First of all, my English is really bad, so sorry for my English mistakes.
I have MariaDB 10.2.15. I installed SSL, and it's working fine, but I can't force users to use SSL.
my.cnf:
[mysqld]
ssl
ssl-ca=/etc/mariadb/ssl/ca.pem
ssl-cert=/etc/mariadb/ssl/server-cert.pem
ssl-key=/etc/mariadb/ssl/server-key.pem
ssl-cipher = AES128+EECDH:AES128+EDH
ssl variables:
+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| have_openssl        | YES                              |
| have_ssl            | YES                              |
| ssl_ca              | /etc/mariadb/ssl/ca.pem          |
| ssl_capath          |                                  |
| ssl_cert            | /etc/mariadb/ssl/server-cert.pem |
| ssl_cipher          | AES128+EECDH:AES128+EDH          |
| ssl_crl             |                                  |
| ssl_crlpath         |                                  |
| ssl_key             | /etc/mariadb/ssl/server-key.pem  |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013  |
+---------------------+----------------------------------+
I found this variable: require_secure_transport, and I also found this:
"MySQL-only variable determining whether client to server connections need to be secure."
So, can I do anything else? Because now, the users can connect without SSL. I feel it's really unnecessary without forcing.
UPDATE for clarity:
SHOW GRANTS:
GRANT ALL PRIVILEGES ON *.* TO 'denes'@'%' IDENTIFIED BY PASSWORD '*SOMETHINGPASSWORD' REQUIRE SSL WITH GRANT OPTION
And I can still log in to MariaDB over TCP without SSL.
Best Answer
REQUIRE SSL grant option on users is what you need. It works for me as intended: you can see how Workbench works with SSL, but fails to connect if I force it to not use SSL.
require_secure_transport is MySQL 5.7+ only, and while it has something to do with forcing TLS, it also considers secure local unencrypted connections.
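
Added example, not part of the original question or answer: one way to audit and verify per-account TLS enforcement on MariaDB 10.2 from an administrative session, using the 'denes'@'%' account shown in the question. It assumes read access to mysql.user; the idea of checking for a second matching account is a general diagnostic, not a diagnosis of the asker's setup.

```sql
-- 1. Audit: list accounts that carry no TLS requirement.
--    ssl_type is '' when no REQUIRE clause is set; otherwise it is
--    'ANY' (REQUIRE SSL), 'X509' or 'SPECIFIED'.
SELECT User, Host, ssl_type
FROM mysql.user
WHERE ssl_type = ''
ORDER BY User, Host;

-- 2. Check for more than one row matching the same user name.
--    A login may be matched to a more specific Host entry (for example
--    'localhost') that has no REQUIRE SSL, even though the '%' row does.
SELECT User, Host, ssl_type
FROM mysql.user
WHERE User IN ('denes', '')   -- '' is the anonymous account
ORDER BY Host;

-- 3. Enforce TLS on an existing account without touching its privileges
--    (ALTER USER is available from MariaDB 10.2).
ALTER USER 'denes'@'%' REQUIRE SSL;

-- 4. Confirm the requirement is recorded on the account.
SHOW GRANTS FOR 'denes'@'%';

-- 5. Run these from the client session being tested.
--    CURRENT_USER() shows which account row actually authenticated the
--    session; USER() shows what the client asked for.
SELECT USER(), CURRENT_USER();

--    Ssl_cipher is empty on an unencrypted connection and names the
--    negotiated cipher on a TLS connection.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';
```

If step 5 shows an empty Ssl_cipher, compare CURRENT_USER() against the rows from step 2 to see which account the session was authenticated as.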