Securing mysql-server with SSL/TLS on RHEL6
Securing mysql-server (mysql-server-5.1.73-8.el6_8) that uses openssl
This article is part of the Securing Applications Collection
Configuration File
/etc/my.cnf
[mysqld]
ssl-cert=/etc/pki/tls/certs/mysql.pem
ssl-key=/etc/pki/tls/private/mysql.key
ssl-cipher=ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
Protocols
There is no control over the protocol version used: mysql-server on RHEL6 will always use TLSv1.0.
Ciphers
ssl-cipher=ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL
Provides a comprehensive set of ciphers.
Ciphers - Alternative Values
ssl-cipher=kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
Strongest ciphers only
ssl-cipher=ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Allow very old clients
Certificate Handling
mysql-server expects separate PEM format files for key and certificate
Key File
ssl-key=/etc/pki/tls/private/mysql.key
The key should be readable only by user root and group mysql.
# ls -l /etc/pki/tls/private/mysql.key
-rw-r-----. 1 root mysql 3243 Jun 4 14:12 /etc/pki/tls/private/mysql.key
Certificate File
ssl-cert=/etc/pki/tls/certs/mysql.pem
Should contain the server certificate followed by any intermediate certificates and then the root certificate.
The certificate file should be world readable.
# ls -l /etc/pki/tls/certs/mysql.pem
-rw-r--r--. 1 root root 5869 Jun 4 17:02 /etc/pki/tls/certs/mysql.pem
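The following audit script is an added example and is not part of the article or of mysql-server itself. It checks the key and certificate files against the ownership and modes shown above, confirms that the private key belongs to the first (server) certificate in the PEM bundle, counts the certificates in the chain, and expands an ssl-cipher value so the operator can see which suites a given string from the Ciphers section actually enables. It assumes the file paths from the article, an RSA key (the cipher lists above are RSA-keyed), GNU coreutils stat and the openssl CLI as shipped on RHEL6; the --audit flag and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): audit the mysql-server TLS files and
# show what an ssl-cipher value expands to. Assumes GNU stat -c and openssl.
MYSQL_KEY=/etc/pki/tls/private/mysql.key     # path from the article
MYSQL_CERT=/etc/pki/tls/certs/mysql.pem      # path from the article

# check_file_perms FILE MODE USER GROUP
# Returns 0 when FILE has exactly the given octal mode, owner and group.
check_file_perms() {
    file=$1; want_mode=$2; want_user=$3; want_group=$4
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    set -- $(stat -c '%a %U %G' "$file")
    if [ "$1" = "$want_mode" ] && [ "$2" = "$want_user" ] && [ "$3" = "$want_group" ]; then
        echo "OK       $file ($1 $2:$3)"
        return 0
    fi
    echo "BAD      $file has $1 $2:$3, want $want_mode $want_user:$want_group"
    return 1
}

# key_matches_cert KEY CERT
# Returns 0 when the RSA private key's modulus equals the modulus of the first
# certificate in CERT, i.e. ssl-key and ssl-cert belong together.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_count FILE: number of PEM certificates in the bundle (server + chain).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# expand_ciphers STRING: the suites OpenSSL resolves STRING to, one per line,
# so an ssl-cipher value from my.cnf can be reviewed before it is deployed.
expand_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# audit_mysql_tls: run every check against the configured paths; returns
# non-zero if anything is wrong.
audit_mysql_tls() {
    rc=0
    check_file_perms "$MYSQL_KEY"  640 root mysql || rc=1   # -rw-r----- root:mysql
    check_file_perms "$MYSQL_CERT" 644 root root  || rc=1   # -rw-r--r-- root:root
    if key_matches_cert "$MYSQL_KEY" "$MYSQL_CERT"; then
        echo "OK       key matches the server certificate"
    else
        echo "BAD      key does not match the first certificate in $MYSQL_CERT"; rc=1
    fi
    echo "INFO     $(cert_count "$MYSQL_CERT") certificate(s) in $MYSQL_CERT"
    return $rc
}

# Usage: sh mysql-tls-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_mysql_tls; fi
```

Run it as root after editing /etc/my.cnf and before restarting mysqld; a BAD line on the key means group mysql cannot read it (mysqld will fail to start SSL) or that it is readable by others, and a modulus mismatch usually means the certificate was reissued but the old key kept. To review a cipher string, call expand_ciphers with the exact value used in my.cnf.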