connection support using OpenSSL or yaSSL. For a comparison of the two packages, see Section 6.1, “OpenSSL Versus yaSSL” For information about the encryption protocols and ciphers each package supports, see Section 6.3, “Secure Connection Protocols and Ciphers”.
MySQL performs encryption on a per-connection basis, and use of
encryption for a given user can be optional or mandatory. This
enables you to choose an encrypted or unencrypted connection
according to the requirements of individual applications. For
information on how to require users to use encrypted connections,
see the discussion of the REQUIRE clause of the
GRANT statement in
GRANT Syntax.
Encrypted connections are not used by default. For applications that require the security provided by encrypted connections, the extra computation to encrypt the data is worthwhile.
Secure connections are available through the MySQL C API using the
mysql_ssl_set() and
mysql_options() functions. See
mysql_ssl_set(), and
mysql_options().
Replication uses the C API, so secure connections can be used between master and slave servers. See Setting Up Replication to Use Secure Connections.
It is also possible to connect securely from within an SSH connection to the MySQL server host. For an example, see Section 6.7, “Connecting to MySQL Remotely from Windows with SSH”.
MySQL can be compiled using OpenSSL or yaSSL, both of which enable secure conections based on the OpenSSL API:
MySQL Enterprise Edition binary distributions are compiled using yaSSL.
MySQL Community Edition binary distributions are compiled using yaSSL.
MySQL Community Edition source distributions can be compiled using either OpenSSL or yaSSL (see Section 6.2, “Building MySQL with Support for Secure Connections”).
OpenSSL and yaSSL offer the same basic functionality, but
additional features are available in MySQL distributions compiled
using OpenSSL: OpenSSL supports a wider range of encryption
ciphers from which to choose for the
--ssl-cipher option, and supports
the --ssl-capath option. See
Section 6.5, “Command Options for Secure Connections”.
To use SSL connections between the MySQL server and client programs, your system must support either OpenSSL or yaSSL:
MySQL Enterprise Edition binary distributions are compiled using yaSSL.
MySQL Community Edition binary distributions are compiled using yaSSL.
MySQL Community Edition source distributions can be compiled using either OpenSSL or yaSSL.
If you compile MySQL from a source distribution, CMake configures the distribution to use yaSSL by default. To compile using OpenSSL instead, use this procedure:
Ensure OpenSSL 1.0.1 or higher is installed on your system. To obtain OpenSSL, visit http://www.openssl.org.
To use OpenSSL, add the
-DWITH_SSL=system option to the
CMake command you normally use to configure
the MySQL source distribution. For example:
shell> cmake . -DWITH_SSL=system
That command configures the distribution to use the installed OpenSSL library. See MySQL Source-Configuration Options.
Compile and install the distribution.
To check whether a mysqld server supports
secure connections, examine the value of the
have_ssl system variable:
mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl | YES |
+---------------+-------+
If the value is YES, the server supports secure
connections. If the value is DISABLED, the
server is capable of supporting secure connections but was not
started with the appropriate
--ssl- options to
enable secure connections to be used; see
Section 6.4, “Configuring MySQL to Use Secure Connections”.
xxx
To determine which encryption protocol and cipher are in use for
an encrypted connection, use the following statements to check the
values of the Ssl_version and
Ssl_cipher status variables:
mysql>SHOW SESSION STATUS LIKE 'Ssl_version';+---------------+-------+ | Variable_name | Value | +---------------+-------+ | Ssl_version | TLSv1 | +---------------+-------+ mysql>SHOW SESSION STATUS LIKE 'Ssl_cipher';+---------------+--------------------+ | Variable_name | Value | +---------------+--------------------+ | Ssl_cipher | DHE-RSA-AES256-SHA | +---------------+--------------------+
If the connection is not encrypted, both variables have an empty value.
MySQL supports encrypted connections using the TLSv1 protocol. As of MySQL 5.5.42, it explicitly disables SSL 2.0 and SSL 3.0 because they provide weak encryption.
To determine which ciphers a given server supports, use the
following statement to check the value of the
Ssl_cipher_list status variable:
SHOW SESSION STATUS LIKE 'Ssl_cipher_list';
The set of available ciphers depends on your MySQL version and whether MySQL was compiled using OpenSSL or yaSSL, and (for OpenSSL) the library version used to compile MySQL.
