SlideShare a Scribd company logo

Deploying SSL/TLS For MySQL at Scale

Daniël van Eeden
Daniël van Eeden

This document discusses the large scale deployment of TLS/SSL for MySQL at Booking.com. It outlines reasons to deploy TLS such as security for account management and compliance. It describes challenges faced in the initial rollout at Booking.com including compatibility issues with different TLS versions and libraries. The document provides tips for rolling out TLS gradually and ensuring proper certificate validation. It also discusses enabling TLS for various applications and tools that connect to MySQL.

Technology
1 of 33
Download to read offline
Large Scale Deployment of SSL/TLS For MySQL Daniël van Eeden | Percona Live 2019 Austin | May 2019
Agenda. ● Introduction ● Reasons to deploy TLS ● Rolling out TLS
Introduction. Me: ● Daniël van Eeden ● Senior Database Engineer Booking.com: ● Part of Booking Holdings Inc. (NASDAQ: BKNG) ● Booking.com on average books 1,550,000 room nights every 24 hours ● More that 15,500 employees ● 198 offices around the world ● 1000's of MySQL and MariaDB servers ● 100's of replication topologies
Note: SSL ≈ TLS. SSLv2 > SSLv3 > TLSv1.0 > TLSv1.1 > TLSv1.2 > TLSv1.3 MySQL 5.6 and older supported TLSv1.0 only MySQL 5.7 supports TLSv1.0, TLSv1.1 and TLSv1.2 (TLSv1.2 only with OpenSSL) Support for TLSv1.1 and TLSv1.2 was added to MariaDB in 5.5 and 10.0 So what MySQL supports really is TLS, but many of the older options refer to it as SSL. OpenSSL and YaSSL have SSL in the name, but do support TLS (SSL support might even be turned off). So when talking about this people often mean TLS when they say SSL.
Why deploy TLS: account management. MySQL protects the password when logging in with mysql_native_password. However any statement send over a connection that is not encrypted is readable by anyone who has access to the network packets (tcpdump, wireshark, etc) SET PASSWORD …, UPDATE mysql.user …PASSWORD('secret')…, etc might all leak your password. The "solution" is to calculate the password hash on the client and then send it over the unencrypted solution. But as mysql_native_password doesn't use a salt this isn't very secure either. The other solution is to run an agent on the machine and send the password over HTTPS to the agent and then have the agent run the statement over a UNIX socket connection. All in all, enabling TLS allows remote management of accounts in a secure way.
Why deploy TLS: Compliance & Application security. ● TLS protects any data your application might send to or read from the database ● This might be part of your controls for ○ PCI-DSS ○ SOx ○ GDPR ● Note that at least PCI-DSS dictates that you disable older protocols ○ use the tls_version setting in MySQL
Why deploy TLS: client certificates. ● Client certificates allow authentication based on client certificates in addition or instead of passwords. ● One problem is certificate revocation (minimal CRL support and no OCSP support)
Why deploy TLS: caching_sha2. ● More secure because it uses SHA256 instead of double SHA1 ● More secure because it uses a salt ● Uses TLS or an RSA keypair ● Managing RSA keypairs is painful and/or insecure
Why deploy TLS: PAM authentication. ● Using Percona PAM plugin: pam_compat ● Needs plaintext password (depends on what PAM modules are used, etc)
Rolling out TLS. 1. Request TLS certificates from our internal service 2. Enable TLS on MySQL 3. DONE ☺ Easy isn't it?
Rolling out TLS: First try. ○ Enable TLS on a set of servers ■ Add ssl_ca, ssl_cert and ssl_key to my.cnf and restart ■ Result: TLS available, but not used ■ Set mysql_ssl=1 on the DSN to enable TLS ■ This was working fine, until... ■ We rebuild DBD::mysql against MySQL 5.7 instead of 5.6 ■ MySQL 5.7 changed the defaults, it uses ssl-mode=PREFERRED by default. ● MySQL 5.6 only used TLS when explicitly configured ■ During rollout: ● On 10%: everything ok ● On 100%: everything broken, as the master became overloaded ■ Adding mysql_ssl=0 did not disable TLS
