MySQL + SSL

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Oct 8 07:45:57 UTC 2009


Olivier Nicole wrote:
> Hi,
> 
> I have been struggling to find the correct syntax for the mysql(1)
> command to connect with SSL.
> 
> My server is accepting SSL connections:
> 
>   db2<root>: mysql -u root -p
>   Enter password: 
>   Welcome to the MySQL monitor.  Commands end with ; or \g.
>   Your MySQL connection id is 1
>   Server version: 5.4.2-beta FreeBSD port: mysql-server-5.4.2
>   
>   Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
>   
>   mysql> SHOW VARIABLES LIKE '%ssl%';
>   +---------------+-------------------------------------------+
>   | Variable_name | Value                                     |
>   +---------------+-------------------------------------------+
>   | have_openssl  | YES                                       |
>   | have_ssl      | YES                                       |
>   | ssl_ca        | /usr/local/ssl/ca/ait-itserv.crt          |
>   | ssl_capath    |                                           |
>   | ssl_cert      | /usr/local/ssl/crt/db2.cs.ait.ac.th.crt   |
>   | ssl_cipher    | DHE-RSA-AES256-SHA:AES128-SHA             |
>   | ssl_key       | /database/mysql/database.cs.ait.ac.th.key |
>   +---------------+-------------------------------------------+
>   7 rows in set (0.00 sec)
>   
>   mysql> quit
>   Bye
>   db2<root>:

This is a question more suited to one of the various MySQL fora really.

Anyhow, the standard take on using SSL to encrypt MySQL connections is:
don't do it.  MySQL is apparently pretty ropey when it comes to doing
crypto.

Instead, you should use ipsec, ssh, stunnel or the like to provide an
encrypted transport layer that you access MySQL through.  It's also
generally the case that the overhead of doing encryption between the DB
and the client application tends to destroy performance.  Design your 
network so that the DB is close to the application servers and has a
protected private network between the two, where you can send plaintext
traffic without fear of snooping.  If you need to work with systems
distributed over a number of sites, then replicating the DB so there is
an instance at each location is a good design choice, despite the
difficulties this introduces with Insert/Update/Delete on replica
DBs.  Then just encrypt the transport layer the inter-site replication
traffic uses.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
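As an added illustration of the stunnel approach Matthew recommends (not part of the original thread, and not a FreeBSD or MySQL project configuration), here is a constructed pair of stunnel.conf sections: the first goes on the DB host, the second on each application server.  Hostnames, ports and certificate paths are placeholders; MySQL itself is assumed to be bound to 127.0.0.1 only, so the only network route in is through the tunnel, and both ends are set to verify the peer certificate so the tunnel is authenticated, not merely encrypted.

```ini
; Constructed example, not part of the original thread.
; All hosts, ports and certificate paths are placeholders.

; ---- DB host: /usr/local/etc/stunnel/stunnel.conf ----
; MySQL listens on 127.0.0.1:3306 only (bind-address = 127.0.0.1 in my.cnf).
; stunnel exposes a TLS endpoint on 3307 and forwards to that loopback port,
; so the plaintext hop never leaves the machine.
[mysql-server]
accept  = 0.0.0.0:3307
connect = 127.0.0.1:3306
; server certificate plus private key (placeholder path)
cert    = /usr/local/etc/stunnel/db-server.pem
; CA that issued the application servers' client certificates
CAfile  = /usr/local/etc/stunnel/ca.pem
; level 2: require a client certificate and check it chains to CAfile
verify  = 2

; ---- application server: /usr/local/etc/stunnel/stunnel.conf ----
; The application connects to 127.0.0.1:3306 as if the DB were local;
; stunnel carries that over TLS to the DB host's 3307.
[mysql-client]
client  = yes
accept  = 127.0.0.1:3306
connect = db.example.internal:3307
; client certificate plus private key presented to the DB host (placeholder path)
cert    = /usr/local/etc/stunnel/app-client.pem
CAfile  = /usr/local/etc/stunnel/ca.pem
; level 2: refuse the tunnel unless the DB host's certificate chains to CAfile
verify  = 2
```

One gotcha when testing from the application server: mysql(1) treats the host name "localhost" as a request for the Unix socket, so connect with `mysql -h 127.0.0.1 -P 3306` to actually go through the tunnel.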