MySQL passes this cipher list to OpenSSL:
AES256-GCM-SHA384 AES256-SHA AES256-SHA256 CAMELLIA256-SHA DES-CBC3-SHA DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA DHE-DSS-AES256-SHA256 DHE-DSS-CAMELLIA256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-CAMELLIA256-SHA ECDH-ECDSA-AES256-GCM-SHA384 ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES256-SHA384 ECDH-ECDSA-DES-CBC3-SHA ECDH-RSA-AES256-GCM-SHA384 ECDH-RSA-AES256-SHA ECDH-RSA-AES256-SHA384 ECDH-RSA-DES-CBC3-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA PSK-3DES-EDE-CBC-SHA PSK-AES256-CBC-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-DSS-AES-128-CBC-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA SRP-RSA-AES-128-CBC-S SRP-RSA-AES-256-CBC-SHA
MySQL passes this cipher list to yaSSL:
AES128-RMD AES128-SHA AES256-RMD AES256-SHA DES-CBC-SHA DES-CBC3-RMD DES-CBC3-SHA DHE-RSA-AES128-RMD DHE-RSA-AES128-SHA DHE-RSA-AES256-RMD DHE-RSA-AES256-SHA DHE-RSA-DES-CBC3-RMD EDH-RSA-DES-CBC-SHA EDH-RSA-DES-CBC3-SHA RC4-MD5 RC4-SHA
To enable secure connections, your MySQL distribution must be built with SSL support, as described in Section 6.2, “Building MySQL with Support for Secure Connections”. In addition, the proper options must be used to specify the appropriate certificate and key files. For a complete list of options related to establishment of secure connections, see Section 6.5, “Command Options for Secure Connections”.
If you need to create the required SSL files, see Section 6.6, “Creating SSL Certificates and Keys Using openssl”.
To start the MySQL server so that it permits clients to connect securely, use options that identify the certificate and key files the server uses when establishing a secure connection:
--ssl-ca identifies the
Certificate Authority (CA) certificate.
--ssl-cert identifies the
server public key certificate. This can be sent to the client
and authenticated against the CA certificate that it has.
--ssl-key identifies the
server private key.
For example, start the server with these lines in the
my.cnf file, changing the file names as
necessary:
[mysqld] ssl-ca=ca.pem ssl-cert=server-cert.pem ssl-key=server-key.pem
Each option names a file in PEM format. If you have a MySQL source
distribution, you can test your setup using the demonstration
certificate and key files in its
mysql-test/std_data directory.
For client programs, options for secure connections are similar to
those used on the server side, but
--ssl-cert and
--ssl-key identify the client
public and private key:
--ssl-ca identifies the
Certificate Authority (CA) certificate. This option, if used,
must specify the same certificate used by the server.
--ssl-cert identifies the
client public key certificate.
--ssl-key identifies the
client private key.
To connect securely to a MySQL server that supports secure
connections, the options that a client must specify depend on the
encryption requirements of the MySQL account used by the client.
(See the discussion of the REQUIRE clause in
GRANT Syntax.)
Suppose that you want to connect using an account that has no
special encryption requirements or was created using a
GRANT statement that includes the
REQUIRE SSL option. As a recommended set of
secure-connection options, start the server with at least
--ssl-cert and
--ssl-key, and invoke the client
with --ssl-ca. A client can
connect securely like this:
shell> mysql --ssl-ca=ca.pem
To require that a client certificate also be specified, create the
account using the REQUIRE X509 option. Then the
client must also specify the proper client key and certificate
files or the server will reject the connection:
shell>mysql --ssl-ca=ca.pem \--ssl-cert=client-cert.pem \--ssl-key=client-key.pem
To prevent use of encryption and override other
--ssl- options,
invoke the client program with
xxx--ssl=0 or a synonym
(--skip-ssl,
--disable-ssl):
shell> mysql --ssl=0
A client can determine whether the current connection with the
server uses encryption by checking the value of the
Ssl_cipher status variable. If
the value is empty, the connection is not encrypted. Otherwise,
the connection is encrypted and the value indicates the encryption
cipher. For example:
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA |
+---------------+--------------------+
For the mysql client, an alternative is to use
the STATUS or \s command and
check the SSL line:
mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
Or:
mysql> \s
...
