Using SSL/TLS for your MySQL or MariaDB server ensures that data transferred between the server and clients is encrypted and secure. It protects sensitive information, such as passwords and other confidential data, from potential eavesdroppers.
While the default setup of MySQL and MariaDB servers may not have SSL/TLS enabled, it's highly recommended for production environments, especially when database connections are made over public or untrusted networks. With SSL/TLS, you not only ensure data confidentiality but also gain assurance of data integrity and server authentication.
Configuring SSL/TLS for MySQL or MariaDB involves creating and setting up the required certificates and keys, and then making appropriate configurations in the server's settings file.
$ sudo apt-get install openssl
$ sudo mkdir -p /etc/mysql/ssl
Server key and self-signed server certificate:
$ openssl req -newkey rsa:2048 -days 365 -nodes -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem
$ openssl x509 -signkey /etc/mysql/ssl/server-key.pem -in /etc/mysql/ssl/server-req.pem -req -days 365 -out /etc/mysql/ssl/server-cert.pem
Client key and self-signed client certificate:
$ openssl req -newkey rsa:2048 -days 365 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem
$ openssl x509 -signkey /etc/mysql/ssl/client-key.pem -in /etc/mysql/ssl/client-req.pem -req -days 365 -out /etc/mysql/ssl/client-cert.pem
The client key and certificate are for the clients that will connect to the server; they present these files to authenticate themselves to the server.
$ sudo cp /etc/mysql/ssl/*.pem /var/lib/mysql/
The server only reads its own key, its certificate and the CA certificate; those files must be readable by the account mysqld runs as (normally mysql), and the private key files should not be readable by any other user.
[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
Note that ssl-ca must name the certificate of the authority that signed the server and client certificates; the self-signed certificates produced by the commands above do not create a ca-cert.pem, so in practice all certificates are issued by one private CA whose certificate is placed at that path. The exact location of the configuration file may differ based on the server's operating system or specific installation.
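The commands above produce self-signed certificates but never create the ca-cert.pem that the [mysqld] fragment references. The following script, added here as an example and not part of the original tutorial, builds a private CA first and signs both the server and the client certificate with it, so that ssl-ca, ssl-cert and ssl-key all name files that exist and chain correctly; it then checks the chain with openssl verify and prints the matching configuration fragment. The output directory argument, the server hostname db.example.internal and the function names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): private CA plus CA-signed
# server and client certificates for MySQL/MariaDB.
# Assumptions: output directory and server hostname are passed as arguments;
# 365-day validity as on the page; RSA 2048 keys as on the page.
set -eu

# make_mysql_certs DIR SERVER_CN
#   Creates ca-cert.pem / ca-key.pem, server-cert.pem / server-key.pem and
#   client-cert.pem / client-key.pem in DIR, all issued by the private CA.
make_mysql_certs() {
    dir=$1
    server_cn=$2
    mkdir -p "$dir"

    # 1. The private CA. Its certificate is what ssl-ca points to on the
    #    server and what clients use to verify the server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=MySQL Private CA (example)" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null

    # 2. Server key and CSR, signed by the CA. The CN must match the hostname
    #    clients connect to, otherwise hostname verification on the client fails.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$server_cn" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -set_serial 01 \
        -in "$dir/server-req.pem" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -out "$dir/server-cert.pem" 2>/dev/null

    # 3. Client key and CSR, signed by the same CA, so the server can validate
    #    it against ssl-ca (needed for accounts created with REQUIRE X509).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mysql-client (example)" \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -set_serial 02 \
        -in "$dir/client-req.pem" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -out "$dir/client-cert.pem" 2>/dev/null

    rm -f "$dir/server-req.pem" "$dir/client-req.pem"

    # Private keys readable only by their owner. On the server, chown the
    # server key to the account mysqld runs as (normally "mysql") afterwards.
    chmod 600 "$dir"/*-key.pem
    chmod 644 "$dir"/*-cert.pem
}

# verify_chain DIR
#   Returns 0 only if both leaf certificates chain to DIR/ca-cert.pem.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/client-cert.pem" >/dev/null 2>&1
}

# mysqld_config DIR
#   Prints the [mysqld] fragment matching the files created above.
mysqld_config() {
    dir=$1
    printf '[mysqld]\nssl-ca=%s/ca-cert.pem\nssl-cert=%s/server-cert.pem\nssl-key=%s/server-key.pem\n' \
        "$dir" "$dir" "$dir"
}

# Usage: sh make-mysql-certs.sh /etc/mysql/ssl db.example.internal
if [ "$#" -ge 2 ]; then
    make_mysql_certs "$1" "$2"
    verify_chain "$1" || { echo "certificate chain does not verify" >&2; exit 1; }
    mysqld_config "$1"
fi
```

After restarting the server, connect with the CA certificate so the client actually verifies the server rather than merely encrypting: the MySQL client takes --ssl-ca=/etc/mysql/ssl/ca-cert.pem together with --ssl-mode=VERIFY_CA or --ssl-mode=VERIFY_IDENTITY, the MariaDB client takes --ssl-ca together with --ssl-verify-server-cert. On either server, SHOW SESSION STATUS LIKE 'Ssl_cipher' returns a non-empty cipher name only when the current connection is encrypted, which is the check that matters for a given client.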
$ sudo systemctl restart mysql # For both MySQL and MariaDB on most distributions; some distributions name the unit mariadb instead
$ mysql -u root -p -e "SHOW VARIABLES LIKE 'have_ssl';"
You should see the value 'YES' if SSL/TLS has been correctly configured. This only shows that the server loaded the certificates and can accept TLS connections; it does not prove that any particular client connection is encrypted.
$ mysql -u root -p -e "SET GLOBAL require_secure_transport = ON;"
It's essential to require secure connections by default, especially when handling sensitive data or when the database server is exposed to public networks. Note that SET GLOBAL does not survive a server restart; add require_secure_transport=ON to the [mysqld] section of the configuration file as well so the setting persists.
This setup provides an essential layer of security to your database server. Always remember to periodically renew the SSL/TLS certificates before they expire to ensure uninterrupted secure communication.