Protecting MySQL network traffic
Daniël van Eeden | 25 April 2017
Booking.com at a glance
● Started in 1996; still based in Amsterdam
● Member of the Priceline Group since 2005 (stock: PCLN)
● Amazing growth; continuous scaling challenges
● Online Hotel/Accommodation/Travel Agent (OTA):
● Over 1.2 million active properties in 227 countries
● Over 1.2 million room nights reserved daily
● 40+ languages (website and customer service)
● Over 13,000 people working in 187 offices in 70 countries
● We use a lot of MySQL and MariaDB:
● Thousands (1000s) of servers, ~90% replicating
● >150 masters: ~30 of them with >50 slaves & ~10 with >100 slaves
Why protect MySQL network traffic?
● Prevent leaking of authentication data (passwords, etc.)
● Prevent leaking of sensitive data (PII, credit card numbers, medical records)
● Ensure data is not tampered with.
● Because of regulations
● Because why not? Are you still using telnet to manage servers?
How?
● Use SSL!
● Done!
SSL Support in MySQL
● MySQL doesn't have SSL support
● MySQL never had any SSL support
● MySQL has TLS support: this is what is commonly called SSL, but it isn't SSL
● Supported since 4.0.0 (~2003)
● For now just assume SSL and TLS are the same
What is NOT protected by TLS
● Data-at-rest
○ InnoDB and MyISAM data files
○ Binlogs, redo logs, slow query logs
○ Backups
● Does not protect against a DoS
○ e.g. corrupting traffic
● Might not protect the query text
○ performance_schema etc.
● Does not hide the traffic pattern
First steps with TLS
1. Get a certificate
2. Restart MySQL
3. Enable TLS on the client
4. Check if the connection actually uses TLS
Generating the certificate
● With 5.7 and up: Might already be done by your installation
● If not, use mysql_ssl_rsa_setup
● For older versions: https://github.com/dveeden/mysslgen
● Or use the openssl command-line utilities as described in the reference manual: https://dev.mysql.com/doc/mysql/en/creating-ssl-files-using-openssl.html
● Did you know MySQL Workbench has an SSL Wizard?
Configuration
● On 5.7+: Place the ca.pem, server-cert.pem and server-key.pem in your datadir. (already the case if you use mysql_ssl_rsa_setup)
● Or set ssl-ca, ssl-key, ssl-cert in your my.cnf
● Restart MySQL
● Enable SSL in your application. You probably want to copy your ca.pem file to your client
Checking your connection
● 'status' or \s
● Look for 'Cipher in use'
● Or check the 'Ssl_cipher' session status.
What if it doesn't work?
● Check your mysqld.log
● Check the permissions on the pem files
○ Should be readable by the mysql user
● Try to connect with --ssl-mode=REQUIRED
● Use the OpenSSL commandline tools to see what's in the certificate.
● Use Wireshark.
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ERROR 2026 (HY000): SSL connection error: unknown error number
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
ERROR 2026 (HY000): SSL connection error: protocol version mismatch
ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use
ERROR 2026 (HY000): SSL connection error: Unable to get certificate
ERROR 2026 (HY000): SSL connection error: Unable to get private key
Now let's make it more secure
● Require the use of TLS on the server
● Require the use of TLS on the client
● Enable more security checks
● Security updates
Make TLS a requirement
● On a per user basis:
○ ALTER USER foo REQUIRE SSL
○ Undo: ALTER USER foo REQUIRE NONE
● But what happens if you accidentally create a user?
○ e.g. GRANT on a nonexistent user?
○ Set: sql_mode=NO_AUTO_CREATE_USER,…
● On a server level:
○ SET GLOBAL require_secure_transport=ON
○ This still allows UNIX socket connections w/o TLS
Issues with full-on TLS
● Is your monitoring capable of using TLS connections?
● What about load balancer health checks?
On the client
● Use --ssl-mode=REQUIRED
○ The default in 5.7 is PREFERRED
○ Older releases default to DISABLED
● This only makes a TLS connection a requirement
○ Does not check if issued by a trusted CA
○ Does not check if the hostname matches the cert
○ To do this use VERIFY_CA or VERIFY_IDENTITY
● On older versions:
○ Use --ssl-ca to allow TLS and enable CA checks
○ Use --ssl-verify-server-cert to do hostname checks.
○ Often not possible to force the use of TLS: this is the BACKRONYM vulnerability
● Use --ssl-ca=/path/to/ca.pem to specify which CA(s) are trusted.
Client checks
● The client could do these checks:
○ Is the certificate signed by a trusted CA?
○ Does the CommonName (CN) in the certificate match the hostname we are connecting to?
○ Is the certificate expired?
Certificate Authority validation
● Validates that the server certificate is signed by one of the CAs present in the specified CA file.
● Note that a CA file can have multiple CAs
● There is also a CA path option.
● The auto-generated certificates from mysql_ssl_rsa_setup all have their own CA.
Hostname validation
● mysql_ssl_rsa_setup generates certificates with
○ CN=MySQL_Server_5.7.18_Auto_Generated_Server_Certificate
● So generate the certificates manually if you want this to match your hostname
● A certificate can have a list of hostnames in SubjectAltName
○ MySQL doesn't check those... Bug #68052
● So if you use a virtual IP, CNAME, etc. it might be difficult to match this.
● What if your clients connect on a CNAME and your replicas connect on the hostname? You can't have both!
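The three client checks above, run the way a VERIFY_CA or VERIFY_IDENTITY client would; this is an added Go example, not code from the slides or from any MySQL connector. It builds a throwaway CA and server certificate for the made-up hostname db1.example.com (standing in for what mysql_ssl_rsa_setup writes to disk) and then shows that VERIFY_CA accepts a connection made through a CNAME while VERIFY_IDENTITY rejects it, and that both reject an expired certificate or an unknown CA; the function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyMode mirrors the two --ssl-mode levels that inspect the server
// certificate; REQUIRED (not modelled here) only insists on TLS being used.
type VerifyMode int

const (
	VerifyCA       VerifyMode = iota // chain to a trusted CA, ignore the hostname
	VerifyIdentity                   // chain to a trusted CA AND match the hostname
)

// CheckServerCert runs the three client checks from the slides: trusted CA,
// hostname match and validity period. caPEM is the content of ca.pem (it may
// hold several CAs); certPEM is the certificate the server presented.
func CheckServerCert(caPEM, certPEM []byte, host string, mode VerifyMode, now time.Time) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no CA certificate found in ca.pem")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now}
	if mode == VerifyIdentity {
		// Go matches against SubjectAltName; the MySQL client of this era only
		// looks at the CN (Bug #68052), so real certs need the name in both.
		opts.DNSName = host
	}
	_, err = cert.Verify(opts) // also fails for an expired or not-yet-valid cert
	return err
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func toPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// MakeTestPKI builds a throwaway CA plus a server certificate for host signed
// by it, valid for 30 days from notBefore. This is constructed test material
// standing in for the files mysql_ssl_rsa_setup or openssl would write.
func MakeTestPKI(host string, notBefore time.Time) (caPEM, serverPEM []byte) {
	caKey, srvKey := newKey(), newKey()
	notAfter := notBefore.Add(30 * 24 * time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed MySQL test CA"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		panic(err)
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host}, // what the MySQL client compares
		DNSNames:     []string{host},              // what Go and modern TLS stacks compare
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return toPEM(caDER), toPEM(srvDER)
}
```

With the Go MySQL driver the same checks come from a tls.Config whose RootCAs holds ca.pem and whose ServerName is the hostname, registered via the driver's RegisterTLSConfig.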
Security updates
● I reported a few issues to Oracle.
● CVE-2017-3590 for Connector/Python
● CVE-2017-3469 for MySQL Workbench
● CVE-2017-3467 for libmysqlclient
● Those are fixed. See the Oracle Critical Patch Update for details.
● But if you care about security you should follow the release notes and Critical Patch Update anyway...
What library does MySQL use?
● Community Edition: YaSSL
○ Because the GPL and the OpenSSL license are not really compatible
○ This library is maintained by WolfSSL
○ This is not CyaSSL/WolfSSL
○ WolfSSL made a patch to include WolfSSL in MySQL 5.6.30 (https://github.com/wolfSSL/mysql-patch)
● Enterprise Edition: OpenSSL
● If you build MySQL yourself: you can compile against either of them.
Why not TLS?
● Because it is SLOW!
● Because we trust our network!
● Because we encrypt with:
○ The application (store encrypted data)
○ SSH (Also works great with Workbench)
○ VPN
● Because we want to inspect our network traffic!
○ Wireshark can decrypt it if you hand over your private key. Some ciphers require you to somehow extract session keys.
How slow is slow?
● Overhead in milliseconds for setting up a TLS connection on localhost with TCP.
● Client: Go
● 5.7 is faster than 5.6
● OpenSSL is faster than YaSSL
● Using TLS tickets (OpenSSL only) helps
● Best case: 0.99ms (5.7 OpenSSL w/ tickets) vs. 0.60ms (no TLS)
● TLS does need more roundtrips, but this will change with TLS 1.3
● OpenSSL performs better because it uses AVX2 and AES-NI
Bulk transfer performance
● Easy to test: mysqldump with and without TLS
● Different ciphers do make a difference.
mysqldump performance with MySQL 5.6.35 (YaSSL):
  No TLS         4.5s
  TLS default   10.4s
  RC4-MD5        7.1s
  DES-CBC3-SHA  23.2s
Monitoring
● Monitor the Expiry of certificates
● Not just the certificate on disk, also the one in memory.
● Use TLS for your monitoring on 5.6 and earlier, otherwise you might not see the status vars
● Performance schema can show you the ciphers and TLS versions in use by all connections
● Using SYS is even easier:
○ SELECT * FROM session_ssl_status
Client certificates
● This allows mutual authentication
● Often used together with a password
● You might want to use REQUIRE SUBJECT or REQUIRE ISSUER on accounts.
● At least use REQUIRE X509 instead of REQUIRE SSL
Replication
● Use CHANGE MASTER TO MASTER_SSL=1, etc.
● Think about what happens if your certificate(s) expire
● Does the hostname match the certificate?
Changing certificates
● Needs restart
● Moving slaves around might not work until you restart.
● Same for a switchover.
CRL and OCSP
● Only possible with OpenSSL
● Does not auto-download the CRL from the distribution point
● Does not use OCSP
● Basically restart MySQL every time your CRL changes, which is not practical
Where to get your certificate?
● Official CA?
● Internal CA?
● Self signed?
TLS handshake with MySQL
● server hello with ssl flag set
● 'empty' login packet with ssl flag set
● Start SSL handshake
● Basically STARTTLS-ish
○ SSL and non-SSL on the same port
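The exchange above as bytes, as an added Go example (not code from the slides or from any MySQL driver): it parses a constructed HandshakeV10 server greeting for the CLIENT_SSL capability bit, takes the --ssl-mode decision the client has to make at that point, and builds the 'empty' SSLRequest login packet. Server version, connection id and auth data are made-up sample values; the lower capability word 0xf7ff differs from 0xffff only in the CLIENT_SSL bit, which is what a greeting without TLS (or a stripped one) looks like.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Capability bits from the MySQL client/server protocol used below.
const (
	clientProtocol41 uint32 = 0x00000200
	clientSSL        uint32 = 0x00000800 // the "ssl flag" in greeting and login packet
	clientSecureConn uint32 = 0x00008000
	clientPluginAuth uint32 = 0x00080000
)

type SSLMode int

const (
	Preferred SSLMode = iota // 5.7 client default
	Required
)

type Greeting struct {
	ServerVersion string
	Capabilities  uint32
}

// ParseGreeting decodes a Protocol::HandshakeV10 packet (4-byte header plus
// payload) far enough to read the server version and capability flags.
func ParseGreeting(pkt []byte) (*Greeting, error) {
	if len(pkt) < 4 {
		return nil, errors.New("short packet header")
	}
	if n := int(pkt[0]) | int(pkt[1])<<8 | int(pkt[2])<<16; n != len(pkt)-4 {
		return nil, fmt.Errorf("header announces %d payload bytes, got %d", n, len(pkt)-4)
	}
	p := pkt[4:]
	if p[0] != 10 {
		return nil, fmt.Errorf("protocol version %d, want 10", p[0])
	}
	end := bytes.IndexByte(p[1:], 0)
	if end < 0 {
		return nil, errors.New("unterminated server version")
	}
	g := &Greeting{ServerVersion: string(p[1 : 1+end])}
	// After the version: connection id(4), auth-plugin-data part 1(8), filler(1),
	// capability flags lower(2), charset(1), status(2), capability flags upper(2).
	p = p[2+end:]
	if len(p) < 20 {
		return nil, errors.New("truncated greeting")
	}
	lower := uint32(binary.LittleEndian.Uint16(p[13:15]))
	upper := uint32(binary.LittleEndian.Uint16(p[18:20]))
	g.Capabilities = upper<<16 | lower
	return g, nil
}

// NegotiateTLS is the decision a client takes after reading the greeting.
// Under PREFERRED a greeting without CLIENT_SSL silently yields a plaintext
// session (the BACKRONYM downgrade from the slides); only REQUIRED or
// stricter turns that into a hard failure.
func NegotiateTLS(g *Greeting, mode SSLMode) (bool, error) {
	if g.Capabilities&clientSSL != 0 {
		return true, nil
	}
	if mode == Required {
		return false, errors.New("server does not offer TLS; refusing plaintext connection")
	}
	return false, nil // PREFERRED: silent fallback to plaintext
}

// BuildSSLRequest produces the 'empty' login packet from the slides: the first
// 32 bytes of a Protocol 4.1 login packet, CLIENT_SSL set, no username. The
// client sends it with sequence id 1 and then starts the TLS handshake.
func BuildSSLRequest() []byte {
	p := make([]byte, 32) // bytes 9..31 stay zero: 23 reserved bytes
	binary.LittleEndian.PutUint32(p[0:4], clientProtocol41|clientSecureConn|clientPluginAuth|clientSSL)
	binary.LittleEndian.PutUint32(p[4:8], 16<<20) // max packet size
	p[8] = 33                                     // charset utf8_general_ci
	return append([]byte{32, 0, 0, 1}, p...)      // header: length 32, sequence id 1
}

// sampleGreeting is a constructed HandshakeV10 packet in the shape a MySQL
// 5.7 server sends; lowerCaps is the low 16 capability bits, where CLIENT_SSL
// lives (0xffff offers TLS, 0xf7ff is the same greeting without it).
func sampleGreeting(lowerCaps uint16) []byte {
	p := []byte{10}                                    // protocol version
	p = append(p, "5.7.18\x00"...)                     // server version
	p = append(p, 42, 0, 0, 0)                         // connection id
	p = append(p, "abcdefgh\x00"...)                   // auth-plugin-data part 1 + filler
	p = append(p, byte(lowerCaps), byte(lowerCaps>>8)) // capability flags, lower
	p = append(p, 33, 2, 0)                            // charset, status flags
	p = append(p, 0xff, 0x81, 21)                      // capability flags upper, auth data len
	p = append(p, make([]byte, 10)...)                 // reserved
	p = append(p, "ijklmnopqrst\x00"...)               // auth-plugin-data part 2
	p = append(p, "mysql_native_password\x00"...)      // auth plugin name
	return append([]byte{byte(len(p)), byte(len(p) >> 8), byte(len(p) >> 16), 0}, p...)
}
```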
Protection of authentication data
● native password with nonce
● sha256 password with RSA keys or TLS
● cleartext plugin
TLS ciphers
● Possible to set restriction on Server and Client
● How are you going to manage and maintain that?
● 'REQUIRE cipher' also requires client certificates
● One practical use case would be to use a faster cipher for mysqldump
● Might help with compliance
● 5.7.10 already places stricter requirements on the list of ciphers
TLS versions
● Can be limited on the server and client
● Note that YaSSL only has TLS 1.0 and TLS 1.1 support
● Minimum is TLS 1.0
What about MariaDB?
● Doesn't use --ssl-mode
● Does have good TLS support
● MariaDB Connector/C has support for
○ fingerprint verification
○ password protected private keys
● 19 open MDEVs tagged with SSL
Connector support
● Works for C, C++, Python (multiple), Perl, Java, ODBC, Go, etc
● The Go MySQL driver lets you specify a TLS Config, which is really flexible.
● Do update your Connector. Many connectors did have security updates related to TLS.
Don't forget these
● MySQL Cluster (NDB) communication within the cluster
● Galera communication
● Sending backups to a central location (xbstream etc)
● Network traffic for iSCSI, FCP, NFS
Future
● TLSv1.3 with 0-RTT
● WolfSSL?
Oh, and Booking.com is hiring!
● Almost any role:
● MySQL Engineer / DBA
● System Administrator
● System Engineer
● Site Reliability Engineer
● Developer
● Designer
● Technical Team Lead
● Product Owner
● Data Scientist
● And many more…
● https://workingatbooking.com/
Thank you!
All references to “Booking.com", including any mention of “us”, “we” and “our” refer to Booking.com BV, the company behind Booking.com™
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 

Protecting MySQL Network traffic

  • 1. Protecting MySQL network traffic Daniël van Eeden | 25 April 2017
  • 8. Generating the certificate
    ● With 5.7 and up: might already be done by your installation
    ● If not, use mysql_ssl_rsa_setup
    ● For older versions: https://github.com/dveeden/mysslgen
    ● Or use the openssl command-line utilities as described in the reference manual: https://dev.mysql.com/doc/mysql/en/creating-ssl-files-using-openssl.html
    ● Did you know MySQL Workbench has an SSL wizard?
  • 9. Configuration
    ● On 5.7+: place ca.pem, server-cert.pem and server-key.pem in your datadir (already the case if you used mysql_ssl_rsa_setup)
    ● Or set ssl-ca, ssl-key and ssl-cert in your my.cnf
    ● Restart MySQL
    ● Enable SSL in your application. You probably want to copy ca.pem to your clients.
  • 10. Checking your connection
    ● Run status (or \s) in the mysql client
    ● Look for 'Cipher in use'
    ● Or check the Ssl_cipher session status variable (an empty value means the connection is not using TLS)
  • 11. What if it doesn't work?
    ● Check your mysqld.log
    ● Check the permissions on the .pem files
      ○ They should be readable by the mysql user
    ● Try to connect with --ssl-mode=REQUIRED
    ● Use the OpenSSL command-line tools to see what's in the certificate
    ● Use Wireshark
    Errors you may run into:
      ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
      ERROR 2026 (HY000): SSL connection error: unknown error number
      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
      ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
      ERROR 2026 (HY000): SSL connection error: protocol version mismatch
      ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
      ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use
      ERROR 2026 (HY000): SSL connection error: Unable to get certificate
      ERROR 2026 (HY000): SSL connection error: Unable to get private key
  • 12. Now let's make it more secure
    ● Require the use of TLS on the server
    ● Require the use of TLS on the client
    ● Enable more security checks
    ● Security updates
  • 13. Make TLS a requirement
    ● On a per-user basis:
      ○ ALTER USER foo REQUIRE SSL
      ○ Undo: ALTER USER foo REQUIRE NONE
    ● But what happens if you accidentally create a user?
      ○ e.g. GRANT on a nonexistent user?
      ○ Set: sql_mode=NO_AUTO_CREATE_USER,…
    ● On a server level:
      ○ SET GLOBAL require_secure_transport=ON
      ○ This still allows UNIX socket connections w/o TLS (the socket counts as a secure transport)
  • 14. Issues with full-on TLS
    ● Is your monitoring capable of using TLS connections?
    ● What about load balancer health checks?
  • 15. On the client
    ● Use --ssl-mode=REQUIRED
      ○ The default in 5.7 is PREFERRED
      ○ Older releases default to DISABLED
    ● This only makes a TLS connection a requirement
      ○ Does not check if the certificate was issued by a trusted CA
      ○ Does not check if the hostname matches the certificate
      ○ To do this, use VERIFY_CA or VERIFY_IDENTITY
    ● On older versions:
      ○ Use --ssl-ca to allow TLS and enable CA checks
      ○ Use --ssl-verify-server-cert to do hostname checks
      ○ Often not possible to force the use of TLS: this is the BACKRONYM vulnerability (the client silently falls back to plaintext when the server does not offer TLS)
    ● Use --ssl-ca=/path/to/ca.pem to specify which CA(s) are trusted
  • 16. Client checks
    ● The client could do these checks:
      ○ Is the certificate signed by a trusted CA?
      ○ Does the CommonName (CN) in the certificate match the hostname we are connecting to?
      ○ Is the certificate expired?
  • 17. Certificate Authority validation
    ● Validates that the server certificate is signed by one of the CAs present in the specified CA file
    ● Note that a CA file can contain multiple CAs
    ● There is also a CA path option (--ssl-capath)
    ● The auto-generated certificates from mysql_ssl_rsa_setup all have their own CA
  • 18. Hostname validation
    ● mysql_ssl_rsa_setup generates certificates with
      ○ CN=MySQL_Server_5.7.18_Auto_Generated_Server_Certificate
    ● So generate the certificates manually if you want this to match your hostname
    ● A certificate can have a list of hostnames in SubjectAltName
      ○ MySQL doesn't check those... Bug #68052
    ● So if you use a virtual IP, CNAME, etc. it might be difficult to match this
    ● What if your clients connect on a CNAME and your replicas connect on the hostname? You can't have both!
  • 19. Security updates
    ● I reported a few issues to Oracle.
    ● CVE-2017-3590 for Connector/Python
    ● CVE-2017-3469 for MySQL Workbench
    ● CVE-2017-3467 for libmysqlclient
    ● Those are fixed. See the Oracle Critical Patch Update for details.
    ● But if you care about security you should follow the release notes and the Critical Patch Update anyway...
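The three client checks from slides 16 to 18, written out as an added Python example (not code from the slides, from MySQL or from any connector): it evaluates a peer certificate in the dictionary shape Python's ssl.getpeercert() returns, matching the hostname against SubjectAltName dNSName entries first and against the CN only when the certificate has no SAN, and checking the validity period. The two certificates are constructed samples and db1.example.com / db-master.example.com are made-up names. The use_san=False switch reproduces the CN-only matching the slide attributes to MySQL (Bug #68052), which is why a CNAME and a hostname cannot both match in that mode. CA-chain validation is left to the TLS library and not reimplemented here.

```python
import ssl
import time

# Two CONSTRUCTED certificates in the dictionary shape ssl.getpeercert()
# returns; they are not real certificates and the names are made up.
AUTO_GENERATED_CERT = {
    "subject": ((("commonName",
                  "MySQL_Server_5.7.18_Auto_Generated_Server_Certificate"),),),
    "notBefore": "Apr 25 00:00:00 2017 GMT",
    "notAfter": "Apr 23 00:00:00 2027 GMT",
}
MANUAL_CERT = {
    "subject": ((("commonName", "db1.example.com"),),),
    "subjectAltName": (("DNS", "db1.example.com"),
                       ("DNS", "db-master.example.com")),
    "notBefore": "Apr 25 00:00:00 2017 GMT",
    "notAfter": "Apr 23 00:00:00 2027 GMT",
}


def common_name(cert):
    """First commonName in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_dns_names(cert):
    """All dNSName entries from SubjectAltName (empty if there is no SAN)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def dns_name_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard as the whole leftmost label
    only (so *.example.com matches db1.example.com, not a.b.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (p_labels[0] == "*" and len(p_labels) >= 3
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def hostname_matches(cert, hostname, use_san=True):
    """RFC 6125 style: prefer SAN dNSName entries and fall back to the CN only
    when the certificate carries none.  use_san=False mimics a CN-only check."""
    names = san_dns_names(cert) if use_san else []
    if not names:
        cn = common_name(cert)
        names = [cn] if cn else []
    return any(dns_name_matches(n, hostname) for n in names)


def is_valid_now(cert, now=None):
    """True when now falls inside [notBefore, notAfter)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now < not_after


def check_server_cert(cert, hostname, now=None, use_san=True):
    """Return the list of failed checks; an empty list means the certificate
    is acceptable for hostname at time now."""
    failures = []
    if not hostname_matches(cert, hostname, use_san):
        failures.append("hostname mismatch")
    if not is_valid_now(cert, now):
        failures.append("outside validity period")
    return failures


if __name__ == "__main__":
    # Clients use the CNAME, replicas use the real hostname: fine with SAN,
    # impossible with CN-only matching.
    for host in ("db1.example.com", "db-master.example.com"):
        print(host, "SAN-aware:", check_server_cert(MANUAL_CERT, host),
              "CN-only:", check_server_cert(MANUAL_CERT, host, use_san=False))
    print("auto-generated cert for db1.example.com:",
          check_server_cert(AUTO_GENERATED_CERT, "db1.example.com"))
```

Run it and the auto-generated certificate fails the hostname check for any real host, while the manually issued one passes for both names only when SAN is honoured.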
  • 20. What library does MySQL use?
    ● Community Edition: yaSSL
      ○ Because the GPL and the OpenSSL license are not really compatible
      ○ This library is maintained by wolfSSL
      ○ This is not CyaSSL/wolfSSL
      ○ wolfSSL made a patch to include wolfSSL in MySQL 5.6.30 (https://github.com/wolfSSL/mysql-patch)
    ● Enterprise Edition: OpenSSL
    ● If you build MySQL yourself: you can compile against either of them
  • 21. Why not TLS?
    ● Because it is SLOW!
    ● Because we trust our network!
    ● Because we encrypt with:
      ○ The application (store encrypted data)
      ○ SSH (also works great with Workbench)
      ○ VPN
    ● Because we want to inspect our network traffic!
      ○ Wireshark can decrypt it if you hand over the server's private key. With forward-secret (DHE/ECDHE) ciphers the private key is not enough and you have to extract the session keys instead.
  • 22. How slow is slow?
    ● Overhead in milliseconds for setting up a TLS connection on localhost with TCP
    ● Client: Go
    ● 5.7 is faster than 5.6
    ● OpenSSL is faster than yaSSL
    ● Using TLS session tickets (OpenSSL only) helps
    ● Best case: 0.99ms (5.7 OpenSSL w/ tickets) vs. 0.60ms (no TLS)
    ● TLS does need more round trips, but this will change with TLS 1.3
    ● OpenSSL performs better because it uses AVX2 and AES-NI
  • 23. Bulk transfer performance
    ● Easy to test: mysqldump with and without TLS
    ● Different ciphers do make a difference
    mysqldump performance with MySQL 5.6.35 (yaSSL):
      No TLS          4.5s
      TLS default    10.4s
      RC4-MD5         7.1s
      DES-CBC3-SHA   23.2s
  • 24. Monitoring
    ● Monitor the expiry of certificates
    ● Not just the certificate on disk, also the one in memory
    ● Use TLS for your monitoring on 5.6 and earlier, otherwise you might not see the status vars
    ● Performance Schema can show you the ciphers and TLS versions in use by all connections
    ● Using the sys schema is even easier:
      ○ SELECT * FROM session_ssl_status
  • 26. Client certificates
    ● This allows mutual authentication
    ● Often used together with a password
    ● You might want to use REQUIRE SUBJECT or REQUIRE ISSUER on accounts
    ● At least use REQUIRE X509 instead of REQUIRE SSL
  • 27. Replication
    ● Use CHANGE MASTER TO MASTER_SSL=1, etc.
    ● Think about what happens if your certificate(s) expire
    ● Does the hostname match the certificate?
  • 28. Changing certificates
    ● Needs a restart
    ● Moving slaves around might not work until you restart..
    ● Same for a switchover
  • 29. CRL and OCSP
    ● Only possible with OpenSSL
    ● Does not auto-download the CRL from the distribution point
    ● Does not use OCSP
    ● Basically restart MySQL every time your CRL changes.. which is not practical
  • 30. Where to get your certificate?
    ● Official CA?
    ● Internal CA?
    ● Self-signed?
  • 31. TLS handshake with MySQL
    ● Server hello (the initial handshake packet) with the SSL capability flag set
    ● 'Empty' login packet (SSLRequest) with the SSL flag set
    ● Start the TLS handshake
    ● Basically STARTTLS-ish
      ○ SSL and non-SSL on the same port
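The exchange on slide 31, as an added Python example (not from the slides and not taken from any MySQL connector): it parses the server's initial handshake packet, reports whether the CLIENT_SSL capability bit is set, and builds the SSLRequest packet that a client sends before wrapping the socket in TLS and then sending the real login packet. The greeting bytes are constructed to follow the HandshakeV10 layout, not captured from a server; the capability set the client announces and the refusal to continue when CLIENT_SSL is missing (the downgrade the BACKRONYM bug on slide 15 allowed) are this example's own choices.

```python
import struct

# Capability bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41       = 0x00000200
CLIENT_SSL               = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH       = 0x00080000


def parse_handshake(packet):
    """Parse a Protocol::HandshakeV10 greeting (4-byte packet header included)
    and return the fields needed to decide whether TLS can be started."""
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 10:
        raise ValueError("unsupported protocol version %d" % body[0])
    nul = body.index(b"\x00", 1)
    server_version = body[1:nul].decode("ascii")
    pos = nul + 1
    connection_id = int.from_bytes(body[pos:pos + 4], "little")
    pos += 4 + 8 + 1                 # connection id, auth-plugin-data-part-1, filler
    cap_low = int.from_bytes(body[pos:pos + 2], "little")
    charset = body[pos + 2]
    status = int.from_bytes(body[pos + 3:pos + 5], "little")
    cap_high = int.from_bytes(body[pos + 5:pos + 7], "little")
    caps = cap_low | (cap_high << 16)
    return {
        "sequence": packet[3],
        "server_version": server_version,
        "connection_id": connection_id,
        "charset": charset,
        "status": status,
        "capabilities": caps,
        "tls_offered": bool(caps & CLIENT_SSL),
    }


def build_ssl_request(server_caps, max_packet=16 * 1024 * 1024, charset=45, seq=1):
    """Build Protocol::SSLRequest, the 'empty' login packet with CLIENT_SSL set.
    Refuses to proceed when the server did not offer TLS instead of silently
    continuing in plaintext (the downgrade the BACKRONYM bug allowed)."""
    if not server_caps & CLIENT_SSL:
        raise ConnectionError("server does not offer TLS; not falling back to plaintext")
    client_caps = (CLIENT_PROTOCOL_41 | CLIENT_SSL
                   | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
    payload = struct.pack("<IIB", client_caps, max_packet, charset) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def sample_greeting(caps, version=b"5.7.18"):
    """CONSTRUCTED greeting in HandshakeV10 layout; not a capture from a real server."""
    body = (b"\x0a" + version + b"\x00"
            + (42).to_bytes(4, "little")                # connection id
            + b"A" * 8 + b"\x00"                        # auth-plugin-data-part-1, filler
            + (caps & 0xFFFF).to_bytes(2, "little")     # capability flags, lower half
            + b"\x21"                                   # charset (utf8_general_ci)
            + (2).to_bytes(2, "little")                 # SERVER_STATUS_AUTOCOMMIT
            + (caps >> 16).to_bytes(2, "little")        # capability flags, upper half
            + b"\x15" + b"\x00" * 10                    # auth data length (21), reserved
            + b"B" * 12 + b"\x00"                       # auth-plugin-data-part-2
            + b"mysql_native_password\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body


if __name__ == "__main__":
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    greeting = parse_handshake(sample_greeting(caps))
    print(greeting)
    print(build_ssl_request(greeting["capabilities"]).hex())
    # A server that cleared CLIENT_SSL (or a middlebox that stripped it) makes
    # build_ssl_request raise instead of letting the login continue in the clear.
```

The 32-byte SSLRequest payload carries only capability flags, max packet size, charset and 23 reserved zero bytes; the username and authentication response are sent in the login packet that follows once the TLS handshake has completed, which is why the plaintext part of the exchange never contains credentials.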
  • 32. Protection of authentication data
    ● mysql_native_password: challenge/response with a server nonce, so the password itself never goes over the wire
    ● sha256_password: the password is encrypted with the server's RSA public key, or sent over TLS
    ● mysql_clear_password: sends the password in cleartext, so only use it over TLS
  • 33. TLS ciphers
    ● Possible to set restrictions on server and client
    ● How are you going to manage and maintain that?
    ● 'REQUIRE CIPHER' also requires client certificates
    ● One practical use case would be to use a faster cipher for mysqldump
    ● Might help with compliance
    ● 5.7.10 already places stricter requirements on the list of ciphers
  • 34. TLS versions
    ● Can be limited on the server and client
    ● Note that yaSSL only has TLS 1.0 and TLS 1.1 support
    ● Minimum is TLS 1.0
  • 35. What about MariaDB?
    ● Doesn't use --ssl-mode
    ● Does have good TLS support
    ● MariaDB Connector/C has support for
      ○ fingerprint verification
      ○ password-protected private keys
    ● 19 open MDEVs tagged with SSL
  • 36. Connector support
    ● Works for C, C++, Python (multiple), Perl, Java, ODBC, Go, etc.
    ● The Go MySQL driver lets you specify a TLS Config, which is really flexible
    ● Do update your connector.. Many connectors have had security updates related to TLS
  • 37. Don't forget these
    ● MySQL Cluster (NDB) communication within the cluster
    ● Galera communication
    ● Sending backups to a central location (xbstream etc.)
    ● Network traffic for iSCSI, FCP, NFS
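A client-side cipher and protocol-version policy for slides 33 and 34, as an added Python example (not from the slides): it builds an ssl.SSLContext with a TLS 1.2 floor and an OpenSSL cipher string, then audits what the linked library would actually negotiate, so suites like the RC4-MD5 and DES-CBC3-SHA measured on slide 23 cannot be selected. The policy string and the list of weak markers are this example's own choices, not MySQL defaults; the same OpenSSL cipher-string syntax is what the ssl-cipher option takes on an OpenSSL build, which is one way to push the policy into my.cnf rather than into every client.

```python
import ssl

# Example cipher policy in OpenSSL cipher-string syntax (this example's choice,
# not a MySQL default): forward-secret AEAD suites only, with the weak
# families explicitly excluded.  Unknown entries are ignored by OpenSSL, so the
# string works on builds without ChaCha20 as well.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"

# Substrings that identify suites a practitioner should never see negotiated.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP-", "EXPORT")


def build_client_context(cipher_policy=CIPHER_POLICY,
                         min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that refuses anything below min_version and only offers
    the suites allowed by cipher_policy.  set_ciphers() raises ssl.SSLError
    when the policy leaves nothing to negotiate, which is the failure you want
    at startup rather than a silent fallback."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_policy)
    return ctx


def negotiable_ciphers(ctx):
    """Names of the suites this context can negotiate, as resolved by OpenSSL
    (TLS 1.3 suites are always present when the library supports them)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Subset of names matching a weak marker; empty means the policy holds."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def audit(ctx):
    """Summary a monitoring job could emit for a client's TLS configuration."""
    names = negotiable_ciphers(ctx)
    return {
        "min_version": ctx.minimum_version.name,
        "suites": len(names),
        "weak": weak_ciphers(names),
    }


if __name__ == "__main__":
    print(audit(build_client_context()))
    # The suites from the slide 23 measurement run through the same filter:
    print(weak_ciphers(["RC4-MD5", "DES-CBC3-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
```

Pass the context to a connector that accepts an ssl.SSLContext (or reuse the cipher string in its ssl options) and the downgrade to RC4 or 3DES that the slide 23 numbers came from is no longer possible from the client side; a yaSSL server that only speaks TLS 1.0 and 1.1 will then simply fail the handshake, which is the point of slide 34.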
  • 38. Future
    ● TLSv1.3 with 0-RTT
    ● wolfSSL?
  • 39. Oh, and Booking.com is hiring!
    ● Almost any role:
    ● MySQL Engineer / DBA
    ● System Administrator
    ● System Engineer
    ● Site Reliability Engineer
    ● Developer
    ● Designer
    ● Technical Team Lead
    ● Product Owner
    ● Data Scientist
    ● And many more…
    ● https://workingatbooking.com/
  • 40. Thank you! All references to "Booking.com", including any mention of "us", "we" and "our" refer to Booking.com BV, the company behind Booking.com™