SSL: Not in use
...
The C API enables application programs to use secure connections:
To establish a secure connection, use the
mysql_ssl_set() C API function
to set the appropriate certificate options before calling
mysql_real_connect(). See
mysql_ssl_set().
To determine whether encryption is in use after the connection
is established, use
mysql_get_ssl_cipher(). A
non-NULL return value indicates an
encrypted connection and names the cipher used for encryption.
A NULL return value indicates that
encryption is not being used. See
mysql_get_ssl_cipher().
Replication uses the C API, so secure connections can be used between master and slave servers. See Setting Up Replication to Use Secure Connections.
This section describes options that specify whether to use secure connections and the names of certificate and key files. These options can be given on the command line or in an option file. They are not available unless MySQL has been built with SSL support. See Section 6.2, “Building MySQL with Support for Secure Connections”. For examples of suggested use and how to check whether a connection is secure, see Section 6.4, “Configuring MySQL to Use Secure Connections”.
Table 6.1 Secure-Connection Option Summary
| Format | Description | Introduced |
|---|---|---|
| --skip-ssl | Do not use secure connection | |
| --ssl | Enable secure connection | |
| --ssl-ca | Path of file that contains list of trusted SSL CAs | |
| --ssl-capath | Path of directory that contains trusted SSL CA certificates in PEM format | |
| --ssl-cert | Path of file that contains X509 certificate in PEM format | |
| --ssl-cipher | List of permitted ciphers to use for connection encryption | |
| --ssl-key | Path of file that contains X509 key in PEM format | |
| --ssl-mode | Security state of connection to server | 5.5.49 |
| --ssl-verify-server-cert | Verify server certificate Common Name value against host name used when connecting to server |
For the MySQL server, this option specifies that the server permits but does not require secure connections.
For MySQL client programs, this option permits but does not require the client to connect to the server using encryption. Therefore, this option is not sufficient in itself to cause a secure connection to be used. For example, if you specify this option for a client program but the server has not been configured to support secure connections, the client falls back to an unencrypted connection.
As a recommended set of options to enable secure connections,
use at least --ssl-cert and
--ssl-key on the server side
and --ssl-ca on the client
side. See Section 6.4, “Configuring MySQL to Use Secure Connections”.
--ssl may be implied by other
--ssl- options,
as indicated in the descriptions for those options.
xxx
The --ssl option in negated
form overrides other
--ssl- options
and indicates that encryption should not
be used. To do this, specify the option as
xxx--ssl=0 or a synonym
(--skip-ssl,
--disable-ssl).
For example, you might have options specified in the
[client] group of your option file to use
secure connections by default when you invoke MySQL client
programs. To use an unencrypted connection instead, invoke the
client program with
--ssl=0 on the
command line to override the options in the option file.
To require use of secure connections by a MySQL account, use a
GRANT statement for the account
that includes at least a REQUIRE SSL
clause. Connections for the account will be rejected unless
MySQL supports secure connections and the server and client
have been started with the proper secure-connection options.
The REQUIRE clause permits other
encryption-related options, which can be used to enforce
stricter requirements than REQUIRE SSL. For
additional details about which command options may or must be
specified by clients that connect using accounts configured
using the various REQUIRE options, see the
description of REQUIRE in
GRANT Syntax.
The path to a file in PEM format that contains a list of
trusted SSL certificate authorities. This option implies
--ssl.
If you use encryption when establishing a client connection,
to tell the client not to authenticate the server certificate,
specify neither --ssl-ca nor
--ssl-capath. The server still
verifies the client according to any applicable requirements
established for the client account, and it still uses any
--ssl-ca or
--ssl-capath option values
specified at server startup.
The path to a directory that contains trusted SSL certificate
authority certificates in PEM format. This option implies
--ssl.
