(mysql.info.gz) Secure GRANT
5.6.7.4 SSL `GRANT' Options
...........................
MySQL can check X509 certificate attributes in addition to the usual
authentication that is based on the username and password. To specify
SSL-related options for a MySQL account, use the `REQUIRE' clause of
the `GRANT' statement (see GRANT).
There are different possibilities for limiting connection types for an
account:
* If an account has no SSL or X509 requirements, unencrypted
connections are allowed if the username and password are valid.
An encrypted connection can still be used at the client's option,
provided the client is configured with the proper certificate and
key files.
* `REQUIRE SSL' limits the server to allow only SSL-encrypted
connections for the account. The requirement is per account: it
does not stop the same client from connecting unencrypted as some
other account whose privileges carry no SSL requirement, so every
account that must never be used in the clear needs its own
`REQUIRE' clause.
mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
-> IDENTIFIED BY 'goodsecret' REQUIRE SSL;
* `REQUIRE X509' means that the client must present a valid
certificate, but the exact certificate, issuer, and subject do not
matter. The only requirement is that its signature can be verified
with one of the CA certificates the server is configured to trust.
Any certificate issued by any of those CAs is therefore accepted;
use `ISSUER' or `SUBJECT' when the same CA also issues certificates
to clients that should not be able to use this account.
mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
-> IDENTIFIED BY 'goodsecret' REQUIRE X509;
* `REQUIRE ISSUER 'issuer'' places the restriction on connection
attempts that the client must present a valid X509 certificate
issued by CA `'issuer''. If the client presents a certificate
that is valid but has a different issuer, the server rejects the
connection. Use of X509 certificates always implies encryption,
so the `SSL' option is unnecessary.
mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
-> IDENTIFIED BY 'goodsecret'
-> REQUIRE ISSUER '/C=FI/ST=Some-State/L=Helsinki/O=MySQL Finland AB/CN=Tonu Samuel/Email=tonu@example.com';
Note that the `ISSUER' value must be entered as a single string. It
is compared character by character with the issuer name as the
server's SSL library formats it, so the attribute names, their order
and the separators must match exactly (newer OpenSSL releases, for
example, print the e-mail attribute as `emailAddress' rather than
`Email'). Take the value from the certificate itself rather than
typing it from memory.
* `REQUIRE SUBJECT 'subject'' places the restriction on connection
attempts that the client must present a valid X509 certificate
with subject `'subject'' on it. If the client presents a
certificate that is valid but has a different subject, the server
rejects the connection.
mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
-> IDENTIFIED BY 'goodsecret'
-> REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/O=MySQL demo client certificate/CN=Tonu Samuel/Email=tonu@example.com';
Note that the `SUBJECT' value must be entered as a single string and,
like `ISSUER', must match the subject name exactly as the server's
SSL library prints it.
* `REQUIRE CIPHER 'cipher'' is needed to ensure that strong enough
ciphers and key lengths are used. SSL itself can be weak if old
algorithms with short encryption keys are used. Using this option,
we can require one exact cipher for the connection: a client that
negotiates any other cipher is rejected even if its password and
certificate are valid. The name must be a cipher the server's SSL
library knows. The example below uses a 3DES suite from the era of
this manual that is no longer considered strong; substitute a
current cipher when following it.
mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
-> IDENTIFIED BY 'goodsecret'
-> REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';
The `SUBJECT', `ISSUER', and `CIPHER' options can be combined in the
`REQUIRE' clause like this:
mysql> GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
-> IDENTIFIED BY 'goodsecret'
-> REQUIRE SUBJECT '/C=EE/ST=Some-State/L=Tallinn/O=MySQL demo client certificate/CN=Tonu Samuel/Email=tonu@example.com'
-> AND ISSUER '/C=FI/ST=Some-State/L=Helsinki/O=MySQL Finland AB/CN=Tonu Samuel/Email=tonu@example.com'
-> AND CIPHER 'EDH-RSA-DES-CBC3-SHA';
Note that the `SUBJECT' and `ISSUER' values each must be entered as a
single string.
Starting from MySQL 4.0.4, the `AND' keyword is optional between
`REQUIRE' options.
The order of the options does not matter, but no option can be specified
twice.
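The following is an added example, not part of the MySQL manual, that
puts the options above together: one account per requirement level, a
combined clause written without `AND' and with the options in a
different order from the manual's example, and the checks a practitioner
uses to confirm what the server stored and what a session actually
negotiated. The account names, passwords, DN strings and cipher name
are placeholders to be replaced with values taken from your own CA and
client certificate. It assumes a server that accepts `IDENTIFIED BY'
inside `GRANT' (as in the manual version above) and that has the
`ssl_type', `ssl_cipher', `x509_issuer' and `x509_subject' columns in
`mysql.user'.

```sql
-- Added example (not from the MySQL manual). All names, passwords, DN
-- strings and the cipher are placeholders; replace them with the values
-- printed from your own certificates.

-- 1. Encryption only: the password is still checked, no client
--    certificate is demanded, but the session must be SSL.
GRANT SELECT ON test.* TO 'ssl_only'@'%'
    IDENTIFIED BY 'placeholder-1' REQUIRE SSL;

-- 2. Any client certificate that chains to a CA the server trusts.
GRANT SELECT ON test.* TO 'any_cert'@'%'
    IDENTIFIED BY 'placeholder-2' REQUIRE X509;

-- 3. Pin the certificate. Each DN is a single string, copied exactly as
--    the server's SSL library prints it. AND is omitted and ISSUER is
--    given before SUBJECT, which the server accepts (order is irrelevant,
--    but no option may appear twice).
GRANT SELECT ON test.* TO 'pinned'@'%'
    IDENTIFIED BY 'placeholder-3'
    REQUIRE ISSUER  '/C=FI/ST=Some-State/L=Helsinki/O=MySQL Finland AB/CN=Tonu Samuel/Email=tonu@example.com'
            SUBJECT '/C=EE/ST=Some-State/L=Tallinn/O=MySQL demo client certificate/CN=Tonu Samuel/Email=tonu@example.com'
            CIPHER  'EDH-RSA-DES-CBC3-SHA';   -- placeholder: choose a current cipher

-- 4. An account with no REQUIRE clause. The restriction is per account,
--    so a client holding this password can still connect in the clear
--    as 'plain' even though 'ssl_only' exists.
GRANT SELECT ON test.* TO 'plain'@'%' IDENTIFIED BY 'placeholder-4';

-- Check what was stored. ssl_type is '' (no requirement), 'ANY'
-- (REQUIRE SSL), 'X509' (REQUIRE X509) or 'SPECIFIED' (ISSUER, SUBJECT
-- or CIPHER given); the other columns hold the pinned values, which are
-- compared byte for byte with the presented certificate and cipher.
SELECT user, host, ssl_type, ssl_cipher, x509_issuer, x509_subject
FROM mysql.user
WHERE user IN ('ssl_only', 'any_cert', 'pinned', 'plain');

-- From a client session, confirm the connection really is encrypted:
-- Ssl_cipher is empty on an unencrypted connection and otherwise names
-- the negotiated cipher, which is what REQUIRE CIPHER is matched against.
SHOW STATUS LIKE 'Ssl_cipher';
```

Run the `SELECT' as a user with read access to the `mysql' database
after each `GRANT', and run the `SHOW STATUS' from a session opened as
each of the four accounts; an empty `Ssl_cipher' for `ssl_only',
`any_cert' or `pinned' means the requirement is not being enforced and
the grant should be re-checked. Newer MySQL releases no longer accept
`IDENTIFIED BY' inside `GRANT'; there the same `REQUIRE' clauses are
given to `CREATE USER' or `ALTER USER' instead.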