Rolling out TLS: YaSSL and OpenSSL. ○ We were using MySQL 5.7 Community Edition, which comes with YaSSL ○ YaSSL is a legacy product from WolfSSL ■ YaSSL doesn't support TLSv1.2 ■ YaSSL doesn't use optimized CPU instructions (AVX2, SSE4, etc) ○ Note that MySQL 5.7 Enterprise Edition comes with OpenSSL ○ Because of license compatibility Oracle can't really distribute a GPL build with OpenSSL. ○ We now rebuild the 5.7 RPMs with OpenSSL ○ This issue is gone in MySQL 8.0 as Oracle added a license exception. Now all builds come with OpenSSL. ○ In addition YaSSL was replaced with WolfSSL (but not used as default)
Rolling out TLS: DBD::mysql. ● So why did mysql_ssl=0 not disable TLS? ● If mysql_ssl=1 was set SSL settings were provided to libmysqlclient ● If this wasn't the case then it relied on the library default to not use TLS ● On MySQL 5.7 the library default changed to use TLS if available (ssl-mode=PREFERRED), so not providing anything could result in a TLS connection ● The ssl-mode setting was added in 5.6 and extended in 5.7 ● ssl-mode in 5.7 can be set to DISABLED, PREFERRED, REQUIRED, VERIFY_CA or VERIFY_IDENTITY. On 5.6 only REQUIRED was a valid option. ● Note that MariaDB doesn't use ssl-mode, but slightly changed the meaning of --ssl and --ssl-verify-server-cert
Rolling out TLS: DBD::mysql. ● So I started to patch and test DBD::mysql ● mysql_ssl=0 now disables TLS ● mysql_ssl=1 now requires TLS ● mysql_ssl=1,mysql_ssl_optional=1 now uses TLS if available Code depending on the version it as build against, the client library version and the server version. Both MySQL and MariaDB. A wide range of versions (4.1 to 8.0 and all MariaDB versions) Along the way I found some security bugs where connections to MySQL 8.0 and MariaDB 10.x could be made over a non-secure connection even with the most strict settings. I also became a co-maintainer for DBD::mysql
Rolling out TLS: Steps. ● First step is to enable TLS on slaves (or a percentage of slaves) ● Next step is to enable TLS on intermediate masters ● Now promote a intermediate master to a master ● ... and hope it works... ● If not: gdb -p $(pidof mysqld) -ex "set ssl_acceptor_fd=0x0" -batch ● In MySQL 8.0.16 and newer you can dynamically disable/enable TLS, no restart or GDB required. ● Applications are set to use TLS if available by default.
Rolling out TLS: Monitoring. ○ Use performance_schema ■ performance_schema.status_by_thread has all the usual things like Ssl_version, Ssl_cipher, etc. ○ This caused 5.7.21 and earlier to crash sporadically ○ Besides monitoring the number of connections you might also want to monitor the connection rate. ○ Monitor the expiry date of the certificates (not just the one on disk!)
Operational: Reloading certificates. ○ MySQL 8.0 and MariaDB 10.4 support online reloading of certificates ○ With MySQL 8.0 you can also disable TLS online. ○ But you should restart MySQL every so often anyway to follow the Oracle Critical Patch Updates. ○ This relies on a system that automates certificate management
Rolling out TLS: end user access. ○ We have an internal service that allows people to run ad-hoc SQL queries ○ This means MySQL Workbench, Sequel Pro, Excel, Tableau, etc. ○ This uses Percona's auth_pam_compat ○ This means using the cleartext password client plugin ○ This means we need to send the password to the server (instead of special nonce based handshake mysql_native_password) uses. ○ So this requires TLS ○ Additionally these applications don't know how to connect to a pool of servers
Rolling out TLS: end user access. ○ Solution: mysqlredirect, a custom proxy written in Go ○ This sets up a TLS connection between: ■ the client and the proxy ■ the proxy and the backend ○ Anything else is transported as-is. ○ This allows us to have a pool of servers as backend ○ This allows us to have a TLS certificate that matches the hostname of the proxy ○ This allows us to do strict TLS validation on the frontend and on the backend. ○ This is not open source. Use ProxySQL, at the time ProxySQL didn't have good TLS support yet.
