
MySQL and encrypted connections

2006 slides by Rasmus Lerdorf

Since 5.0, MySQL natively supports encrypted connections to the database, and supposedly also supports client certificates for user authentication. Supposedly, because I never tried.

MySQL as a database performs well with the transient connections that are prevalent in two-tier deployments (mod_php, mod_perl, mod_python talking directly to the database), in which a database connection is opened for each web request and torn down at the end of it. This model does not scale so well with encryption in the mix, because every new connection must perform a full TLS/SSL handshake.

The talk given by Rasmus Lerdorf starts out with Postgres and then switches to MySQL, but the big gain at the beginning is really from dropping the TLS/SSL connection establishment overhead, not from anything else. It would be the same no matter which database is doing the work behind that channel.

For customers who needed to talk to the database over a secure channel, I always recommended a VPN tunnel (IPsec, OpenVPN or similar) and connecting in the clear through it. This not only avoids the per-connection establishment/teardown overhead, but also secures all the other administrative traffic to the server that typically does not use the MySQL protocol (backups, bulk downloads of dumps and so on).

Daniël van Eeden has been less lazy than me:

In conversation with Daniël I learned a few more things. For example, I always thought that community MySQL is linked against OpenSSL, and Enterprise MySQL uses YaSSL for license reasons, but that is a) wrong and b) a problem.

It is wrong, because apparently OpenSSL uses its own little license, and that one appears to be GPL incompatible (like just about any license that is not the GPL itself).

It’s yaSSL that’s GPL. But – yaSSL is dying, and the replacement product is WolfSSL, which is also GPL’ed, but not used by MySQL, yet.

OTOH, Daniël pointed out that current versions of xtrabackup seem to be linked against OpenSSL, which would have to be changed (or the license situation cleared up otherwise).

So – it’s complicated already at the organisational and licensing level, before you even start to dive into the tech specifics.

Anyway, Daniël is planning more articles about MySQL and encryption in his blog, so if you aren’t subscribed, do it now.
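As an added example (not from the post, and not a verbatim copy of MySQL's documentation), here are the server-side statements for the two features described above, requiring TLS and requiring client certificates, together with the status counters that show whether the full handshake is really being paid on every transient connection. Account names, hosts, passwords and certificate subjects are placeholders; `require_secure_transport` assumes MySQL 5.7.8 or later.

```sql
-- Added example: enforce TLS on the MySQL side and verify what is actually negotiated.
-- Account names, hosts, passwords and certificate subjects below are placeholders.

-- 1. Refuse plaintext TCP connections (MySQL 5.7.8+). Unix socket and shared-memory
--    connections are exempt, so local administration keeps working.
SET GLOBAL require_secure_transport = ON;

-- 2. Per-account requirements. REQUIRE SSL only demands encryption;
--    REQUIRE X509 also demands a client certificate signed by the CA in --ssl-ca;
--    SUBJECT/ISSUER pin the certificate so a leaked password alone is not enough.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'placeholder-password'
  REQUIRE X509;
CREATE USER 'backup'@'10.0.0.5' IDENTIFIED BY 'placeholder-password'
  REQUIRE SUBJECT '/CN=backup-host.example.internal'
      AND ISSUER  '/CN=Example Internal CA';

-- 3. Audit: which accounts may still log in in the clear?
--    ssl_type is '' (no requirement), 'ANY' (REQUIRE SSL), 'X509' or 'SPECIFIED'.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';

-- 4. From an application session: is THIS connection encrypted?
--    Ssl_cipher is an empty string on a plaintext connection.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- 5. Is the per-request handshake cost described above really paid every time?
--    Ssl_accepts counts handshakes, Ssl_sessions_reused counts resumed sessions.
--    With transient connections and no session reuse, the second stays near zero.
SHOW GLOBAL STATUS LIKE 'Ssl_accepts';
SHOW GLOBAL STATUS LIKE 'Ssl_sessions_reused';
SHOW GLOBAL STATUS LIKE 'Ssl_session_cache_hits';
```

Step 5 is the check to run before deciding between per-connection TLS and a VPN: a high Ssl_accepts with Ssl_sessions_reused stuck at zero means every request is paying for a full handshake.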

Published in: Hackerterrorcybercyber, MySQL

2 Comments

  1. The issue with XtraBackup:
    https://bugs.launchpad.net/percona-xtrabackup/+bug/1668224

    There is a patch which replaces YaSSL with WolfSSL
    https://github.com/wolfSSL/mysql-patch

    About TLS Performance:
    The server already supports TLS session tickets, it’s up to the client to use those or not.
    http://databaseblog.myname.nl/2016/01/the-performance-of-tls-with-mysql.html
    https://bugs.mysql.com/bug.php?id=76921 Bug #76921 Resume SSL / TLS sessions (use TLS tickets)
