Enable SSL Lab

The document discusses configuring SSL/TLS encryption for MySQL connections. It shows how to generate SSL certificates and keys, enable SSL on the MySQL server, configure clients to require SSL, and test secure connections from a remote MySQL client. Key steps include using mysql_ssl_rsa_setup to generate certificates, editing my.cnf to set require_secure_transport=ON, and connecting clients with --ssl-ca, --ssl-cert, and --ssl-key options while specifying the client IDENTIFIED BY password REQUIRE SSL.

Uploaded by

benben08

# Check the current SSL/TLS state:

> mysql -u root -p -h 127.0.0.1

mysql> SHOW VARIABLES LIKE '%ssl%';

+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.01 sec)

mysql> \s

--------------
mysql Ver 14.14 Distrib 5.7.17, for Linux (x86_64) using EditLine wrapper

Connection id: 30
Current database:
Current user: root@localhost
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.17-0ubuntu0.16.04.1 (Ubuntu)
Protocol version: 10
Connection: 127.0.0.1 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 3 hours 38 min 44 sec

Threads: 1  Questions: 70  Slow queries: 0  Opens: 121  Flush tables: 1  Open tables: 40  Queries per second avg: 0.005
--------------

# Generate the SSL/TLS certificates and keys

> sudo mysql_ssl_rsa_setup --uid=mysql

Generating a 2048 bit RSA private key
...................................+++
.....+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
......+++
.................................+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
......................................................+++
.................................................................................+++
writing new private key to 'client-key.pem'
-----

> sudo find /var/lib/mysql -name '*.pem' -ls

256740 4 -rw-r--r-- 1 mysql mysql 1078 Mar 17 17:24 /var/lib/mysql/server-cert.pem
256735 4 -rw------- 1 mysql mysql 1675 Mar 17 17:24 /var/lib/mysql/ca-key.pem
256739 4 -rw-r--r-- 1 mysql mysql  451 Mar 17 17:24 /var/lib/mysql/public_key.pem
256741 4 -rw------- 1 mysql mysql 1679 Mar 17 17:24 /var/lib/mysql/client-key.pem
256737 4 -rw-r--r-- 1 mysql mysql 1074 Mar 17 17:24 /var/lib/mysql/ca.pem
256743 4 -rw-r--r-- 1 mysql mysql 1078 Mar 17 17:24 /var/lib/mysql/client-cert.pem
256736 4 -rw------- 1 mysql mysql 1675 Mar 17 17:24 /var/lib/mysql/private_key.pem
256738 4 -rw------- 1 mysql mysql 1675 Mar 17 17:24 /var/lib/mysql/server-key.pem

# Enable SSL connections on the MySQL server

> mysql -u root -p -h 127.0.0.1

mysql> SHOW VARIABLES LIKE '%ssl%';

+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.00 sec)

mysql> \s

--------------
. . .
SSL: Cipher in use is DHE-RSA-AES256-SHA
. . .
Connection: 127.0.0.1 via TCP/IP
. . .
--------------
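An added checker, not part of the lab, that reads the two outputs compared above (SHOW VARIABLES LIKE '%ssl%' and the SSL line of \s) and reports what is still weak after SSL is enabled; the sample outputs are constructed copies of the lab's before/after state, and the legacy-cipher pattern is my own assumption.

```python
import re

# Constructed samples modelled on the lab's transcript, not captured live.
VARS_BEFORE = """\
| have_ssl     | DISABLED |
| ssl_ca       |          |
| ssl_cert     |          |
| ssl_cipher   |          |
| ssl_key      |          |
"""
VARS_AFTER = """\
| have_ssl     | YES             |
| ssl_ca       | ca.pem          |
| ssl_cert     | server-cert.pem |
| ssl_cipher   |                 |
| ssl_key      | server-key.pem  |
"""
STATUS_BEFORE = "SSL:\t\t\tNot in use\nConnection:\t\t127.0.0.1 via TCP/IP\n"
STATUS_AFTER = "SSL:\t\t\tCipher in use is DHE-RSA-AES256-SHA\nConnection:\t\t127.0.0.1 via TCP/IP\n"
# Assumed legacy list: SHA-1 MAC CBC suites ('-SHA' suffix), RC4, DES, MD5, NULL.
LEGACY_CIPHER_RE = re.compile(r"-SHA$|RC4|DES|MD5|NULL")

def parse_variables(table):
    """Turn the '| name | value |' rows of SHOW VARIABLES output into a dict."""
    out = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Variable_name":  # skip header/borders
            out[cells[0]] = cells[1]
    return out

def session_cipher(status):
    """Cipher named on the 'SSL:' line of the \\s status output, or None."""
    m = re.search(r"^SSL:\s+Cipher in use is (\S+)", status, re.M)
    return m.group(1) if m else None

def audit_tls(table, status):
    """Return (cipher, findings): what the session uses and what to tighten."""
    v, findings = parse_variables(table), []
    if v.get("have_ssl") != "YES":
        findings.append("have_ssl=%s: server cannot offer TLS" % v.get("have_ssl"))
    for name in ("ssl_ca", "ssl_cert", "ssl_key"):
        if not v.get(name):
            findings.append("%s is not set" % name)
    if not v.get("ssl_cipher"):
        findings.append("ssl_cipher is empty: any cipher the client offers is accepted")
    cipher = session_cipher(status)
    if cipher is None:
        findings.append("this session is not encrypted")
    elif LEGACY_CIPHER_RE.search(cipher):
        findings.append("legacy cipher negotiated: " + cipher)
    return cipher, findings
```

The cipher the lab negotiates, DHE-RSA-AES256-SHA, is a CBC suite with a SHA-1 MAC; setting ssl_cipher in the [mysqld] section restricts what the server will accept.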
# Configure secure connections for remote clients

> edit the file /etc/mysql/my.cnf and add the require_secure_transport option:


. . .

!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

[mysqld]
# Require clients to connect either using SSL
# or through a local socket file
require_secure_transport = ON
bind-address = 0.0.0.0

> sudo systemctl restart mysql

> sudo netstat -plunt

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      4330/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1874/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1874/sshd

> sudo ufw allow mysql

Rule added
Rule added (v6)

# Configure a remote MySQL user

mysql> CREATE USER 'remote_user'@'mysql_client_IP' IDENTIFIED BY 'password' REQUIRE SSL;
mysql> CREATE DATABASE example;
mysql> GRANT ALL ON example.* TO 'remote_user'@'mysql_client_IP';
mysql> FLUSH PRIVILEGES;
mysql> exit

# Test the connection (from the remote client, -h names the MySQL server):

> mysql -u remote_user -p [-h mysql_server_IP]

> sudo mysql -u remote_user -p [-h mysql_server_IP] --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem
mysql> exit