Rolling out TLS: Certificate validation. This brings us to Certificate Validation. Things to validate: ● Not After date ● CA ● Hostname(s)
Rolling out TLS: Certificate validation. But this wasn't always working as expected: ● Hostname ○ Not done unless you set ssl-mode to VERIFY_IDENTITY ○ Wasn't possible in Workbench before 6.3.9 ○ Support for SubjectAlternativeName was added in 5.7.23 (based on my patch) ● Not After date ○ Fixed in 5.7.18 (and Workbench 8.0.12) ● CA ○ Note done unless you set ssl-mode to VERIFY_CA or VERIFY_IDENTITY ○ Before 5.7.18: If VERIFY_CA was set but no CA was specified it didn't fail.
Enforcing TLS. ● Per account ○ REQUIRE SSL ○ REQUIRE X509 (SSL + valid certificate) ○ REQUIRE SUBJECT ○ REQUIRE ISSUER ○ REQUIRE CIPHER ● On the server: require_secure_transport ○ TLS or UNIX Domain Socket ● On the client: ○ requireTLS=true (Connector/J) ○ --ssl-mode=REQUIRED|VERIFY_CA|VERIFY_IDENTITY ○ mysql_ssl=1, etc (Perl) Remember the auth_pam_compat with cleartext-plugin? We use require_secure_transport for that.
Rolling out TLS: percona-toolkit. ● So we have some servers with require_secure_transport ● We are in the process of rolling out TLS, not enabled everywhere just yet. ● We feed pt-online-schema-change a list of machines to monitor ● Now pt-osc connects, this fails on servers with require_secure_transport ● Setting mysql_ssl=1 causes it to fail on non-TLS servers ● Upgrading DBD::mysql and using mysql_ssl=1,mysql_ssl_optional=1 fixes the issue
Rolling out TLS: Orchestrator and go-mysql-driver. ● Orchestrator ○ We use GitHub Orchestrator ○ Orchestrator needs to connect to machines. ○ We teached it to re-connect over TLS when a host uses require-secure-transport ○ Orchestrator stores this per machine, to avoid re-connects. ○ Maintaining this cache wasn't without issues. ● Go ○ I added support for optional TLS: "tls=preferred" on the DSN ○ This should make it easier to support use TLS while it is not yet available on all servers.
Rolling out TLS: Java. ● We have a PEM CA certificate ● For Connector/Java we have to convert this to JKS before we can use it.
Rolling out TLS: RSA vs EC. ○ I started to test connect times ○ EC: ECDH-RSA-AES128-GCM-SHA256 ○ RSA: DHE-RSA-AES128-GCM-SHA256 ○ Connect time was about 50% faster with EC on MySQL 5.7 with OpenSSL $ openssl ciphers -v 'DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256' DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
Rolling out TLS: EC. ○ For Java we use conscrypt as crypto library ○ However conscript and MySQL with OpenSSL and EC don't agree on ciphers ○ A similar issue happens with golang and crypto/tls ○ So EC is new and has some rough edges ○ Running MySQL with a newer OpenSSL version might help
Rolling out TLS: Current status. ● Most servers run with TLS enabled ● More than 50% of connections actually use TLS ● Millions of concurrent TLS connections
Learnings 1. Use OpenSSL, don't use YaSSL (basically: use MySQL 8.0 or a recent MariaDB) 2. Focus on enabling TLS on all MySQL Servers 3. Disable for specific connections if needed 4. Use TLS unless you have a strong reason not to (unless the other way around) 5. With TLS you are more future proof (caching_sha2)
Future. ○ TLSv1.3 0-RTT(-like)? ○ Better support for EC ciphers ○ Using TLS Tickets (Bug #76921 Resume SSL / TLS sessions (use TLS tickets)) ■ 1000 connects: from 37s to 26s ○ Increasing use of a Proxy
Questions? Daniël van Eeden daniel.vaneeden@booking.com
MariaDB specific features. ● Support for GnuTLS ● Support for SChannel (Windows only) ● Fingerprint verification ● Passphrase protected private keys
Wireshark. ● Use a non-DH key ● Give wireshark your key ● It can now decrypt your traffic

