Debian: MariaDB + SSL

MariaDB Server is one of the most popular open source relational databases. It’s made by the original developers of MySQL and guaranteed to stay open source. It is part of most cloud offerings and the default in most Linux distributions.

It is built upon the values of performance, stability, and openness, and MariaDB Foundation ensures contributions will be accepted on technical merit. Recent new functionality includes advanced clustering with Galera Cluster 4, compatibility features with Oracle Database and Temporal Data Tables, allowing one to query the data as it stood at any point in the past.

Step 1: Install Packages

The MariaDB server package is in the default Debian and Ubuntu repositories. To install it, run

# apt install mariadb-server

Enable the service and start it. The Debian package installs the unit as mariadb.service (with mysql.service and mysqld.service as aliases), so the unit name is mariadb, not mariadb-server:

# systemctl enable mariadb
# systemctl start mariadb

Step 2: Generate Server and Client SSL Certificates

Create a private key and a CA-signed certificate for both the server and the client (the server certificate should carry the host name clients will connect to; the client certificate's subject is the identity you can later require from an account). Store them in a dedicated directory:

# mkdir /etc/mysql/ssl

Place the keys and certificates in that directory as follows. The server private key must be readable only by the mysql user (the server reads it at startup as that user), and the client private key only by the user running the client:

client private key ==> /etc/mysql/ssl/mysql-client.key
client certificate ==> /etc/mysql/ssl/mysql-client.crt
server private key ==> /etc/mysql/ssl/mysql-server.key
server certificate ==> /etc/mysql/ssl/mysql-server.crt
CA certificate     ==> /etc/ssl/certs/CA-Server.pem (the CA that issued both certificates)

Step 3: Configure MariaDB Server

In the /etc/mysql/mariadb.conf.d/50-server.cnf configuration file, set the following options in the [mysqld] section to enable network access and SSL/TLS. Two caveats: bind-address = 0.0.0.0 listens on every interface, so prefer the address of the interface remote clients actually use and restrict port 3306 with a firewall; and the ssl-* options only offer TLS, so a client can still connect in plaintext unless the server also has require_secure_transport = ON (MariaDB 10.5.2 and later; unix socket connections remain allowed) or the account was created with REQUIRE SSL. The ssl-ca file is the CA the server uses to validate client certificates, which are only checked for accounts created with REQUIRE X509, REQUIRE SUBJECT or REQUIRE ISSUER:

... 
bind-address = 0.0.0.0

...

ssl-ca      = /etc/ssl/certs/CA-Server.pem
ssl-cert    = /etc/mysql/ssl/mysql-server.crt
ssl-key     = /etc/mysql/ssl/mysql-server.key

# allow only TLSv1.2 and TLSv1.3 (tls_version is available from MariaDB 10.4.6)
tls_version = TLSv1.2,TLSv1.3

...

Step 4: Configure MariaDB Clients

In the /etc/mysql/mariadb.conf.d/50-client.cnf configuration file, set the following options in the [client] section to enable SSL/TLS for connections to the server. ssl-ca must be the CA that issued the server certificate (in this guide the same CA file the server uses), and ssl-cert/ssl-key are the client certificate and key that are presented when an account requires one. On its own, ssl-ca makes the client encrypt the connection but does not verify that the server certificate belongs to the host it connected to; for TCP connections pass --ssl-verify-server-cert as well, and connect to the host name in the certificate rather than localhost so that check can succeed:

... 

[client]
ssl-ca = /etc/ssl/certs/CA-Server.pem
ssl-cert = /etc/mysql/ssl/mysql-client.crt
ssl-key = /etc/mysql/ssl/mysql-client.key

...
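
The certificate, server and client configuration steps above, carried through end to end as an added example (this is not the page's own set of commands): a POSIX shell script that builds a private CA with OpenSSL, issues a server certificate (serverAuth, SAN set to the host name) and a client certificate (clientAuth), verifies the chain, and writes matching server and client config fragments. The CA name, the output directory, the fragment file names, the bind address and the CA location /etc/mysql/ssl/ca.crt (instead of the page's /etc/ssl/certs/CA-Server.pem) are assumptions; the key and certificate paths are the ones used in this guide. Copy the generated files to /etc/mysql/ssl and the fragments to /etc/mysql/mariadb.conf.d, and set ownership as described above.

```shell
#!/bin/sh
# Added example for this guide, not the page's own commands: build a private CA,
# issue the server and client certificates with OpenSSL, and write matching
# MariaDB config fragments. The CA name, output directory, fragment file names,
# bind address and /etc/mysql/ssl/ca.crt location are assumptions.
set -eu

# gen_mariadb_certs OUTDIR SERVER_HOSTNAME CLIENT_NAME
# Produces ca.crt, mysql-server.key/.crt and mysql-client.key/.crt in OUTDIR.
gen_mariadb_certs() {
    out=$1; server_cn=$2; client_cn=$3
    mkdir -p "$out"
    umask 077   # private keys are created mode 0600

    # Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
    cat > "$out/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Self-signed private CA; it signs both leaf certificates.
    openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$out/ca.key" -config "$out/openssl.cnf" \
        -extensions v3_ca -subj "/CN=MariaDB-Private-CA" -sha256 -days 3650 \
        -out "$out/ca.crt"

    # 2. Server certificate: serverAuth EKU and a SAN equal to the host name
    #    clients connect to, which is what --ssl-verify-server-cert checks.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$server_cn" > "$out/server.ext"
    issue_cert "$out" mysql-server "/CN=$server_cn" "$out/server.ext"

    # 3. Client certificate: clientAuth EKU; its subject is what an account
    #    created with REQUIRE SUBJECT has to match.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$out/client.ext"
    issue_cert "$out" mysql-client "/CN=$client_cn" "$out/client.ext"

    chmod 644 "$out"/*.crt          # certificates are public, keys stay 0600
    rm -f "$out"/*.csr "$out"/*.ext
}

# issue_cert OUTDIR NAME SUBJECT EXTFILE: key, CSR and CA-signed certificate.
issue_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -config "$1/openssl.cnf" -subj "$3" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$4" -out "$1/$2.crt" 2>/dev/null
}

# verify_chain OUTDIR: both leaf certificates must validate against the CA.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/mysql-server.crt" "$1/mysql-client.crt" >/dev/null
}

# write_tls_conf OUTDIR BIND_ADDRESS: server and client fragments for
# /etc/mysql/mariadb.conf.d/ (assumed names 60-tls-server.cnf / 60-tls-client.cnf).
write_tls_conf() {
    cat > "$1/60-tls-server.cnf" <<EOF
[mysqld]
# one interface, not 0.0.0.0
bind-address = $2
ssl-ca   = /etc/mysql/ssl/ca.crt
ssl-cert = /etc/mysql/ssl/mysql-server.crt
ssl-key  = /etc/mysql/ssl/mysql-server.key
tls_version = TLSv1.2,TLSv1.3
# reject plaintext TCP clients (MariaDB 10.5.2+); unix socket stays allowed
require_secure_transport = ON
EOF
    cat > "$1/60-tls-client.cnf" <<EOF
[client]
ssl-ca   = /etc/mysql/ssl/ca.crt
ssl-cert = /etc/mysql/ssl/mysql-client.crt
ssl-key  = /etc/mysql/ssl/mysql-client.key
EOF
    chmod 644 "$1"/60-tls-server.cnf "$1"/60-tls-client.cnf
}

# Usage: sh mariadb-tls.sh OUTDIR db.example.internal app-client 10.0.0.5
if [ $# -eq 4 ]; then
    gen_mariadb_certs "$1" "$2" "$3"
    verify_chain "$1" && write_tls_conf "$1" "$4" && echo "written to $1"
fi
```

The script writes its own minimal openssl.cnf so that the CA really carries CA:TRUE and the leaf certificates carry only the extensions given in the ext files, whatever the system-wide OpenSSL configuration contains. require_secure_transport in the server fragment is what turns "TLS available" into "TLS required" for TCP clients.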

Step 5: Testing Connections

One can check that the server started with TLS enabled using the following commands. Note that mysql -p with no host connects over the local unix socket rather than over the network, and that tls_version and have_ssl only show that the server is TLS-capable; whether a particular connection is actually encrypted is shown by SHOW SESSION STATUS LIKE 'Ssl_cipher' (or the STATUS command) from a TCP connection:

# mysql -p

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 9715
Server version: 10.5.12-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| tls_version   | TLSv1.2,TLSv1.3 |
+---------------+-----------------+
1 row in set (0.003 sec)

MariaDB [(none)]> show variables like '%ssl%';
+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| have_openssl        | YES                              |
| have_ssl            | YES                              |
| ssl_ca              | /etc/ssl/certs/CA-Server.pem     |
| ssl_capath          |                                  |
| ssl_cert            | /etc/mysql/ssl/mysql-server.crt  |
| ssl_cipher          |                                  |
| ssl_crl             |                                  |
| ssl_crlpath         |                                  |
| ssl_key             | /etc/mysql/ssl/mysql-server.key  |
| version_ssl_library | OpenSSL 1.1.1k  25 Mar 2021      |
+---------------------+----------------------------------+
10 rows in set (0.002 sec)

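The per-connection check described above, as an added example that is not part of the original page: a POSIX shell script that connects over TCP with server certificate verification, reads SHOW SESSION STATUS LIKE 'Ssl_%' for that connection, and fails unless TLS 1.2 or 1.3 was negotiated with a cipher. The host name and user name are assumptions, and the parsing function is exercised here with constructed status lines.

```shell
#!/bin/sh
# Added example for this guide, not the page's own commands: verify that a
# connection to the server really negotiated TLS. Host and user names are
# assumptions; the check reads SHOW SESSION STATUS, which describes the
# current connection, unlike the global tls_version/have_ssl variables.
set -eu

# check_tls_session: reads "Variable_name<TAB>Value" lines (batch output of
# SHOW SESSION STATUS LIKE 'Ssl_%') on stdin. Succeeds only if the session
# uses TLS 1.2 or 1.3 with a cipher; prints the negotiated version and cipher.
check_tls_session() {
    version=""; cipher=""
    tab=$(printf '\t')
    while IFS="$tab" read -r name value; do
        case $name in
            Ssl_version) version=$value ;;
            Ssl_cipher)  cipher=$value ;;
        esac
    done
    case $version in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: connection is not TLS 1.2/1.3 (Ssl_version='$version')" >&2; return 1 ;;
    esac
    if [ -z "$cipher" ]; then
        echo "FAIL: no cipher negotiated, connection is plaintext" >&2
        return 1
    fi
    echo "TLS ok: $version $cipher"
}

# tls_connect_check HOST USER: connect over TCP to HOST (never the unix socket,
# which mysql -p uses by default and which is not TLS), verify the server
# certificate against HOST using the configured ssl-ca, then inspect the session.
tls_connect_check() {
    mysql --protocol=TCP -h "$1" -u "$2" -p --ssl-verify-server-cert -N -B \
        -e "SHOW SESSION STATUS LIKE 'Ssl_%'" | check_tls_session
}

# Usage: sh tls-check.sh db.example.internal app-client
if [ $# -eq 2 ]; then
    tls_connect_check "$1" "$2"
fi
```

A plaintext connection reports an empty Ssl_cipher and Ssl_version, which the check treats as a failure, so the script is also a quick way to confirm that require_secure_transport or REQUIRE SSL is doing its job.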