To configure SSL/TLS encryption for MySQL connections, follow these steps:
server-cert.pem
), server key (server-key.pem
), client certificate (client-cert.pem
), and client key (client-key.pem
). These files should be placed in a secure directory on your MySQL server.Configure MySQL Server: Edit the MySQL configuration file (my.cnf
or my.ini
depending on your operating system). Add or modify the following lines under the [mysqld]
section:
<code>[mysqld] ssl-ca=/path/to/ca-cert.pem ssl-cert=/path/to/server-cert.pem ssl-key=/path/to/server-key.pem</code>
Replace /path/to/
with the actual paths where your certificates are stored.
Verify Server SSL Configuration: Connect to MySQL and run the following command to verify that the server is using SSL:
<code>SHOW VARIABLES LIKE 'have_ssl';</code>
The output should show YES
.
Configure MySQL Client: To ensure that the client also uses SSL for connections, you can specify SSL options in the client configuration file or at runtime. For example, you can add the following lines to the [client]
section of your MySQL client configuration file (my.cnf
or my.ini
):
<code>[client] ssl-ca=/path/to/ca-cert.pem ssl-cert=/path/to/client-cert.pem ssl-key=/path/to/client-key.pem</code>
Test SSL Connection: Connect to the MySQL server using the client, specifying the SSL options if not already configured in the client configuration file. Use the command:
<code>mysql -h hostname -u username -p --ssl-ca=/path/to/ca-cert.pem --ssl-cert=/path/to/client-cert.pem --ssl-key=/path/to/client-key.pem</code>
Once connected, you can verify the SSL status by running:
<code>STATUS;</code>
The output should show SSL: Cipher in use
.
To generate and install SSL certificates for MySQL, follow these steps:
Generate a Certificate Authority (CA) Certificate: Use OpenSSL to create a CA certificate and key. Run the following commands:
<code>openssl genrsa 2048 > ca-key.pem openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem</code>
You will be prompted to enter details about the CA, such as the country name and organization name.
Generate Server Certificate and Key: Create a server certificate request and sign it with the CA:
<code>openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem openssl rsa -in server-key.pem -out server-key.pem openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem</code>
When generating the server request, ensure the Common Name
matches the hostname of your MySQL server.
Generate Client Certificate and Key: Similarly, create a client certificate request and sign it with the CA:
<code>openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem openssl rsa -in client-key.pem -out client-key.pem openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem</code>
/etc/mysql/ssl/
.my.cnf
or my.ini
) to point to the certificate files, as described in the previous section.Yes, you can use self-signed certificates for MySQL SSL/TLS encryption. However, there are several security implications to consider:
To verify that SSL/TLS encryption is working correctly for your MySQL connections, follow these steps:
Check MySQL Server Configuration: Connect to the MySQL server and run:
<code>SHOW VARIABLES LIKE 'have_ssl';</code>
The output should show YES
, indicating that SSL is enabled.
Verify SSL Connection Status: Once connected to the MySQL server, run:
<code>STATUS;</code>
The output should include an SSL
field showing the cipher in use, for example, SSL: Cipher in use is TLS_AES_256_GCM_SHA384
.
Use the SHOW STATUS
Command: Run the following command to get more detailed information about SSL connections:
<code>SHOW STATUS LIKE 'Ssl_cipher';</code>
This should show the cipher being used for the current connection.
Check Client Connection with SSL Options: Connect to the MySQL server using the client with SSL options specified:
<code>mysql -h hostname -u username -p --ssl-ca=/path/to/ca-cert.pem --ssl-cert=/path/to/client-cert.pem --ssl-key=/path/to/client-key.pem</code>
The connection should succeed, and you can verify the SSL status using the STATUS
command.
Monitor SSL Connection Metrics: You can monitor SSL connection metrics by running:
<code>SHOW GLOBAL STATUS LIKE 'Ssl%';</code>
This command provides various SSL-related status variables, such as Ssl_accepts
, Ssl_accept_renegotiates
, and Ssl_client_connects
, which can help you assess the overall SSL usage on your server.
By following these steps, you can ensure that SSL/TLS encryption is properly configured and functioning for your MySQL connections.
The above is the detailed content of How do I configure SSL/TLS encryption for MySQL connections?. For more information, please follow other related articles on the PHP Chinese website!