Recommended

Protecting MySQL Network traffic
Protecting MySQL Network trafficProtecting MySQL Network traffic
Protecting MySQL Network trafficDaniël van Eeden
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatJean-Frederic Clere
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basicsJuraj Hantak
 
Nginx dhruba mandal
Nginx dhruba mandalNginx dhruba mandal
Nginx dhruba mandalDhrubaji Mandal ♛
 
MySQL Scalability and Reliability for Replicated Environment
MySQL Scalability and Reliability for Replicated EnvironmentMySQL Scalability and Reliability for Replicated Environment
MySQL Scalability and Reliability for Replicated EnvironmentJean-François Gagné
 

Recommended

Protecting MySQL Network traffic
Protecting MySQL Network trafficProtecting MySQL Network traffic
Protecting MySQL Network trafficDaniël van Eeden
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Apache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatApache httpd reverse proxy and Tomcat
Apache httpd reverse proxy and TomcatJean-Frederic Clere
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Tomcat openssl
Tomcat opensslTomcat openssl
Tomcat opensslJean-Frederic Clere
 
Kubernetes networking - basics
Kubernetes networking - basicsKubernetes networking - basics
Kubernetes networking - basicsJuraj Hantak
 
Nginx dhruba mandal
Nginx dhruba mandalNginx dhruba mandal
Nginx dhruba mandalDhrubaji Mandal ♛
 
MySQL Scalability and Reliability for Replicated Environment
MySQL Scalability and Reliability for Replicated EnvironmentMySQL Scalability and Reliability for Replicated Environment
MySQL Scalability and Reliability for Replicated EnvironmentJean-François Gagné
 
Demystifying MySQL Replication Crash Safety
Demystifying MySQL Replication Crash SafetyDemystifying MySQL Replication Crash Safety
Demystifying MySQL Replication Crash SafetyJean-François Gagné
 
Nginx Essential
Nginx EssentialNginx Essential
Nginx EssentialGong Haibing
 
MySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the PacemakerMySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the Pacemakerhastexo
 
Rabbit mq簡介(上)
Rabbit mq簡介(上)Rabbit mq簡介(上)
Rabbit mq簡介(上)共和 薛
 
Aws Network Introduction
Aws Network Introduction Aws Network Introduction
Aws Network Introduction Rafael Salerno de Oliveira
 
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...Jean-François Gagné
 
MySQL/MariaDB Parallel Replication: inventory, use-case and limitations
MySQL/MariaDB Parallel Replication: inventory, use-case and limitationsMySQL/MariaDB Parallel Replication: inventory, use-case and limitations
MySQL/MariaDB Parallel Replication: inventory, use-case and limitationsJean-François Gagné
 
An Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingAn Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingScott Lowe
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingUTD Computer Security Group
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesSeveralnines
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Severalnines
 
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...Severalnines
 
How Safe is Asynchronous Master-Master Setup?
How Safe is Asynchronous Master-Master Setup? How Safe is Asynchronous Master-Master Setup?
How Safe is Asynchronous Master-Master Setup?Sveta Smirnova
 
Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Nutan Kumar Panda
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLSVarnish Software
 
OpenStack Neutron Tutorial
OpenStack Neutron TutorialOpenStack Neutron Tutorial
OpenStack Neutron Tutorialmestery
 
Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitDavid Timothy Strauss
 
Mobile Programming - 3 UDP
Mobile Programming - 3 UDPMobile Programming - 3 UDP
Mobile Programming - 3 UDPRiza Fahmi
 
MySQL Sandbox 3
MySQL Sandbox 3MySQL Sandbox 3
MySQL Sandbox 3Giuseppe Maxia
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Trygve Vea
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerMuhammad Moinur Rahman
 

More Related Content

What's hot

Demystifying MySQL Replication Crash Safety
Demystifying MySQL Replication Crash SafetyDemystifying MySQL Replication Crash Safety
Demystifying MySQL Replication Crash SafetyJean-François Gagné
 
MySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the PacemakerMySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the Pacemakerhastexo
 
Rabbit mq簡介(上)
Rabbit mq簡介(上)Rabbit mq簡介(上)
Rabbit mq簡介(上)共和 薛
 
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...Jean-François Gagné
 
MySQL/MariaDB Parallel Replication: inventory, use-case and limitations
MySQL/MariaDB Parallel Replication: inventory, use-case and limitationsMySQL/MariaDB Parallel Replication: inventory, use-case and limitations
MySQL/MariaDB Parallel Replication: inventory, use-case and limitationsJean-François Gagné
 
An Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingAn Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingScott Lowe
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesSeveralnines
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Severalnines
 
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...Severalnines
 
How Safe is Asynchronous Master-Master Setup?
How Safe is Asynchronous Master-Master Setup? How Safe is Asynchronous Master-Master Setup?
How Safe is Asynchronous Master-Master Setup?Sveta Smirnova
 
Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Nutan Kumar Panda
 
OpenStack Neutron Tutorial
OpenStack Neutron TutorialOpenStack Neutron Tutorial
OpenStack Neutron Tutorialmestery
 
Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitDavid Timothy Strauss
 
Mobile Programming - 3 UDP
Mobile Programming - 3 UDPMobile Programming - 3 UDP
Mobile Programming - 3 UDPRiza Fahmi
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Trygve Vea
 

What's hot (20)

Demystifying MySQL Replication Crash Safety
Demystifying MySQL Replication Crash SafetyDemystifying MySQL Replication Crash Safety
Demystifying MySQL Replication Crash Safety
 
Nginx Essential
Nginx EssentialNginx Essential
Nginx Essential
 
MySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the PacemakerMySQL High Availability Sprint: Launch the Pacemaker
MySQL High Availability Sprint: Launch the Pacemaker
 
Rabbit mq簡介(上)
Rabbit mq簡介(上)Rabbit mq簡介(上)
Rabbit mq簡介(上)
 
Aws Network Introduction
Aws Network Introduction Aws Network Introduction
Aws Network Introduction
 
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...
MySQL Parallel Replication (LOGICAL_CLOCK): all the 5.7 (and some of the 8.0)...
 
