
I'm seeking to clear some information up for myself involving remote SSL connections to MySQL. Specifically, once I have MySQL set up to enable SSL and have a remote user that requires SSL.

This is how I connect (command line), remotely, to MySQL with a user that requires SSL:

mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem


My question is: Why do I have to provide the ca.pem file as the client?


These are the steps I took to install MySQL on the server and set up remote access (Ubuntu):

Steps to Enable SSL for MySQL

1) Obtain my Certificate Authority cert, Database cert, Database key

  • ca.pem (Certificate Authority cert)
  • dbcert.pem (Database cert)
  • dbkey.pem (Database key)

2) Add the following lines to /etc/mysql/my.cnf under [mysqld]

ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem


3) Restart MySQL and confirm SSL is enabled by logging in and typing the following:

show variables like '%ssl%';




Configure Remote Connection Requiring SSL

1) Comment out the following lines in /etc/mysql/my.cnf

#bind-address
#skip-networking

2) Log in to MySQL and grant a user access to, in this case, every database

GRANT ALL PRIVILEGES ON *.* TO 'USERNAME'@'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL;


At this point, I have MySQL set up to enable SSL and I have a remote user that will require SSL to log in. I am able to log in from a remote command line, but I need to specify the --ssl-ca.

Why do I have to provide the ssl-ca from the client? Is there a way to do this so that I don't have to?

I would really appreciate some insight here.

Thanks in advance.


Unlike your typical web browser, a command-line tool like mysql doesn't have a built-in list of certificate authorities. Browsers come with a built-in list of certification authorities, and you implicitly trust them (whether you know it or not).

When you use mysql to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the CA signing it."

For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.

http://razorsql.com/articles/mysql_ssl_jdbc.html

How can I configure Hibernate to use SSL to talk to the DB server?


1 Comment

This makes 100% sense to me. I'm going to mark this as the accepted answer. This leads to my followup question of negotiating the remote connection from Java using hibernate. I'm not sure if you can help me here or if I should repost it, but I'm trying to remote connect (requiring SSL) through Java. However, I can't find out how to provide the Certificate Authority for the hibernate config...
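The answer's point that the client, not the server, has to be told which CA to trust applies to a Java client just as it does to the mysql command line, and the comment above asks how to do that for JDBC/Hibernate. The example below is added here and is not code from the question or the answer; it assumes MySQL Connector/J 8.0.13 or newer (which introduced the sslMode property), the host 192.168.5.5 and the ca.pem from the question, and it uses placeholder values for the trust store path, its password, the database name and the credentials. The CA file first has to be converted into a Java trust store, which is what the keytool command in the leading comment does.

```java
// Added example (not from the question or answer): giving a Java/JDBC client
// the same CA that the command-line client gets via --ssl-ca.
// Assumptions: MySQL Connector/J 8.0.13+, host 192.168.5.5 and the ca.pem
// from the question; trust store path, password, database name and
// credentials are placeholders.
//
// Step 1 (shell, run once): put ca.pem into a Java trust store.
//   keytool -importcert -alias mysql-ca -file /path/to/ca.pem \
//           -keystore /path/to/truststore.jks -storepass changeit -noprompt

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class MysqlTlsClient {

    /** Connection properties that make Connector/J verify the server certificate. */
    static Properties verifyingProperties(String user, String password) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // VERIFY_CA: encrypt AND require the server certificate to chain to a
        // CA in our trust store. REQUIRED would encrypt but accept any
        // certificate, i.e. the session is private against eavesdropping but
        // not against an impostor server. VERIFY_IDENTITY additionally checks
        // that the certificate's name matches the host we connected to.
        props.setProperty("sslMode", "VERIFY_CA");
        // Where the driver finds the CA: the trust store built from ca.pem.
        props.setProperty("trustCertificateKeyStoreUrl", "file:/path/to/truststore.jks");
        props.setProperty("trustCertificateKeyStorePassword", "changeit");
        return props;
    }

    /** Opens a connection and returns the TLS cipher the server reports for it. */
    static String connectAndReportCipher(String jdbcUrl, Properties props) throws SQLException {
        try (Connection conn = DriverManager.getConnection(jdbcUrl, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            // Column 2 is the Value column; empty would mean "not encrypted".
            return rs.next() ? rs.getString(2) : "";
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:mysql://192.168.5.5:3306/mydb";   // database name is a placeholder
        Properties props = verifyingProperties("MyUserName", "PASSWORD");
        // With sslMode=VERIFY_CA the handshake fails outright if the server's
        // certificate is not signed by a CA in truststore.jks, so reaching this
        // line means both encryption and CA verification succeeded.
        System.out.println("Ssl_cipher = " + connectAndReportCipher(url, props));
    }
}
```

For Hibernate the same keys go into its configuration with the hibernate.connection. prefix (hibernate.connection.sslMode, hibernate.connection.trustCertificateKeyStoreUrl, hibernate.connection.trustCertificateKeyStorePassword), because Hibernate strips that prefix and hands the remaining properties to the JDBC driver; alternatively they can be appended to the JDBC URL as query parameters. On the older Connector/J 5.1 line the equivalent settings are useSSL=true, requireSSL=true and verifyServerCertificate=true together with the same two trustCertificateKeyStore properties. Either way, the point from the answer holds: the server's REQUIRE SSL only forces encryption, and whether the client checks who it is talking to is decided entirely by the CA the client is given.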
