tencent cloud

Practical Tutorial of MySQL Encryption Audit

Last updated: 2024-10-16 16:43:53

    Application Scenarios

    CDS has supported SSL encryption audits for self-hosted MySQL and MariaDB since version 6.0.2. This document provides necessary information on the limitations, configuration, and frequently asked questions regarding this feature.

    Feature Limits

    The limits of this feature are as follows:
    It only supports self-hosted MySQL and MariaDB. TencentDB for MySQL is covered by cloud-native auditing and needs no separate configuration.
    Supported encryption algorithms: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256.

    Detection Methods

    Step 1: Checking If Encryption Is Enabled

    1. In the database, input the following command to check if SSL encryption is enabled.
    show global variables like '%ssl%';
    2. If the value of have_ssl is YES, SSL is enabled: continue with Step 2, and then either disable SSL or restrict the cipher suites as described under Modification Methods so that CDS can audit the connections.
    dba:(none)> show global variables like '%ssl%';
    +---------------+-----------------+
    | Variable_name | Value           |
    +---------------+-----------------+
    | have_openssl  | YES             |
    | have_ssl      | YES             |   # SSL is enabled.
    | ssl_ca        | ca.pem          |
    | ssl_capath    |                 |
    | ssl_cert      | server-cert.pem |
    | ssl_cipher    |                 |
    | ssl_crl       |                 |
    | ssl_crlpath   |                 |
    | ssl_key       | server-key.pem  |
    +---------------+-----------------+

    Step 2: Checking the Encryption Algorithm

    1. In the database, input the following command to check the encryption algorithm.
    show global variables like 'ssl_cipher';
    2. If ssl_cipher contains only ciphers from the set AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256 (any one or more of them, and nothing else), the configuration is supported. Otherwise, including when the value is empty, it is not supported and must be modified. These are the OpenSSL names of the TLS_RSA_WITH_AES_* suites listed under Feature Limits.
    dba:(none)> show global variables like 'ssl_cipher';
    +---------------+-----------------+
    | Variable_name | Value           |
    +---------------+-----------------+
    | ssl_cipher    |                 |   # Empty: needs modification.
    +---------------+-----------------+
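
The two detection steps above can be scripted. The following is an added example, not code from Tencent Cloud or from this page: it parses the table that the mysql client prints for `show global variables like '%ssl%';` and applies the page's rules (have_ssl not YES is auditable; with SSL on, ssl_cipher must be non-empty and limited to the four supported suites). The sample table is constructed from the output shown above; the names `parse_show_variables`, `evaluate` and `Verdict` are this example's own.

```python
from dataclasses import dataclass, field

# OpenSSL names of the four supported suites from this page, mapped to the
# IANA names listed under "Feature Limits".
SUPPORTED_CIPHERS = {
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# Constructed sample: the mysql client output shown on this page (SSL on,
# ssl_cipher empty), including the inline '#' annotation after the table.
SAMPLE_SHOW_SSL = """\
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |   # SSL is enabled.
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
"""


def parse_show_variables(text: str) -> dict:
    """Turn the ASCII table printed by the mysql client into {name: value}.

    Border lines (+---+) and the header row are skipped, and anything after
    a row's last '|' (such as a trailing '# ...' annotation) is ignored."""
    variables = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        body = line[: line.rfind("|") + 1]          # drop trailing annotation
        cells = [c.strip() for c in body.strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Variable_name":
            continue
        variables[cells[0]] = cells[1]
    return variables


@dataclass
class Verdict:
    auditable: bool
    reason: str
    unsupported: list = field(default_factory=list)  # offending OpenSSL names


def evaluate(variables: dict) -> Verdict:
    """Apply the page's two detection steps to the parsed variables."""
    # Step 1: without SSL the statements are visible to the audit as they are.
    if variables.get("have_ssl", "").upper() != "YES":
        return Verdict(True, "SSL is not enabled on the server")
    # Step 2: with SSL on, ssl_cipher must be limited to the supported suites.
    ciphers = [c for c in variables.get("ssl_cipher", "").split(":") if c]
    if not ciphers:
        return Verdict(False, "ssl_cipher is empty, so the server is not "
                              "limited to the supported suites; modify it")
    bad = [c for c in ciphers if c not in SUPPORTED_CIPHERS]
    if bad:
        return Verdict(False, "ssl_cipher allows suites CDS cannot audit", bad)
    names = ", ".join(SUPPORTED_CIPHERS[c] for c in ciphers)
    return Verdict(True, "ssl_cipher is limited to supported suites: " + names)


if __name__ == "__main__":
    verdict = evaluate(parse_show_variables(SAMPLE_SHOW_SSL))
    state = "auditable" if verdict.auditable else "needs modification"
    print(state, "-", verdict.reason, verdict.unsupported or "")
```

To use it against a live server, feed the script the output of `mysql -e "show global variables like '%ssl%'"`; the parser ignores the borders and the header, so the client's default table format needs no post-processing.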

    Modification Methods

    Modify the database configuration so that CDS can audit the database statements. Choose whichever of the following methods fits your situation.

    Disabling SSL Encryption

    Although SSL in MySQL enhances security, it also costs some performance, and with SSL disabled, query text and result data cross the network unencrypted. If there's no mandatory regulation requiring SSL encryption at the user's organization, consider disabling SSL encryption.
    Note:
    This method requires restarting the database.
    1. Modify the configuration file my.cnf, and add the following under [mysqld]:
    [mysqld]
    # disable_ssl
    skip_ssl
    2. Enter the following command to restart MySQL.
    service mysqld restart
    3. Use the above detection method to verify if the modification was successful.
    dba:(none)> show global variables like '%ssl%';
    +---------------+-----------------+
    | Variable_name | Value           |
    +---------------+-----------------+
    | have_openssl  | DISABLED        |
    | have_ssl      | DISABLED        |   # SSL has been disabled.
    | ssl_ca        | ca.pem          |
    | ssl_capath    |                 |
    | ssl_cert      | server-cert.pem |
    | ssl_cipher    |                 |
    | ssl_crl       |                 |
    | ssl_crlpath   |                 |
    | ssl_key       | server-key.pem  |
    +---------------+-----------------+

    Setting Encryption Algorithms

    In the configuration file, restrict the server's cipher list to the supported algorithms. This method affects all connections to the database.
    Note:
    This method requires restarting the database.
    1. Modify the configuration file my.cnf, and add the following under [mysqld]:
    [mysqld]
    # Set encryption algorithms.
    ssl_cipher="AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256"
    2. Enter the following command to restart MySQL.
    service mysqld restart
    3. Use the above detection method to verify if the modification was successful.
    dba:(none)> show global variables like 'ssl_cipher';
    +---------------+---------------------------------------------------+
    | Variable_name | Value                                             |
    +---------------+---------------------------------------------------+
    | ssl_cipher    | AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256 |
    +---------------+---------------------------------------------------+
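
Before restarting the server for either of the two server-side methods above (skip_ssl, or a restricted ssl_cipher), it helps to confirm that the edited [mysqld] group actually says what you intend. The following is an added example, not Tencent Cloud's code: it reads the [mysqld] group of a my.cnf and reports which outcome the page describes applies. The three sample files are constructed (the first two mirror the stanzas shown above); the names `parse_mysqld_group` and `classify` are this example's own.

```python
# OpenSSL names of the four suites the encryption audit supports (from this page).
SUPPORTED_CIPHERS = {"AES128-SHA", "AES256-SHA", "AES128-SHA256", "AES256-SHA256"}

# Constructed samples. The first two mirror the my.cnf stanzas on this page;
# the third is an unchanged server whose cipher list still allows other suites.
CNF_SKIP_SSL = """
[client]
socket = /var/lib/mysql/mysql.sock

[mysqld]
# disable_ssl
skip_ssl
"""

CNF_RESTRICTED = """
[mysqld]
# Set encryption algorithms.
ssl_cipher="AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256"
"""

CNF_UNCHANGED = """
[mysqld]
ssl-cipher = ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA
"""


def parse_mysqld_group(cnf_text: str) -> dict:
    """Return {option: value} for the [mysqld] group only.

    MySQL treats '-' and '_' in option names as equivalent, so names are
    normalised to '_'; a bare option such as skip_ssl maps to None; '#'
    comments and '!include' directives are ignored."""
    options, in_mysqld = {}, False
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_mysqld = line[1:-1].strip().lower() == "mysqld"
            continue
        if not in_mysqld:
            continue
        key, sep, value = line.partition("=")
        key = key.strip().replace("-", "_").lower()
        options[key] = value.strip().strip("\"'") if sep else None
    return options


def classify(options: dict) -> tuple:
    """Map the [mysqld] options to one of the page's outcomes.

    Returns (method, ciphers): method is 'ssl_disabled', 'cipher_restricted'
    or 'needs_modification'; ciphers lists the configured suites in the
    restricted case and the unsupported suites in the last case (empty when
    ssl_cipher is missing or blank, which the page also says needs a change)."""
    if "skip_ssl" in options:
        return "ssl_disabled", []
    ciphers = [c for c in (options.get("ssl_cipher") or "").split(":") if c]
    bad = [c for c in ciphers if c not in SUPPORTED_CIPHERS]
    if ciphers and not bad:
        return "cipher_restricted", ciphers
    return "needs_modification", bad


if __name__ == "__main__":
    samples = (("skip_ssl", CNF_SKIP_SSL), ("restricted", CNF_RESTRICTED),
               ("unchanged", CNF_UNCHANGED))
    for name, cnf in samples:
        print(name, "->", classify(parse_mysqld_group(cnf)))
```

Run it over the real file with `classify(parse_mysqld_group(open("/etc/my.cnf").read()))`; a `needs_modification` result with an empty list means neither skip_ssl nor an ssl_cipher line is present in the [mysqld] group.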

    Specifying Parameters when a Client Connection Is Established

    If you don't want to modify the database configuration, specify the cipher when establishing the client connection, for example:
    mysql -u root -pxxxx -h10.3.1.17 --ssl-cipher=AES128-SHA
    Note:
    This method applies only to the current connection and does not affect other connections, so every client whose statements should be audited has to connect this way.