Home |  MySQL Buzz |  FAQ |  Feeds |  Submit your blog feed |  Feedback |  Archive |  Aggregate feed RSS 2.0 English Deutsch Español Français Italiano 日本語 Русский Português 中文
Showing entries 1 to 28

Displaying posts with tag: SSL (reset)

Decoding (encrypted) MySQL traffic with Wireshark
+1 Vote Up -0Vote Down
In a comment on my post about Using SSL with MySQL xiaochong zhang asked if it is possible to decode SSL/TLS encrypted MySQL traffic. The short answer is: It depends.

To test this we need a MySQL server which is SSL enabled. I used MySQL Sandbox to create a sandboxed 5.6.19 server. Then I used mysslgen to create the config and the certificates.

$ make_sandbox 5.6.19
$ ./mysslgen.py --config=sandboxes/msb_5_6_19/my.sandbox.cnf --ssldir=sandboxes/msb_5_6_19/ssl

This assumes there already is a extracted tarball of MySQL 5.6.19 in ~/mysql/5.6.19

The mysslgen.py script will return a message with the changes you should make in your mysqld and client sections of the my.sandbox.cnf file. Then








  [Read more...]
SSL and MariaDB/MySQL
+1 Vote Up -0Vote Down

With the recent Heartbleed bug, people are clearly more interested in their MariaDB/MySQL running with SSL and if they have problems. First up, you should read the advisory notes: MariaDB, Percona Server (blog), and MySQL (blog).

Next, when you install MariaDB (or a variant) you are usually dynamically linked to the OpenSSL library that the system provides. Typically on startup

  [Read more...]
Heartbleed OpenSSL Bug: Impact on ClusterControl Users & Recommendations on How to Protect your Systems
+0 Vote Up -0Vote Down
April 10, 2014 By Severalnines

 

In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.

 

Background

 

If your ClusterControl's web application has been accessible on the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug, see: http://heartbleed.com for more details. 

By default, our database deployment script enables SSL encryption for the

  [Read more...]
Heartbleed: Separating FAQ From FUD
+1 Vote Up -0Vote Down

If you’ve been following this blog (my colleague, David Busby, posted about it yesterday) or any tech news outlet in the past few days, you’ve probably seen some mention of the “Heartbleed” vulnerability in certain versions of the OpenSSL library.

So what is ‘Heartbleed’, really?

In short, Heartbleed is an information-leak issue. An attacker can exploit this bug to retrieve the contents of a server’s memory without any need for local access. According to the researchers that discovered it, this can be done without leaving any trace of compromise on the system. In other words, if you’re vulnerable, they can steal your keys and you won’t even notice that they’ve gone missing. I use the word

  [Read more...]
Redefining –ssl option
Employee +5 Vote Up -0Vote Down

MySQL clients have long had a –ssl option.  Casual users may think specifying this option will cause clients to secure connections using SSL.  That is not the case:

D:\mysql-5.6.13-winx64>bin\mysql -uroot -P3307 --ssl
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.13-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
bin\mysql  Ver 14.14 Distrib 5.6.13, for Win64 (x86_64)

Connection id:          2
Current database:
Current user:           root@localhost
  [Read more...]
SSL with MySQL does not have to be complicated
+3 Vote Up -0Vote Down
I've blogged before about how complicated setting up SSL with MySQL can be. Since then many bugs have been fixed related to SSL.

But still many people are using unencrypted connections for replication and client connections.

This could be because of possible performance degradation. But then it could be used for only the admin connections.

It could also be because they already use SSH or VPN.

But for many it's because they think it's complicated. This is not necessary. I've created mysslgen which makes it easier to setup SSL. Just run mysslgen.py and then the CA, server and client certificates and keys will be generated for you. The most difficult part it to get python 3.3 or python 2.7 to run on







  [Read more...]
MySQL 5.7: mysqlbinlog now supports SSL
Employee +2 Vote Up -0Vote Down
Starting in version 5.7.3 MySQL added SSL support to mysqlbinlog client program. This feature allows system administrators to perform remote binlog queries (using --read-from-remote-server option) over secure connections.
So, the behavior of mysqlbinlog client program using SSL options is now the same as other MySQL client tools, with same SSL options and same SSL defaults. See the References section if you want more information about MySQL SSL options.

Overview


The remote administration of MySQL servers is a very common task as many MySQL servers are deployed in remote hosting facilities or in remotely located data centers.
There are many problems with remote administration of servers. With respect to security, the major concerns are:
  • If the traffic between




  [Read more...]
MySQL encryption performance, revisited
+1 Vote Up -0Vote Down

This is part two on a two-part series on the performance implications of in-flight data encryption with MySQL. In the first part, I focused specifically on the impact of using MySQL’s built-in SSL support with some rather surprising results. Certainly it was expected that query throughput would be lower with SSL than without, but I was rather surprised by the magnitude of the performance hit incurred at connection setup time. These results naturally lended themselves to some further investigation; in particular, I wanted to compare performance differences between MySQL’s built-in SSL encryption facilities and external encryption technologies, such as SSH tunneling. I’ll also be using this post to address a couple of questions posed in the comments on my

  [Read more...]
SSL Performance Overhead in MySQL
+1 Vote Up -0Vote Down

NOTE: This is part 1 of what will be a two-part series on the performance implications of using in-flight data encryption.

Some of you may recall my security webinar from back in mid-August; one of the follow-up questions that I was asked was about the performance impact of enabling SSL connections. My answer was 25%, based on some 2011 data that I had seen over on yaSSL’s website, but I included the caveat that it is workload-dependent, because the most expensive part of using SSL is establishing the connection. Not long thereafter, I received a request to conduct some more specific benchmarks surrounding SSL usage in MySQL,

  [Read more...]
Setting up MySQL SSL and secure connections
+1 Vote Up -0Vote Down

There are different articles on how to setup MySQL with SSL but it’s sometimes difficult to end up with a good simple one. Usually, setting up MySQL SSL is not really a smooth process due to such factors like “it’s not your day”, something is broken apparently or the documentation lies I am going to provide the brief instructions on how to setup MySQL with SSL, SSL replication and how to establish secure connections from the console and scripts showing the working examples.

Quick links:

  [Read more...]
SSL-related MySQL Bug #62743 Fixed Recently
+1 Vote Up -0Vote Down

I was very pleased to see that the SSL-related MySQL Bug #62743 was just fixed.

Here is the bug for reference:

http://bugs.mysql.com/bug.php?id=62743

In essence, the –ssl-key value was not validated, thus anything could have been specified there.

Your connection would have still been SSL encrypted, which was good at least, but your SSL Key would not have made any difference.

This fix will be included in versions 5.1.66, 5.5.28, 5.6.7, 5.7.0.

For reference, here is the entry that will go into the changelogs:

“The argument to the –ssl-key option was not verified to exist and be
a valid key. The resulting connection used SSL, but the key was not
used.”

 

Understanding SHOW VARIABLES: DISABLED and NO values
+1 Vote Up -0Vote Down

When you use SHOW VARIABLES LIKE “have_%” to see whether a particular feature is enabled, you will note the value of NO for some, and DISABLED for others. These values are not intrinsically clear for the casual onlooker, and often cause confusion. Typically, this happens with SSL and InnoDB. So, here is a quick clarification!

  • NO means that the feature was not enabled (or was actively disabled) in the build. This means the code and any required libraries are not present in the binary.
  • DISABLED means that the feature is built in and capable of working in the binary, but is disabled due to relevant my.cnf settings.
  • YES means the feature is available, and configured in my.cnf.

SSL tends to show up as DISABLED, until you configure

  [Read more...]
Tech Messages | 2012-05-11
+0 Vote Up -0Vote Down

A special extended edition of Tech Messages for 2011-09-21 through 2012-05-11:

Setting up MySQL SSL on Multiple Machines
+2 Vote Up -0Vote Down

Managing SSL certificates for MySQL can be somewhat of a pain, especially when setting it up on multiple machines.

I looked around on the web, and didn’t really run into any mentions of how to do this for multiple machines, so I dug into it a bit more.

If you’ve created the certificates before, you’ll know you get prompted for various bits of information during a couple of the steps (country, state, email).

However, this can be by-passed by using the -batch option with the openssl command.

So, to set this up for multiple servers, just loop through the following 5 commands for your servers:

cd C:\mysql\certs
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -batch -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 3600 -batch -nodes -keyout server-key.pem >
	server-req.pem
openssl x509 -req -in server-req.pem
  [Read more...]
MySQL SSL Users: BEWARE This Bug
+1 Vote Up -1Vote Down

If you’re using MySQL and SSL, you might want to glance over this article and give your setup a quick test.

I’ve uncovered an alarming bug in 5.5 where one could gain access to your MySQL instance just knowing the username and password (not having any SSL certificate, key, etc.)!

Of course, I’ve filed a bug about it here:

http://bugs.mysql.com/bug.php?id=62743

It’s been over 4 days now, and not one comment from the MySQL Bug/Dev Team.

So once again, I feel the need to share this bug with the public, in case you are using SSL with 5.5, and think your connections are secure, or that only users with the certs/key could gain access.

For SSL Users, you’ll already have this set up, but for those who don’t, I’ve simply got mysqld (5.5.15 and 5.5.16 thus far) running with the

  [Read more...]
how to test the plain and encrypted SMTP/POP3/IMAP and HTTP protocols
+0 Vote Up -0Vote Down

In this article I will describe how to test the plain and the encrypted SMTP/POP3/IMAP and HTTP protocols with telnet and the openssl s_client command.

list of references

For a complete list of available commands for the used protocols check the RFCs please:

SMTP

sending mail

In the first example I will open a telnet

  [Read more...]
How To Set Up MySQL Database Replication With SSL Encryption On Debian Squeeze
+1 Vote Up -0Vote Down

How To Set Up MySQL Database Replication With SSL Encryption On Debian Squeeze

This tutorial describes how to set up database replication in MySQL using an SSL connection for encryption (to make it impossible for hackers to sniff out passwords and data transferred between the master and slave). MySQL replication allows you to have an exact copy of a database from a master server on another server (slave), and all updates to the database on the master server are immediately replicated to the database on the slave server so that both databases are in sync. This is not a backup policy because an accidentally issued DELETE command will also be carried out on the slave; but replication can help protect against hardware failures though.

Using SSL with MySQL
+1 Vote Up -0Vote Down
Since MySQL 4.0 it's possible to use SSL to secure the connections to MySQL. Unfortunately this is not used very often.

It can be used for cient-server connections and for replication. It will encrypt your traffic and prevent man-in-the-middle attacks if you're using ssl-verify-server-cert when connecting using mysql.

Securing database communication can be required to be compliant to some regulations.

There are other means of preventing anyone from snooping your database traffic like VPN, SSH Tunneling or stunnel.

As usual the documentation is quite good. The only issue with the docs is that the verification step is missing. (Bug







  [Read more...]
The best MySQL SSL Cipher?
+0 Vote Up -0Vote Down

This is more of a question than me sharing knowledge, but I'm testing the effects of MySQL SSL on replication delay. Interestingly, my tests show faster replication when I enable SSL, versus disable. The slave_compressed_protocol has an effect too, and I get the best result when I use SSL and slave compression in a non-CPU bound test.

The question came up, however, of what SSL Cipher I'm using. I'm not specifying one in my CHANGE MASTER statement, so I'm guessing I'm getting the same default cipher as if I connect with the regular mysql command line client with SSL, which is:

-->

read more

A MD5 stored procedure for Drizzle… in C
+1 Vote Up -0Vote Down

So, just in case that wasn’t evil enough for you… perhaps you have something you want to know the MD5 checksum of. So, you could just do this:

drizzle> select md5('Hello World!');
+----------------------------------+
| md5('Hello World!')              |
+----------------------------------+
| ed076287532e86365e841e92bfc50d8c |
+----------------------------------+
1 row in set (0 sec)

But that is soooo boring.

Since we have the SSL libs already loaded into Drizzle, and using my very evil libtcc plugin… we could just implement it in C. We can even use malloc!

  [Read more...]
Reminder: Tech Webinar on Security for Web Application
Employee +0 Vote Up -0Vote Down

Reminder, mark you callendar:

Wednesday January 27th, Join the Sun Startup Essentials Webinar on  Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and  150 employee: Join Sun Startup Essentials >>


Reminder: Tech Webinar on Security for Web Application
Employee +0 Vote Up -0Vote Down

Reminder, mark you callendar:

Wednesday January 27th, Join the Sun Startup Essentials Webinar on  Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and  150 employee: Join Sun Startup Essentials >>


Reminder: Tech Webinar on Security for Web Application
Employee +0 Vote Up -0Vote Down

Reminder, mark you callendar:

Wednesday January 27th, Join the Sun Startup Essentials Webinar on  Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Solaris, Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and  150 employee: Join Sun Startup Essentials >>


Tech Webinar: Security for Web Application
Employee +0 Vote Up -0Vote Down

Wednesday January 27th, Join the Sun Startup Essentials Webinar on  Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and  150 employee: Join Sun Startup Essentials >>

Tech Webinar: Security for Web Application
Employee +0 Vote Up -0Vote Down

Wednesday January 27th, Join the Sun Startup Essentials Webinar on  Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and  150 employee: Join Sun Startup Essentials >>

Tech Webinar: Security for Web Application
Employee +0 Vote Up -0Vote Down

Wednesday January 27th, Join the Sun Startup Essentials Webinar on  Security for Web Applications.

A key success factor for Web startups is to protect their applications and data from different security threats. Join this webinar to learn about security challenges and about key solutions such as encryption, authentication, certificates, secure and fault-tolerant storage, chrooted environments. The Sun Startup Essentials experts will also cover how to implement these solutions at minimal cost by using standard and open components such as Apache, MySQL, ZFS and more.

Registration limited to members of the Sun Startup Essentials program.

Your company is less than 6 year and  150 employee: Join Sun Startup Essentials >>

Replication Checksumming Through Encryption
Employee +0 Vote Up -0Vote Down

Problem

A problem we occasionally see is Relay Log corruption, which is most frequently caused by network errors. At this point in time, the replication IO thread does not perform checksumming on incoming data (currently scheduled for MySQL 6.x). In the mean time, we have a relatively easy workaround: encrypt the replication connection. Because of the nature of encrypted connections, they have to checksum each packet.

Solution 1: Replication over SSH Tunnel

This is the easiest to setup. You simply need to do the following on the Slave:

shell> ssh -f user@master.server -L 4306:master.server:3306 -N

This sets up the tunnel. slave.server:4306 is now a tunnelled link to master.server:3306. So now, you just need to alter the Slave to go through the tunnel:

mysql>
  [Read more...]
New MySQL Workbench Auto-Update Feature for SE in 5.0.22
Employee_Team +0 Vote Up -0Vote Down

We introduced a new library to use with our update-feature inside Workbench. With the new lib (yassl) it’s possible to use SSL encryption for the authentication/download of new SE releases. This was not possible with libcurl because we’re not allowed to use/bundle openSSL. As this update is included staring with 5.0.22 all SE users will have to download version 5.0.22 manually from the enterprise pages one more time. Please logon to https://enterprise.mysql.com/software/gui_tools.php with your mysql username and password, download the latest release and launch the installer manually. Sorry for the inconvenience.

Showing entries 1 to 28

Planet MySQL © 1995, 2014, Oracle Corporation and/or its affiliates   Legal Policies | Your Privacy Rights | Terms of Use

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.