Large Scale Deployment of SSL/TLS For MySQL

Deploying SSL/TLS with MySQL at Booking.com on thousands of servers is not without issues. In this session I’ll tell you what steps we took, what problems we hit, and how we improved various parts of the MySQL ecosystem while doing so. To start we go over the basics: Which TLS settings are there in MySQL and MariaDB and how does this differ from HTTPS as used in browsers. And why do we want TLS in the first place? Is TLS and SSL the same thing? The first set of problems is inside MySQL: YaSSL vs. OpenSSL, verification issues and reloading of certificates. The second set of problems is inside Connectors: I’ll touch on DBD::mysql (Perl), Go-MySQL-Driver, libmysqlclient (C) Not all connectors have the same options and defaults. I’ll go into TLSv1.2 support. The third set of problems is tools: Using the require_secure_transport option caused issues with Percona Toolkit and Orchestrator. I’ll also cover: RSA v.s EC, security issues I found and how I wrote a Proxy for MySQL