As noted in an earlier post, MySQL Server 5.7 prefers and enables SSL/TLS connections by default. That’s great and useful progress towards secure connections, but we know that not all SSL/TLS ciphers are created equal – some are older and more vulnerable. Furthermore, some recent vulnerabilities rely on the ability to negotiate less-secure ciphers during the handshake. Monitoring which ciphers are used can help identify connections using low-grade ciphers, but also to build an appropriate restricted cipher list. Using improvements to
PERFORMANCE_SCHEMA introduced in 5.7, you can now easily do this – and this post will show you how.
Continue reading Practical P_S: Which TLS ciphers are connections using?
Complimenting the expanded
CREATE USER syntax introduced in MySQL Server 5.7.6 is more useful
ALTER USER syntax. Before MySQL Server 5.7.6,
ALTER USER could only be used to expire a user’s password. That’s pretty limited. With changes made in MySQL Server 5.7.6, a better distinction is made between privilege-level attributes (those which are managed via
REVOKE statements) and account-level attributes (those managed using
CREATE USER and
ALTER USER statements). MySQL has a long history of confusing these – for example, requiring a
GRANT command to set account resource limits or require SSL. This all changes for the better in MySQL Server 5.7 – here’s how: Continue reading Improved ALTER USER syntax support in 5.7
As I wrote earlier, we want the default experience in MySQL 5.7 to be secure by default. Part of this includes securing connections by automatically creating key material and using TLS for connections where possible. This may have some significant implications for third-party software – especially products which depend upon capturing, evaluating and/or redirecting client/server traffic at the network level. This blog post is intended to highlight for developers and users of such products potential issues they may want to consider or address during the pre-GA period for MySQL Server 5.7. Continue reading Implications of TLS plans for third-party products
MySQL 5.7 aims to be the most secure MySQL Server release ever, and that means some significant changes in SSL/TLS. This post aims to tie together individual enhancements introduced over the span of several Development Milestone Releases (DMRs) into the larger initiative. In the simplest terms, we hope to have a minimal TLS configuration enabled by default, and for connections to prefer TLS by default. Let’s dig into the various aspects of this:
Continue reading SSL/TLS in MySQL 5.7
Prior to MySQL 5.7, the
CREATE USER command had a number of limitations:
- No way to set both authentication plugin and password
- No way to disable a user
- No way to define user resource limitations
- No way to set a non-default password expiration policy
- No way to require SSL/x509
All of these things could be done through other means, but typically involved other statements, such as
GRANT commands. Starting with MySQL 5.7.6, these can all be done through a new and improved
CREATE USER syntax:
Continue reading Building a better CREATE USER command
MySQL has provided support for proxy users since version 5.5, but the roles-like capabilities offered have been largely unnoticed until recently. Part of that has been due to limitations on which types of accounts could leverage proxy user capabilities. This changes with the release of MySQL Server 5.7.7 (Release Candidate), which includes support for proxy user mapping for the standard mysql_native_password and sha256_password authentication plugins. This post will introduce the new functionality and explain how to leverage it to emulate certain features of roles without any need for PAM or external authentication systems.
Continue reading Emulating roles with expanded proxy user support in 5.7.7
A series of related discussions triggered by difficulty in setting passwords via scripts using the mysql command-line client when an account has an expired password caused me to look into the interaction between expired passwords and batch mode, and this blog post resulted. I hope it’s a useful explanation of the behavior and the workaround to those troubled by it, and amplifies the excellent documentation in the user manual. Continue reading Batch mode and expired passwords
[UPDATE: Please see related post regarding oCERT assessment 2015-003.]
MySQL clients have long had a –ssl option. Casual users may think specifying this option will cause clients to secure connections using SSL. That is not the case: Continue reading Redefining –ssl option
I’ve previously noted my wish to have a comprehensive password policy in MySQL Server. MySQL Server 5.7.4 takes a significant step towards this goal by adding native support for enforcing password lifetime policy. This complements the validate_password plugin introduced in MySQL Server 5.6, which helps ensure adequate password complexity, and builds on the password expiration mechanism also introduced in MySQL Server 5.6. This new feature has a new documentation page, and is covered in the MySQL Server 5.7.4 change logs, which state:
MySQL now enables database administrators to establish a policy for automatic password expiration: Any user who connects to the server using an account for which the password is past its permitted lifetime must change the password.
Good stuff – let’s look at it in some detail. Continue reading Password expiration policy in MySQL Server 5.7
Joro wrote recently about MySQL 5.6.17‘s new support for AES-256 encryption, and it’s a great improvement for people need to encrypt their data at rest. The new session block_encryption_mode variable controls what variant of AES is used, and for backwards compatibility, the default behavior remains 128-bit key length with ECB block cipher mode. If you’re happy with that level of encryption, nothing changes – your existing code will work the same on 5.6.17 as it has on earlier versions (note that users of statement-based replication will experience new warnings). There are good examples of how to use the new functionality in the updated public test cases, but this blog post is intended to help orient users to the new options as well.