I'm seeking to clear some information up for myself involving remote SSL connections to MYSQL. Particularly, once I have MYSQL setup to enable SSL and have a remote user that requires SSL.
This is how I connect (commandline), remotely, to MYSQL with a user that requires SSL:
mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem
My question is: Why do I have to provide the ca.pem file as the client?
These are the steps I took to install mysql on the server and setup remote access (Ubuntu):
Steps to Enable SSL for MYSQL
1) Obtain my Certificate Authority cert, Database cert, Database key
ca.pem (Certificate Authority cert)
dbcert.pem (Database cert)
dbkey.pem (Databse key)
2) Add the following lines to /etc/mysql/my.cnf under [mysqld]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem
3) Restart mysql and confirm ssl enabled by logging in and typing following:
show variables like '%ssl%';
Configure Remote Connection Requiring SSL
1) Comment out the following lines in /etc/mysql/my.cnf
#bind-address
#skip-networking
2) Login to mysql and grant a user access to, in this case, every database
GRANT ALL PRIVILEGES ON . to 'USERNAME'#'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL
At this point, I have MYSQL setup to enable SSL && I have a remote user that will require SSL to login. I am able to login on a remote commandline, but i need to specify the --ssl-ca.
Why do I have to provide the ssl-ca from client? Is there a way to do this so that I don't have to?
I would really appreciate some insight here.
Thanks in advance.
Unlike your typical web browser, a commandline tool like mysql doesn't have a built-in list of certificate authorities. Browsers come with a built in list of certification authorities, and you implicitly trust them (whether you know it or not).
When you use mysql to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the ca signing it."
For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.
http://razorsql.com/articles/mysql_ssl_jdbc.html
How can I configure Hibernate to use SSL to talk to the DB server?
Related
I have managed to have turned on SSL connection (require_secure_transport=ON) on MySQL server 5.7. It works fine for both remote and localhost users. However, I don't want the localhost users connected via SSL connection. However can I exempt the local user from the SSL requirement? thanks
I believe the only way to do this would be to update the global configuration to require_secure_transport=OFF and then for every remote user set REQUIRE SSL flag. Essentially switching to an opt-in type of setup for SSL.
The issue with this is you'd have to remember to add this flag every time you add a new remote user, and could easily be forgotten. May be safer bet to resolve any issues with connecting over SSL locally instead.
I'm receiving this error when trying to open my database connection:
"Cannot connect to database server
your connection failed for user root#% to database [mydatabase]
Please:
check mysql is running on localhost
check mysql is reachable on 3306
check root has rights to connect to localhost
Make sure youre both providing a password if needed"
I'm working on Mysql workbench on a windows 10 machine. I think my root privileges have been dropped (not sure how) so any advice on that also would be fab... thanks :)
Can you provide additional info on your setup, incl. versions of MySQL server and the client applications? You mention you can still connect, if so, what command do you use, can you query all from table mysql.user and post? Also, query the table mysql.user for plugin info, because in fresh versions of MySQL server 8.0 and up according to MySQL Documentation (6.4.1.2 Caching SHA-2 Pluggable Authentication) the server by default uses new authentication method via authentication plugin caching_sha2_password. In this case the password is encrypted either by the virtue of secure connection or with RSA public_key. Then the encrypted password gets decrypted on the server by the private RSA key. For example, connections from older clients or connectors within applications might fail due to incompatibility. If you use compatible clients and authentication plugin caching_sha2_password, the connection between client and server may fail due to:
Incorrect password.
No secure (SSL) connection established.
No public RSA key presented by the client.
In case 3, quoting the docs:
Client users can obtain the RSA public key two ways:
The database administrator can provide a copy of the public key file.
A client user who can connect to the server some other way can use a
SHOW STATUS LIKE 'Caching_sha2_password_rsa_public_key' statement and
save the returned key value in a file.
