Tue, 01 Mar 2005

MySQL with SSL on Debian

Due to licensing issues, the Debian packages for MySQL are not built with OpenSSL support. In order to enable SSL, the packages must be recompiled.

server:/usr/src# apt-get build-dep mysql-server
server:/usr/src# apt-get install libssl-dev
server:/usr/src# apt-get source mysql-server
server:/usr/src# cd mysql-dfsg-4.0.23 (or whatever version you're building)
server:/usr/src/mysql-dfsg-4.0.23# vi debian/rules

Change --without-ssl to --with-ssl.

server:/usr/src/mysql-dfsg-4.0.23# vi debian/changelog

Add an entry to the top of the changelog.

mysql-dfsg (4.0.23-4-zerolag-1) unstable; urgency=low

  * Compile with OpenSSL support

 -- Christian Warden   Fri, 25 Feb 2005 12:32:05 -0800

Then build and install the packages.

server:/usr/src/mysql-dfsg-4.0.23# ./debian/rules binary
server:/usr/src/mysql-dfsg-4.0.23# dpkg -i ../*mysql*.deb

If you already have an SSL certificate that you're using with mod_ssl, you can use that. Otherwise, generate a new key and certificate. See /usr/share/doc/mysql-server/SSL-MINI-HOWTO.txt.gz for information on how to generate a self-signed certificate. Add the key and certificate to /etc/mysql/my.cnf.

[mysqld]
...
ssl-key=/etc/mysql/server.key
ssl-cert=/etc/mysql/cert.key

Create a user in MySQL that requires SSL encryption.

mysql> GRANT ALL on db.* to user@10.0.0.10 IDENTIFIED BY 'password' REQUIRE SSL;

Now, you should be able to connect over SSL. Remember that the client must have been compiled with SSL support too. In order to use SSL, the client must use the --ssl-ca option, either on the command line or in ~/.my.cnf (or the [mysql] section of /etc/mysql/my.cnf).

client:~$ mysql --ssl-ca=/dev/null -h server -u user -p 

As far as I can tell, there's no way to actually force the client to validate the server's certificate, so it doesn't matter what value you set for ssl-ca. It doesn't even have to exist. This, of course, means that while the connection is encrypted, it's vulnerable to man-in-the-middle attacks.

See /usr/share/doc/mysql-server/SSL-MINI-HOWTO.txt.gz if you want to use client certificates to authenticate clients rather than, or in addition to, passwords.
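As an added example (not part of the original post), here are the server-side checks and GRANT variants that go with the setup above: confirming the rebuilt server really has SSL enabled, the password-plus-SSL account, the client-certificate account mentioned in the HOWTO, and a status check to see whether a given session is actually encrypted. User, host, database, password and certificate subject values are placeholders.

```sql
-- Added example, not from the original post. Account names, hosts,
-- passwords and certificate DNs below are placeholders.

-- 1. Confirm the rebuilt server is actually running with SSL.
--    YES      = compiled with OpenSSL and ssl-key/ssl-cert were accepted
--    DISABLED = SSL build, but the server started without usable key/cert
--    NO       = the stock Debian build, still --without-ssl
SHOW VARIABLES LIKE 'have_openssl';

-- 2. Password account that may only connect over an encrypted channel.
--    A plaintext connection attempt is refused by the server itself,
--    regardless of what the client passes for --ssl-ca.
GRANT ALL ON db.* TO 'appuser'@'10.0.0.10'
    IDENTIFIED BY 'changeme' REQUIRE SSL;

-- 3. Account that must also present a client certificate with a specific
--    subject and issuer. The server verifies it against the CA named by
--    ssl-ca in the [mysqld] section (so ssl-ca must be set there too,
--    in addition to ssl-key and ssl-cert). This direction of validation,
--    server checking client, does work, unlike the client checking the
--    server described above.
GRANT ALL ON db.* TO 'certuser'@'10.0.0.10'
    IDENTIFIED BY 'changeme'
    REQUIRE SUBJECT '/C=US/O=Example/CN=certuser'
        AND ISSUER  '/C=US/O=Example/CN=Example CA';

-- 4. Run from a connected client session: Ssl_cipher is empty when the
--    session is plaintext and names the negotiated cipher when SSL is in
--    use, which is the quickest way to verify --ssl-ca actually took effect.
SHOW STATUS LIKE 'Ssl_cipher';
```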

Update: I originally forgot to note that you should update the changelog before building the packages.
