server: SSL/TLS support #3716

Merged
merged 52 commits into from Sep 7, 2017

4 participants
breeswish (Member) commented Jul 11, 2017

As requested in #882

  • Support SSL connection

  • Check compatibility with old MySQL clients

    • mysql-client 5.5 & 5.6:

      working (negotiates TLS 1.0 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)

      mysql -u root --host 127.0.0.1 --port 4000 --ssl-mode=REQUIRED --ssl-cipher=ECDHE-RSA-AES256-SHA
      
    • mysql-client 5.7:

      working (negotiates TLS 1.2 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)

      mysql -u root --host 127.0.0.1 --port 4000 --ssl-mode=REQUIRED
      
  • Check compatibility with popular MySQL drivers

    • Navicat 11.1:

      working (negotiates TLS 1.0 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)

    • php5.6-mysqli:

      working (negotiates TLS 1.0 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)

  • Confirm SSL fallback is working

  • Confirm behavior when handshake fails

  • Support SSL client authentication

  • Confirm SSL server authentication is working

  • Provide SSL related system variables

    • ssl_ca
    • ssl_cert
    • ssl_cipher
    • ssl_key
    • have_ssl (have_openssl)
    • tls_version
  • Provide SSL related status variables

    • Ssl_cipher
    • Ssl_cipher_list
    • Ssl_version

Features that won't be implemented currently:

  • Support password-protected private key
  • Allow enforcing specific user to connect with SSL only (ref)

Usage

1. Generate RSA Key-pairs

mysql_ssl_rsa_setup --datadir=certs

2. Start Server with TLS Enabled

./bin/tidb-server --ssl-cert=certs/server-cert.pem --ssl-key=certs/server-key.pem

Optionally, the path to a CA cert can be specified so that the server will do client verification, as MySQL does:

./bin/tidb-server --ssl-cert=certs/server-cert.pem --ssl-key=certs/server-key.pem --ssl-ca=certs/ca.pem

3. Connect from mysql-client via TLS

Basic:

mysql -u root --host 127.0.0.1 --port 4000 --ssl-mode=REQUIRED

To enable server identity verification (CA must be specified at server side):

mysql -u root --host 127.0.0.1 --port 4000 --ssl-cert=certs/client-cert.pem --ssl-key=certs/client-key.pem --ssl-ca=certs/ca.pem --ssl-mode=VERIFY_IDENTITY

4. Check Connection

When connecting via a normal connection:

Notice: TLS is enabled by default for mysql-client >= 5.7, thus ssl-mode=DISABLED is given.

mysql -u root --host 127.0.0.1 --port 4000 --ssl-mode=DISABLED

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.18, for osx10.10 (x86_64) using  EditLine wrapper

Connection id:		3
Current database:	
Current user:		root@127.0.0.1
SSL:			Not in use
Current pager:		less
Using outfile:		''
Using delimiter:	;
Server version:		5.7.1-TiDB-1.0 MySQL Community Server (Apache License 2.0)
Protocol version:	10
Connection:		127.0.0.1 via TCP/IP
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	latin1
Conn.  characterset:	latin1
TCP port:		4000
--------------

mysql> show status like "%Ssl%";
+-----------------+-------+
| Variable_name   | Value |
+-----------------+-------+
| Ssl_version     |       |
| Ssl_cipher      |       |
| Ssl_cipher_list |       |
| Ssl_verify_mode | 0     |
+-----------------+-------+
4 rows in set (0.00 sec)

When connecting via TLS:

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.18, for osx10.10 (x86_64) using  EditLine wrapper

Connection id:		2
Current database:	
Current user:		root@127.0.0.1
SSL:			Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:		less
Using outfile:		''
Using delimiter:	;
Server version:		5.7.1-TiDB-1.0 MySQL Community Server (Apache License 2.0)
Protocol version:	10
Connection:		127.0.0.1 via TCP/IP
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	latin1
Conn.  characterset:	latin1
TCP port:		4000
--------------

mysql> show status like "%Ssl%";
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Variable_name   | Value                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Ssl_verify_mode | 5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| Ssl_version     | TLSv1.2                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| Ssl_cipher      | ECDHE-RSA-AES128-GCM-SHA256                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| Ssl_cipher_list | RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA:AES128-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305: |
+-----------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
4 rows in set (0.00 sec)

Related Docs Update

pingcap/docs#147

pingcap/docs-cn#219
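The four connection cases that the Usage and Check Connection steps above walk through by hand, replayed in Go against an in-process server. This is an added example, not code from this PR or from TiDB: it assumes only the server-side semantics the description states (a CA given to the server turns on client-certificate verification; without one the server encrypts but authenticates nobody), generates throwaway self-signed certificates in memory in place of the mysql_ssl_rsa_setup files, and the names serverConfig, issue, handshake, Outcome and Scenarios are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts on environment failures (key generation, listening); TLS outcomes are returned, not panicked.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// serverConfig is the server-side tls.Config the PR's flags imply (an illustration, not TiDB's code):
// --ssl-cert/--ssl-key alone encrypt without authenticating the client; adding --ssl-ca makes the
// server require and verify a client certificate, as MySQL does.
func serverConfig(cert tls.Certificate, clientCA *x509.CertPool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	if clientCA != nil {
		cfg.ClientCAs, cfg.ClientAuth = clientCA, tls.RequireAndVerifyClientCert
	}
	return cfg
}

// issue mints an RSA key and certificate (self-signed when parent is nil): throwaway in-memory
// stand-ins for the PEM files mysql_ssl_rsa_setup writes.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the page connects with --host 127.0.0.1
		IsCA:         isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Outcome is one connection attempt as the client sees it; Version and Cipher are the facts that
// `\s` and SHOW STATUS LIKE '%Ssl%' report as Ssl_version and Ssl_cipher.
type Outcome struct {
	Version uint16 // e.g. tls.VersionTLS12
	Cipher  string // IANA name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	Err     error  // non-nil when either side aborted the handshake
}

// handshake performs one TLS handshake over loopback TCP between the given server and client configs.
func handshake(srv, cli *tls.Config) Outcome {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // accept one connection and drive the server side of the handshake
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		srvErr <- err
	}()
	cc, cliErr := tls.Dial("tcp", ln.Addr().String(), cli)
	// Either side may abort: the server over a missing/untrusted client cert, the client over an untrusted server cert.
	if err := errors.Join(<-srvErr, cliErr); err != nil {
		return Outcome{Err: err}
	}
	defer cc.Close()
	st := cc.ConnectionState()
	return Outcome{st.Version, tls.CipherSuiteName(st.CipherSuite), nil}
}

// Scenarios replays the page's connection cases: REQUIRED against a server without --ssl-ca (encrypted,
// nobody authenticated); VERIFY_IDENTITY with a client cert against a server started with --ssl-ca; and
// two handshakes that must fail: no client cert offered to that server, and a client trusting no CA.
func Scenarios() map[string]Outcome {
	ca, caKey := issue("test-ca", true, nil, nil)
	srvCert, srvKey := issue("tidb-server", false, ca, caKey)
	cliCert, cliKey := issue("tidb-client", false, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvTLS := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	cliTLS := tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	// Pin what mysql-client 5.7 negotiated in the PR: TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256.
	base := &tls.Config{MaxVersion: tls.VersionTLS12, ServerName: "127.0.0.1",
		CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}}
	required, verify, noCert, untrusted := base.Clone(), base.Clone(), base.Clone(), base.Clone()
	required.InsecureSkipVerify = true // REQUIRED encrypts but never checks who the server is
	verify.RootCAs, verify.Certificates = pool, []tls.Certificate{cliTLS}
	noCert.RootCAs = pool
	untrusted.RootCAs = x509.NewCertPool() // empty pool: no issuer is trusted
	return map[string]Outcome{
		"required":         handshake(serverConfig(srvTLS, nil), required),
		"verify_identity":  handshake(serverConfig(srvTLS, pool), verify),
		"no_client_cert":   handshake(serverConfig(srvTLS, pool), noCert),
		"untrusted_server": handshake(serverConfig(srvTLS, nil), untrusted),
	}
}

func main() { fmt.Printf("%+v\n", Scenarios()) }
```

Two things worth reading off the results. The `required` case succeeds with no CA anywhere, which is exactly what `--ssl-mode=REQUIRED` buys: protection against passive eavesdropping and nothing more; what makes the mysql client check who it is talking to is `--ssl-ca` plus `VERIFY_CA` or `VERIFY_IDENTITY` on the client side, while `--ssl-ca` on the server side governs verification of client certificates. And the example pins TLS 1.2 deliberately: the Ssl_cipher_list shown above still offers RC4 and 3DES suites and the server accepts TLS 1.0 for mysql-client 5.5/5.6, but RC4 is prohibited in TLS by RFC 7465 and TLS 1.0/1.1 were deprecated by RFC 8996, so in a deployment that no longer has those old clients the minimum version and the cipher list should be raised accordingly.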

@breeswish breeswish requested a review from shenli Jul 11, 2017

@breeswish breeswish self-assigned this Jul 11, 2017

@breeswish breeswish changed the title from [WIP] server: SSL/TLS support to server: SSL/TLS support Jul 18, 2017

breeswish (Member) commented Jul 18, 2017

breeswish added some commits Jul 18, 2017

breeswish (Member) commented Jul 20, 2017

Outdated review threads on: ddl/stat.go, ddl/ddl.go, server/conn.go, sessionctx/variable/statusvar.go
"Ssl_version": {ScopeGlobal | ScopeSession, ""},
}
type defaultStatusStat struct {

tiancaiamao (Contributor) Jul 27, 2017

Why create a new StatusStat type rather than use the original code?

breeswish (Member) Jul 27, 2017

Our status variable package accepts multiple Stats. This piece of code creates a Stats so that its status variable can be shown. The status variable package itself does not contain built-in status variables.

Outdated review threads on: tidb-server/main.go, server/server.go
breeswish (Member) commented Aug 24, 2017

TLS test cases are added as well. @shenli PTAL

breeswish (Member) commented Aug 30, 2017

breeswish (Member) commented Sep 5, 2017

@coocood PTAL

Outdated review threads on: server/conn.go, server/packetio.go

breeswish added some commits Sep 6, 2017

breeswish (Member) commented Sep 6, 2017

@coocood Updated, PTAL

breeswish (Member) commented Sep 6, 2017

/ok-to-test

breeswish added some commits Sep 7, 2017

coocood (Member) approved these changes Sep 7, 2017

LGTM

@coocood coocood added the status/LGT2 label Sep 7, 2017

coocood (Member) commented Sep 7, 2017

/run-all-test

@breeswish breeswish merged commit 31a48f8 into master Sep 7, 2017

3 of 4 checks passed

continuous-integration/travis-ci/pr: The Travis CI build is in progress
ci/circleci: Your tests passed on CircleCI!
jenkins-ci-tidb/build: Jenkins job succeeded.
license/cla: Contributor License Agreement is signed.

@breeswish breeswish deleted the wenxuan/ssl-connection branch Sep 7, 2017

lamxTyler added a commit that referenced this pull request Sep 7, 2017

mccxj added a commit to mccxj/tidb that referenced this pull request Sep 7, 2017
