Securing mariadb-server with SSL/TLS on RHEL7


Securing mariadb-server (mariadb-server-5.5.56-2.el7_1) that uses openssl

This article is part of the Securing Applications Collection

Configuration File

   /etc/my.cnf.d/server.cnf

Short form

[mysqld]

ssl-cert=/etc/pki/tls/certs/mariadb.pem
ssl-key=/etc/pki/tls/private/mariadb.key
ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Protocols

There is no configuration option to control the protocol version used; mariadb will negotiate TLSv1.0 or better.

Ciphers

    ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

This value provides a comprehensive set of ciphers.

Ciphers - Alternative Values

Strongest ciphers only:

    ssl-cipher=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES

Allow very old clients:

    ssl-cipher=ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
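The following script is an added example for checking a server.cnf before restarting mariadb; it is not part of the Red Hat article. It reads the ssl-cipher value from the [mysqld] section, checks that the weak families the article's default value disables (anonymous/NULL key exchange, export, RC4, DES/3DES, MD5) are explicitly excluded and that no entry positively selects one of them, and, when the openssl CLI is present, expands the string the way the server's OpenSSL library will. The sample config written by write_sample_cnf is constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): lint the ssl-cipher value in a
# MariaDB server.cnf. Usage: sh lint-ssl-cipher.sh /etc/my.cnf.d/server.cnf

# Print the ssl-cipher value from the [mysqld] section of a my.cnf-style file
# (prints nothing when the option is absent from that section).
get_ssl_cipher() {
    awk -F= '
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
        in_mysqld && $1 ~ /^[ \t]*ssl-cipher[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }
    ' "$1"
}

# Print every entry that positively selects a weak family (RC4, DES/3DES, MD5,
# NULL), e.g. "RC4+RSA" in the "very old clients" value; prints nothing when clean.
weak_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | grep -E 'RC4|DES|MD5|NULL' || true
}

# Return 0 when the string explicitly excludes every family the article's default
# value disables and selects none of them; otherwise report and return 1.
# Both !EXPORT and the shorter !EXP alias are accepted for the export family.
cipher_string_ok() {
    rc=0
    for bad in aNULL eNULL EXPORT RC4 DES 3DES MD5; do
        case ":$1:" in
            *":!$bad:"*) continue ;;
        esac
        if [ "$bad" = EXPORT ]; then
            case ":$1:" in *":!EXP:"*) continue ;; esac
        fi
        echo "missing exclusion: !$bad"
        rc=1
    done
    weak=$(weak_entries "$1")
    if [ -n "$weak" ]; then
        echo "weak algorithm selected: $weak"
        rc=1
    fi
    return $rc
}

# Lint the ssl-cipher line of a config file: returns 1 when missing or weak.
lint_cnf() {
    ciphers=$(get_ssl_cipher "$1")
    if [ -z "$ciphers" ]; then
        echo "no ssl-cipher in [mysqld] section of $1"
        return 1
    fi
    cipher_string_ok "$ciphers"
}

# When the openssl CLI is present, show the suites the string expands to on this
# host's OpenSSL; the server will offer exactly this list.
expand_ciphers() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping expansion" >&2; return 0; }
    openssl ciphers -v "$1"
}

# Constructed sample matching the article's short form (not a real deployment file).
write_sample_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
ssl-cert=/etc/pki/tls/certs/mariadb.pem
ssl-key=/etc/pki/tls/private/mariadb.key
ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
EOF
}

# Lint the file given on the command line, then show the expanded list.
if [ -n "${1:-}" ]; then
    lint_cnf "$1" && expand_ciphers "$(get_ssl_cipher "$1")"
fi
```

Run against the article's default value the lint is silent; run against the "Allow very old clients" value it reports the missing exclusions and the positively selected RC4+RSA entry, which is the trade-off that value makes.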

Certificate Handling

mariadb-server expects the private key and the certificate in separate PEM-format files.

Key File

ssl-key=/etc/pki/tls/private/mariadb.key

The key should be readable only by user root and group mysql:

# ls -l /etc/pki/tls/private/mariadb.key
-rw-r-----. 1 root mysql 3243 Jun  4 14:12 /etc/pki/tls/private/mariadb.key

Certificate File

ssl-cert=/etc/pki/tls/certs/mariadb.pem

The file should contain the server certificate, followed by any intermediate certificates, and then the root certificate.
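The following script is an added example, not part of the Red Hat article, for preparing the two files this section describes: it assembles the certificate file in the required order (server, intermediates, root), refuses to put a private key into the world-readable certificate file, checks that the key file has the ownership and mode shown above, and, when the openssl CLI is available, prints the subject and issuer of each certificate in file order so the ordering can be confirmed. The function names and the placeholder certificates written by write_placeholder_cert are constructed for the demonstration (they are not real certificates), and the permission check assumes a GNU coreutils stat as found on RHEL 7.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): build the PEM chain file and
# check the key file permissions for mariadb-server.

# Concatenate certificates, in the order given, into the output file.
# Usage: build_chain OUT SERVER_CERT [INTERMEDIATE ...] ROOT_CERT
build_chain() {
    out=$1; shift
    : > "$out"
    for cert; do
        grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert: not a PEM certificate" >&2; return 1; }
        cat "$cert" >> "$out"
    done
    # The certificate file is world-readable; a key pasted in by mistake leaks it.
    if grep -q 'PRIVATE KEY' "$out"; then
        echo "$out: contains a private key, refusing" >&2
        return 1
    fi
}

# Number of certificates in a PEM bundle (server + intermediates + root).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Return 0 when KEYFILE is owned by the expected user/group (default root:mysql),
# has no world permissions and gives the group at most read access (e.g. 0640).
# Usage: check_key_perms KEYFILE [OWNER] [GROUP]
check_key_perms() {
    key=$1; want_user=${2:-root}; want_group=${3:-mysql}
    mode=$(printf '%03d' "$(stat -c '%a' "$key")")   # e.g. 640
    other=${mode#??}                                  # world bits
    grp=${mode%?}; grp=${grp#?}                       # group bits
    rc=0
    [ "$other" = 0 ] || { echo "$key: world-accessible (mode $mode)"; rc=1; }
    case "$grp" in
        0|4) ;;
        *) echo "$key: group may write or execute (mode $mode)"; rc=1 ;;
    esac
    [ "$(stat -c '%U' "$key")" = "$want_user" ]  || { echo "$key: owner is not $want_user"; rc=1; }
    [ "$(stat -c '%G' "$key")" = "$want_group" ] || { echo "$key: group is not $want_group"; rc=1; }
    return $rc
}

# When the openssl CLI is present, print subject/issuer of each certificate in
# the bundle, in file order, so server -> intermediate -> root can be confirmed.
show_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; return 0; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Constructed placeholder "certificate" for the demonstration (not a real cert).
# Usage: write_placeholder_cert FILE LABEL
write_placeholder_cert() {
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-%s\n-----END CERTIFICATE-----\n' "$2" > "$1"
}

# Example run with the article's paths (requires root; skipped when the key is absent).
if [ -r /etc/pki/tls/private/mariadb.key ]; then
    check_key_perms /etc/pki/tls/private/mariadb.key
    show_chain /etc/pki/tls/certs/mariadb.pem
fi
```

After building the file, restart mariadb and confirm in the server error log that it started without an SSL error; a chain in the wrong order is the usual cause of clients failing certificate verification.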
