MySQL Forums
Forum List  »  Security

Re: question on "--ssl-ca" flag during ssl connection
Posted by: Georgi Kodinov
Date: August 29, 2024 01:57AM

I suggest that you familiarize yourself with https://en.wikipedia.org/wiki/Certificate_authority
And then see how this applies to MySQL in https://dev.mysql.com/doc/refman/8.4/en/using-encrypted-connections.html#using-encrypted-connections-server-side-runtime-configuration.

Now, to answer your immediate question:

Trusted third parties are a convenient way to make sure that the other party in a communication exchange is what they say they are. This is done by verifying the signature on their certificate against the public key of a 3d party that you both trust (a.k.a. certificate authority).

If you do not supply a certificate authority certificate (containing the public key) such a check cannot be performed. So, while your connection cannot be eavesdropped on, you will not be sure that the connecting client or server on the other end of the wire is not some impersonator (a.k.a. as a man-in-the-middle attack).

So, I would advice that you provide a ca certificate on the server so that the authenticity of the connecting client certificate can be verified. And vice versa: I would advice to provide a CA certificate on the client to verify the authenticity of the certificate presented to the client by the server. Note that the CA certificate can be a chain too: e.g. root CA is a self-signed cert, it's then used to sign an intermediary CA cert that is in turn used to sign your server or client cert. And if you trust the root CA (and have the certificate of the intermediate CA) you by extension trust the intermediate CA and the signatures it does too.

MySQL goes one step beyond that too and uses the local certificate authority to verify the local cert at startup. E.g. on the server you can specify --ssl-ca=foo --ssl-key=bar.priv --ssl-cert=bar.cert. And the server will use the CA cert foo to verify the signature on the bar.cert at startup.

Note also that the --ssl-ca file can contain multiple certs. This is needed if you have multiple CAs that you trust (like e.g. your browser does).

And it goes on and on from here. Get a good book or video on the TLS, X.509 certs and trust and read trough it.

Georgi "Joro" Kodinov
MySQL SrvGen team lead
Plovdiv, Bulgaria

Options: ReplyQuote


Subject
Views
Written By
Posted
Re: question on "--ssl-ca" flag during ssl connection
47
August 29, 2024 01:57AM


Sorry, only registered users may post in this forum.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.