MySQL/MariaDB Parallel Replication: inventory, use-case and limitations
MySQL/MariaDB Parallel Replication: inventory, use-case and limitationsMySQL/MariaDB Parallel Replication: inventory, use-case and limitations
MySQL/MariaDB Parallel Replication: inventory, use-case and limitations
 
An Introduction to OpenStack Networking
An Introduction to OpenStack NetworkingAn Introduction to OpenStack Networking
An Introduction to OpenStack Networking
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
How To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - SlidesHow To Set Up SQL Load Balancing with HAProxy - Slides
How To Set Up SQL Load Balancing with HAProxy - Slides
 
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
Webinar Slides: Become a MongoDB DBA (if you’re really a MySQL user)
 
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...
Webinar slides: Become a MongoDB DBA - What to Monitor (if you’re really a My...
 
How Safe is Asynchronous Master-Master Setup?
How Safe is Asynchronous Master-Master Setup? How Safe is Asynchronous Master-Master Setup?
How Safe is Asynchronous Master-Master Setup?
 
Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Project on squid proxy in rhel 6
Project on squid proxy in rhel 6
 
Varnish SSL / TLS
Varnish SSL / TLSVarnish SSL / TLS
Varnish SSL / TLS
 
OpenStack Neutron Tutorial
OpenStack Neutron TutorialOpenStack Neutron Tutorial
OpenStack Neutron Tutorial
 
Container Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security SummitContainer Security via Monitoring and Orchestration - Container Security Summit
Container Security via Monitoring and Orchestration - Container Security Summit
 
Mobile Programming - 3 UDP
Mobile Programming - 3 UDPMobile Programming - 3 UDP
Mobile Programming - 3 UDP
 
MySQL Sandbox 3
MySQL Sandbox 3MySQL Sandbox 3
MySQL Sandbox 3
 
Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!Extending functionality in nginx, with modules!
Extending functionality in nginx, with modules!
 

Similar to Deploying SSL/TLS For MySQL at Scale

Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...confluent
 
MySQL Utilities -- PyTexas 2015
MySQL Utilities -- PyTexas 2015MySQL Utilities -- PyTexas 2015
MySQL Utilities -- PyTexas 2015Dave Stokes
 
MariaDB Security Best Practices
MariaDB Security Best PracticesMariaDB Security Best Practices
MariaDB Security Best PracticesFederico Razzoli
 
Database Security Explained
Database Security ExplainedDatabase Security Explained
Database Security Explainedwensheng wei
 
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...javier ramirez
 
Enhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificatesEnhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificatesMydbops
 
MySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the WireMySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the WireSimon J Mudd
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)Marcel Cattaneo
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL
 
CloudStack In Production
CloudStack In ProductionCloudStack In Production
CloudStack In ProductionClayton Weise
 
Random musings on SSL/TLS configuration
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configurationextremeunix
 
Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Miguel Zuniga
 
Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019Dave Stokes
 
Securing your database servers from external attacks
Securing your database servers from external attacksSecuring your database servers from external attacks
Securing your database servers from external attacksAlkin Tezuysal
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open SourceTLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open SourceNGINX, Inc.
 
Slides: Introducing the new ClusterControl 1.2.9 - with live demo
Slides: Introducing the new ClusterControl 1.2.9 - with live demo Slides: Introducing the new ClusterControl 1.2.9 - with live demo
Slides: Introducing the new ClusterControl 1.2.9 - with live demo Severalnines
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL ProcessRocket Software
 

Similar to Deploying SSL/TLS For MySQL at Scale (20)

Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
The Easiest Way to Configure Security for Clients AND Servers (Dani Traphagen...
 
