(2024.1) MySQL 8 Secure Login
Notes on Installation:
The DISA MySQL STIG has syntax errors in the cipher strings it requires, which caused the server to fail to start with SSL support.
It lists the tls_ciphersuites comma separated, whereas they must be colon separated in the configuration.
The database user has to be created without a password, specifying only that SSL is required. To do this, you have to temporarily disable password validation, since it prevents creation of a user without a password.
MySQL Server
Add the openssl-perl package to support CRL download script, enter:
yum --setopt=install_weak_deps=False install openssl-perl
Run the steps for dod_crl.sh script: (2024.1) dod_crl.sh script
File System Commands
mkdir -p /var/lib/mysql/tls
chown -R mysql:mysql /var/lib/mysql/tls/
chmod -R 750 /var/lib/mysql/tls/
chcon -u system_u -R /var/lib/mysql/tls/
Add the server cert, key and CA bundle to /var/lib/mysql/tls/
https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html
https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-rsa-files-using-mysql.html
Note that when installing for GSMO the certificates that were auto created by the MySQL install had to be manually overwritten with the new certs to get the server to use them.
Certs should be owned by mysql:mysql with 640 permissions.
Key should be owned by mysql:mysql with 600 permissions.
Add the following to /etc/my.cnf
ssl_fips_mode = ON
ssl_ca = /var/lib/mysql/tls/jitc-ca-bundle.pem
ssl_cert = /var/lib/mysql/tls/path-to-server.pem
ssl_key = /var/lib/mysql/tls/path-to-server.key
ssl_crlpath = /etc/pki/tls/crl/
require_secure_transport = ON
tls_version = TLSv1.2,TLSv1.3
ssl_cipher = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256
tls_ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256
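Before restarting mysqld it is worth checking the fragment for the separator mistake described in the installation notes (comma-separated cipher lists, which mysqld rejects) and for the transport settings above. The following checker is an added example written for this page, not part of the MySQL project or the STIG; the sample my.cnf text is constructed inline, and you would pass the contents of your real /etc/my.cnf instead.

```python
"""Sanity-check TLS options in a my.cnf [mysqld] fragment before restarting."""

# Constructed sample: tls_ciphersuites carries the STIG's comma separators,
# which mysqld rejects (OpenSSL cipher lists must be colon-separated).
SAMPLE_CNF = """
[mysqld]
ssl_fips_mode = ON
require_secure_transport = ON
tls_version = TLSv1.2,TLSv1.3
ssl_cipher = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
tls_ciphersuites = TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
"""

def parse_mysqld_section(text):
    """Return {option: value} for the [mysqld] section, dashes normalised to underscores."""
    opts, in_section = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[mysqld]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key.replace("-", "_").lower()] = value
    return opts

def check_mysqld_tls(text):
    """Return a list of findings; an empty list means the fragment looks sane."""
    opts, findings = parse_mysqld_section(text), []
    # Both cipher options are OpenSSL lists: colon-separated, never commas.
    for key in ("ssl_cipher", "tls_ciphersuites"):
        if "," in opts.get(key, ""):
            findings.append(f"{key}: comma-separated; use ':' between ciphers")
    # tls_version is the one option that IS comma-separated; legacy versions must be absent.
    versions = {v.strip() for v in opts.get("tls_version", "").split(",") if v.strip()}
    if not versions:
        findings.append("tls_version: not set")
    for legacy in ("TLSv1", "TLSv1.1"):
        if legacy in versions:
            findings.append(f"tls_version: {legacy} enabled")
    # Plaintext connections must be refused and FIPS mode forced on.
    for key in ("require_secure_transport", "ssl_fips_mode"):
        if opts.get(key, "").upper() != "ON":
            findings.append(f"{key}: expected ON, found {opts.get(key) or 'unset'}")
    return findings

if __name__ == "__main__":
    for finding in check_mysqld_tls(SAMPLE_CNF):
        print(finding)
```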
Restart the MySQL server and login as root
Please note the following values must be substituted with valid data:
SERVER_NAME
From MySQL cmdline as root
MySQL Client
Add the openssl-perl package to support CRL download script, enter:
Run the steps for dod_crl.sh script. (2024.1) dod_crl.sh script
Example client connection from mysql client:
PHP/PDO Connection
PCR-360 Config
Here is how to get the driver_options parameters to use based on the PHP PDO parameters they map to.
Apply the PCR-360 configuration with an empty password, and set the correct options for the SSL Key, Cert and CA plus the Cipher to use.
With all of that in place, the PCR-360 commands to create the SQL scripts that build the database should work.
For the GSMO install, fapolicyd was preventing the application from using the certificates. This led to a MySQL connection error. They had to update the fapolicyd rules to allow this.