Using SSL Connections


To use SSL connections between the MariaDB server and client programs, your system must support either OpenSSL or yaSSL and your version of MariaDB must be built with SSL support.

To make it easier to use secure connections, MariaDB is bundled with yaSSL. (MySQL and yaSSL employ the same licensing model, whereas OpenSSL uses an Apache-style license.) yaSSL support initially was available only for a few platforms, but now it is available on all MariaDB platforms supported by Oracle Corporation.

To get secure connections to work with MariaDB and SSL, you must do the following:

  1. If you are not using a binary (precompiled) version of MariaDB that has been built with SSL support, and you are going to use OpenSSL rather than the bundled yaSSL library, install OpenSSL if it has not already been installed. We have tested MariaDB with OpenSSL 0.9.6. To obtain OpenSSL, visit http://www.openssl.org.

    Building MariaDB using OpenSSL requires a shared OpenSSL library, otherwise linker errors occur. Alternatively, build MariaDB using yaSSL.

  2. If you are not using a binary (precompiled) version of MariaDB that has been built with SSL support, configure a MariaDB source distribution to use SSL. When you configure MySQL, invoke CMake like this:
    shell> cmake . -DWITH_SSL=bundled
    

    That configures the distribution to use the bundled yaSSL library. To use the system SSL library instead, specify the option as -DWITH_SSL=system instead. See "MySQL Source-Configuration Options".

    Note that yaSSL support on Unix platforms requires that either /dev/urandom or /dev/random be available to retrieve true random numbers. For additional information (especially regarding yaSSL on Solaris versions prior to 2.8 and HP-UX), see Bug #13164.

  3. Make sure that the user table in the MariaDB system database includes the SSL-related columns (beginning with ssl_ and x509_). If your user table does not have these columns, it must be upgraded; see "mysql_upgrade - Check Tables for MariaDB Upgrade".
  4. To check whether a server binary is compiled with SSL support, invoke it with the --ssl option. An error will occur if the server does not support SSL:
    shell> mysqld --ssl --help
    060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'
    

    To check whether a running mysqld server supports SSL, examine the value of the have_ssl system variable (if you have no have_ssl variable, check for have_openssl):

    mysql> SHOW VARIABLES LIKE 'have_ssl';
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | have_ssl      | YES   |
    +---------------+-------+
    

    If the value is YES, the server supports SSL connections. If the value is DISABLED, the server supports SSL connections but was not started with the appropriate --ssl-xxx options (described later in this section).

To enable SSL connections, the proper SSL-related options must be used (see "SSL Command Options").

To start the MariaDB server so that it permits clients to connect using SSL, use the options that identify the key and certificate files the server needs when establishing a secure connection:

shell> mysqld --ssl-ca=ca-cert.pem \
 --ssl-cert=server-cert.pem \
 --ssl-key=server-key.pem

To establish a secure connection to a MariaDB server with SSL support, the options that a client must specify depend on the SSL requirements of the user account that the client uses. (See the discussion of the REQUIRE clause in "GRANT Syntax".)

If the account has no special SSL requirements or was created using a GRANT statement that includes the REQUIRE SSL option, a client can connect securely by using just the --ssl-ca option:

shell> mysql --ssl-ca=ca-cert.pem

To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:

shell> mysql --ssl-ca=ca-cert.pem \
 --ssl-cert=client-cert.pem \
 --ssl-key=client-key.pem

In other words, the options are similar to those used for the server. Note that the Certificate Authority certificate has to be the same.

A client can determine whether the current connection with the server uses SSL by checking the value of the Ssl_cipher status variable. The value of Ssl_cipher is nonempty if SSL is used, and empty otherwise. For example:

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

For the mysql client, you can use the STATUS or \s command and check the SSL line:

mysql> \s
...
SSL: Not in use
...

Or:

mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
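The two checks above (have_ssl on the server, Ssl_cipher on the current connection) are easy to script for a post-deployment verification. The following POSIX shell script is an added example and is not part of the MariaDB documentation or code base. It assumes a mysql client on PATH and uses the client's -s (silent) and -N (no column names) options, which print tab-separated rows instead of the ASCII table shown above; the sample rows at the bottom are constructed so the parsing functions can be exercised without a server.

```shell
#!/bin/sh
# Added example, not from the MariaDB docs: interpret the have_ssl and
# Ssl_cipher checks and combine them into one pass/fail assessment.

# Given the tab-separated row from SHOW VARIABLES LIKE 'have_ssl' (or the
# older have_openssl variable), print one of:
#   supported / disabled / unsupported / unknown
classify_have_ssl() {
    value=$(printf '%s\n' "$1" |
        awk -F'\t' '$1=="have_ssl" || $1=="have_openssl" {print $2; exit}')
    case "$value" in
        YES)      echo supported ;;   # server accepts SSL connections
        DISABLED) echo disabled ;;    # built with SSL, started without --ssl-* options
        NO)       echo unsupported ;; # binary built without SSL support
        *)        echo unknown ;;     # variable absent (query failed or very old server)
    esac
}

# Given the row from SHOW STATUS LIKE 'Ssl_cipher', print the negotiated cipher,
# or "none" when the value is empty, i.e. this connection is not encrypted.
current_cipher() {
    cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1=="Ssl_cipher" {print $2; exit}')
    if [ -z "$cipher" ]; then echo none; else echo "$cipher"; fi
}

# Live check against a server. Extra arguments (for example --ssl-ca=ca-cert.pem,
# host and user options) are passed straight to the mysql client.
# Returns 0 only when the server supports SSL AND this connection negotiated
# a cipher; 1 when either check fails; 2 when the client could not connect.
assess_tls() {
    have=$(mysql -sN -e "SHOW VARIABLES LIKE 'have_ssl'" "$@" 2>/dev/null) || return 2
    ssl_state=$(classify_have_ssl "$have")
    status=$(mysql -sN -e "SHOW STATUS LIKE 'Ssl_cipher'" "$@" 2>/dev/null) || return 2
    cipher=$(current_cipher "$status")
    echo "server SSL: $ssl_state; this connection: $cipher"
    [ "$ssl_state" = supported ] && [ "$cipher" != none ]
}

# Constructed sample rows, in the tab-separated form "mysql -sN" prints.
SAMPLE_HAVE_SSL_YES=$(printf 'have_ssl\tYES')
SAMPLE_HAVE_SSL_DISABLED=$(printf 'have_ssl\tDISABLED')
SAMPLE_CIPHER_ON=$(printf 'Ssl_cipher\tDHE-RSA-AES256-SHA')
SAMPLE_CIPHER_OFF=$(printf 'Ssl_cipher\t')

# Usage against a real server (the --live argument is a convention of this
# example): sh check_tls.sh --live --ssl-ca=ca-cert.pem -u someuser -p
if [ "${1:-}" = "--live" ]; then
    shift
    assess_tls "$@"
fi
```

A DISABLED result points at the server side (missing --ssl-ca/--ssl-cert/--ssl-key at startup), while "supported" paired with "none" means the server is ready but this particular client session was not started with --ssl-ca, which is the case the Ssl_cipher check is meant to catch.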

To establish a secure connection from within an application program, use the mysql_ssl_set() C API function to set the appropriate certificate options before calling mysql_real_connect(). See "mysql_ssl_set()". After the connection is established, you can use mysql_get_ssl_cipher() to determine whether SSL is in use. A non-NULL return value indicates a secure connection and names the SSL cipher used for encryption. A NULL return value indicates that SSL is not being used. See "mysql_get_ssl_cipher()".
