Planet MySQL Planet MySQL: Meta Deutsch Español Français Italiano 日本語 Русский Português 中文
Showing entries 1 to 10 of 39 10 Older Entries

Displaying posts with tag: SSL (reset)

Identifying Insecure Connections
Employee_Team +0 Vote Up -0Vote Down

A key theme of the MySQL Server 5.7 release is much improved security. Earlier releases of MySQL 5.7 have introduced features supporting this initiative including automatic generation and detection of TLS key material and client-side preference for TLS connections. The recent MySQL 5.7.8 …

  [Read more...]
SSL/TLS Connections to Recent MySQL Servers in Java
Employee +0 Vote Up -0Vote Down

Recent changes to support better security by increasing strength of Diffie-Hellman cipher suites from 512-bit to 2048-bit were introduced to MySQL Server 5.7. While this change enhances security, it is an aggressive change in that 2048-bit DH ciphers are not universally supported. This has become a problem specifically for Java users, as only Java 8 JRE (currently) supports DH ciphers greater than 1024 bits. Making the problem more acute, this change was back-ported from MySQL Server 5.7 to the recent …

  [Read more...]
SSL/TLS in 5.6 and 5.5 – oCERT Advisory
Employee +1 Vote Up -0Vote Down

Today, oCERT published advisory 2015-003 describing a TLS vulnerability in MySQL and derivative products.  The content isn’t exactly news – it is documented legacy behavior and the subject of an earlier blog post describing how MySQL Server 5.7 solves the problem.  That said, the efforts of Duo Security are certainly appreciated and welcomed – it provides a meaningful context to discuss how to properly …

  [Read more...]
SSL/TLS and RSA Improvements for OpenSSL Linked MySQL 5.7 Binaries
Employee_Team +0 Vote Up -0Vote Down

What?

MySQL 5.7 server binaries compiled with the OpenSSL library now make it easy to set up SSL/TLS and RSA artifacts, and to enable them within MySQL. Two new read-only global options have been introduced through this work:

  • --auto-generate-certs: Enables automatic generation and detection of SSL artifacts at server start-up.
  • --sha256-password-auto-generate-rsa-keys: Enables automatic generation of an RSA key pair.

These options …

  [Read more...]
Practical P_S: Which TLS ciphers are connections using?
Employee +0 Vote Up -0Vote Down

As noted in an earlier post, MySQL Server 5.7 prefers and enables SSL/TLS connections by default.  That’s great and useful progress towards secure connections, but we know that not all SSL/TLS ciphers are created equal – some are older and more vulnerable.  Furthermore, some recent vulnerabilities rely on the ability to negotiate less-secure ciphers during the handshake.  Monitoring which ciphers are used can help identify connections using low-grade ciphers, but also to build an appropriate …

  [Read more...]
Implications of TLS plans for third-party products
Employee +0 Vote Up -0Vote Down

As I wrote earlier, we want the default experience in MySQL 5.7 to be secure by default.  Part of this includes securing connections by automatically creating key material and using TLS for connections where possible.  This may have some significant implications for third-party software – especially products which depend upon capturing, evaluating and/or redirecting client/server traffic at the network level.  This blog post is intended to highlight for developers and users of such products potential issues they may want to …

  [Read more...]
How to test if CVE-2015-0204 FREAK SSL security flaw affects you
+0 Vote Up -0Vote Down

The CVE-2015-0204 FREAK SSL vulnerability abuses intentionally weak “EXPORT” ciphers which could be used to perform a transparent Man In The Middle attack. (We seem to be continually bombarded with not only SSL vulnerabilities but the need to name vulnerabilities with increasing odd names.)

Is your server vulnerable?

This can be tested using the following GIST

If the result is 0; the server is not providing the EXPORT cipher; and as such is not vulnerable.

Is your client vulnerable? …

  [Read more...]
How to Use SSL and MySQL Client Library in the Same Binary!
Employee_Team +1 Vote Up -0Vote Down

We plan to hide (not export) the symbols of the SSL library used by the MySQL client library. As step one in that effort, we plan to hide all of the non-documented symbols because we want to stop polluting the MySQL client program’s namespace.

Consider a requirement where there the OpenSSL and MySQL client library functions are both used directly to generate a binary. If the order of linking used is 1. MySQL client library (i.e libmysqlclient) and then 2. OpenSSL library (i.e libcrypto), then using the created binary will result in a crash.

The Reason why it will crash is as follows: The libmysqlclient …

  [Read more...]
Different SSL setups for MySQL
+0 Vote Up -0Vote Down

In this blog post I will describe different ways of using SSL with the MySQL database server.

What does SSL give you?

You might use MySQL replication over the internet or connect to MySQL over the internet.

Another posibility is that you connect over an enterprise network to which just too many people have access. This is especially an issue if you use an BYOD network.

SSL helps here by encrypting the network traffic to prevent against evesdropping. It also validates …

  [Read more...]
Using a CRL with MySQL
+0 Vote Up -0Vote Down

So assume you just uploaded the certificate you use to identify yourself to the MySQL server to Github or some other place it doesn't belong...and there is no undelete.

First: Don't panic.
Often a password is required besides a certificate to connect to the server. So someone with the certificate can't use it without the password. The certificate itself might be protected by a password, but that's really rare. Also access to MySQL and/or your account should be limited to certain IP's.






  [Read more...]
Showing entries 1 to 10 of 39 10 Older Entries

Planet MySQL © 1995, 2015, Oracle Corporation and/or its affiliates   Legal Policies | Your Privacy Rights | Terms of Use

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.