MySQL Utilities -- PyTexas 2015
MySQL Utilities -- PyTexas 2015MySQL Utilities -- PyTexas 2015
MySQL Utilities -- PyTexas 2015
 
MariaDB Security Best Practices
MariaDB Security Best PracticesMariaDB Security Best Practices
MariaDB Security Best Practices
 
Database Security Explained
Database Security ExplainedDatabase Security Explained
Database Security Explained
 
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
 
Enhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificatesEnhancing Security of MySQL Connections using SSL certificates
Enhancing Security of MySQL Connections using SSL certificates
 
MySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the WireMySQL X protocol - Talking to MySQL Directly over the Wire
MySQL X protocol - Talking to MySQL Directly over the Wire
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
 
CloudStack In Production
CloudStack In ProductionCloudStack In Production
CloudStack In Production
 
Random musings on SSL/TLS configuration
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configuration
 
Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014Managing and Scaling Puppet - PuppetConf 2014
Managing and Scaling Puppet - PuppetConf 2014
 
Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019
 
Securing your database servers from external attacks
Securing your database servers from external attacksSecuring your database servers from external attacks
Securing your database servers from external attacks
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open SourceTLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source
 
Slides: Introducing the new ClusterControl 1.2.9 - with live demo
Slides: Introducing the new ClusterControl 1.2.9 - with live demo Slides: Introducing the new ClusterControl 1.2.9 - with live demo
Slides: Introducing the new ClusterControl 1.2.9 - with live demo
 
Managing the SSL Process
Managing the SSL ProcessManaging the SSL Process
Managing the SSL Process
 
Kubernetes security with AWS
Kubernetes security with AWSKubernetes security with AWS
Kubernetes security with AWS
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 