If you use encryption when establishing a client connection,
to tell the client not to authenticate the server certificate,
specify neither --ssl-ca nor
--ssl-capath. The server still
verifies the client according to any applicable requirements
established for the client account, and it still uses any
--ssl-ca or
--ssl-capath option values
specified at server startup.
MySQL distributions compiled using OpenSSL support the
--ssl-capath option (see
Section 6.1, “OpenSSL Versus yaSSL”). Distributions
compiled using yaSSL do not because yaSSL does not look in any
directory and does not follow a chained certificate tree.
yaSSL requires that all components of the CA certificate tree
be contained within a single CA certificate tree and that each
certificate in the file has a unique SubjectName value. To
work around this yaSSL limitation, concatenate the individual
certificate files comprising the certificate tree into a new
file and specify that file as the value of the
--ssl-ca option.
The name of the SSL certificate file in PEM format to use for
establishing a secure connection. This option implies
--ssl.
A list of permissible ciphers to use for connection
encryption. If no cipher in the list is supported, encrypted
connections will not work. This option implies
--ssl.
For greatest portability,
cipher_list should be a list of one
or more cipher names, separated by colons. This format is
understood both by OpenSSL and yaSSL. Examples:
--ssl-cipher=AES128-SHA --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.
For information about which encryption ciphers MySQL supports, see Section 6.3, “Secure Connection Protocols and Ciphers”.
The name of the SSL key file in PEM format to use for
establishing a secure connection. This option implies
--ssl.
If the MySQL distribution was compiled using OpenSSL and the key file is protected by a passphrase, the program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. If the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.
This option is available only for client programs, not the server. It specifies the security state of the connection to the server:
If this option is not specified, the default value is
DISABLED (establish an unencrypted
connection) This is like the
--ssl=0 option or its
synonyms
(--skip-ssl,
--disable-ssl).
If this option is specified, the only permitted value is
REQUIRED (establish a secure connection
if the server supports secure connections). The connection
attempt fails if a secure connection cannot be
established.
The --ssl-mode option was
added in MySQL 5.5.49.
In MySQL 5.7 and higher, the C client library provides
native support for requiring encrypted connections (call the
mysql_options() C API
function, passing the MYSQL_OPT_SSL_MODE
option with a value of
SSL_MODE_REQUIRED). In MySQL
5.5, the client library provides no such
support because doing so would break binary compatibility
with previous library versions within the series. Clients
that require encrypted connections must implement the logic
themselves.
To require encrypted connections in MySQL 5.5,
the standard MySQL client programs use this technique: If
--ssl-mode=REQUIRED was
specified, the client program turns on SSL, connects to the
server, and checks whether the resulting connection is
encrypted. If not, the client exits with an error.
Third-party applications that must be able to require
encrypted connections can use the same technique. For
details, see mysql_ssl_set().
This option is available only for client programs, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. Verification is disabled by default.
This section describes how to use the openssl command to set up SSL certificate and key files for use by MySQL servers and clients. The first example shows a simplified procedure such as you might use from the command line. The second shows a script that contains more detail. The first two examples are intended for use on Unix and both use the openssl command that is part of OpenSSL. The third example describes how to set up SSL files on Windows.
Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
The following example shows a set of commands to create MySQL server and client certificate and key files. You will need to respond to several prompts by the openssl commands. To generate test files, you can press Enter to all prompts. To generate files for production use, you should provide nonempty responses.
# Create clean environment shell>rm -rf newcertsshell>mkdir newcerts && cd newcerts# Create CA certificate shell>openssl genrsa 2048 > ca-key.pemshell>openssl req -new -x509 -nodes -days 3600 \-key ca-key.pem -out ca.pem# Create server certificate, remove passphrase, and sign it # server-cert.pem = public key, server-key.pem = private key shell>openssl req -newkey rsa:2048 -days 3600 \-nodes -keyout server-key.pem -out server-req.pemshell>openssl rsa -in server-key.pem -out server-key.pemshell>openssl x509 -req -in server-req.pem -days 3600 \-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem# Create client certificate, remove passphrase, and sign it # client-cert.pem = public key, client-key.pem = private key shell>openssl req -newkey rsa:2048 -days 3600 \-nodes -keyout client-key.pem -out client-req.pemshell>openssl rsa -in client-key.pem -out client-key.pemshell>openssl x509 -req -in client-req.pem -days 3600 \-CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
After generating the certificates, verify them:
shell> openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
Now you have a set of files that can be used as follows:
ca.pem: Use this as the argument to
--ssl-ca on the server and
client sides. (The CA certificate, if used, must be the same
on both sides.)
server-cert.pem,
server-key.pem: Use these as the
arguments to --ssl-cert and
--ssl-key on the server
side.
client-cert.pem,
client-key.pem: Use these as the
arguments to --ssl-cert and
--ssl-key on the client
side.
