MySQL SSL Checklist
- Verify that the modulus of the key is the same as the certificate's. The two hashes printed by the following commands should be identical; if they are not, the certificate does not match the key, and the MySQL server will have `have_ssl` set to `DISABLED`.

      $ openssl x509 -noout -modulus -in server.crt | md5sum
      $ openssl rsa -noout -modulus -in server.key | md5sum
- Verify that the CA certificate is correct and that the certificate chain is in the proper order. For example, StartSSL Class 1 certificates should have `sub.class1.server.ca.pem` first and then the `ca.pem` root CA certificate itself. However, I found out that specifying the Class 1 intermediate certificate is enough. Failure to set the CA certificates correctly would lead to the following message on the client:

  After connecting, check that the connection is actually done over SSL:
- Use the `REQUIRE` keyword to specify the SSL connection checks. `SSL` simply requires that the connection uses SSL. `X509` additionally requires that the client certificate be verifiable against the server's CA certificate. You can also use `ISSUER`, `SUBJECT` and `CIPHER`. However, due to a bug in MySQL that requires a specific order of RDNs, and an Ubuntu MySQL upstart configuration bug that breaks logging to syslog, this may take a while to figure out; see the bug report for a workaround. The following works with my StartSSL certificate:

      GRANT ALL ON *.* TO 'user'@'my-host'
        REQUIRE SUBJECT '/C=UA/CN=my-clienthost.lappyfamily.net/emailAddress=my-email@example.net'
        AND ISSUER '/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA';
- Configure the firewall to limit access to the MySQL server to a set of known addresses. Remember that MySQL clients don't verify the server certificate's host name. This is also one of the cases where you may want to create your own CA: if you use `REQUIRE X509` only, any other client holding a certificate from the same public CA would pass the certificate check simply because it was issued by the same authority.
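A small script that automates the first two items of the checklist (key/certificate modulus match, and verification of the server certificate against the CA bundle MySQL will be given as `ssl-ca`), as an added example that is not part of the original post. It assumes `openssl` is on the path; the file names passed to it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# certificate, key and CA file before pointing my.cnf at them.
# Assumes openssl is installed; RSA keys, as in the checklist above.

# Compare the certificate's public modulus with the private key's.
# Returns 0 when they match, 1 otherwise (unreadable files also fail).
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Verify the server certificate against the CA bundle (intermediate
# and/or root, in the order the checklist describes).
chain_is_valid() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run both checks and report; returns 0 only when every check passes.
check_mysql_ssl_files() {
    ca=$1; cert=$2; key=$3
    rc=0
    if cert_matches_key "$cert" "$key"; then
        echo "OK: $cert matches $key"
    else
        echo "FAIL: $cert does not match $key (have_ssl would be DISABLED)"
        rc=1
    fi
    if chain_is_valid "$ca" "$cert"; then
        echo "OK: $cert verifies against $ca"
    else
        echo "FAIL: $cert does not verify against $ca"
        rc=1
    fi
    return $rc
}

# Usage: check_mysql_ssl_files ca.pem server.crt server.key
```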