- it's hard to set up and configure
- they are just plain lazy
- they feel it offers zero security benefits
- or a combination of ALL the above :)
You will need the following for the server;
CA-cert
Server-cert
Server-key
You will need the following for the client(s);
CA-cert
Client-cert
Client-key
1st, here's my simplified my.cnf ( this is a very basic, stripped-down config )
[mysqld]
bind-address = *                    # listen on every interface; narrow this if the DB is not meant to be reachable from everywhere
ssl-ca=/etc/ssl/ca.pem              # CA that signed the server cert (and the client certs)
ssl-cert=/etc/ssl/server-cert.pem   # server certificate presented to clients
ssl-key=/etc/ssl/server-key.pem     # server private key; must be readable by the mysql service account and nobody else
Now, to check for SSL support, restart the server and show the global variables matching ssl. If it worked, have_ssl will have changed from DISABLED to YES and the ssl_ca / ssl_cert / ssl_key variables will show the paths from my.cnf, meaning SSL support is active in the mysql server.
Now we can test basic access with the root account while telling the client to use SSL;
To lock this down for a specific database user account, grant ( them ) their privileges and set REQUIRE SSL on that user(s).
And now compare an SSL and a non-SSL session;
If a user that has REQUIRE SSL tries to connect without SSL, ( he/she ) will get an access-denied message similar to the one below;
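The server-side checks and the GRANT described above, written out as an added example (this is not from the original post; the account name, password and database are assumptions, and the command lines in comments are the mysql client invocations you would type at the shell):

```sql
-- Added example, not from the original post. MySQL 5.7+ / MariaDB syntax;
-- 'appuser', 'change-me' and 'appdb' are assumed names.

-- 1. After the restart, confirm the server actually loaded the certificates.
--    have_ssl reads DISABLED when the build supports TLS but no certs are
--    configured, and YES once ssl-ca/ssl-cert/ssl-key are in effect.
--    (have_ssl is deprecated on MySQL 8.0; there you can also look at
--     performance_schema.tls_channel_status.)
SHOW GLOBAL VARIABLES LIKE 'have_ssl';
SHOW GLOBAL VARIABLES LIKE 'ssl_%';    -- ssl_ca, ssl_cert, ssl_key paths from my.cnf

-- 2. Create a database user that may only connect over TLS.
--    REQUIRE SSL demands an encrypted connection; it does NOT demand a client
--    certificate (that is REQUIRE X509 / REQUIRE SUBJECT).
CREATE USER 'appuser'@'%' IDENTIFIED BY 'change-me' REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'appuser'@'%';

--    To retrofit the requirement onto an existing account:
ALTER USER 'appuser'@'%' REQUIRE SSL;                -- MySQL 5.7+ / MariaDB 10.2+
-- GRANT USAGE ON *.* TO 'appuser'@'%' REQUIRE SSL;  -- pre-5.7 equivalent

-- 3. Verify what the server stored: ssl_type is '' when nothing is required,
--    'ANY' for REQUIRE SSL, 'X509' or 'SPECIFIED' for certificate requirements.
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'appuser';

-- 4. Compare a TLS and a plaintext session from the client side:
--      mysql -u appuser -p --ssl-mode=REQUIRED   (MySQL 5.7.11+ client; MariaDB: --ssl)
--    Ssl_cipher is empty on a plaintext session and names the negotiated
--    suite on a TLS session; '\s' in the mysql client shows the same thing.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 5. A plaintext attempt by appuser is refused at authentication:
--      mysql -u appuser -p --ssl-mode=DISABLED
--      ERROR 1045 (28000): Access denied for user 'appuser'@'...' (using password: YES)
```

The check in step 3 is the one worth scripting: a user whose ssl_type is still empty will happily connect in the clear no matter what the server's own ssl_* variables say.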
Yes it's really that simple.
In a real professional environment you will issue a unique client certificate per user, one per user, and make sure each user protects his private key with a passphrase.
If you want to revoke his access, revoke the certificate (and publish it in a CRL the server loads via ssl-crl, otherwise the server never learns about the revocation) and remove his account's grants.
For the mysql service, ensure the mysql user that runs the daemon can read the server private key file .... I have seen this issue be the #1 problem when setting up MySQL with SSL/TLS. chown and chmod the private key so that only the mysql service account can read it.
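Binding each account to its own client certificate, and what revocation has to look like on the MySQL side, as an added example (not from the original post; the DN strings, account names and CRL path are assumptions and must match exactly what your CA put into the certificates, in OpenSSL one-line DN format; generating the certificates with openssl is not shown here):

```sql
-- Added example, not from the original post. Names and DNs are assumed.

-- REQUIRE X509: any valid certificate signed by the configured ssl-ca is
-- enough. Every holder of a cert from that CA could log in as this account,
-- so this is only "some cert", not "this user's cert".
CREATE USER 'reporting'@'%' IDENTIFIED BY 'change-me' REQUIRE X509;

-- REQUIRE SUBJECT ... AND ISSUER ...: the presented certificate must carry
-- exactly this subject and be issued by exactly this CA. This is the
-- per-user binding: alice's certificate cannot authenticate as bob.
CREATE USER 'alice'@'%' IDENTIFIED BY 'change-me'
  REQUIRE SUBJECT '/C=US/O=Example Corp/OU=DBA/CN=alice'
      AND ISSUER  '/C=US/O=Example Corp/CN=Example Corp Internal CA';
GRANT SELECT ON appdb.* TO 'alice'@'%';

-- What the server stored: ssl_type is SPECIFIED and the DN strings live in
-- x509_subject / x509_issuer. Compare them against
--   openssl x509 -in alice-cert.pem -noout -subject -issuer
SELECT user, host, ssl_type, x509_subject, x509_issuer
  FROM mysql.user WHERE user = 'alice';

-- Revocation has two halves. The server does not fetch CRLs on its own:
-- unless mysqld is started with ssl-crl=/etc/ssl/crl.pem (or ssl-crlpath)
-- pointing at the CA's CRL, a revoked-but-unexpired certificate still
-- passes the TLS handshake. So cut the account first, then push the
-- updated CRL to the server and restart it (MySQL 8.0.16+ can instead run
-- ALTER INSTANCE RELOAD TLS).
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'alice'@'%';
DROP USER 'alice'@'%';
```

Without the account drop, the window between revoking the certificate and the server picking up a new CRL is a window in which the revoked key still works.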
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \