
Intro:

Secure communication between MySQL clients and servers can be set up via:

1. SSH - download and use software that has been designed to secure communications.
2. SSL - set up and use SSL.

Many Linux daemons such as mysqld, httpd, vsftpd etc. support SSL.

In MySQL you can decide which users are to use SSL, or implement it for all
users.
Use a common CA for both clients and server.

ssl_ca is the CA certificate that is used by clients and servers

Server:
ssl_cert is the public key (the server certificate)
ssl_key is the private key

show variables like 'have_ssl';

## Create a directory that will house all your keys for mysql
## /etc/ssl/mysql

cd /etc/ssl/
mkdir mysql
cd mysql/

## Generate or create CA certificates

openssl genrsa 2048 > ca-key.pem

openssl req -new -x509 -nodes -days 3660 -key ca-key.pem -out ca.pem

## The CA key and certificate (ca-key.pem and ca.pem) can now be used to sign subsequent keys.

## Now create the keys related to MySQL usage: create the server certificate

## You will need a signing request to create a web of trust for the clients and servers.
## You need a private key, which is used as input to generate the output, which is the request.
## So create the server request and private key (generating a 1024 bit RSA private key).
## The private key is used as input to generate a request (a certificate signing request).

## Create server certificate: steps

1. Generate a 1024 bit RSA private key: server-key.pem = private key

2. Create the server request using the RSA private key
## steps 1 and 2 are combined in the command below

openssl req -newkey rsa:2048 -days 3660 -nodes -keyout server-key.pem -out server-req.pem

## Since we are generating the private key and signing request for MySQL usage (for
## the mysql daemon, mysqld), let's generate a private key and a signing request with
## a more representative name to signify the daemon that will use it.

openssl req -newkey rsa:2048 -days 3660 -nodes -keyout mysql-server-key.pem -out mysql-server-req.pem

3. Remove the passphrase or password from the private key. This helps protect the
private key. Note that mysqld cannot answer a passphrase prompt at startup, so the
key file must be usable without one; restrict its file permissions instead (readable
only by the user mysqld runs as).

## openssl rsa -in server-key.pem -out server-key.pem

openssl rsa -in mysql-server-key.pem -out mysql-server-key.pem

4. Now sign the server certificate using the request and the keys from the CA
generated at the beginning (ca-key.pem and ca.pem).

## openssl x509 -req -in server-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

openssl x509 -req -in mysql-server-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out mysql-server-cert.pem

The server certificate to be used by mysql has been created and is called mysql-server-cert.pem

We can also create client certificates to be used by the mysql clients: steps

# Create client certificate

1. Create client request and key: openssl req -newkey rsa:2048 -days 3660 -nodes -keyout client-key.pem -out client-req.pem
2. Remove the passphrase from the key: openssl rsa -in client-key.pem -out client-key.pem
3. Sign client cert: openssl x509 -req -in client-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Note: The client cert is signed using the request and the keys from the CA generated at
the beginning (ca-key.pem and ca.pem).

## Many Linux daemons such as mysqld, httpd, vsftpd etc. support SSL, but since I am
## working on certificates to be used by mysql, I have tagged "mysql" on both the
## certificates to be used by the server and the clients.

openssl req -newkey rsa:2048 -days 3660 -nodes -keyout mysql-client-key.pem -out mysql-client-req.pem
openssl rsa -in mysql-client-key.pem -out mysql-client-key.pem

openssl x509 -req -in mysql-client-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out mysql-client-cert.pem

I had to update openssl: I was having errors without the updated version of openssl:

yum update openssl

## LAB: Create server certificate

[root@centos01 mysql]# which openssl
/usr/bin/openssl
[root@centos01 mysql]# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
..................+++
......+++
e is 65537 (0x10001)
[root@centos01 mysql]# ll
total 4
-rw-r--r-- 1 root root 1679 Jun 15 11:38 ca-key.pem
[root@centos01 mysql]# openssl req -new -x509 -nodes -days 3660 -key ca-key.pem -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Florida
Locality Name (eg, city) [Default City]:Clearwater
Organization Name (eg, company) [Default Company Ltd]:Clarity.net
Organizational Unit Name (eg, section) []:Release
Common Name (eg, your name or your server's hostname) []:centos01
Email Address []:sefange@clarityservices.com
[root@centos01 mysql]# ll
total 8
-rw-r--r-- 1 root root 1679 Jun 15 11:38 ca-key.pem
-rw-r--r-- 1 root root 1452 Jun 15 11:45 ca.pem
[root@centos01 mysql]# openssl req -newkey rsa:2048 -days 3660 -nodes -keyout mysql-server-key.pem -out mysql-server-req.pem
Generating a 2048 bit RSA private key
...+++
...................................................................................
............+++
writing new private key to 'mysql-server-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Florida
Locality Name (eg, city) [Default City]:Clearwater
Organization Name (eg, company) [Default Company Ltd]:Clarity
Organizational Unit Name (eg, section) []:Release
Common Name (eg, your name or your server's hostname) []:centos01
Email Address []:sefange@clarityservices.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos01 mysql]# openssl rsa -in mysql-server-key.pem -out mysql-server-key.pem
writing RSA key
[root@centos01 mysql]# openssl x509 -req -in mysql-server-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out mysql-server-cert.pem
Signature ok
subject=/C=US/ST=Florida/L=Clearwater/O=Clarity/OU=Release/CN=centos01/emailAddress=sefange@clarityservices.com
Getting CA Private Key
[root@centos01 mysql]# ll
total 20
-rw-r--r-- 1 root root 1679 Jun 15 11:38 ca-key.pem
-rw-r--r-- 1 root root 1452 Jun 15 11:45 ca.pem
-rw-r--r-- 1 root root 1322 Jun 15 11:48 mysql-server-cert.pem
-rw-r--r-- 1 root root 1679 Jun 15 11:47 mysql-server-key.pem
-rw-r--r-- 1 root root 1070 Jun 15 11:47 mysql-server-req.pem
[root@centos01 mysql]#

## LAB: Create client certificate

[root@centos01 mysql]# openssl req -newkey rsa:2048 -days 3660 -nodes -keyout mysql-client-key.pem -out mysql-client-req.pem
Generating a 2048 bit RSA private key
.....................................................................+++
.........................................................................+++
writing new private key to 'mysql-client-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Florida
Locality Name (eg, city) [Default City]:Clearwater
Organization Name (eg, company) [Default Company Ltd]:Clarity
Organizational Unit Name (eg, section) []:Release
Common Name (eg, your name or your server's hostname) []:centos01
Email Address []:sefange@clarityservices.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos01 mysql]# openssl rsa -in mysql-client-key.pem -out mysql-client-key.pem
writing RSA key
[root@centos01 mysql]# openssl x509 -req -in mysql-client-req.pem -days 3660 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out mysql-client-cert.pem
Signature ok
subject=/C=US/ST=Florida/L=Clearwater/O=Clarity/OU=Release/CN=centos01/emailAddress=sefange@clarityservices.com
Getting CA Private Key
[root@centos01 mysql]# ll
total 32
-rw-r--r-- 1 root root 1679 Jun 15 11:38 ca-key.pem
-rw-r--r-- 1 root root 1452 Jun 15 11:45 ca.pem
-rw-r--r-- 1 root root 1322 Jun 15 11:57 mysql-client-cert.pem
-rw-r--r-- 1 root root 1675 Jun 15 11:56 mysql-client-key.pem
-rw-r--r-- 1 root root 1070 Jun 15 11:56 mysql-client-req.pem
-rw-r--r-- 1 root root 1322 Jun 15 11:48 mysql-server-cert.pem
-rw-r--r-- 1 root root 1679 Jun 15 11:47 mysql-server-key.pem
-rw-r--r-- 1 root root 1070 Jun 15 11:47 mysql-server-req.pem
[root@centos01 mysql]#

# Verify the server and client certificates you created for mysql: openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

openssl verify -CAfile ca.pem mysql-server-cert.pem mysql-client-cert.pem
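The CA, server and client steps above as one non-interactive script, added here as an example and not part of the original notes; it assumes openssl is on PATH, takes the target directory (such as /etc/ssl/mysql) as its argument, and the subject names in it are constructed placeholders. Beyond the notes it adds the two checks a practitioner wants before pointing mysqld at the files: the chain verifies, and the CA's Common Name differs from the server's and client's, which MySQL requires.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes openssl on PATH and a
# writable target directory in $1. Subject names below are placeholders; the
# CA's CN is deliberately different from the server/client CNs because MySQL
# rejects a chain in which the CA and end-entity certs share a Common Name.
set -eu

make_mysql_pki() {
  dir=$1
  mkdir -p "$dir"
  # CA private key and self-signed CA certificate (ssl_ca on both sides)
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -nodes -days 3660 -key "$dir/ca-key.pem" \
    -out "$dir/ca.pem" -subj "/C=US/O=Example/CN=example-mysql-ca"
  serial=1
  for side in server client; do
    # key + signing request in one step, as in the notes (-nodes: no passphrase)
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/mysql-$side-key.pem" \
      -out "$dir/mysql-$side-req.pem" -subj "/C=US/O=Example/CN=mysql-$side" 2>/dev/null
    # no passphrase to strip here; this rewrites the key in the traditional
    # "RSA PRIVATE KEY" PEM form that older MySQL builds expect
    openssl rsa -in "$dir/mysql-$side-key.pem" -out "$dir/mysql-$side-key.pem" 2>/dev/null
    # sign with the CA; each cert gets its own serial instead of a repeated 01
    openssl x509 -req -in "$dir/mysql-$side-req.pem" -days 3660 -CA "$dir/ca.pem" \
      -CAkey "$dir/ca-key.pem" -set_serial "$serial" -out "$dir/mysql-$side-cert.pem" 2>/dev/null
    serial=$((serial + 1))
  done
  # the keys are unencrypted because mysqld cannot answer a passphrase prompt,
  # so the file mode is what protects them
  chmod 600 "$dir"/ca-key.pem "$dir"/mysql-*-key.pem
}

# Prints the Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Succeeds only if both leaf certs chain to ca.pem and neither reuses the
# CA's Common Name; both conditions are needed for mysqld to accept the files.
verify_mysql_pki() {
  dir=$1
  openssl verify -CAfile "$dir/ca.pem" "$dir/mysql-server-cert.pem" \
    "$dir/mysql-client-cert.pem" >/dev/null 2>&1 || return 1
  ca_cn=$(cert_cn "$dir/ca.pem")
  for side in server client; do
    [ "$(cert_cn "$dir/mysql-$side-cert.pem")" != "$ca_cn" ] || return 1
  done
}
```

Point the ssl-ca, ssl-cert and ssl-key settings in mysqld.cnf at the generated files, then test from a TCP connection (mysql -h 127.0.0.1 ...) rather than the UNIX socket: the \s output in the lab below shows a socket connection, which, as the client's own warning says, TLS does not make any more secure.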

## LAB: Verify certificates

[root@centos01 mysql]# openssl verify -CAfile ca.pem mysql-server-cert.pem mysql-client-cert.pem
mysql-server-cert.pem: OK
mysql-client-cert.pem: OK
[root@centos01 mysql]# service mysql restart
Stopping mysqld: [ OK ]
Starting mysqld: [ OK ]

Edit the Config file:

[root@centos01 mysql]# cat /etc/my.cnf
#
# The Percona Server 5.7 configuration file.
#
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
# Please make any edits and changes to the appropriate sectional files
# included below.
#
!includedir /etc/my.cnf.d/
!includedir /etc/percona-server.conf.d/

[root@centos01 mysql]# cat /etc/percona-server.conf.d/mysqld.cnf
# Percona Server template configuration

[client]
ssl-ca=/etc/ssl/mysql/ca.pem
ssl-cert=/etc/ssl/mysql/mysql-client-cert.pem
ssl-key=/etc/ssl/mysql/mysql-client-key.pem

[mysqld]
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M

datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

ssl-ca=/etc/ssl/mysql/ca.pem
ssl-cert=/etc/ssl/mysql/mysql-server-cert.pem
ssl-key=/etc/ssl/mysql/mysql-server-key.pem

# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0

log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

[root@centos01 mysql]# mysql --ssl-cert=/etc/ssl/mysql/mysql-client-cert.pem -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.7.18-15 Percona Server (GPL), Release 15, Revision bff2cd9

Copyright (c) 2009-2017 Percona LLC and/or its affiliates
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18-15, for Linux (x86_64) using 6.0

Connection id: 6
Current database:
Current user: root@localhost
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-15 Percona Server (GPL), Release 15, Revision bff2cd9
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 1 min 47 sec

Threads: 1 Questions: 6 Slow queries: 0 Opens: 105 Flush tables: 1 Open tables: 98 Queries per second avg: 0.056
--------------

mysql> show variables like '%ssl%';
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| have_openssl  | YES                                  |
| have_ssl      | YES                                  |
| ssl_ca        | /etc/ssl/mysql/ca.pem                |
| ssl_capath    |                                      |
| ssl_cert      | /etc/ssl/mysql/mysql-server-cert.pem |
| ssl_cipher    |                                      |
| ssl_crl       |                                      |
| ssl_crlpath   |                                      |
| ssl_key       | /etc/ssl/mysql/mysql-server-key.pem  |
+---------------+--------------------------------------+
9 rows in set (0.00 sec)

mysql> \! rpm -qa | grep -i openssl
pyOpenSSL-0.13.1-2.el6.x86_64
openssl-devel-1.0.1e-57.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
mysql>

[root@centos01 mysql]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.7.18-15 Percona Server (GPL), Release 15, Revision bff2cd9

Copyright (c) 2009-2017 Percona LLC and/or its affiliates
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

You are enforcing ssl conection via unix socket. Please consider
switching ssl off as it does not make connection via unix socket
any more secure.
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.7.18-15, for Linux (x86_64) using 6.0

Connection id: 7
Current database:
Current user: root@localhost
SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.18-15 Percona Server (GPL), Release 15, Revision bff2cd9
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/lib/mysql/mysql.sock
Uptime: 8 min 32 sec

Threads: 1 Questions: 12 Slow queries: 0 Opens: 106 Flush tables: 1 Open tables: 99 Queries per second avg: 0.023
--------------
