Enable TLS for MySQL Clients

TLS stands for Transport Layer Security. It is still commonly called SSL (Secure Sockets Layer), the name of the older protocol it replaced.

When the connection between the MySQL client and the server is unencrypted, anyone with access to the network can watch the traffic and inspect the data sent and received between client and server. When information has to be moved over a network securely, an unencrypted connection is not acceptable.

Encryption is what makes the data unreadable to such an observer. Encryption protocols usually include safeguards against many known attacks, such as reordering encrypted messages or replaying the same data twice. MySQL supports encrypted connections between clients and the server, with both sides using the TLS protocol. MySQL does not use the SSL protocol for encrypted connections, because its encryption is weak.

TLS uses encryption algorithms to make sure that data received over a public network can be trusted. It has several mechanisms to detect data modification, loss, or replay. TLS also supports identity verification using certificates that follow the X.509 standard.

Steps to Enable TLS

MySQL performs encryption on a per-connection basis. The encryption for a given user can either be optional or mandatory. This enables the user to choose an encrypted or unencrypted connection depending on the requirements of the applications.

Let us understand how TLS can be enabled for MySQL clients:

  • The ssl-cert and ssl-key parameters have to be specified in the configuration file when the server is started.
  • The certificate and key are generated and signed with the help of OpenSSL.
  • The key and certificate can also be generated with the mysql_ssl_rsa_setup tool shipped with MySQL:
    mysql_ssl_rsa_setup --datadir=./certs
  • If the parameters are correct, the server reports on startup that secure connections are enabled.
  • The certificate, key and CA are reloaded by executing the ALTER INSTANCE RELOAD TLS statement on the server instance. This way the server does not have to be restarted.
  • The newly loaded certificate, key, and CA take effect for connections established after the statement has executed successfully.
  • The MySQL client is configured to use encrypted connections. By default the client tries to set up an encrypted connection; if the server does not support one, it falls back to an unencrypted connection.
  • The client's connection behavior can be changed with the --ssl-mode parameter:
    --ssl-mode=REQUIRED - specifies that an encrypted connection is required.

Authentication needs to be enabled: if the ssl-ca parameter is not specified, neither the client nor the server performs authentication by default. To authenticate the MySQL server from the client:

  • The ssl-cert and ssl-key parameters have to be specified on the server.
  • The --ssl-ca parameter is specified in the MySQL client.
  • The --ssl-mode is set to VERIFY_CA in the MySQL client.
  • The certificate (ssl-cert) configured on the server must be signed by the CA specified by the client's --ssl-ca parameter.
  • If it is not, authentication fails.

To authenticate the MySQL client from the server:

  • The ssl-cert, ssl-key, and ssl-ca parameters are specified on the server.
  • The --ssl-cert and --ssl-key parameters are specified in the client.
  • Both the server-configured certificate and the client-configured certificate are signed by the CA specified by the server's ssl-ca parameter.
  • This authentication of the client by the server is optional: if the client does not present its certificate during the TLS handshake, the TLS connection is still established.
  • Finally, check whether the current connection actually uses encryption.
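The steps above, server settings, client --ssl-mode flags and the final encryption check, tied together as an added example (not code from the original article or from MySQL itself). The paths under /etc/mysql/tls/ and the two sample status lines are assumptions; the real check is the Ssl_cipher status variable, which is empty on an unencrypted connection.

```shell
#!/bin/sh
# Added example. The certificate paths are assumptions; point them at the files
# produced by mysql_ssl_rsa_setup (or your own CA) on your system.

# Server side: the [mysqld] settings behind the article's first steps.
# require_secure_transport=ON additionally makes encryption mandatory for all clients.
server_tls_config() {
  cat <<'EOF'
[mysqld]
ssl-ca=/etc/mysql/tls/ca.pem
ssl-cert=/etc/mysql/tls/server-cert.pem
ssl-key=/etc/mysql/tls/server-key.pem
require_secure_transport=ON
EOF
}

# Client side: the --ssl-* flags for each case in the article.
#   REQUIRED  - encrypt, but do not check the server certificate against a CA
#   VERIFY_CA - encrypt and verify the server certificate against ca.pem
#   MUTUAL    - label used only by this script (not a MySQL ssl-mode): VERIFY_CA plus a
#               client certificate and key so the server can authenticate the client
client_tls_args() {
  case "$1" in
    REQUIRED)  echo "--ssl-mode=REQUIRED" ;;
    VERIFY_CA) echo "--ssl-mode=VERIFY_CA --ssl-ca=/etc/mysql/tls/ca.pem" ;;
    MUTUAL)    echo "--ssl-mode=VERIFY_CA --ssl-ca=/etc/mysql/tls/ca.pem --ssl-cert=/etc/mysql/tls/client-cert.pem --ssl-key=/etc/mysql/tls/client-key.pem" ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Final step: decide whether the current connection is encrypted.
# Feed it the output of
#   mysql $(client_tls_args VERIFY_CA) -N -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
# which is one tab-separated line "Ssl_cipher<TAB><cipher>". An empty cipher
# value means the session is NOT encrypted (e.g. the client silently fell back).
connection_is_encrypted() {
  cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
  [ -n "$cipher" ]
}

# Constructed sample status lines (not captured from a real server) for offline use.
SAMPLE_ENCRYPTED="$(printf 'Ssl_cipher\tTLS_AES_256_GCM_SHA384')"
SAMPLE_PLAINTEXT="$(printf 'Ssl_cipher\t')"
```

Note that --ssl-mode=REQUIRED alone still accepts any server certificate; only VERIFY_CA (or VERIFY_IDENTITY) makes the client check the server against the CA.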