Deploying SSL/TLS For MySQL at Scale

  • 1. Large Scale Deployment of SSL/TLS For MySQL Daniël van Eeden | Percona Live 2019 Austin | May 2019
  • 2. Agenda. ● Introduction ● Reasons to deploy TLS ● Rolling out TLS
  • 3. Introduction. Me: ● Daniël van Eeden ● Senior Database Engineer Booking.com: ● Part of Booking Holdings Inc. (NASDAQ: BKNG) ● Booking.com on average books 1,550,000 room nights every 24 hours ● More that 15,500 employees ● 198 offices around the world ● 1000's of MySQL and MariaDB servers ● 100's of replication topologies
  • 4. Note: SSL ≈ TLS. SSLv2 > SSLv3 > TLSv1.0 > TLSv1.1 > TLSv1.2 > TLSv1.3 MySQL 5.6 and older supported TLSv1.0 only MySQL 5.7 supports TLSv1.0, TLSv1.1 and TLSv1.2 (TLSv1.2 only with OpenSSL) Support for TLSv1.1 and TLSv1.2 was added to MariaDB in 5.5 and 10.0 So what MySQL supports really is TLS, but many of the older options refer to it as SSL. OpenSSL and YaSSL have SSL in the name, but do support TLS (SSL support might even be turned off). So when talking about this people often mean TLS when they say SSL.
  • 5. Why deploy TLS: account management. MySQL protects the password when logging in with mysql_native_password. However any statement send over a connection that is not encrypted is readable by anyone who has access to the network packets (tcpdump, wireshark, etc) SET PASSWORD …, UPDATE mysql.user …PASSWORD('secret')…, etc might all leak your password. The "solution" is to calculate the password hash on the client and then send it over the unencrypted solution. But as mysql_native_password doesn't use a salt this isn't very secure either. The other solution is to run an agent on the machine and send the password over HTTPS to the agent and then have the agent run the statement over a UNIX socket connection. All in all, enabling TLS allows remote management of accounts in a secure way.
  • 6. Why deploy TLS: Compliance & Application security. ● TLS protects any data your application might send to or read from the database ● This might be part of your controls for ○ PCI-DSS ○ SOx ○ GDPR ● Note that at least PCI-DSS dictates that you disable older protocols ○ use the tls_version setting in MySQL
  • 7. Why deploy TLS: client certificates. ● Client certificates allow authentication based on client certificates in addition or instead of passwords. ● One problem is certificate revocation (minimal CRL support and no OCSP support)
  • 8. Why deploy TLS: caching_sha2. ● More secure because it uses SHA256 instead of double SHA1 ● More secure because it uses a salt ● Uses TLS or an RSA keypair ● Managing RSA keypairs is painful and/or insecure
  • 9. Why deploy TLS: PAM authentication. ● Using Percona PAM plugin: pam_compat ● Needs plaintext password (depends on what PAM modules are used, etc)
  • 10. Rolling out TLS. 1. Request TLS certificates from our internal service 2. Enable TLS on MySQL 3. DONE ☺ Easy isn't it?
  • 11. Rolling out TLS: First try. ○ Enable TLS on a set of servers ■ Add ssl_ca, ssl_cert and ssl_key to my.cnf and restart ■ Result: TLS available, but not used ■ Set mysql_ssl=1 on the DSN to enable TLS ■ This was working fine, until... ■ We rebuild DBD::mysql against MySQL 5.7 instead of 5.6 ■ MySQL 5.7 changed the defaults, it uses ssl-mode=PREFERRED by default. ● MySQL 5.6 only used TLS when explicitly configured ■ During rollout: ● On 10%: everything ok ● On 100%: everything broken, as the master became overloaded ■ Adding mysql_ssl=0 did not disable TLS
  • 12. Rolling out TLS: YaSSL and OpenSSL. ○ We were using MySQL 5.7 Community Edition, which comes with YaSSL ○ YaSSL is a legacy product from WolfSSL ■ YaSSL doesn't support TLSv1.2 ■ YaSSL doesn't use optimized CPU instructions (AVX2, SSE4, etc) ○ Note that MySQL 5.7 Enterprise Edition comes with OpenSSL ○ Because of license compatibility Oracle can't really distribute a GPL build with OpenSSL. ○ We now rebuild the 5.7 RPMs with OpenSSL ○ This issue is gone in MySQL 8.0 as Oracle added a license exception. Now all builds come with OpenSSL. ○ In addition YaSSL was replaced with WolfSSL (but not used as default)
  • 13. Rolling out TLS: DBD::mysql. ● So why did mysql_ssl=0 not disable TLS? ● If mysql_ssl=1 was set SSL settings were provided to libmysqlclient ● If this wasn't the case then it relied on the library default to not use TLS ● On MySQL 5.7 the library default changed to use TLS if available (ssl-mode=PREFERRED), so not providing anything could result in a TLS connection ● The ssl-mode setting was added in 5.6 and extended in 5.7 ● ssl-mode in 5.7 can be set to DISABLED, PREFERRED, REQUIRED, VERIFY_CA or VERIFY_IDENTITY. On 5.6 only REQUIRED was a valid option. ● Note that MariaDB doesn't use ssl-mode, but slightly changed the meaning of --ssl and --ssl-verify-server-cert
  • 14. Rolling out TLS: DBD::mysql. ● So I started to patch and test DBD::mysql ● mysql_ssl=0 now disables TLS ● mysql_ssl=1 now requires TLS ● mysql_ssl=1,mysql_ssl_optional=1 now uses TLS if available Code depending on the version it as build against, the client library version and the server version. Both MySQL and MariaDB. A wide range of versions (4.1 to 8.0 and all MariaDB versions) Along the way I found some security bugs where connections to MySQL 8.0 and MariaDB 10.x could be made over a non-secure connection even with the most strict settings. I also became a co-maintainer for DBD::mysql
  • 15. Rolling out TLS: Steps. ● First step is to enable TLS on slaves (or a percentage of slaves) ● Next step is to enable TLS on intermediate masters ● Now promote a intermediate master to a master ● ... and hope it works... ● If not: gdb -p $(pidof mysqld) -ex "set ssl_acceptor_fd=0x0" -batch ● In MySQL 8.0.16 and newer you can dynamically disable/enable TLS, no restart or GDB required. ● Applications are set to use TLS if available by default.
