Bug #70734 Generate SSL/TLS and RSA keys during installation
Submitted: 26 Oct 2013 15:24 Modified: 6 Aug 2015 14:56
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Installing Severity: S4 (Feature request)
Version: 5.7 OS: Any
CPU Architecture: Any

[26 Oct 2013 15:24] Daniël van Eeden
Description:
As SSL/TLS provides both connection security and peer verification it is best for it to be set up by the administrator of the server. However many servers run completely without SSL and support neither connection security nor peer verification.

For the SHA256 password authentication to work either SSL is needed or a RSA keypair must be generated.

Many users don't know the correct settings for the CREATE USER and/or GRANT syntax. So users think they have configured and required SSL and that the client certificate will be checked, but this might not be the case (REQUIRE SSL vs. REQUIRE X509).

How to repeat:
See description.

Suggested fix:
1. The server could generate or ship a default SSL certificate and thus provide at least the option to secure the connection. 

2. The RSA keypair for the SHA256 authentication should be generated during the installation, just like OpenSSH does.

3. A script could be shipped with the server or the mysql utilities. Then the script can be used as a wizard to generate the keys, certificates and maybe even the client certificates and then provide the user with the correct settings for the configuration or grant syntax.
[2 Jan 2014 19:43] Daniël van Eeden
An example for how the SSL certs could be generated:
https://github.com/dveeden/myssl
[6 Jan 2014 15:09] Todd Farmer
Thanks for the very valid suggestion, Daniël!  We've had a series of internal discussions about this, and one proposal is to generate SSL certs and RSA keys to a default (secure) location at server startup if they don't already exist, and the server is not provided with explicit SSL options.  I assume that would be an acceptable solution, here, but please let us know if you think it needs something else.
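A sketch of what the wizard script from the description and the "generate only if absent" behaviour proposed above could look like, added here as an example and not code from MySQL or from the reporter's myssl project. It assumes `openssl` is on the PATH; the output file names and the `[mysqld]` option names are the ones MySQL 5.7 uses, the certificate subjects are constructed placeholders.

```shell
#!/bin/sh
# Create MySQL TLS certificates plus the sha256_password RSA key pair in a
# directory, but only when no key material exists there yet (hypothetical
# helper; re-running it never overwrites keys an administrator provided).
set -eu

gen_mysql_keys() {
    dir="$1"
    mkdir -p "$dir"
    if [ -f "$dir/ca.pem" ] && [ -f "$dir/server-cert.pem" ] && [ -f "$dir/private_key.pem" ]; then
        echo "key material already present in $dir, nothing to do"
        return 0
    fi
    old_umask=$(umask)
    umask 077   # private keys are created 0600, never world-readable
    # Self-signed CA (constructed subject name)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example_Auto_Generated_CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    # Server certificate signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example_Server_Certificate" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/server-req.pem" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/server-cert.pem" 2>/dev/null
    # Client certificate, needed by accounts created with REQUIRE X509
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example_Client_Certificate" \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/client-req.pem" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/client-cert.pem" 2>/dev/null
    # RSA key pair used by sha256_password on connections without TLS
    openssl genrsa -out "$dir/private_key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/private_key.pem" -pubout -out "$dir/public_key.pem" 2>/dev/null
    rm -f "$dir/server-req.pem" "$dir/client-req.pem"
    # Certificates and the public key may be world-readable; private keys stay 0600
    chmod 644 "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem" "$dir/public_key.pem"
    umask "$old_umask"
    # Print the matching server configuration so the user does not have to guess it
    cat <<EOF
[mysqld]
ssl-ca=$dir/ca.pem
ssl-cert=$dir/server-cert.pem
ssl-key=$dir/server-key.pem
sha256_password_private_key_path=$dir/private_key.pem
sha256_password_public_key_path=$dir/public_key.pem
EOF
}

# Check that both leaf certificates chain to the generated CA
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem" >/dev/null 2>&1
}
```

Accounts that should present the generated client certificate must be created with REQUIRE X509 (or REQUIRE SUBJECT/ISSUER); REQUIRE SSL alone only enforces an encrypted connection.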
[6 Jan 2014 16:52] Daniël van Eeden
@Todd: That would be great.
[6 Aug 2015 14:56] Todd Farmer
This feature is implemented in MySQL 5.7.6, and the following blog post describes the generation process of key material in greater detail:

http://mysqlblog.fivefarmers.com/2015/04/09/ssltls-in-mysql-5-7/

Thanks for the feature request!