To use the files for SSL connections, see Section 6.4, “Configuring MySQL to Use Secure Connections”.
Here is an example script that shows how to set up SSL certificate and key files for MySQL. After executing the script, use the files for SSL connections as described in Section 6.4, “Configuring MySQL to Use Secure Connections”.
DIR=`pwd`/openssl
PRIV=$DIR/private
mkdir $DIR $PRIV $DIR/newcerts
cp /usr/share/ssl/openssl.cnf $DIR
replace ./demoCA $DIR -- $DIR/openssl.cnf
# Create necessary files: $database, $serial and $new_certs_dir
# directory (optional)
touch $DIR/index.txt
echo "01" > $DIR/serial
#
# Generation of Certificate Authority(CA)
#
openssl req -new -x509 -keyout $PRIV/cakey.pem -out $DIR/ca.pem \
-days 3600 -config $DIR/openssl.cnf
# Sample output:
# Using configuration from /home/finley/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ................++++++
# .........++++++
# writing new private key to '/home/finley/openssl/private/cakey.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL admin
# Email Address []:
#
# Create server request and key
#
openssl req -new -keyout $DIR/server-key.pem -out \
$DIR/server-req.pem -days 3600 -config $DIR/openssl.cnf
# Sample output:
# Using configuration from /home/finley/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# ..++++++
# ..........++++++
# writing new private key to '/home/finley/openssl/server-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL server
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
#
# Sign server cert
#
openssl ca -cert $DIR/ca.pem -policy policy_anything \
-out $DIR/server-cert.pem -config $DIR/openssl.cnf \
-infiles $DIR/server-req.pem
# Sample output:
# Using configuration from /home/finley/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName :PRINTABLE:'FI'
# organizationName :PRINTABLE:'MySQL AB'
# commonName :PRINTABLE:'MySQL admin'
# Certificate is to be certified until Sep 13 14:22:46 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated
#
# Create client request and key
#
openssl req -new -keyout $DIR/client-key.pem -out \
$DIR/client-req.pem -days 3600 -config $DIR/openssl.cnf
# Sample output:
# Using configuration from /home/finley/openssl/openssl.cnf
# Generating a 1024 bit RSA private key
# .....................................++++++
# .............................................++++++
# writing new private key to '/home/finley/openssl/client-key.pem'
# Enter PEM pass phrase:
# Verifying password - Enter PEM pass phrase:
# -----
# You are about to be asked to enter information that will be
# incorporated into your certificate request.
# What you are about to enter is what is called a Distinguished Name
# or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [AU]:FI
# State or Province Name (full name) [Some-State]:.
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL AB
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:MySQL user
# Email Address []:
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
#
# Remove the passphrase from the key
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
#
# Sign client cert
#
openssl ca -cert $DIR/ca.pem -policy policy_anything \
-out $DIR/client-cert.pem -config $DIR/openssl.cnf \
-infiles $DIR/client-req.pem
# Sample output:
# Using configuration from /home/finley/openssl/openssl.cnf
# Enter PEM pass phrase:
# Check that the request matches the signature
# Signature ok
# The Subjects Distinguished Name is as follows
# countryName :PRINTABLE:'FI'
# organizationName :PRINTABLE:'MySQL AB'
# commonName :PRINTABLE:'MySQL user'
# Certificate is to be certified until Sep 13 16:45:17 2003 GMT
# (365 days)
# Sign the certificate? [y/n]:y
#
#
# 1 out of 1 certificate requests certified, commit? [y/n]y
# Write out database with 1 new entries
# Data Base Updated
#
# Create a my.cnf file that you can use to test the certificates
#
cat <<EOF > $DIR/my.cnf
[client]
ssl-ca=$DIR/ca.pem
ssl-cert=$DIR/client-cert.pem
ssl-key=$DIR/client-key.pem
[mysqld]
ssl-ca=$DIR/ca.pem
ssl-cert=$DIR/server-cert.pem
ssl-key=$DIR/server-key.pem
EOF
Download OpenSSL for Windows if it is not installed on your system. An overview of available packages can be seen here:
http://www.slproweb.com/products/Win32OpenSSL.html
Choose the Win32 OpenSSL Light or Win64 OpenSSL Light package,
depending on your architecture (32-bit or 64-bit). The default
installation location will be
C:\OpenSSL-Win32 or
C:\OpenSSL-Win64, depending on which package
you downloaded. The following instructions assume a default
location of C:\OpenSSL-Win32. Modify this as
necessary if you are using the 64-bit package.
