22.5.3 Using Encrypted Connections with X Plugin

This section explains how to configure X Plugin to use encrypted connections. For more background information, see Section 8.3, “Using Encrypted Connections”.

To enable configuring support for encrypted connections, X Plugin has mysqlx_ssl_ _`xxx`_ system variables, which can have different values from the ssl_ _`xxx`_ system variables used with MySQL Server. For example, X Plugin can have SSL key, certificate, and certificate authority files that differ from those used for MySQL Server. These variables are described at Section 22.5.6.2, “X Plugin Options and System Variables”. Similarly, X Plugin has its own Mysqlx_ssl_ _`xxx`_ status variables that correspond to the MySQL Server encrypted-connection Ssl_ _`xxx`_ status variables. See Section 22.5.6.3, “X Plugin Status Variables”.

At initialization, X Plugin determines its TLS context for encrypted connections as follows:

This means that, on a server with X Plugin enabled, you can choose to have MySQL Protocol and X Protocol connections share the same encryption configuration by setting only the ssl_ _`xxx`_ variables, or have separate encryption configurations for MySQL Protocol and X Protocol connections by configuring the ssl_ _`xxx`_ and mysqlx_ssl_ _`xxx`_ variables separately.

To have MySQL Protocol and X Protocol connections use the same encryption configuration, set only the ssl_ _`xxx`_ system variables in my.cnf:

[mysqld]
ssl_ca=ca.pem
ssl_cert=server-cert.pem
ssl_key=server-key.pem

To configure encryption separately for MySQL Protocol and X Protocol connections, set both the ssl_ _`xxx`_ and mysqlx_ssl_ _`xxx`_ system variables in my.cnf:

[mysqld]
ssl_ca=ca1.pem
ssl_cert=server-cert1.pem
ssl_key=server-key1.pem

mysqlx_ssl_ca=ca2.pem
mysqlx_ssl_cert=server-cert2.pem
mysqlx_ssl_key=server-key2.pem

For general information about configuring connection-encryption support, see Section 8.3.1, “Configuring MySQL to Use Encrypted Connections”. That discussion is written for MySQL Server, but the parameter names are similar for X Plugin. (The X Plugin mysqlx_ssl_ _`xxx`_ system variable names correspond to the MySQL Server ssl_ _`xxx`_ system variable names.)

The tls_version system variable that determines the permitted TLS versions for MySQL Protocol connections also applies to X Protocol connections. The permitted TLS versions for both types of connections are therefore the same.

Encryption per connection is optional, but a specific user can be required to use encryption for X Protocol and MySQL Protocol connections by including an appropriate REQUIRE clause in the CREATE USER statement that creates the user. For details, see Section 15.7.1.3, “CREATE USER Statement”. Alternatively, to require all users to use encryption for X Protocol and MySQL Protocol connections, enable the require_secure_transport system variable. For additional information, see Configuring Encrypted Connections as Mandatory.
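
The following is an added example, not part of the MySQL documentation or code: a small Python audit that reads option-file text and reports whether X Protocol shares the ssl_ _`xxx`_ configuration or has its own, and whether require_secure_transport leaves encryption optional. The function name `audit_tls`, the mode labels, and the sample file are hypothetical, and the script assumes that any mysqlx_ssl_ca, mysqlx_ssl_cert, or mysqlx_ssl_key entry means a separate X Protocol configuration.

```python
import configparser

TLS_FILES = ("ca", "cert", "key")

def audit_tls(cnf_text):
    """Classify the [mysqld] TLS setup in option-file text and list findings."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    opts = {}
    if cp.has_section("mysqld"):
        # Option files accept dashes and underscores interchangeably.
        opts = {k.replace("-", "_"): (v or "").strip()
                for k, v in cp.items("mysqld")}
    groups = {p: {n: opts.get(f"{p}_{n}", "") for n in TLS_FILES}
              for p in ("ssl", "mysqlx_ssl")}
    if any(groups["mysqlx_ssl"].values()):
        mode = "separate"   # assumption: any mysqlx_ssl_xxx file option set
    elif any(groups["ssl"].values()):
        mode = "shared"     # only ssl_xxx set: both protocols use it
    else:
        mode = "defaults"   # nothing set explicitly in this file
    findings = []
    for prefix, files in groups.items():
        # A certificate and its private key are only usable as a pair.
        if bool(files["cert"]) != bool(files["key"]):
            missing = "key" if files["cert"] else "cert"
            findings.append(f"{prefix}_{missing} is not set but its counterpart is")
    if opts.get("require_secure_transport", "").lower() not in ("on", "1", "true"):
        findings.append("require_secure_transport is not enabled: "
                        "encryption stays optional per connection")
    return mode, findings

# Constructed sample: the separate-configuration example above with the
# X Plugin key line left out and require_secure_transport added.
SAMPLE = """
[mysqld]
ssl_ca=ca1.pem
ssl_cert=server-cert1.pem
ssl_key=server-key1.pem
mysqlx-ssl-ca=ca2.pem
mysqlx_ssl_cert=server-cert2.pem
require_secure_transport=ON
"""

if __name__ == "__main__":
    mode, findings = audit_tls(SAMPLE)
    print(mode)
    for f in findings:
        print(" -", f)
```

The script does not follow `!include` directives or read command-line options, so it reflects only the text passed to it.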