MySQL, MariaDB, SSL – Status Shows SSL in Use Without Client Certificate

Tags: mariadb, MySQL, ssl

I want to set up SSL connections to a distant MariaDB server. I followed the instructions here. I generated the certificate for the server, restarted it, and got this:

+---------------------+-------------------------------------------------+
| Variable_name       | Value                                           |
+---------------------+-------------------------------------------------+
| have_openssl        | YES                                             |
| have_ssl            | YES                                             |
| ssl_ca              | /var/packages/MariaDB10/etc/ssl/ca-cert.pem     |
| ssl_capath          |                                                 |
| ssl_cert            | /var/packages/MariaDB10/etc/ssl/server-cert.pem |
| ssl_cipher          |                                                 |
| ssl_crl             |                                                 |
| ssl_crlpath         |                                                 |
| ssl_key             | /var/packages/MariaDB10/etc/ssl/server-key.pem  |
| version_ssl_library | OpenSSL 1.0.2r-fips  26 Feb 2019                |
+---------------------+-------------------------------------------------+

I also generated the client certificate. However, to make sure I understand the process, I proceeded step by step, and did not install them. I first changed the user settings to REQUIRE SSL. Then

mysql --user=user --password=password

fails with a

ERROR 1045 (28000): Access denied for user 'user'@'host' (using password: YES)

So far so good. However,

mysql --user=user --password=password --ssl

succeeds, even though I did not provide any client certificate. status shows

SSL:                    Cipher in use is DHE-RSA-AES256-GCM-SHA384

which, if I understand correctly, means that the connection is indeed using SSL. How is that possible, is it the expected behavior?

I am using MariaDB 10.3.

Best Answer

REQUIRE SSL only requires a TLS connection. Use REQUIRE X509 to enforce a TLS client certificate, or better, use REQUIRE SUBJECT or REQUIRE ISSUER to ensure that it is the identical certificate that matches the one issued.
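To illustrate the difference the answer describes, here is an added set of MariaDB statements (not from the question or answer) that moves the account from transport-only TLS to a pinned client certificate and then inspects what the server actually enforces. The account name, host and the two distinguished names are constructed placeholders; the DN strings must match exactly what `openssl x509 -noout -subject` / `-issuer` prints for the client certificate.

```sql
-- 1. What the question did: TLS is required, but the client never has to
--    present a certificate, so "mysql --ssl" with only a password succeeds.
ALTER USER 'user'@'host' REQUIRE SSL;

-- 2. Require any client certificate that chains to the server's ssl_ca.
--    "mysql --ssl" without --ssl-cert/--ssl-key now fails; any certificate
--    signed by the CA is accepted, regardless of which one it is.
ALTER USER 'user'@'host' REQUIRE X509;

-- 3. Pin the certificate: only a client certificate with this exact subject,
--    issued by this exact CA, is accepted for the account (constructed DNs).
ALTER USER 'user'@'host'
  REQUIRE SUBJECT '/C=XX/O=Example Org/CN=client.example.test'
  AND     ISSUER  '/C=XX/O=Example Org/CN=Example Org Root CA';

-- 4. Verify what is enforced. ssl_type is '' (nothing), 'ANY' (REQUIRE SSL),
--    'X509' (REQUIRE X509) or 'SPECIFIED' (SUBJECT/ISSUER/CIPHER pinned).
SHOW GRANTS FOR 'user'@'host';
SELECT user, host, ssl_type, x509_subject, x509_issuer
  FROM mysql.user
 WHERE user = 'user' AND host = 'host';
```

In step 4, an account still at `ssl_type = 'ANY'` is exactly the situation in the question: encrypted transport, but no proof of who the client is beyond the password.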