If a message occurs during setup indicating
'...critical component is missing: Microsoft Visual C++
2008 Redistributables', cancel the setup and download
one of the following packages as well, again depending on your
architecture (32-bit or 64-bit):
Visual C++ 2008 Redistributables (x86), available at:
http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
Visual C++ 2008 Redistributables (x64), available at:
http://www.microsoft.com/downloads/details.aspx?familyid=bd2a6171-e2d6-4230-b809-9a8d7548c1b6
After installing the additional package, restart the OpenSSL setup procedure.
During installation, leave the default
C:\OpenSSL-Win32 as the install path, and
also leave the default option 'Copy OpenSSL DLL files
to the Windows system directory' selected.
When the installation has finished, add
C:\OpenSSL-Win32\bin to the Windows System
Path variable of your server:
On the Windows desktop, right-click the My Computer icon, and select .
Select the tab from the menu that appears, and click the button.
Under System Variables, select , then click the button. The dialogue should appear.
Add ';C:\OpenSSL-Win32\bin' to the end
(notice the semicolon).
Press OK 3 times.
Check that OpenSSL was correctly integrated into the Path variable by opening a new command console (Start>Run>cmd.exe) and verifying that OpenSSL is available:
Microsoft Windows [Version ...] Copyright (c) 2006 Microsoft Corporation. All rights reserved. C:\Windows\system32>cd \C:\>opensslOpenSSL>exit<<< If you see the OpenSSL prompt, installation was successful. C:\>
Depending on your version of Windows, the preceding path-setting instructions might differ slightly.
After OpenSSL has been installed, use instructions similar to those from Example 1 (shown earlier in this section), with the following changes:
Change the following Unix commands:
# Create clean environment shell>rm -rf newcertsshell>mkdir newcerts && cd newcerts
On Windows, use these commands instead:
# Create clean environment C:\>md c:\newcertsC:\>cd c:\newcerts
When a '\' character is shown at the end
of a command line, this '\' character
must be removed and the command lines entered all on a
single line.
After generating the certificate and key files, to use them for SSL connections, see Section 6.4, “Configuring MySQL to Use Secure Connections”.
This section describes how to get a secure connection to a remote
MySQL server with SSH. The information was provided by David
Carlson <dcarlson@mplcomm.com>.
Install an SSH client on your Windows machine. For a comparison of SSH clients, see http://en.wikipedia.org/wiki/Comparison_of_SSH_clients.
Start your Windows SSH client. Set Host_Name =
.
Set
yourmysqlserver_URL_or_IPuserid=
to log in to your server. This your_useriduserid value
might not be the same as the user name of your MySQL account.
Set up port forwarding. Either do a remote forward (Set
local_port: 3306, remote_host:
,
yourmysqlservername_or_ipremote_port: 3306 ) or a local forward (Set
port: 3306, host:
localhost, remote port: 3306).
Save everything, otherwise you will have to redo it the next time.
Log in to your server with the SSH session you just created.
On your Windows machine, start some ODBC application (such as Access).
Create a new file in Windows and link to MySQL using the ODBC
driver the same way you normally do, except type in
localhost for the MySQL host server, not
yourmysqlservername.
At this point, you should have an ODBC connection to MySQL, encrypted using SSH.