[MXS-86] Client Side SSL Requirements - Jira

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.2.0
Component/s: Documentation
Labels:
None

Epic Link:
MaxScale 1.2 Features

Description

MaxScale should support mysql and mariadb client to connect over SSL as supported by standard MySQL/MariaDB protocol.

In MaxScale.cnf, MaxScale needs to support three additional options for each listener that uses MySQL Client protocol
ssl_CA_cert: CA certificate file in PEM format
ssl_client_cert: client certificate file in PEM format
ssl_client_key: client public key file in PEM format

When a client connects to MaxScale on a listener using connection string that have "--ssl-ca=ca-cert.pem --ssl-key=client-key.pem --ssl-cert=client-cert.pem" options,
For a connection using SSL, following should be the hand shake process upon connection

Client connects to a MaxScale on a listener that is configured for with SSL.
MaxScale sends a copy of its SSL Certificate, including the MaxScale's public key.
Client checks the certificate and if it trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the MaxScale's public key.
MaxScale decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
MaxScale and Client now encrypt all transmitted data with the session key.

How MySQL does the handshake is here http://dev.mysql.com/doc/internals/en/initial-handshake.html

Attachments

Activity

People

Assignee:: Dipti Joshi (Inactive)

Reporter:: Dipti Joshi (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2015-04-06 03:45

Updated:: 2015-06-09 17:18

Resolved:: 2015-06-09 17:18

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.