Bug #83758 Make mysql server SSL options dynamic
Submitted: 9 Nov 2016 18:14    Modified: 2 Dec 2019 12:10
Reporter: Jaime Crespo (OCA)
Status: Open
Category: MySQL Server: Security: Encryption    Severity: S4 (Feature request)
Version:    OS: Any
Assigned to:    CPU Architecture: Any

[9 Nov 2016 18:14] Jaime Crespo
OpenSSL, and by extension, any SSL library, is a constant threat to security, being a library that is vital to secure communications; but at the same time, especially lately, very prone to 0days and vulnerabilities: https://en.wikipedia.org/wiki/OpenSSL#Notable_vulnerabilities

In other pieces of software, like Apache, ssh, etc., we have the option of reloading the servers with little to no downtime. With mysql, with the exception of places such as the options on the replication io_thread, that is not true. So staying up to date with the important updates is difficult (it requires doubling the database resources, and even after that, the switchovers are never seamless: replication lag, filling the buffer pool). To prevent that we have to use a proxy or other kinds of tunnelling, which allows more dynamism on cert/key compromise or expiration.

I think 5.7 has taken the path of making a lot of "secure by default" options (autogenerating in some cases the certificates, not creating anonymous users). Extending that will to make this dynamic will contribute to that effort.

How to repeat:
mysql> SET GLOBAL ssl_ca = '/etc/ssl/certs/ca.pem';
ERROR 1238 (HY000): Variable 'ssl_ca' is a read only variable

mysql> SET GLOBAL ssl_key = '/etc/ssl/certs/key.pem';
ERROR 1238 (HY000): Variable 'ssl_key' is a read only variable

mysql> SET GLOBAL ssl_cert = '/etc/ssl/certs/cert.pem';
ERROR 1238 (HY000): Variable 'ssl_cert' is a read only variable

Suggested fix:
As a feature request, make the above global variables dynamic, even if it requires some restrictions or it only affects new connections.
[13 Jan 2018 15:04] Jaime Crespo
Heads up: I will be talking about MySQL and TLS at Fosdem 2018: https://fosdem.org/2018/schedule/event/tls_mysql/
and most likely I will mention this feature request.
[5 Feb 2018 20:19] Daniël van Eeden
It would also be nice to have the option to dynamically set "ssl=OFF".
[2 Dec 2019 12:10] Jaime Crespo
Is it possible that https://dev.mysql.com/doc/refman/8.0/en/alter-instance.html#alter-instance-reload-tls may fulfill this and #75404 ? I haven't tested it yet.
[3 Dec 2019 7:45] Daniël van Eeden
Yes, I consider this fixed.
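The ALTER INSTANCE RELOAD TLS path that closed this request, shown as an added walk-through rather than anything posted in the thread. It assumes MySQL 8.0.16 or later (where ssl_ca, ssl_cert and ssl_key became settable at runtime and the Current_tls_* status variables exist) and uses assumed file paths under /etc/mysql/tls/; the point is that changing the variables alone does nothing, the reload is what swaps the live TLS context, and a failed reload leaves the old context in force.

```sql
-- 1. Where is the server currently configured to read its TLS material from?
SELECT @@global.ssl_ca, @@global.ssl_cert, @@global.ssl_key;

-- The status variables describe the context actually in use, so they can
-- differ from the system variables until a reload succeeds.
SHOW GLOBAL STATUS WHERE Variable_name IN
  ('Current_tls_ca', 'Current_tls_cert', 'Current_tls_key',
   'Ssl_server_not_before', 'Ssl_server_not_after');

-- 2. Point the server at the rotated files (assumed paths). SET PERSIST also
--    records them in mysqld-auto.cnf so a later restart keeps them.
--    This step by itself changes nothing for any connection.
SET PERSIST ssl_ca   = '/etc/mysql/tls/ca.pem';
SET PERSIST ssl_cert = '/etc/mysql/tls/server-cert.pem';
SET PERSIST ssl_key  = '/etc/mysql/tls/server-key.pem';

-- 3. Build a new TLS context from those values without restarting mysqld.
--    Already-established connections keep the session they negotiated;
--    only new connections get the new certificate. If a file is missing or
--    the key does not match the certificate, the statement errors out and
--    the previous context stays active (the default rollback-on-error).
ALTER INSTANCE RELOAD TLS;

-- 4. Confirm the live context moved and read the new validity window,
--    which is what an expiry monitor should be watching.
SHOW GLOBAL STATUS WHERE Variable_name IN
  ('Current_tls_ca', 'Current_tls_cert', 'Current_tls_key',
   'Ssl_server_not_before', 'Ssl_server_not_after');
```

Because existing sessions are not renegotiated, rotating after a key compromise still means terminating long-lived connections (replication channels, connection-pool members) so that they reconnect against the new context; the reload only guarantees that nothing new is accepted under the old key.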