Skip to main content

MySQL SSL Checklist

  • Verify that the modulus of the key is the same as the certificate one.

    These two hashes should be the same. In case they are not, then the certificate does not match the key. MySQL server will have have_ssl set to DISABLED in this case.

$ openssl x509 -noout -modulus -in server.crt | md5sum
$ openssl rsa -noout -modulus -in server.key | md5sum
  • Verify that the CA certificate is correct and that the certificate chain is in proper order.

    For example, StartSSL Class 1 certificates should have sub.class1.server.ca.pem first and then the ca.pem root CA certificate itself. However, I found out that specifying the Class 1 intermediate certificate is enough. Failure to set the CA certificates right would lead to the following message on the client:

ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
  • After connection, check that it is actually done over SSL:

mysql> status
...
SSL:            Cipher in use is DHE-RSA-AES256-SHA
...
  • Use REQUIRE keyword to specify the SSL connection checks.

    SSL simply requires that a connection was using SSL. X509 would require the client certificate to be verifiable against server CA certificate. Additionally you can use ISSUER, SUBJECT and CIPHER. However, due to bug in MySQL that requires specific order of RDN and Ubuntu MySQL upstart configuration bug that breaks logging to syslog, that may take a while to figure out, see the bug report for a workaround. The following works with my StartSSL certificate:

GRANT ALL on *.* TO 'user'@'my-host' REQUIRE
    SUBJECT '/C=UA/CN=my-clienthost.lappyfamily.net/emailAddress=my-email@example.net'
    AND ISSUER '/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA';
  • Configure firewall to limit access to MySQL server to a set of known addresses.

    Remember that mysql clients don't verify the server certificate host name. This is also one of the cases when you may want to create your own CA to prevent other clients of the same CA get through the certificate check phase just because they happen to be issued by the same authority in case you are using REQUIRE X509 only.