Thursday, January 2, 2014

SSL with MySQL does not have to be complicated

I've blogged before about how complicated setting up SSL with MySQL can be. Since then many bugs have been fixed related to SSL.

But still many people are using unencrypted connections for replication and client connections.

This could be because of possible performance degradation. But then it could be used for only the admin connections.

It could also be because they already use SSH or VPN.

But for many it's because they think it's complicated. This is not necessary. I've created mysslgen which makes it easier to setup SSL. Just run mysslgen.py and then the CA, server and client certificates and keys will be generated for you. The most difficult part it to get python 3.3 or python 2.7 to run on CentOS/RHEL/OEL 6.
If you think SSL should be part of the default MySQL installation, then click the 'Affects me' button for Bug #70734.

During the creation of mysslgen I found out MySQL fails to load private keys if they are in PKCS#8 format (Bug #71271). So, be careful if you create the private keys yourself!

With SSL enabled it should be easier to grant users the permission to use MySQL for Excel, MySQL with LibreOffice or any other desktop tool with a MySQL feature.

2 comments:

  1. Cool stuff, Daniël - thanks! We've been having similar discussions about how to make SSL setup easier by default (I commented on the bug report you referenced). In the meantime, might you consider contributing mysslgen under OCA for possible inclusion in MySQL Utilities?

    ReplyDelete
    Replies
    1. Yes, that would be a good option. What do I need to do for that?

      Delete