If you can connect to the database with any client, obtain the public key and use it to configure another client. Alternatively, the public key for RSA connection can be obtained from the server data directory. On Windows 10 it is usually C:\ProgramData\MySQL\MySQL Server 8.0\Data
example server data directory location on a windows 10 default installation
So, if the user has caching_sha2_password set and you have the public RSA key for the MySQL server you can use it to establish connection. If the user has mysql_native_password the cause be different.
I set up a new MySQL instance on AWS RDS (Aurora). I added a user that requires SSL, and downloaded the combined ca bundle as described here and here: SSL Connection error, and I can connect via command line and confirm that the user is securely connected. I also turned off the SSL requirement for the user temporarily and was able to connect with MySQL Workbench with SSL turned off.
The problem is that both MySQL Workbench and my Rails app expect three separate files: SSL CA, SSL Cert, and SSL Key.
I'm sure there has to be an easy solution to it, but much Googling is not finding the answer, including this unanswered one on the AWS forums. I appreciate the help.
You don't need any other files. When it comes to the MySQL Workbench you need to provide "SSL CA File" and "Use SSL" ("Require" or "Require and Verify CA").
After that you can verify your connection by using the following command:
SHOW SESSION STATUS LIKE 'Ssl_cipher';
I have a MySQL database running and I created a new user called 'ssluser' with SSL REQUIRED. I'm having trouble with this user logging in from a client to a remote server.
I verified the firewall is not an issue. iptables are not reporting dropped packets.
I am able to connect from nonssluser to the remote server without an issue.
On the server my.cnf I have the CA, Cert, and Key file in place and MySQL WorkBench shows that SSL is enabled.
On the client, I have CA, Cert, and Key file in place as well.
For both certificates I used the FQDN as the common name. I'm not sure if that is the issue or not. Any ideas?
The connection is on a private network in the Digital Ocean datacenter NYC.
[1045] Access denied for user
is a MySQL thing - which means that you are connecting - SSL does not seem to be the problem.
This most likely means you are authenticating wrong (have the wrong password).
Check this to see if it helps if you are sure you have the right password.
To answer my question:
1 - The password was incorrect
and
2 - The application does not support SSL MySQL connections
I would like to know how can you connect to postgresql in these conditions:
allow you to access them from any location (do IP filtering)
safe connection (no risk on having your password captured)
easy to setup, preferably having to configure only the server for that.
I know that the recommended approach is to used SSH port forwarding, but this requires you to start the port forwarding before trying to connect to these databases.
What is the easiest method to acquire a good enough security without having to do complex setup on the client.
Is there a way to auto enable the port forwarding stuff on demand?
For PostgreSQL you would start by making sure you are using an SSL-enabled build. (I think that is the default for most installers.)
Then you would need to allow the server to accept remote connections by setting listen_addresses (which specifies which IP addresses the server will listen on): http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html
The pg_hba.conf file allows you to specify which users can connect to which databases from which IP addresses using which authentication methods. There are a lot of authentication methods from which to choose: http://www.postgresql.org/docs/9.1/interactive/client-authentication.html
Regarding what needs to be done on the client side, the details will depend on what connector you are using from which environment; as an example, the PostgreSQL JDBC driver uses an SSL connection by default if available. To tell the JDBC driver not to accept a connection unless it can use SSL, you set a JDBC connection property: ssl=true. http://jdbc.postgresql.org/documentation/head/ssl-client.html
Sorry, but I don't know how MySQL manages any of this.
I am myself trying to find the answer for Postgre, but here is what you can do for MySQL.
First, you need to enable remote access to your database. You can create a user with remote access ability as follows.
GRANT ALL ON *.* to user#address IDENTIFIED BY 'password';
flush privileges;
More details here.
To add security to this, you can add a 'REQUIRE SSL' to the GRANT command as follows
GRANT ALL ON *.* to user#address IDENTIFIED BY 'password' REQUIRE SSL;
All this needs to be done on the server side. On the client, you just need to provide the required certificates that it will need to connect.
For details on creating certificates, the MySQL site has a step by step guide here