  • 16. Rolling out TLS: Monitoring. ○ Use performance_schema ■ performance_schema.status_by_thread has all the usual things like Ssl_version, Ssl_cipher, etc. ○ This caused 5.7.21 and earlier to crash sporadically ○ Besides monitoring the number of connections you might also want to monitor the connection rate. ○ Monitor the expiry date of the certificates (not just the one on disk!)
  • 17. Operational: Reloading certificates. ○ MySQL 8.0 and MariaDB 10.4 support online reloading of certificates ○ With MySQL 8.0 you can also disable TLS online. ○ But you should restart MySQL every so often anyway to follow the Oracle Critical Patch Updates. ○ This relies on a system that automates certificate management
  • 18. Rolling out TLS: end user access. ○ We have an internal service that allows people to run ad-hoc SQL queries ○ This means MySQL Workbench, Sequel Pro, Excel, Tableau, etc. ○ This uses Percona's auth_pam_compat ○ This means using the cleartext password client plugin ○ This means we need to send the password to the server (instead of special nonce based handshake mysql_native_password) uses. ○ So this requires TLS ○ Additionally these applications don't know how to connect to a pool of servers
  • 19. Rolling out TLS: end user access. ○ Solution: mysqlredirect, a custom proxy written in Go ○ This sets up a TLS connection between: ■ the client and the proxy ■ the proxy and the backend ○ Anything else is transported as-is. ○ This allows us to have a pool of servers as backend ○ This allows us to have a TLS certificate that matches the hostname of the proxy ○ This allows us to do strict TLS validation on the frontend and on the backend. ○ This is not open source. Use ProxySQL, at the time ProxySQL didn't have good TLS support yet.
  • 20. Rolling out TLS: Certificate validation. This brings us to Certificate Validation. Things to validate: ● Not After date ● CA ● Hostname(s)
  • 21. Rolling out TLS: Certificate validation. But this wasn't always working as expected: ● Hostname ○ Not done unless you set ssl-mode to VERIFY_IDENTITY ○ Wasn't possible in Workbench before 6.3.9 ○ Support for SubjectAlternativeName was added in 5.7.23 (based on my patch) ● Not After date ○ Fixed in 5.7.18 (and Workbench 8.0.12) ● CA ○ Note done unless you set ssl-mode to VERIFY_CA or VERIFY_IDENTITY ○ Before 5.7.18: If VERIFY_CA was set but no CA was specified it didn't fail.
  • 22. Enforcing TLS. ● Per account ○ REQUIRE SSL ○ REQUIRE X509 (SSL + valid certificate) ○ REQUIRE SUBJECT ○ REQUIRE ISSUER ○ REQUIRE CIPHER ● On the server: require_secure_transport ○ TLS or UNIX Domain Socket ● On the client: ○ requireTLS=true (Connector/J) ○ --ssl-mode=REQUIRED|VERIFY_CA|VERIFY_IDENTITY ○ mysql_ssl=1, etc (Perl) Remember the auth_pam_compat with cleartext-plugin? We use require_secure_transport for that.
  • 23. Rolling out TLS: percona-toolkit. ● So we have some servers with require_secure_transport ● We are in the process of rolling out TLS, not enabled everywhere just yet. ● We feed pt-online-schema-change a list of machines to monitor ● Now pt-osc connects, this fails on servers with require_secure_transport ● Setting mysql_ssl=1 causes it to fail on non-TLS servers ● Upgrading DBD::mysql and using mysql_ssl=1,mysql_ssl_optional=1 fixes the issue
  • 24. Rolling out TLS: Orchestrator and go-mysql-driver. ● Orchestrator ○ We use GitHub Orchestrator ○ Orchestrator needs to connect to machines. ○ We teached it to re-connect over TLS when a host uses require-secure-transport ○ Orchestrator stores this per machine, to avoid re-connects. ○ Maintaining this cache wasn't without issues. ● Go ○ I added support for optional TLS: "tls=preferred" on the DSN ○ This should make it easier to support use TLS while it is not yet available on all servers.
  • 25. Rolling out TLS: Java. ● We have a PEM CA certificate ● For Connector/Java we have to convert this to JKS before we can use it.
  • 26. Rolling out TLS: RSA vs EC. ○ I started to test connect times ○ EC: ECDH-RSA-AES128-GCM-SHA256 ○ RSA: DHE-RSA-AES128-GCM-SHA256 ○ Connect time was about 50% faster with EC on MySQL 5.7 with OpenSSL $ openssl ciphers -v 'DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256' DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
  • 27. Rolling out TLS: EC. ○ For Java we use conscrypt as crypto library ○ However conscript and MySQL with OpenSSL and EC don't agree on ciphers ○ A similar issue happens with golang and crypto/tls ○ So EC is new and has some rough edges ○ Running MySQL with a newer OpenSSL version might help
  • 28. Rolling out TLS: Current status. ● Most servers run with TLS enabled ● More than 50% of connections actually use TLS ● Millions of concurrent TLS connections
  • 29. Learnings 1. Use OpenSSL, don't use YaSSL (basically: use MySQL 8.0 or a recent MariaDB) 2. Focus on enabling TLS on all MySQL Servers 3. Disable for specific connections if needed 4. Use TLS unless you have a strong reason not to (unless the other way around) 5. With TLS you are more future proof (caching_sha2)
  • 30. Future. ○ TLSv1.3 0-RTT(-like)? ○ Better support for EC ciphers ○ Using TLS Tickets (Bug #76921 Resume SSL / TLS sessions (use TLS tickets)) ■ 1000 connects: from 37s to 26s ○ Increasing use of a Proxy
  • 32. MariaDB specific features. ● Support for GnuTLS ● Support for SChannel (Windows only) ● Fingerprint verification ● Passphrase protected private keys
  • 33. Wireshark. ● Use a non-DH key ● Give wireshark your key ● It can now decrypt your traffic