Recent changes to support better security by increasing strength of Diffie-Hellman cipher suites from 512-bit to 2048-bit were introduced to MySQL Server 5.7. While this change enhances security, it is an aggressive change in that 2048-bit DH ciphers are not universally supported. This has become a problem specifically for Java users, as only Java 8 JRE (currently) supports DH ciphers greater than 1024 bits. Making the problem more acute, this change was back-ported from MySQL Server 5.7 to the recent 5.6.26 and 5.5.45 releases in response to a community bug report. This blog post will identify affected applications, existing workarounds, and our plans to provide a more …
[Read more]Today, oCERT published advisory 2015-003 describing a TLS vulnerability in MySQL and derivative products. The content isn’t exactly news – it is documented legacy behavior and the subject of an earlier blog post describing how MySQL Server 5.7 solves the problem. That said, the efforts of Duo Security are certainly appreciated and welcomed – it provides a meaningful context to discuss how to properly harden existing MySQL 5.5 and 5.6 deployments, as well as frame a discussion on potential changes in these versions to increase security.
Vulnerability
The vulnerability described in the advisory relies on the legacy behavior of the client …
[Read more]
As noted in an earlier post, MySQL Server 5.7 prefers and
enables SSL/TLS connections by default. That’s great and
useful progress towards secure connections, but we know that not
all SSL/TLS ciphers are created equal – some are older and more
vulnerable. Furthermore, some recent vulnerabilities rely
on the ability to negotiate less-secure ciphers during the
handshake. Monitoring which ciphers are used can help
identify connections using low-grade ciphers, but also to build
an appropriate restricted cipher list. Using
improvements to PERFORMANCE_SCHEMA
introduced in
5.7, you can now easily do this – and this post will show you
how.
The cipher used for each TLS connection is stored in a …
As I wrote earlier, we want the default experience in MySQL 5.7 to be secure by default. Part of this includes securing connections by automatically creating key material and using TLS for connections where possible. This may have some significant implications for third-party software – especially products which depend upon capturing, evaluating and/or redirecting client/server traffic at the network level. This blog post is intended to highlight for developers and users of such products potential issues they may want to consider or address during the pre-GA period for MySQL Server 5.7.
What types of products are dependent upon access to unencrypted protocol data? Most immediately apparent are proxy-based and network capture-based products. Proxy-based products typically rely on the same characteristics which can …
[Read more]MySQL 5.7 aims to be the most secure MySQL Server release ever, and that means some significant changes in SSL/TLS. This post aims to tie together individual enhancements introduced over the span of several Development Milestone Releases (DMRs) into the larger initiative. In the simplest terms, we hope to have a minimal TLS configuration enabled by default, and for connections to prefer TLS by default. Let’s dig into the various aspects of this:
Generation of TLS key material
MySQL Server has long supported TLS connections, yet very few deployments are actually configured to leverage this. This is partly because creation of key material – the certificates and keys needed to establish TLS connections – is a multi-step, extra, manual process. Basic TLS concepts have to be understood, third-party software …
[Read more]In this blog post I will describe different ways of using SSL with the MySQL database server.
What does SSL give you?
You might use MySQL replication over the internet or connect to MySQL over the internet.
Another posibility is that you connect over an enterprise network to which just too many people have access. This is especially an issue if you use an BYOD network.
SSL helps here by encrypting the network traffic to prevent against evesdropping. It also validates that you're talking to the correct server to prevent man-in-the-middle attacks.
And you can also use SSL client certificates together with an password as two factor authentication.
SSL is not the only option, you could use SSH and many MySQL GUI clients like MySQL Workbench support …
[Read more]
So assume you just uploaded the certificate you use to identify
yourself to the MySQL server to Github or some other place it
doesn't belong...and there is no undelete.
First: Don't panic.
Often a password is required besides a certificate to connect to
the server. So someone with the certificate can't use it without
the password. The certificate itself might be protected by a
password, but that's really rare. Also access to MySQL and/or
your account should be limited to certain IP's.
The next step is to revoke the certificate. This is possible
since MySQL 5.6.3 by using a Certificate Revocation List
(CRL).
A CRL is a list of the serials of the revoked certificates and
signed by the CA. So this will only work if the certificates have
unique serials.
…
The brief outage was due to a scheduled move of the servers to a separate rack and subnet dedicated to our work with the Center for Information Assurance & Cybersecurity (ciac) at the University of Washington Bothell (uwb), and a11y.com
I am currently exercising the new (to us) equipment and hope to winnow the less than awesome equipment over the next quarter. I spent the last six months finding the best in breed of the surplussed DL385 and DL380 chassis we (work) were going to have recycled. The team and I were able to find enough equipment to bring up one of each with eight and six gigs of memory, respectively. These will make excellent hypervisors for provisioning embedded instances of Slackware, Fedora, RHEL, CentOS, Debian, FreeBSD, OpenSolaris, OpenIndiana, FreeDOS, etc.
When I initially configured this xen paravirt environment, I failed to plan for integration with libvirt, so I am now re-jiggering the software bridges so …
[Read more]