Showing entries 51 to 60 of 75
Displaying posts with tag: SSL
Redefining --ssl option

MySQL clients have long had a --ssl option. Casual users may think specifying this option will cause clients to secure connections using SSL. That is not the case:

D:\mysql-5.6.13-winx64>bin\mysql -uroot -P3307 --ssl
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.13-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
bin\mysql  Ver 14.14 Distrib 5.6.13, for Win64 (x86_64)

Connection id:          2
Current database:
Current user:           root@localhost
SSL:                    Not in use
...

This behavior is clearly explained in the …

[Read more]
SSL with MySQL does not have to be complicated

I've blogged before about how complicated setting up SSL with MySQL can be. Since then many bugs have been fixed related to SSL.

But still many people are using unencrypted connections for replication and client connections.

This could be because of possible performance degradation. But then it could be used for only the admin connections.

It could also be because they already use SSH or VPN.

But for many it's because they think it's complicated. This is not necessary. I've created mysslgen which makes it easier to set up SSL. Just run mysslgen.py and then the CA, server and client certificates and keys will be generated for you. The most difficult part is to get Python 3.3 or Python 2.7 to run on CentOS/RHEL/OEL 6.
If you …

[Read more]
MySQL 5.7: mysqlbinlog now supports SSL

Starting in version 5.7.3, MySQL added SSL support to the mysqlbinlog client program. This feature allows system administrators to perform remote binlog queries (using the --read-from-remote-server option) over secure connections.
So, the behavior of the mysqlbinlog client program using SSL options is now the same as other MySQL client tools, with the same SSL options and the same SSL defaults. See the References section if you want more information about MySQL SSL options.

Overview

The remote administration of MySQL servers is a very common task, as many MySQL servers are deployed in remote hosting facilities or in remotely located data centers.
There are many problems with remote administration of servers. With respect to security, the major concerns are:

  • If the traffic between the administrative console and the remote server passes …
[Read more]
MySQL encryption performance, revisited

This is part two of a two-part series on the performance implications of in-flight data encryption with MySQL. In the first part, I focused specifically on the impact of using MySQL’s built-in SSL support with some rather surprising results. Certainly it was expected that query throughput would be lower with SSL than without, but I was rather surprised by the magnitude of the performance hit incurred at connection setup time. These results naturally lent themselves to some further investigation; in particular, I wanted to compare performance differences between MySQL’s built-in SSL encryption facilities and external encryption technologies, such as SSH tunneling. I’ll also be using this post to address a couple of questions posed in the comments on my original article. So, without further ado….

Test Environment

The …

[Read more]
SSL Performance Overhead in MySQL

NOTE: This is part 1 of what will be a two-part series on the performance implications of using in-flight data encryption.

Some of you may recall my security webinar from back in mid-August; one of the follow-up questions that I was asked was about the performance impact of enabling SSL connections. My answer was 25%, based on some 2011 data that I had seen over on yaSSL’s website, but I included the caveat that it is workload-dependent, because the most expensive part of using SSL is establishing the connection. Not long thereafter, I received a request to conduct some more specific benchmarks surrounding SSL usage in MySQL, and today I’m going to show the results.

First, the testing …

[Read more]
Man in the Middle? - No, thank you!

After speaking about the topic at the Developer Week 2013 in Nürnberg this week, due to a scheduling coincidence I repeated it today for our codecentric "Dev-Friday", in which internal or external speakers present some topic to the whole company.

For a while we have been recording these for colleagues on vacation or otherwise occupied during the talk to watch it later. Several of them are available on codecentric's YouTube channel publicly. As of a few moments ago, so is my "Man in the Middle? – No, thank you!" talk on the possibility of – and countermeasures against – man in the middle attacks against SSL connections.

For your convenience, here is the video:



The …

[Read more]
Setting up MySQL SSL and secure connections

There are different articles on how to set up MySQL with SSL, but it’s sometimes difficult to end up with a good simple one. Usually, setting up MySQL SSL is not really a smooth process due to such factors as “it’s not your day”, something is apparently broken, or the documentation lies. I am going to provide brief instructions on how to set up MySQL with SSL, SSL replication, and how to establish secure connections from the console and scripts, showing working examples.

Quick links:

[Read more]
SSL-related MySQL Bug #62743 Fixed Recently

I was very pleased to see that the SSL-related MySQL Bug #62743 was just fixed.

Here is the bug for reference:

http://bugs.mysql.com/bug.php?id=62743

In essence, the --ssl-key value was not validated, thus anything could have been specified there.

Your connection would have still been SSL encrypted, which was good at least, but your SSL Key would not have made any difference.

This fix will be included in versions 5.1.66, 5.5.28, 5.6.7, 5.7.0.

For reference, here is the entry that will go into the changelogs:

“The argument to the --ssl-key option was not verified to exist and be
a valid key. The resulting connection used SSL, but the key was not
used.”

Understanding SHOW VARIABLES: DISABLED and NO values

When you use SHOW VARIABLES LIKE 'have_%' to see whether a particular feature is enabled, you will note the value of NO for some, and DISABLED for others. These values are not intrinsically clear for the casual onlooker, and often cause confusion. Typically, this happens with SSL and InnoDB. So, here is a quick clarification!

  • NO means that the feature was not enabled (or was actively disabled) in the build. This means the code and any required libraries are not present in the binary.
  • DISABLED means that the feature is built in and capable of working in the binary, but is disabled due to relevant my.cnf settings.
  • YES means the feature is available, and configured in my.cnf.

SSL tends to show up as DISABLED, until you configure the appropriate settings to use it …

[Read more]
Tech Messages | 2012-05-11

A special extended edition of Tech Messages for 2011-09-21 through 2012-05-11:
