Overview Some MySQL distribution packages, such as the generic Linux build, bundle an OpenSSL dependency within the same .tar.gz archive. With the new MySQL 8.0.46, 8.4.9 and 9.7.0 releases, we are upgrading those bundled packages from using OpenSSL 3.0 to the new OpenSSL 3.5 LTS branch. Native OS packages, such as .rpm and .deb, continue […]
The following report covers a performance evaluation of the currently available OpenSSL releases when they are used by MySQL in CPU-intensive OLTP workloads. However, the main focus is on OpenSSL-3.5.5, which will be used by default in the next MySQL releases.
This is a demo tutorial to show how we can create InnoDB Cluster with newly installed Certificate and having X509 certificate verification via MySQL Router connection.
Recorded Video
The full process is recorded on YouTube - showing creating InnoDB Cluster with newly installed CA, Server Certificates. The Router creation is configured with SSL Server certificate from the same CA certificate across Server nodes. The creation of User (create user my509user identified by '....' require X509) using X509 certificate PASSTHROUGH verification via Router connection.
https://www.youtube.com/watch?v=w1xgpjw0VTw
Environment
The following environment was tested
Oracle Linux Server release 8.6
MySQL Server 8.0.31
MySQL Shell 8.0.31 …
MySQL needs an SSL/TLS library. It uses it primarily to encrypt network connections, but also uses its various algorithms and random number generators.
OpenSSL is the golden standard when it comes to cross-platform open source SSL/TLS library that you use from C/C++.…
Recently a serious vulnerability called DROWN was found. The vulnerability exists in systems that support SSLv2. There is a flaw in SSLv2 that could be used to decrypt information over newer SSL protocols such as TLS. More information about the DROWN vulnerability with CVE number CVE-2016-0800 can be found here: The DROWN attack Mitre CVE dictionary […]
The post MariaDB itself is NOT affected by the DROWN vulnerability appeared first on MariaDB.org.
New SSL alternatives: SSL connections in previous versions of MariaDB Connector/C were based on the OpenSSL library. The OpenSSL Heartbleed bug, licensing problems and the lack of support for different transport layers were the main reasons that we decided to offer SSL alternatives. In addition to OpenSSL the following SSL libraries are supported in Connector/C 3.0: GnuTLS […]
The post New in MariaDB Connector/C 3.0 – Part I: SSL appeared first on MariaDB.org.
MySQL 5.6.23 was recently released (it is the latest MySQL 5.6, is GA), and is available for download here.
For this release, there is 1 “Security Note”, 3 “Functionality Changed”, and 5 “Compilation Notes”, all benign, but let me address them:
- Security Note: The linked OpenSSL library for the MySQL Commercial Server has been updated from version 1.0.1j to version 1.0.1k. Issues fixed in the new version are described at http://www.openssl.org/news/vulnerabilities.html.
- Functionality Changed: Support for the SSL 2.0 and SSL 3.0 protocols has been disabled because they provide weak encryption. (Bug #19820550, Bug #19921150)
- Functionality Changed: yaSSL was upgraded to version …
April 10, 2014 By Severalnines
In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.
Background
If your ClusterControl's web application has been accessible on the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug, see: http://heartbleed.com for more details.
By default, our database deployment script enables SSL encryption for the Apache web server on the Controller host with a generated private SSL key and a self-signed certificate. SSL encryption is used between the UI and the Controller REST API if you have clusters added with HTTPS, which we do by default. The content that is encrypted …
The Heartbleed bug was introduced in OpenSSL 1.0.1 and is present in
- 1.0.1
- 1.0.1a
- 1.0.1b
- 1.0.1c
- 1.0.1d
- 1.0.1e
- 1.0.1f
The bug is not present in 1.0.1g, nor is it present in the 1.0.0 branch nor the 0.9.8 branch of OpenSSL. Some sources report 1.0.2-beta is also affected by this bug at the time of writing; however, it is a beta product and I would really recommend not to use beta quality releases for something as fundamentally important as OpenSSL in production.
The bug itself is within the heartbeat extension of OpenSSL (RFC6520). The bug allows an attacker to leak the memory in up to 64k chunks, this is not to say the data being leaked is limited to 64k as the attacker can continually abuse this bug to leak data, until they are satisfied with what has been …
Managing SSL certificates for MySQL can be somewhat of a pain, especially when setting it up on multiple machines.
I looked around on the web, and didn’t really run into any mentions of how to do this for multiple machines, so I dug into it a bit more.
If you’ve created the certificates before, you’ll know you get prompted for various bits of information during a couple of the steps (country, state, email).
However, this can be by-passed by using the -batch option with the openssl command.
So, to set this up for multiple servers, just loop through the following 5 commands for your servers:
cd C:\mysql\certs
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -batch -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 3600 -batch -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey …