MySQL SSL

To set up SSL/TLS connections for MySQL you need three things...

  • A Certificate Authority (CA) certificate

  • A server public key certificate file

  • A server private key file

NOTE: As of MySQL 5.7.35, the TLSv1 and TLSv1.1 connection protocols are deprecated and support for them is subject to removal in a future MySQL version. (1)

You can also block deprecated TLS versions at the operating-system level (for example through a system-wide crypto policy applied to OpenSSL), independently of the MySQL setting.

Basic Configuration

Put the following in the [mysqld] section of my.cnf. The bare file names are resolved in datadir, where this page keeps them...

# TLS
ssl-ca = CA.cer
ssl-cert = cert.pem
ssl-key = key.pem
tls-version = TLSv1.2

Other variables...

  • require_secure_transport - when ON, connections that are not TLS or a local socket are rejected

  • ssl_capath - directory of trusted CA certificates (OpenSSL hashed-name layout)

  • ssl_cipher - permitted ciphers for TLSv1.2 and earlier

  • ssl_crl - certificate revocation list file

  • ssl_crlpath - directory of CRL files

  • tls_ciphersuites - permitted TLSv1.3 ciphersuites

Assumes all certificates and keys are in /var/lib/mysql (or your specified datadir), owned by the user mysqld runs as (normally mysql, otherwise the server cannot read key.pem), with the following UNIX level permissions...

chmod 644 CA.cer
chmod 644 cert.pem
chmod 600 key.pem

If you leave ssl-ca, ssl-cert and ssl-key unset, MySQL will use the auto generated (in your datadir) default certs and keys...

ca-key.pem
ca.pem
client-cert.pem
client-key.pem
private_key.pem
public_key.pem
server-cert.pem
server-key.pem

tls-version can be a comma separated list of versions e.g. TLSv1.2,TLSv1.3. Note that TLSv1.3 is only available if MySQL was built against OpenSSL 1.1.1 or higher. Check which libssl the binary links against with...

ldd $(which mysqld) | grep libssl
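As an added example (not from the original page and not part of MySQL), the following Python script audits the [mysqld] TLS settings described above: it parses the option file with the standard-library configparser, normalises the ssl-ca / ssl_ca spellings MySQL accepts, and reports deprecated protocol versions, missing certificate settings, require_secure_transport left off, and key or certificate files whose mode grants group/other access. The two embedded option files and the permission map are constructed; modes_from_datadir() is a hypothetical helper that builds that map from a real datadir. It assumes a single option file without !include or !includedir directives.

```python
"""Audit the TLS options in the [mysqld] section of a MySQL option file.

Added example for this page; not part of MySQL or of the original text.
Assumes one option file with no !include / !includedir directives.
"""
import configparser
import os
import stat

# Constructed option files: the first has the weaknesses discussed on the
# page, the second is the corrected form.
WEAK_CNF = """
[mysqld]
datadir = /var/lib/mysql
# TLS
ssl-ca = CA.cer
ssl-cert = cert.pem
ssl-key = key.pem
tls-version = TLSv1,TLSv1.1,TLSv1.2
"""

GOOD_CNF = """
[mysqld]
datadir = /var/lib/mysql
ssl-ca = CA.cer
ssl-cert = cert.pem
ssl-key = key.pem
tls-version = TLSv1.2,TLSv1.3
require_secure_transport = ON
"""

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}
# Permission bits that must NOT be set (key: 600, certificates: 644).
FORBIDDEN_BITS = {"ssl_key": 0o077, "ssl_cert": 0o022, "ssl_ca": 0o022}
RECOMMENDED_MODE = {"ssl_key": 0o600, "ssl_cert": 0o644, "ssl_ca": 0o644}


def load_mysqld_options(text):
    """Return the [mysqld] options as a dict with '-' normalised to '_'.

    MySQL accepts both spellings (ssl-ca and ssl_ca), so the audit looks
    every option up under the underscore form.
    """
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(text)
    if not parser.has_section("mysqld"):
        return {}
    return {key.replace("-", "_"): (value or "").strip()
            for key, value in parser.items("mysqld")}


def modes_from_datadir(options, default_datadir="/var/lib/mysql"):
    """Hypothetical helper: stat() each configured file, map name -> st_mode.

    Bare names are resolved relative to datadir; missing files map to None.
    """
    datadir = options.get("datadir") or default_datadir
    modes = {}
    for opt in RECOMMENDED_MODE:
        name = options.get(opt)
        if not name:
            continue
        path = name if os.path.isabs(name) else os.path.join(datadir, name)
        try:
            modes[name] = os.stat(path).st_mode
        except FileNotFoundError:
            modes[name] = None
    return modes


def audit_tls(options, file_modes=None):
    """Return a list of findings; an empty list means nothing to fix.

    file_modes maps file name -> st_mode (None if missing), as produced by
    modes_from_datadir(); pass None to skip the permission checks.
    """
    findings = []
    versions = [v.strip() for v in options.get("tls_version", "").split(",") if v.strip()]
    if not versions:
        findings.append("tls_version unset: build default applies and may include TLSv1/TLSv1.1")
    findings.extend(f"deprecated protocol enabled in tls_version: {v}"
                    for v in versions if v in DEPRECATED_TLS)
    if not all(options.get(opt) for opt in ("ssl_ca", "ssl_cert", "ssl_key")):
        findings.append("ssl_ca/ssl_cert/ssl_key not all set: auto-generated self-signed files are used")
    if options.get("require_secure_transport", "").upper() not in ("ON", "1", "TRUE"):
        findings.append("require_secure_transport is not ON: plaintext TCP connections are accepted")
    if file_modes is not None:
        for opt, forbidden in FORBIDDEN_BITS.items():
            name = options.get(opt)
            if not name or name not in file_modes:
                continue
            mode = file_modes[name]
            if mode is None:
                findings.append(f"{opt}: file {name} not found")
            elif stat.S_IMODE(mode) & forbidden:
                findings.append(f"{opt}: {name} has mode {stat.S_IMODE(mode):04o}, "
                                f"expected {RECOMMENDED_MODE[opt]:04o}")
    return findings


if __name__ == "__main__":
    # Constructed st_mode values standing in for a real stat(); key.pem is too open.
    modes = {"CA.cer": 0o100644, "cert.pem": 0o100644, "key.pem": 0o100644}
    for label, text in (("weak", WEAK_CNF), ("good", GOOD_CNF)):
        problems = audit_tls(load_mysqld_options(text), modes)
        print(f"{label}: {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

Against the constructed weak file the audit reports both deprecated protocols, the missing require_secure_transport and the world-readable key; the corrected file with key.pem at 600 produces no findings. On a real host, replace the constructed map with modes_from_datadir(options).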

Troubleshooting

These messages are common in the error log (mysql.log) at instance startup when the instance reads the SSL/TLS config from my.cnf...

[Warning] [MY-013414] [Server] Server SSL certificate doesn't verify: certificate has expired.

Check the certificate's expiry with...

openssl x509 -enddate -noout -in cert.pem

[Warning] [MY-010068] [Server] CA certificate CA.cer is self signed.

Expected when you run your own CA; clients need the same CA.cer to verify the server.

[System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.

This is the success message: TLS is configured on the main channel.

[Warning] A deprecated TLS version TLSv1 is enabled. Please use TLSv1.2 or higher.
[Warning] A deprecated TLS version TLSv1.1 is enabled. Please use TLSv1.2 or higher.

Check the versions currently enabled with...

SHOW GLOBAL VARIABLES LIKE 'tls_version';

Fix by setting this in /etc/my.cnf and restarting MySQL...

tls_version=TLSv1.2
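As an added example (not from the original page and not part of MySQL), this Python script triages the startup messages listed above. The embedded log is constructed from the message texts quoted in this section, prefixed with a timestamp and thread id in the MySQL 8 error-log layout, plus one unrelated "ready for connections" line to show non-TLS messages being ignored. Lines are matched on the MY-xxxxx code where one is present and on the message text otherwise, so lines without a code (the deprecated-TLS warnings above) are still caught. The rule table and its advice strings are the example's own.

```python
"""Triage TLS-related startup messages from a MySQL error log.

Added example for this page; not part of MySQL or of the original text.
"""
import re

# Constructed log, built from the messages quoted on the page plus one
# unrelated line; the "<timestamp> <thread-id>" prefix follows the MySQL 8
# error-log layout.
SAMPLE_LOG = """\
2024-03-01T08:00:00.000000Z 0 [Warning] [MY-013414] [Server] Server SSL certificate doesn't verify: certificate has expired.
2024-03-01T08:00:00.000000Z 0 [Warning] [MY-010068] [Server] CA certificate CA.cer is self signed.
2024-03-01T08:00:00.000000Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2024-03-01T08:00:00.000000Z 0 [Warning] A deprecated TLS version TLSv1 is enabled. Please use TLSv1.2 or higher.
2024-03-01T08:00:00.000000Z 0 [Warning] A deprecated TLS version TLSv1.1 is enabled. Please use TLSv1.2 or higher.
2024-03-01T08:00:00.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
"""

# Optional "<timestamp> <thread-id>" prefix, then [level], optional
# [MY-code], optional [subsystem], then the message text.
LINE_RE = re.compile(
    r"^(?:\S+\s+\d+\s+)?\[(?P<level>\w+)\]\s+"
    r"(?:\[(?P<code>MY-\d{6})\]\s+)?(?:\[(?P<subsys>\w+)\]\s+)?(?P<msg>.*)$"
)
DEPRECATED_RE = re.compile(r"A deprecated TLS version (TLSv1(?:\.\d)?) is enabled")

# (code, message substring, severity, meaning, action); the substring is the
# fallback for logs whose lines carry no MY-code.
RULES = [
    ("MY-013414", "certificate has expired", "error",
     "server certificate has expired; clients that verify it will fail",
     "openssl x509 -enddate -noout -in cert.pem, then reissue the certificate"),
    ("MY-010068", "is self signed", "info",
     "CA certificate is self-signed (normal for a private CA)",
     "distribute the same CA file to clients so they can verify the server"),
    ("MY-013602", "configured to support TLS", "ok",
     "TLS is active on the main channel",
     "confirm with SHOW GLOBAL VARIABLES LIKE 'tls_version'"),
]
SEVERITY_ORDER = {"ok": 0, "info": 1, "warning": 2, "error": 3}


def parse_line(line):
    """Split one error-log line into level/code/subsys/msg, or None if it does not fit."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(entry):
    """Return a finding dict for a TLS-related entry, or None for anything else."""
    dep = DEPRECATED_RE.search(entry["msg"])
    if dep:
        return {"severity": "warning", "version": dep.group(1),
                "meaning": f"deprecated protocol {dep.group(1)} is enabled",
                "action": "set tls_version=TLSv1.2 (or TLSv1.2,TLSv1.3) in my.cnf and restart"}
    for code, needle, severity, meaning, action in RULES:
        if entry["code"] == code or needle in entry["msg"]:
            return {"severity": severity, "meaning": meaning, "action": action}
    return None


def triage(log_text):
    """Run every line through classify() and return the TLS findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        result = classify(entry)
        if result is not None:
            findings.append({"code": entry["code"], "level": entry["level"], **result})
    return findings


def deprecated_versions(findings):
    """Protocol versions the server warned about, e.g. {'TLSv1', 'TLSv1.1'}."""
    return {f["version"] for f in findings if "version" in f}


def worst_severity(findings):
    """Highest severity seen, 'ok' when the log has no TLS problems."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.get, default="ok")


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['code'] or '-'}: {f['meaning']}\n    -> {f['action']}")
    print("deprecated versions:", sorted(deprecated_versions(results)))
    print("overall:", worst_severity(results))
```

On a live host, feed it the error log with something like triage(open("/var/log/mysql/mysql.log").read()); the path is whatever log_error points at. The deprecated-version set tells you exactly which protocols to drop from tls_version, and worst_severity() gives a single value to alert on.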

Status Variables

Bibliography & References