[MXS-86] Client Side SSL Requirements Created: 2015-04-06  Updated: 2015-06-09  Resolved: 2015-06-09

Status: Closed
Project: MariaDB MaxScale
Component/s: Documentation
Affects Version/s: None
Fix Version/s: 1.2.0

Type: Task Priority: Major
Reporter: Dipti Joshi (Inactive) Assignee: Dipti Joshi (Inactive)
Resolution: Fixed Votes: 0
Labels: None

Epic Link: MaxScale 1.2 Features

 Description   

MaxScale should support MySQL and MariaDB clients connecting over SSL, as supported by the standard MySQL/MariaDB protocol.

In MaxScale.cnf, MaxScale needs to support three additional options for each listener that uses the MySQL Client protocol:

  • ssl_CA_cert: CA certificate file in PEM format
  • ssl_client_cert: client certificate file in PEM format
  • ssl_client_key: client public key file in PEM format

When a client connects to MaxScale on a listener using a connection string that has the "--ssl-ca=ca-cert.pem --ssl-key=client-key.pem --ssl-cert=client-cert.pem" options, that is, for a connection using SSL, the following should be the handshake process upon connection:

  • Client connects to MaxScale on a listener that is configured with SSL.
  • MaxScale sends a copy of its SSL certificate, including MaxScale's public key.
  • Client checks the certificate and, if it trusts the certificate, creates, encrypts, and sends back a symmetric session key using MaxScale's public key.
  • MaxScale decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
  • MaxScale and Client now encrypt all transmitted data with the session key.

How MySQL does the handshake is described here: http://dev.mysql.com/doc/internals/en/initial-handshake.html
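In the MySQL protocol linked above, a client that wants SSL answers the server greeting with a 32-byte SSLRequest packet that has the CLIENT_SSL capability bit set, before any TLS traffic or credentials are sent. The following is an added example, not MaxScale code: a sketch of how a listener could classify that first client packet and refuse plaintext authentication when SSL is configured. The function and enum names are hypothetical, and it assumes only 4.1-protocol clients are accepted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Capability bits and sizes from the MySQL client/server protocol. */
#define CLIENT_PROTOCOL_41 0x00000200u
#define CLIENT_SSL         0x00000800u
#define HDR_LEN            4   /* 3-byte payload length + 1-byte sequence id */
#define SSL_REQUEST_LEN    32  /* caps(4) + max packet(4) + charset(1) + filler(23) */

enum first_packet { PKT_INCOMPLETE, PKT_MALFORMED, PKT_SSL_REQUEST, PKT_PLAINTEXT_AUTH };

/* Classify the first packet the client sends after the server greeting.
 * Only the header and the 4 capability bytes are inspected. */
enum first_packet classify_first_packet(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN + 4)
        return PKT_INCOMPLETE;                     /* caller must read more */
    uint32_t payload_len = buf[0] | (uint32_t)buf[1] << 8 | (uint32_t)buf[2] << 16;
    uint32_t caps = buf[4] | (uint32_t)buf[5] << 8 |
                    (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    /* The first client packet has sequence id 1 and is at least 32 bytes. */
    if (buf[3] != 1 || payload_len < SSL_REQUEST_LEN || !(caps & CLIENT_PROTOCOL_41))
        return PKT_MALFORMED;
    if (payload_len == SSL_REQUEST_LEN)            /* too short to carry a user name */
        return (caps & CLIENT_SSL) ? PKT_SSL_REQUEST : PKT_MALFORMED;
    return PKT_PLAINTEXT_AUTH;                     /* full response sent in the clear */
}

/* Call once the packet is complete. Returns 1 to continue, 0 to drop. */
int listener_accepts(int ssl_listener, enum first_packet kind)
{
    if (kind == PKT_SSL_REQUEST)
        return ssl_listener != 0;   /* start TLS next; invalid if SSL was not offered */
    if (kind == PKT_PLAINTEXT_AUTH)
        return ssl_listener == 0;   /* an SSL listener never parses plaintext credentials */
    return 0;
}

int main(void)
{
    /* Constructed samples: header plus capability bytes, remaining bytes zero. */
    uint8_t ssl_req[36] = {32, 0, 0, 1, 0x00, 0x0a, 0, 0}; /* PROTOCOL_41 | SSL */
    uint8_t plain[8]    = {60, 0, 0, 1, 0x00, 0x02, 0, 0}; /* PROTOCOL_41 only  */
    printf("ssl request accepted: %d\n",
           listener_accepts(1, classify_first_packet(ssl_req, sizeof ssl_req)));
    printf("plaintext accepted:   %d\n",
           listener_accepts(1, classify_first_packet(plain, sizeof plain)));
    return 0;
}
```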

