Protecting MySQL network traffic
Daniël van Eeden | 25 April 2017
Booking.com at a glance
● Started in 1996; still based in Amsterdam
● Member of the Priceline Group since 2005 (stock: PCLN)
● Amazing growth; continuous scaling challenges
● Online Hotel/Accommodation/Travel Agent (OTA):
● Over 1.2 million active properties in 227 countries
● Over 1.2 million room nights reserved daily
● 40+ languages (website and customer service)
● Over 13,000 people working in 187 offices in 70 countries
● We use a lot of MySQL and MariaDB:
● Thousands (1000s) of servers, ~90% replicating
● >150 masters: ~30 of them with >50 slaves and ~10 with >100 slaves
Why protect MySQL network traffic?
● Prevent leaking of authentication data (passwords, etc.)
● Prevent leaking of sensitive data (PII, credit card numbers, medical records)
● Ensure data is not tampered with.
● Because of regulations
● Because why not? Are you still using telnet to manage servers?
How?
● Use SSL!
● Done!
SSL Support in MySQL
● MySQL doesn't have SSL support
● MySQL never had any SSL support
● MySQL has TLS support… this is what everyone calls SSL, but it isn't SSL
● Supported since 4.0.0 (~2003)
● For now just assume SSL and TLS are the same
What is NOT protected by TLS
● Data-at-rest
○ InnoDB and MyISAM data files
○ Binlogs, redo logs, slow query logs
○ Backups
● Does not protect against a DoS
○ e.g. corrupting traffic
● Might not protect the query text
○ performance_schema etc.
● Does not hide the traffic pattern
First steps with TLS
1. Get a certificate
2. Restart MySQL
3. Enable TLS on the client
4. Check if the connection actually uses TLS
Generating the certificate
● With 5.7 and up: Might already be done by your installation
● If not, use mysql_ssl_rsa_setup
● For older versions: https://github.com/dveeden/mysslgen
● Or use the openssl commandline utilities as described in the reference manual on https://dev.mysql.com/doc/mysql/en/creating-ssl-files-using-openssl.html
● Did you know MySQL Workbench has an SSL Wizard?
Configuration
● On 5.7+: Place the ca.pem, server-cert.pem and server-key.pem in your datadir. (already the case if you use mysql_ssl_rsa_setup)
● Or set ssl-ca, ssl-key, ssl-cert in your my.cnf
● Restart MySQL
● Enable SSL in your application. You probably want to copy your ca.pem file to your client
Checking your connection
● 'status' or \s in the mysql client
● Look for 'Cipher in use'
● Or check the 'Ssl_cipher' session status.
What if it doesn't work?
● Check your mysqld.log
● Check the permissions on the pem files
○ Should be readable for the mysql user
● Try to connect with --ssl-mode=REQUIRED
● Use the OpenSSL commandline tools to see what's in the certificate.
● Use Wireshark.
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ERROR 2026 (HY000): SSL connection error: unknown error number
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
ERROR 2026 (HY000): SSL connection error: protocol version mismatch
ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use
ERROR 2026 (HY000): SSL connection error: Unable to get certificate
ERROR 2026 (HY000): SSL connection error: Unable to get private key
Now let's make it more secure
● Require the use of TLS on the server
● Require the use of TLS on the client
● Enable more security checks
● Security updates
Make TLS a requirement
● On a per user basis:
○ ALTER USER foo REQUIRE SSL
○ Undo: ALTER USER foo REQUIRE NONE
● But what happens if you accidentally create a user?
○ e.g. GRANT on a nonexistent user?
○ Set: sql_mode=NO_AUTO_CREATE_USER,…
● On a server level:
○ SET GLOBAL require_secure_transport=ON
○ This still allows UNIX socket connections w/o TLS
Issues with full-on TLS
● Is your monitoring capable of using TLS connections?
● What about load balancer health checks?
On the client
● Use --ssl-mode=REQUIRED
○ The default in 5.7 is PREFERRED
○ Older releases default to DISABLED
● This only makes a TLS connection a requirement
○ Does not check if issued by a trusted CA
○ Does not check if the hostname matches the cert
○ To do this use VERIFY_CA or VERIFY_IDENTITY
● On older versions:
○ Use --ssl-ca to allow TLS and enable CA checks
○ Use --ssl-verify-server-cert to do hostname checks.
○ Often not possible to force the use of TLS: this is the BACKRONYM vulnerability
● Use --ssl-ca=/path/to/ca.pem to specify which CA(s) are trusted.
Client checks
● The client could do these checks:
○ Is the certificate signed by a trusted CA?
○ Does the CommonName (CN) in the certificate match the hostname we are connecting to?
○ Is the certificate expired?
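The three checks above are exactly what separates --ssl-mode=REQUIRED, VERIFY_CA and VERIFY_IDENTITY. As an added example (not code from the deck, from Booking.com or from any MySQL connector), the following Go program, standard library only, builds a throw-away CA and server certificate in memory and then runs real TLS handshakes over loopback with a client configured the way each mode describes: REQUIRED accepts any certificate, VERIFY_CA insists on a trusted issuer and valid dates but ignores the hostname, VERIFY_IDENTITY additionally requires the certificate to name the host being dialled. The mode names are the ones from the slides; the hostnames db1.example.test / wrong.example.test, the function names and the fixture are assumptions of this example. One difference from what the slides say about MySQL of this era: Go's verifier matches the SubjectAltName rather than the CommonName, so the fixture sets both to the same host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must keeps the fixture short: a failing key generation means a broken environment.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// testPKI is a CA plus one server certificate made in memory (a constructed fixture,
// not keys from any real deployment) so that the handshakes below run offline.
type testPKI struct {
	roots  *x509.CertPool  // what a client would load with --ssl-ca
	server tls.Certificate // what mysqld would present via ssl-cert / ssl-key
}

func newTestPKI(host string) *testPKI {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-test-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, // Go matches SubjectAltName, not the CommonName the slides say MySQL checks
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER := must(x509.CreateCertificate(rand.Reader, srv, caCert, &srvKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &testPKI{roots: roots, server: tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}}
}

// clientConfig maps the --ssl-mode levels from the slides onto a Go tls.Config; clock
// stands in for the wall clock so that certificate expiry can be exercised on demand.
func clientConfig(mode string, roots *x509.CertPool, host string, clock func() time.Time) (*tls.Config, error) {
	switch mode {
	case "REQUIRED": // encrypted, but any certificate is accepted: no CA or hostname check
		return &tls.Config{InsecureSkipVerify: true, Time: clock}, nil
	case "VERIFY_CA": // chain must end at a trusted CA; the hostname is deliberately not checked
		verify := func(cs tls.ConnectionState) error { // Go rejects an empty Certificate message before this runs
			opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), CurrentTime: clock()}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c)
			}
			_, err := cs.PeerCertificates[0].Verify(opts) // no DNSName in opts: issuer and validity only
			return err
		}
		return &tls.Config{InsecureSkipVerify: true, VerifyConnection: verify, Time: clock}, nil
	case "VERIFY_IDENTITY": // trusted CA, valid dates, and the certificate must name the host we dialled
		return &tls.Config{RootCAs: roots, ServerName: host, Time: clock}, nil
	}
	return nil, fmt.Errorf("unknown ssl-mode %q", mode)
}

// connectOK runs one real handshake against a loopback TLS server presenting pki's
// certificate and reports whether a client in the given ssl-mode accepted it at time at.
func connectOK(pki *testPKI, mode string, roots *x509.CertPool, host string, at time.Time) (bool, error) {
	cliCfg, err := clientConfig(mode, roots, host, func() time.Time { return at })
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{pki.server}}).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return false, nil // the client refused the server, which is what the mode demands
	}
	conn.Close()
	return true, nil
}

func main() {
	pki := newTestPKI("db1.example.test")
	for _, mode := range []string{"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"} {
		ok, _ := connectOK(pki, mode, pki.roots, "wrong.example.test", time.Now())
		fmt.Printf("%-16s accepts a certificate issued for another host: %v\n", mode, ok)
	}
}
```

A tls.Config built like this is what the Go MySQL driver mentioned later in the deck takes when you register a named TLS configuration with it; that registration call, and the hostname the driver puts into ServerName, are outside this example.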
Certificate Authority validation
● Validates that the server certificate is signed by one of the CAs present in the specified CA file.
● Note that a CA file can contain multiple CAs
● There is also a CA path option.
● The auto generated certificates from mysql_ssl_rsa_setup all have their own CA.
Hostname validation
● mysql_ssl_rsa_setup generates certificates with
○ CN=MySQL_Server_5.7.18_Auto_Generated_Server_Certificate
● So generate the certificates manually if you want this to match your hostname
● A certificate can have a list of hostnames in SubjectAltName
○ MySQL doesn't check those... Bug #68052
● So if you use a virtual-IP, CNAME, etc. it might be difficult to match this.
● What if your clients connect on a CNAME and your replicas connect on the hostname? You can't have both!
Security updates
● I reported a few issues to Oracle.
● CVE-2017-3590 for Connector/Python
● CVE-2017-3469 for MySQL Workbench
● CVE-2017-3467 for libmysqlclient
● Those are fixed. See the Oracle Critical Patch Update for details.
● But if you care about security you should follow the release notes and Critical Patch Updates anyway...
What library does MySQL use?
● Community Edition: YaSSL
○ Because the GPL and the OpenSSL license are not really compatible
○ This library is maintained by WolfSSL
○ This is not CyaSSL/WolfSSL
○ WolfSSL made a patch to include WolfSSL in MySQL 5.6.30 (https://github.com/wolfSSL/mysql-patch)
● Enterprise Edition: OpenSSL
● If you build MySQL yourself: you can compile against either of them.
Why not TLS?
● Because it is SLOW!
● Because we trust our network!
● Because we encrypt with:
○ The application (store encrypted data)
○ SSH (Also works great with Workbench)
○ VPN
● Because we want to inspect our network traffic!
○ Wireshark can decrypt it if you hand over your private key. Some ciphers require you to somehow extract session keys.
How slow is slow?
● Overhead in milliseconds for setting up a TLS connection on localhost with TCP.
● Client: Go
● 5.7 is faster than 5.6
● OpenSSL is faster than YaSSL
● Using TLS tickets (OpenSSL only) helps
● Best case: 0.99ms (5.7 OpenSSL w/ tickets) vs. 0.60ms (no TLS)
● TLS does need more round trips, but this will change with TLS 1.3
● OpenSSL performs better because it uses AVX2 and AES-NI
Bulk transfer performance
● Easy to test: mysqldump with and without TLS
● Different ciphers do make a difference.
mysqldump performance with MySQL 5.6.35 (YaSSL)
Cipher         Time
No TLS         4.5s
TLS Default    10.4s
RC4-MD5        7.1s
DES-CBC3-SHA   23.2s
Monitoring
● Monitor the Expiry of certificates
● Not just the certificate on disk, also the one in memory.
● Use TLS for your monitoring on 5.6 and earlier, otherwise you might not see the status vars
● Performance schema can show you the ciphers and TLS versions in use by all connections
● Using SYS is even easier:
○ SELECT * FROM session_ssl_status
Client certificates
● This allows mutual authentication
● Often used together with a password
● You might want to use REQUIRE SUBJECT or REQUIRE ISSUER on accounts.
● At least use REQUIRE X509 instead of REQUIRE SSL
Replication
● Use CHANGE MASTER TO MASTER_SSL=1, etc
● Think about what happens if your certificate(s) expire
● Does the hostname match the certificate?
Changing certificates
● Needs restart
● Moving slaves around might not work until you restart.
● Same for a switchover.
CRL and OCSP
● Only possible with OpenSSL
● Does not auto download the CRL from the distribution point
● Does not use OCSP
● Basically restart MySQL every time your CRL changes.. which is not practical
Where to get your certificate?
● Official CA?
● Internal CA?
● Self signed?
TLS handshake with MySQL
● server hello with the ssl flag set
● 'empty' login packet with ssl flag set
● Start SSL handshake
● Basically STARTTLS-ish
○ SSL and non-SSL on the same port
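The exchange above, as an added example that is not part of the deck or of any MySQL client library: a Go program, standard library only, that parses the server's initial handshake packet (protocol version 10) far enough to read the capability flags, decides whether CLIENT_SSL is advertised, and builds the 32-byte "empty" login packet that tells the server to switch to TLS on the same socket. The capability bit values (CLIENT_PROTOCOL_41 = 0x200, CLIENT_SSL = 0x800, CLIENT_SECURE_CONNECTION = 0x8000) and the packet layout are from the MySQL client/server protocol; the sample greetings are constructed in the code, and the function names are this example's own. The refusal in negotiateTLS is the check the slides' BACKRONYM remark is about: a client that is told to require TLS must not silently continue with a cleartext login when the server does not offer it.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Capability bits from the MySQL client/server protocol used below.
const (
	clientProtocol41 uint32 = 0x00000200
	clientSSL        uint32 = 0x00000800
	clientSecureConn uint32 = 0x00008000
)

// Greeting holds the parts of the server's initial handshake packet (protocol v10)
// that decide whether TLS can be negotiated on this connection.
type Greeting struct {
	ServerVersion string
	ConnectionID  uint32
	Capabilities  uint32
}

// parseGreeting decodes a v10 greeting, 4-byte packet header included; the trailing
// auth-plugin fields are left alone because they do not affect the TLS decision.
func parseGreeting(pkt []byte) (*Greeting, error) {
	if len(pkt) < 4 {
		return nil, fmt.Errorf("packet shorter than its header")
	}
	p := pkt[4:]
	if want := int(pkt[0]) | int(pkt[1])<<8 | int(pkt[2])<<16; len(p) != want {
		return nil, fmt.Errorf("payload is %d bytes, header says %d", len(p), want)
	}
	if len(p) < 1 || p[0] != 10 {
		return nil, fmt.Errorf("not a protocol v10 greeting")
	}
	nul := bytes.IndexByte(p[1:], 0)
	if nul < 0 {
		return nil, fmt.Errorf("unterminated server version")
	}
	g := &Greeting{ServerVersion: string(p[1 : 1+nul])}
	p = p[2+nul:]
	// Fixed part: connection id (4), auth-plugin-data-part-1 (8), filler (1), capabilities
	// low (2), charset (1), status (2), capabilities high (2), auth data length (1), reserved (10).
	if len(p) < 31 {
		return nil, fmt.Errorf("greeting truncated")
	}
	g.ConnectionID = binary.LittleEndian.Uint32(p[0:4])
	g.Capabilities = uint32(binary.LittleEndian.Uint16(p[18:20]))<<16 | uint32(binary.LittleEndian.Uint16(p[13:15]))
	return g, nil
}

// sslRequest is the 'empty' login packet from the slides: the client's capability flags with
// CLIENT_SSL set, max packet size and charset, padded to 32 bytes, sequence id 1. Once the
// server has read it, both sides start the TLS handshake on the same socket.
func sslRequest(clientCaps uint32) []byte {
	pkt := make([]byte, 4+32)
	pkt[0], pkt[3] = 32, 1 // payload length 32 (3 bytes little endian), sequence id 1
	binary.LittleEndian.PutUint32(pkt[4:8], clientCaps|clientProtocol41|clientSSL)
	binary.LittleEndian.PutUint32(pkt[8:12], 16*1024*1024) // max packet size
	pkt[12] = 33                                           // utf8_general_ci; bytes 13..35 stay zero (reserved)
	return pkt
}

// negotiateTLS is the decision a --ssl-mode=REQUIRED client has to make, and the one the
// slides say older clients could not (BACKRONYM): never fall back to a cleartext login when
// the server does not advertise CLIENT_SSL. It returns the packet to send next, or nil when
// the caller may continue with an ordinary login packet.
func negotiateTLS(g *Greeting, require bool) ([]byte, error) {
	if g.Capabilities&clientSSL == 0 {
		if require {
			return nil, fmt.Errorf("server %q does not offer TLS; refusing cleartext login", g.ServerVersion)
		}
		return nil, nil
	}
	return sslRequest(clientSecureConn), nil
}

// constructedGreeting assembles a v10 greeting with the given capabilities so the parser can
// be exercised offline; connection id and auth nonce are dummy values, not real server output.
func constructedGreeting(version string, caps uint32, plugin string) []byte {
	var b bytes.Buffer
	b.WriteByte(10)
	b.WriteString(version + "\x00")
	binary.Write(&b, binary.LittleEndian, uint32(42)) // connection id
	b.WriteString("nonce-p1\x00")                     // auth-plugin-data-part-1 (8 bytes) + filler
	binary.Write(&b, binary.LittleEndian, uint16(caps))
	b.WriteByte(33)                                  // charset
	binary.Write(&b, binary.LittleEndian, uint16(2)) // status: SERVER_STATUS_AUTOCOMMIT
	binary.Write(&b, binary.LittleEndian, uint16(caps>>16))
	b.WriteByte(21)                   // total auth-plugin-data length
	b.Write(make([]byte, 10))         // reserved
	b.WriteString("nonce-part-2\x00") // auth-plugin-data-part-2 (13 bytes incl. NUL)
	b.WriteString(plugin + "\x00")    // auth plugin name
	n := b.Len()
	return append([]byte{byte(n), byte(n >> 8), byte(n >> 16), 0}, b.Bytes()...)
}

func main() {
	g, err := parseGreeting(constructedGreeting("5.7.18-log", clientProtocol41|clientSSL|clientSecureConn, "mysql_native_password"))
	if err != nil {
		panic(err)
	}
	next, err := negotiateTLS(g, true)
	fmt.Printf("server %s offers TLS: %v; next packet: %d bytes, err=%v\n", g.ServerVersion, g.Capabilities&clientSSL != 0, len(next), err)
}
```

Because the capability flags travel in the clear before any encryption starts, a passive observer can always see whether a server offers TLS and whether a client asked for it; that is why the slides call this STARTTLS-ish, and why forcing the mode on the client rather than hoping the server offers it is the part that matters.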
Protection of authentication data
● native password with nonce
● sha256 password with RSA keys or TLS
● cleartext plugin
TLS ciphers
● Possible to set restriction on Server and Client
● How are you going to manage and maintain that?
● 'REQUIRE cipher' also requires client certificates
● One practical use case would be to use a faster cipher for mysqldump
● Might help with compliance
● 5.7.10 already places more strict requirements on the list of ciphers
TLS versions
● Can be limited on the server and client
● Note that YaSSL only has TLS 1.0 and TLS 1.1 support
● Minimum is TLS 1.0
What about MariaDB?
● Doesn't use --ssl-mode
● Does have good TLS support
● MariaDB Connector/C has support for
○ fingerprint verification
○ password protected private keys
● 19 open MDEVs tagged with SSL
Connector support
● Works for C, C++, Python (multiple), Perl, Java, ODBC, Go, etc
● The Go MySQL driver lets you specify a TLS Config, which is really flexible.
● Do update your Connector: many connectors did have security updates related to TLS.
Don't forget these
● MySQL Cluster (NDB) communication within the cluster
● Galera communication
● Sending backups to a central location (xbstream etc)
● Network traffic for iSCSI, FCP, NFS
Future
● TLSv1.3 with 0-RTT
● WolfSSL?
Oh, and Booking.com is hiring!
● Almost any role:
● MySQL Engineer / DBA
● System Administrator
● System Engineer
● Site Reliability Engineer
● Developer
● Designer
● Technical Team Lead
● Product Owner
● Data Scientist
● And many more…
● https://workingatbooking.com
Thank you!
All references to “Booking.com", including any mention of “us”, “we” and “our” refer to Booking.com BV, the company behind Booking.com™

一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
 
Liberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptxLiberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptx
 
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
 
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
The Power of Visual Regression Testing_ Why It Is Critical for Enterprise App...
 
Modelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - AmsterdamModelling Up - DDDEurope 2024 - Amsterdam
Modelling Up - DDDEurope 2024 - Amsterdam
 

Protecting MySQL Network traffic

9. Configuration
● On 5.7+: Place the ca.pem, server-cert.pem and server-key.pem in your datadir (already the case if you use mysql_ssl_rsa_setup)
● Or set ssl-ca, ssl-key, ssl-cert in your my.cnf
● Restart MySQL
● Enable SSL in your application. You probably want to copy your ca.pem file to your client
10. Checking your connection
● 'status' or \s in the mysql client
● Look for 'Cipher in use'
● Or check the 'Ssl_cipher' session status variable: SHOW SESSION STATUS LIKE 'Ssl_cipher'. An empty value means the connection is not using TLS.
11. What if it doesn't work?
● Check your mysqld.log
● Check the permissions on the pem files
○ Should be readable for the mysql user
● Try to connect with --ssl-mode=REQUIRED
● Use the OpenSSL commandline tools to see what's in the certificate.
● Use Wireshark.
Errors you may run into:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ERROR 2026 (HY000): SSL connection error: unknown error number
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
ERROR 2026 (HY000): SSL connection error: protocol version mismatch
ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use
ERROR 2026 (HY000): SSL connection error: Unable to get certificate
ERROR 2026 (HY000): SSL connection error: Unable to get private key
12. Now let's make it more secure
● Require the use of TLS on the server
● Require the use of TLS on the client
● Enable more security checks
● Security updates
13. Make TLS a requirement
● On a per user basis:
○ ALTER USER foo REQUIRE SSL
○ Undo: ALTER USER foo REQUIRE NONE
● But what happens if you accidentally create a user?
○ e.g. GRANT on a nonexistent user?
○ Set: sql_mode=NO_AUTO_CREATE_USER,…
● On a server level:
○ SET GLOBAL require_secure_transport=ON
○ This still allows UNIX socket connections w/o TLS
14. Issues with full-on TLS
● Is your monitoring capable of using TLS connections?
● What about load balancer health checks?
15. On the client
● Use --ssl-mode=REQUIRED
○ The default in 5.7 is PREFERRED
○ Older releases default to DISABLED
● This only makes a TLS connection a requirement
○ Does not check if issued by a trusted CA
○ Does not check if the hostname matches the cert
○ To do this use VERIFY_CA or VERIFY_IDENTITY
● On older versions:
○ Use --ssl-ca to allow TLS and enable CA checks
○ Use --ssl-verify-server-cert to do hostname checks.
○ Often not possible to force the use of TLS: this is the BACKRONYM vulnerability
● Use --ssl-ca=/path/to/ca.pem to specify which CA(s) are trusted.
16. Client checks
● The client could do these checks:
○ Is the certificate signed by a trusted CA?
○ Does the CommonName (CN) in the certificate match the hostname we are connecting to?
○ Is the certificate expired?
17. Certificate Authority validation
● Validates that the server certificate is signed by one of the CAs present in the specified CA file.
● Note that a CA file can have multiple CAs
● There is also a CA path option.
● The auto generated certificates from mysql_ssl_rsa_setup all have their own CA.
18. Hostname validation
● mysql_ssl_rsa_setup generates certificates with
○ CN=MySQL_Server_5.7.18_Auto_Generated_Server_Certificate
● So generate the certificates manually if you want this to match your hostname
● A certificate can have a list of hostnames in SubjectAltName
○ MySQL doesn't check those... Bug #68052
● So if you use a virtual-IP, cname, etc. it might be difficult to match this.
● What if your clients connect on a CNAME and your replicas connect on the hostname? You can't have both!
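The three client levels from slides 15 to 18 (REQUIRED, VERIFY_CA, VERIFY_IDENTITY) and the difference between a CA check and a hostname check, in working code. This is an added example, not code from the slides or from MySQL: it generates a self-signed server certificate that plays both server-cert.pem and ca.pem, gives it the auto-generated style CN from slide 18 and puts the real hostname only in SubjectAltName, then runs real TLS handshakes against a throwaway local listener under each mode. Go is used because the Go MySQL driver's TLS Config (slide 36) is built from exactly these crypto/tls settings. Note that Go's verifier matches SubjectAltName and ignores CN, the opposite of the MySQL client behaviour described in Bug #68052, so a certificate that has to satisfy both kinds of client needs the hostname in the CN and in SubjectAltName. The names db.example.com, db01.example.com and the mode strings are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newServerCert creates a self-signed server certificate for the example (it plays both server-cert.pem
// and ca.pem). CN is the auto-generated style name; the hostname lives only in SubjectAltName (DNSNames).
func newServerCert(cn string, sans []string) (*x509.Certificate, tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// clientConfig maps an --ssl-mode value to the tls.Config a Go driver would be handed.
func clientConfig(mode string, roots *x509.CertPool, host string) *tls.Config {
	switch mode {
	case "REQUIRED": // encrypted, but any certificate is accepted: no protection against a MITM
		return &tls.Config{InsecureSkipVerify: true}
	case "VERIFY_CA": // Go has no "check the chain but not the name" switch, so verify the chain by hand
		return &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			_, err = leaf.Verify(x509.VerifyOptions{Roots: roots}) // DNSName left empty: no hostname check
			return err
		}}
	default: // VERIFY_IDENTITY: trusted CA, and the name we dial must be in the certificate
		return &tls.Config{RootCAs: roots, ServerName: host}
	}
}

// handshake runs one TLS handshake against a throwaway local listener; nil means the client accepted the server.
func handshake(server tls.Certificate, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // a rejected certificate surfaces as the client's error
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return err
	}
	return conn.Close()
}

// runModes connects to the example server via host under each mode and reports which modes accept it.
func runModes(host string) (map[string]error, error) {
	caCert, server, err := newServerCert("MySQL_Server_5.7.18_Auto_Generated_Server_Certificate", []string{"db.example.com"})
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // the ca.pem copied to the client
	roots.AddCert(caCert)
	res := map[string]error{}
	for _, mode := range []string{"REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"} {
		res[mode] = handshake(server, clientConfig(mode, roots, host))
	}
	res["VERIFY_IDENTITY/untrusted-ca"] = handshake(server, clientConfig("VERIFY_IDENTITY", x509.NewCertPool(), host))
	return res, nil
}

func main() {
	res, err := runModes("db01.example.com") // a replica's hostname, which is not in the certificate
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

Connecting as db01.example.com, REQUIRED and VERIFY_CA accept the server (the certificate chains to the trusted CA and nobody looks at the name), while VERIFY_IDENTITY rejects it with a hostname mismatch; connecting as db.example.com all three accept it, and only the run with an empty trust store fails. That is the whole difference between "the connection is encrypted" and "I am talking to the server I meant to".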
19. Security updates
● I reported a few issues to Oracle.
● CVE-2017-3590 for Connector/Python
● CVE-2017-3469 for MySQL Workbench
● CVE-2017-3467 for libmysqlclient
● Those are fixed. See the Oracle Critical Patch Update for details.
● But if you care about security you should follow the release notes and Critical Patch Update anyways...
20. What library does MySQL use?
● Community Edition: YaSSL
○ Because GPL and the OpenSSL license are not really compatible
○ This library is maintained by WolfSSL
○ This is not CyaSSL/WolfSSL
○ WolfSSL made a patch to include WolfSSL in MySQL 5.6.30 (https://github.com/wolfSSL/mysql-patch)
● Enterprise Edition: OpenSSL
● If you build MySQL yourself: you can compile against either of them.
21. Why not TLS?
● Because it is SLOW!
● Because we trust our network!
● Because we encrypt with:
○ The application (store encrypted data)
○ SSH (Also works great with Workbench)
○ VPN
● Because we want to inspect our network traffic!
○ Wireshark can decrypt it if you hand over the server's private key, but only for RSA key exchange. With forward-secret (DHE/ECDHE) ciphers you need to extract the session keys somehow.
22. How slow is slow?
● Overhead in milliseconds for setting up a TLS connection on localhost with TCP.
● Client: go
● 5.7 is faster than 5.6
● OpenSSL is faster than YaSSL
● Using TLS tickets (OpenSSL only) helps
● Best case: 0.99ms (5.7 OpenSSL w/ tickets) vs. 0.60ms (no TLS)
● TLS does need more roundtrips, but this will change with TLS 1.3
● OpenSSL performs better because it uses AVX2 and AES-NI
23. Bulk transfer performance
● Easy to test: mysqldump with and without TLS
● Different ciphers do make a difference.
mysqldump performance with MySQL 5.6.35 (YaSSL):
  No TLS         4.5s
  TLS Default   10.4s
  RC4-MD5        7.1s
  DES-CBC3-SHA  23.2s
(RC4 and 3DES are both deprecated ciphers; the numbers show that the cipher choice matters for throughput, not that these two should be enabled.)
24. Monitoring
● Monitor the expiry of certificates
● Not just the certificate on disk, also the one in memory (the server keeps using the certificate it loaded at startup)
● Use TLS for your monitoring on 5.6 and earlier, otherwise you might not see the status vars
● Performance schema can show you the ciphers and TLS versions in use by all connections
● Using SYS is even easier:
○ SELECT * FROM sys.session_ssl_status
26. Client certificates
● This allows mutual authentication
● Often used together with a password
● You might want to use REQUIRE SUBJECT or REQUIRE ISSUER on accounts.
● At least use REQUIRE X509 instead of REQUIRE SSL
27. Replication
● Use CHANGE MASTER TO MASTER_SSL=1, etc
● Think about what happens if your certificate(s) expire
● Does the hostname match the certificate?
28. Changing certificates
● Needs a restart (on 5.7 and earlier; MySQL 8.0.16 later added ALTER INSTANCE RELOAD TLS)
● Moving slaves around might not work until you restart..
● Same for a switchover.
29. CRL and OCSP
● Only possible with OpenSSL
● Does not auto download the CRL from the distribution point
● Does not use OCSP
● Basically restart MySQL every time your CRL changes.. which is not practical
30. Where to get your certificate?
● Official CA?
● Internal CA?
● Self signed?
31. TLS handshake with MySQL
● Server hello (the initial handshake packet) with the SSL capability flag set
● 'Empty' login packet (SSLRequest) with the SSL flag set
● Start the TLS handshake
● Basically STARTTLS-ish
○ SSL and non-SSL on the same port
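The exchange on this slide, as an added example that is not part of the deck or of any MySQL connector: it builds a HandshakeV10 greeting (the server hello), reads the CLIENT_SSL capability flag out of it, and builds the 'empty' login packet (Protocol::SSLRequest) that the client sends in the clear just before starting the TLS handshake. It also carries the client-side decision from slide 15: with ssl-mode=REQUIRED the client must refuse a greeting that does not advertise CLIENT_SSL rather than silently continuing in plaintext, which is the downgrade the slides call BACKRONYM. The greeting contents (connection id 42, the dummy auth-plugin data, the version string) are constructed for the example; the packet layout and flag values follow the MySQL client/server protocol.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Capability flags from the MySQL client/server protocol (the subset this example needs).
const (
	clientProtocol41 = 0x00000200
	clientSSL        = 0x00000800 // server: "TLS is available"; client: "switch to TLS now"
	clientPluginAuth = 0x00080000
)

// le returns the low n bytes of v in little-endian order (n = 2 or 4).
func le(v uint32, n int) []byte {
	b := make([]byte, 4)
	binary.LittleEndian.PutUint32(b, v)
	return b[:n]
}

// packet wraps a payload in the 4-byte MySQL packet header: 3-byte little-endian length + sequence id.
func packet(seq byte, payload []byte) []byte {
	n := len(payload)
	return append([]byte{byte(n), byte(n >> 8), byte(n >> 16), seq}, payload...)
}

// buildHandshakeV10 constructs a server greeting (Protocol::HandshakeV10) advertising caps.
// The auth-plugin data is a fixed dummy here; a real server sends 20 random bytes.
func buildHandshakeV10(caps uint32, version string) []byte {
	p := append([]byte{10}, version+"\x00"...)    // protocol version, NUL-terminated server version
	p = append(p, le(42, 4)...)                   // connection id (constructed)
	p = append(p, "12345678"...)                  // auth-plugin-data-part-1 (8 bytes, dummy)
	p = append(p, 0)                              // filler
	p = append(p, le(caps, 2)...)                 // capability flags, lower 16 bits
	p = append(p, 33)                             // character set (utf8_general_ci)
	p = append(p, le(2, 2)...)                    // status flags (SERVER_STATUS_AUTOCOMMIT)
	p = append(p, le(caps>>16, 2)...)             // capability flags, upper 16 bits
	p = append(p, 21)                             // length of auth-plugin data
	p = append(p, make([]byte, 10)...)            // reserved
	p = append(p, "abcdefghijkl\x00"...)          // auth-plugin-data-part-2 (13 bytes, dummy)
	p = append(p, "mysql_native_password\x00"...) // auth plugin name
	return packet(0, p)
}

// serverCapabilities extracts the 32-bit capability flags from a HandshakeV10 greeting.
func serverCapabilities(pkt []byte) (uint32, error) {
	if len(pkt) < 5 || len(pkt)-4 != int(pkt[0])|int(pkt[1])<<8|int(pkt[2])<<16 || pkt[4] != 10 {
		return 0, errors.New("not a well-formed HandshakeV10 greeting")
	}
	p := pkt[4:]
	i := 1
	for i < len(p) && p[i] != 0 { // skip the NUL-terminated server version
		i++
	}
	i += 1 + 4 + 8 + 1 // NUL, connection id, auth-plugin-data-part-1, filler
	if len(p) < i+7 {  // lower caps (2) + charset (1) + status (2) + upper caps (2)
		return 0, errors.New("truncated greeting")
	}
	lower := binary.LittleEndian.Uint16(p[i:])
	upper := binary.LittleEndian.Uint16(p[i+5:])
	return uint32(upper)<<16 | uint32(lower), nil
}

// buildSSLRequest is the 'empty' login packet (Protocol::SSLRequest): client flags with CLIENT_SSL set,
// max packet size, charset and 23 reserved bytes. Sent in the clear with sequence id 1; TLS starts after it.
func buildSSLRequest(clientCaps uint32) []byte {
	p := le(clientCaps|clientSSL, 4)
	p = append(p, le(16*1024*1024, 4)...) // max packet size
	p = append(p, 33)                     // character set
	p = append(p, make([]byte, 23)...)    // reserved
	return packet(1, p)
}

// startTLS decides what the client does after reading the greeting. With requireTLS (ssl-mode=REQUIRED) it
// refuses a server that does not advertise CLIENT_SSL; otherwise (PREFERRED) it falls back to plaintext.
func startTLS(greeting []byte, requireTLS bool) (req []byte, useTLS bool, err error) {
	caps, err := serverCapabilities(greeting)
	if err != nil {
		return nil, false, err
	}
	if caps&clientSSL == 0 {
		if requireTLS {
			return nil, false, errors.New("server does not offer TLS; refusing to send credentials in cleartext")
		}
		return nil, false, nil // caller continues with a plaintext HandshakeResponse41
	}
	return buildSSLRequest(clientProtocol41 | clientPluginAuth), true, nil
}

func main() {
	caps := uint32(clientProtocol41 | clientSSL | clientPluginAuth)
	for _, c := range []uint32{caps, caps &^ clientSSL} { // an honest server, then one with the TLS flag stripped
		req, useTLS, err := startTLS(buildHandshakeV10(c, "5.7.18-log"), true)
		fmt.Printf("caps=%#x useTLS=%v request=%x err=%v\n", c, useTLS, req, err)
	}
}
```

Because the greeting and the SSLRequest travel in the clear, an attacker on the path can clear the CLIENT_SSL bit in the greeting; the only defence is a client that treats "no TLS offered" as a hard error, which is what --ssl-mode=REQUIRED does and what older clients without it could not do.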
32. Protection of authentication data
● native password: challenge-response with a nonce, so the password itself is not sent over the wire
● sha256 password: needs the server's RSA key pair or TLS to protect the password in transit
● cleartext plugin: sends the password as-is, so only use it over TLS (or a UNIX socket)
33. TLS ciphers
● Possible to set restrictions on server and client
● How are you going to manage and maintain that?
● 'REQUIRE CIPHER' also requires client certificates
● One practical use case would be to use a faster cipher for mysqldump
● Might help with compliance
● 5.7.10 already places stricter requirements on the list of ciphers
34. TLS versions
● Can be limited on the server and client
● Note that YaSSL only has TLS 1.0 and TLS 1.1 support
● Minimum is TLS 1.0
35. What about MariaDB?
● Doesn't use --ssl-mode
● Does have good TLS support
● MariaDB Connector/C has support for
○ fingerprint verification
○ password protected private keys
● 19 open MDEVs tagged with SSL
36. Connector support
● Works for C, C++, Python (multiple), Perl, Java, ODBC, Go, etc
● The Go MySQL driver lets you specify a TLS Config, which is really flexible.
● Do update your Connector.. Many connectors did have security updates related to TLS.
37. Don't forget these
● MySQL Cluster (NDB) communication within the cluster
● Galera communication
● Sending backups to a central location (xbstream etc)
● Network traffic for iSCSI, FCP, NFS
38. Future
● TLSv1.3 with 0-RTT
● WolfSSL?
39. Oh, and Booking.com is hiring!
● Almost any role:
● MySQL Engineer / DBA
● System Administrator
● System Engineer
● Site Reliability Engineer
● Developer
● Designer
● Technical Team Lead
● Product Owner
● Data Scientist
● And many more…
● https://workingatbooking.com/
40. Thank you!
All references to “Booking.com", including any mention of “us”, “we” and “our” refer to Booking.com BV, the company behind Booking.com™