6.4.6 Encrypted Connection Protocols and Ciphers
To determine which encryption protocol and cipher are in use for an encrypted connection, check the values of the Ssl_version and Ssl_cipher status variables (SHOW SESSION STATUS LIKE 'Ssl_version' and SHOW SESSION STATUS LIKE 'Ssl_cipher'):
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| Ssl_version   | TLSv1 |
+---------------+-------+
+---------------+---------------------------+
| Variable_name | Value                     |
+---------------+---------------------------+
| Ssl_cipher    | DHE-RSA-AES128-GCM-SHA256 |
+---------------+---------------------------+
If the connection is not encrypted, both variables have an empty value.
MySQL supports encrypted connections using the TLSv1, TLSv1.1, and TLSv1.2 protocols. (That is the state of the manual version reproduced here; later MySQL releases added TLSv1.3 and then removed support for TLSv1 and TLSv1.1, both of which are deprecated industry-wide, so treat those two as legacy protocols to disable wherever your clients allow it.)
The value of the tls_version system variable determines which protocols the server is permitted to use from those that are available. The tls_version value is a comma-separated list containing one or more of these protocols (not case-sensitive): TLSv1, TLSv1.1, TLSv1.2. By default, this variable lists all protocols supported by the SSL library used to compile MySQL. To determine the value of tls_version at runtime, check the variable (SHOW GLOBAL VARIABLES LIKE 'tls_version'):
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
+---------------+-----------------------+
To change the value of tls_version, set it at server startup. For example, to prohibit connections that use the less-secure TLSv1 protocol, use these lines in the server my.cnf file:
[mysqld]
tls_version=TLSv1.1,TLSv1.2
To be even more restrictive and permit only TLSv1.2 connections, set tls_version like this:
[mysqld]
tls_version=TLSv1.2
Because the variable is read at startup, the change takes effect only after a server restart; confirm the running value afterwards with SHOW GLOBAL VARIABLES LIKE 'tls_version' before assuming the old protocols are gone.
For client programs, the --tls-version option enables specifying the TLS protocols permitted per client invocation. The value format is the same as for tls_version.
By default, MySQL attempts to use the highest TLS protocol version available, depending on which SSL library was used to compile the server and client, which key size is used, and whether the server or client are restricted from using some protocols (for example, by means of tls_version/--tls-version):
- TLSv1.2 is used if possible. TLSv1.2 does not work with all ciphers when the certificate's RSA key is 512 bits or less. To use this protocol with such a key, use --ssl-cipher to specify the cipher name explicitly, choosing from: AES128-SHA, AES128-SHA256, AES256-SHA, AES256-SHA256, CAMELLIA128-SHA, CAMELLIA256-SHA, DES-CBC3-SHA, DHE-RSA-AES256-SHA, RC4-MD5, RC4-SHA, SEED-SHA. Note that RC4-MD5 and RC4-SHA fall under the permanent cipher restrictions listed later in this section, so a server that applies those restrictions cannot negotiate them, and that a 512-bit RSA key is insecure regardless of the cipher chosen.
- For better security, use a certificate with an RSA key size of at least 2048 bits.
If the server and client protocol capabilities have no protocol in common, the server terminates the connection request. For example, if the server is configured with tls_version=TLSv1.1,TLSv1.2, connection attempts will fail for clients invoked with --tls-version=TLSv1, and for older clients that do not support the --tls-version option and implicitly support only TLSv1.
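The negotiation rules above (the highest protocol both sides permit is used; no common protocol means the server refuses the request; a client too old to have --tls-version counts as TLSv1 only) are easy to get wrong when planning a tls_version change across a fleet of clients. The following is an added example, not MySQL's own code: it models exactly those rules, including the case-insensitive, comma-separated value format, and reports which clients in a constructed inventory would still connect under a candidate server setting. The function names and the client inventory are this example's own.

```python
"""Model of the tls_version / --tls-version negotiation described above.

Added example, not MySQL code. Only the rules stated on this page are
modelled: each side's list is comma-separated and case-insensitive, the
highest protocol both sides permit is used, the server terminates the
request when there is no protocol in common, and a client too old to have
--tls-version counts as "TLSv1 only".
"""

# Protocols this section covers, oldest first (the index is the rank).
SUPPORTED = ("TLSv1", "TLSv1.1", "TLSv1.2")
_CANONICAL = {p.lower(): p for p in SUPPORTED}


def parse_tls_version(value):
    """Parse a tls_version or --tls-version value into canonical names,
    newest first. Duplicates and blanks are ignored; an unknown name raises
    ValueError (assumption: treat bad input as an error rather than guess
    what a given MySQL build would do with it)."""
    found = set()
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        canonical = _CANONICAL.get(token.lower())
        if canonical is None:
            raise ValueError(f"unknown TLS protocol name: {token!r}")
        found.add(canonical)
    if not found:
        raise ValueError("tls_version must list at least one protocol")
    return sorted(found, key=SUPPORTED.index, reverse=True)


def negotiate(server_tls_version, client_tls_version=None):
    """Return the protocol a session would use, or None when the server
    would terminate the connection request.

    client_tls_version=None models an older client program that has no
    --tls-version option and implicitly supports only TLSv1.
    """
    server = set(parse_tls_version(server_tls_version))
    if client_tls_version is None:
        client = {"TLSv1"}
    else:
        client = set(parse_tls_version(client_tls_version))
    common = server & client
    if not common:
        return None
    # Both sides prefer the highest version they share.
    return max(common, key=SUPPORTED.index)


def hardening_report(server_tls_version, clients):
    """For a candidate server setting, map each client (name -> its
    --tls-version value, or None for pre---tls-version clients) to the
    protocol it would get, or None if it would be refused."""
    return {name: negotiate(server_tls_version, value)
            for name, value in clients.items()}


if __name__ == "__main__":
    # Constructed client inventory, not real data.
    clients = {
        "new-app": "TLSv1,TLSv1.1,TLSv1.2",
        "pinned-1.1": "tlsv1.1",
        "legacy-cron": None,
    }
    for setting in ("TLSv1,TLSv1.1,TLSv1.2", "TLSv1.1,TLSv1.2", "TLSv1.2"):
        print(f"tls_version={setting}")
        for name, result in hardening_report(setting, clients).items():
            print(f"  {name:12s} -> {result or 'connection refused'}")
```

Run it before tightening tls_version: any client that maps to "connection refused" under the candidate setting needs upgrading or an explicit --tls-version first, otherwise the change locks it out.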
MySQL permits specifying a list of protocols to support. This list is passed directly to the underlying SSL library, and it is ultimately up to that library which protocols it actually enables from the supplied list. Refer to the MySQL source code and to the SSL library's documentation for how the library handles this; for OpenSSL, see the SSL_CTX_new documentation.
To determine which ciphers a given server supports, check the value of the Ssl_cipher_list status variable (SHOW SESSION STATUS LIKE 'Ssl_cipher_list'). The order of the ciphers that MySQL passes to the SSL library is significant: more secure ciphers come first in the list, and the first cipher that the server certificate can support (and that the client also offers) is selected.
MySQL passes this cipher list to the SSL library:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-RSA-AES128-SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
DH-DSS-AES128-GCM-SHA256
ECDH-ECDSA-AES128-GCM-SHA256
AES256-GCM-SHA384
DH-DSS-AES256-GCM-SHA384
ECDH-ECDSA-AES256-GCM-SHA384
AES128-SHA256
DH-DSS-AES128-SHA256
ECDH-ECDSA-AES128-SHA256
AES256-SHA256
DH-DSS-AES256-SHA256
ECDH-ECDSA-AES256-SHA384
AES128-SHA
DH-DSS-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES256-SHA
DH-DSS-AES256-SHA
ECDH-ECDSA-AES256-SHA
DHE-RSA-AES256-GCM-SHA384
DH-RSA-AES128-GCM-SHA256
ECDH-RSA-AES128-GCM-SHA256
DH-RSA-AES256-GCM-SHA384
ECDH-RSA-AES256-GCM-SHA384
DH-RSA-AES128-SHA256
ECDH-RSA-AES128-SHA256
DH-RSA-AES256-SHA256
ECDH-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-RSA-AES128-SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
DHE-RSA-AES256-SHA
AES128-SHA
DH-DSS-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES256-SHA
DH-DSS-AES256-SHA
ECDH-ECDSA-AES256-SHA
DH-RSA-AES128-SHA
ECDH-RSA-AES128-SHA
DH-RSA-AES256-SHA
ECDH-RSA-AES256-SHA
DES-CBC3-SHA
These cipher restrictions are in place:
The following ciphers are permanently restricted:
!DHE-DSS-DES-CBC3-SHA !DHE-RSA-DES-CBC3-SHA !ECDH-RSA-DES-CBC3-SHA !ECDH-ECDSA-DES-CBC3-SHA !ECDHE-RSA-DES-CBC3-SHA !ECDHE-ECDSA-DES-CBC3-SHA
The following categories of ciphers are permanently restricted:
!aNULL !eNULL !EXPORT !LOW !MD5 !DES !RC2 !RC4 !PSK !SSLv3
If the server is started using a compatible certificate that uses any of the preceding restricted ciphers or cipher categories, the server starts with support for encrypted connections disabled.
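Two practical questions follow from the ordered list and the restrictions above: which suite a given server certificate will actually end up with, and whether a cipher observed in Ssl_cipher on a live session is one the restrictions should have excluded. The following is an added example, not MySQL's or OpenSSL's code. The restriction tokens are copied from the page and an excerpt of the page's cipher order is embedded in the page's order. The name-based parsing of OpenSSL cipher names (which certificate key type a suite needs, which restricted category a name falls in) is this example's own approximation of OpenSSL's cipher-string rules; !LOW and !SSLv3 depend on the library's own tables and are deliberately not modelled. Because the library decides what it enables, the authoritative check remains feeding the string that cipher_string() builds to `openssl ciphers -v`.

```python
"""Helpers for MySQL's cipher order and permanent restrictions (added
example, not MySQL or OpenSSL code; name parsing is an approximation)."""
import re

# Permanent restrictions, verbatim from the page.
RESTRICTED_SUITES = [
    "!DHE-DSS-DES-CBC3-SHA", "!DHE-RSA-DES-CBC3-SHA",
    "!ECDH-RSA-DES-CBC3-SHA", "!ECDH-ECDSA-DES-CBC3-SHA",
    "!ECDHE-RSA-DES-CBC3-SHA", "!ECDHE-ECDSA-DES-CBC3-SHA",
]
RESTRICTED_CATEGORIES = ["!aNULL", "!eNULL", "!EXPORT", "!LOW", "!MD5",
                         "!DES", "!RC2", "!RC4", "!PSK", "!SSLv3"]

# Excerpt of the page's ordered list (head plus tail), in the page's order.
CIPHER_ORDER = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "AES128-GCM-SHA256",
    "AES128-SHA", "DES-CBC3-SHA",
]


def cipher_string(order=CIPHER_ORDER):
    """Cipher string in the form MySQL hands to the SSL library: ordered
    suites, then the restrictions. Feed it to `openssl ciphers -v` to see
    what your library actually enables."""
    return ":".join(list(order) + RESTRICTED_SUITES + RESTRICTED_CATEGORIES)


def auth_type(name):
    """Key type the server certificate must hold for `name` to be usable:
    'ECDSA', 'RSA', 'DSS', or 'NONE' for suites that need no certificate.
    Name heuristic (IANA TLS_..._WITH_... names are normalised first)."""
    n = name.upper().replace("_", "-")
    if n.startswith("TLS-"):
        n = n[4:]
    if n.startswith(("ADH-", "AECDH-", "PSK-")):
        return "NONE"                    # anonymous DH or pre-shared key
    m = re.match(r"^(?:ECDHE|ECDH|DHE|EDH|DH)-(ECDSA|RSA|DSS)-", n)
    if m:
        return m.group(1)
    return "RSA"                         # static RSA key exchange, e.g. AES128-SHA


def first_usable_cipher(cert_key_type, order=CIPHER_ORDER):
    """First suite in MySQL's order that the server certificate can serve
    (the rule stated above). Ignores the client's offer and the protocol."""
    for name in order:
        if auth_type(name) == cert_key_type.upper():
            return name
    return None


# Name patterns for the restricted categories a name reveals; !LOW and
# !SSLv3 come from the library's strength/protocol tables, not the name.
_CATEGORY_PATTERNS = [
    ("!aNULL", r"^(ADH|AECDH)-"),
    ("!eNULL", r"^NULL-|-NULL-"),
    ("!EXPORT", r"^EXP(1024)?-"),
    ("!MD5", r"-MD5$"),
    ("!DES", r"(^|-)DES-CBC-"),          # single DES only; 3DES is DES-CBC3
    ("!RC2", r"RC2-"),
    ("!RC4", r"RC4-"),
    ("!PSK", r"PSK-"),
]


def restricted_reason(name):
    """Restriction token that excludes `name`, or None when this name-based
    model finds nothing (confirm with `openssl ciphers -v`)."""
    if "!" + name in RESTRICTED_SUITES:
        return "!" + name
    for token, pattern in _CATEGORY_PATTERNS:
        if re.search(pattern, name):
            return token
    return None


def classify_session(ssl_version, ssl_cipher):
    """Classify one session from its Ssl_version and Ssl_cipher values;
    both empty means the connection is not encrypted (stated above)."""
    if not ssl_version and not ssl_cipher:
        return "plaintext"
    reason = restricted_reason(ssl_cipher)
    return f"weak cipher ({reason})" if reason else "encrypted"


if __name__ == "__main__":
    for key in ("RSA", "ECDSA", "DSS"):
        print(f"{key:5s} certificate -> {first_usable_cipher(key)}")
    # Constructed status values, shaped like SHOW SESSION STATUS output.
    for ver, cipher in (("", ""), ("TLSv1", "RC4-MD5"),
                        ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")):
        print(f"{ver or '-':8s} {cipher or '-':32s} {classify_session(ver, cipher)}")
```

With the RSA certificate most deployments use, the first usable entry is the third in the list, not the first, which is why an Ssl_cipher of ECDHE-RSA-AES128-GCM-SHA256 on a fresh session is the expected result rather than a sign of a downgrade. A session that reports a cipher classify_session() flags as weak is worth investigating even when the server is current, since the page's own 512-bit note shows clients can still name such ciphers explicitly with --ssl-cipher.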
Document created on 26/06/2006, last modified on 26/10/2018
Source of the printed document: https://www.gaudry.be/mysql-rf-encrypted-connection-protocols-ciphers.html
Infobrol is a personal site whose content is the responsibility of its author alone. The text is made available under the Creative Commons (BY-NC-SA) licence. More information on the terms of use and on the author.