Table of Contents
Advertisement
Another way to connect securely is from within an SSH connection to the MySQL server host. For an
example, see
6.3.6.1. Basic SSL Concepts
To understand how MySQL uses SSL, it is necessary to explain some basic SSL and X509 concepts.
People who are familiar with these concepts can skip this part of the discussion.
By default, MySQL uses unencrypted connections between the client and the server. This means that
someone with access to the network could watch all your traffic and look at the data being sent or
received. They could even change the data while it is in transit between client and server. To improve
security a little, you can compress client/server traffic by using the
client programs. However, this does not foil a determined attacker.
When you need to move information over a network in a secure fashion, an unencrypted connection
is unacceptable. Encryption is the way to make any kind of data unreadable. Encryption algorithms
must include security elements to resist many kinds of known attacks such as changing the order of
encrypted messages or replaying data twice.
SSL is a protocol that uses different encryption algorithms to ensure that data received over a public
network can be trusted. It has mechanisms to detect any data change, loss, or replay. SSL also
incorporates algorithms that provide identity verification using the X509 standard.
X509 makes it possible to identify someone on the Internet. It is most commonly used in e-commerce
applications. In basic terms, there should be some entity called a "Certificate Authority" (or CA) that
assigns electronic certificates to anyone who needs them. Certificates rely on asymmetric encryption
algorithms that have two encryption keys (a public key and a secret key). A certificate owner can show
the certificate to another party as proof of identity. A certificate consists of its owner's public key. Any
data encrypted with this public key can be decrypted only using the corresponding secret key, which is
held by the owner of the certificate.
For more information about SSL, X509, encryption, or public-key cryptography, perform an Internet
search for the keywords in which you are interested.
6.3.6.2. Configuring MySQL for SSL
To use SSL connections between the MySQL server and client programs, your system must support
either OpenSSL or yaSSL, and your version of MySQL must be built with SSL support. To make it
easier to use secure connections, as of version 5.0.10, MySQL is bundled with yaSSL, which uses the
same licensing model as MySQL. (OpenSSL uses an Apache-style license.) yaSSL support is available
on all platforms supported by Oracle Corporation.
To get secure connections to work with MySQL and SSL, you must do the following:
1. If you are not using a binary (precompiled) version of MySQL that has been built with SSL support,
and you are going to use OpenSSL rather than the bundled yaSSL library, install OpenSSL if it has
not already been installed. We have tested MySQL with OpenSSL 0.9.6. To obtain OpenSSL, visit
http://www.openssl.org.
Building MySQL using OpenSSL requires a shared OpenSSL library, otherwise linker errors occur.
Alternatively, build MySQL using yaSSL.
2. If you are not using a binary (precompiled) version of MySQL that has been built with SSL support,
configure a MySQL source distribution to use SSL. When you configure MySQL, invoke the
configure
For yaSSL:
shell>
./configure --with-yassl
For OpenSSL:
Using SSL for Secure Connections
Section 6.3.7, "Connecting to MySQL Remotely from Windows with
script with the appropriate option to select the SSL library that you want to use.
--compress
604
SSH".
option when invoking
Advertisement
Chapters
Table of Contents
Troubleshooting
