This guide demonstrates how to configure SSL/TLS settings in MySQL 8.0 to enhance security by encrypting data in transit. This includes creating self-signed certificates, configuring MySQL to use SSL, verifying SSL settings, and enforcing SSL connections for users.
First, you need to get SSL/TLS certificates. You can either obtain them from a Certificate Authority (CA) or create self-signed certificates. This example uses self-signed certificates.
Create a directory for certificates:
mkdir /var/lib/mysql/pki
Copy the certificates to the new directory:
cp /etc/pki/tls/certs/server.{crt,key} /var/lib/mysql/pki/
Change the ownership of the directory:
chown -R mysql. /var/lib/mysql/pki
Configure MySQL to use SSL certificates by editing the MySQL configuration file:
[mysqld] section in /etc/my.cnf.d/mysql-server.cnf:[mysqld]
ssl-cert=/var/lib/mysql/pki/server.crt
ssl-key=/var/lib/mysql/pki/server.key
Restart MySQL to apply the changes:
systemctl restart mysqld
Connect to MySQL:
mysql -u root -p
Check SSL/TLS settings:
SHOW VARIABLES LIKE '%ssl%';
This should display paths for ssl_cert and ssl_key, and have_ssl should be YES.
To enforce SSL/TLS for client connections, use the --ssl-mode option.
mysql -u root -p --ssl-mode=required --protocol=tcp
SHOW STATUS LIKE 'ssl_cipher';
Connect to MySQL:
mysql -u root -p
Create a user that requires SSL/TLS for connections:
CREATE USER redhat IDENTIFIED BY 'password' REQUIRE SSL;
To enforce SSL/TLS for an existing user:
ALTER USER 'cent'@'%' REQUIRE SSL;
Verify SSL/TLS requirements for users:
SELECT user, host, ssl_type FROM mysql.user;
Users requiring SSL/TLS will have their ssl_type set to ANY.