Discover how to secure your MariaDB connections with TLS, while ensuring that existing applications can still connect without it.
---
This video is based on the question https://stackoverflow.com/q/70216016/ asked by the user 'Sauer' ( https://stackoverflow.com/u/822664/ ) and on the answer https://stackoverflow.com/a/70216733/ provided by the user 'Benjamin' ( https://stackoverflow.com/u/17581535/ ) at 'Stack Overflow' website. Thanks to these great users and Stackexchange community for their contributions.
Visit these links for original content and any more details, such as alternate solutions, latest updates/developments on topic, comments, revision history etc. For example, the original title of the Question was: MariaDB enable TLS but still allow connections without TLS
Also, Content (except music) licensed under CC BY-SA https://meta.stackexchange.com/help/l...
The original Question post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license, and the original Answer post is licensed under the 'CC BY-SA 4.0' ( https://creativecommons.org/licenses/... ) license.
If anything seems off to you, please feel free to write me at vlogize [AT] gmail [DOT] com.
---
Enabling TLS in MariaDB While Allowing Non-TLS Connections
In today's digital landscape, securing database connections is crucial for protecting sensitive data. However, there are situations where an application may not support Transport Layer Security (TLS). If you're using MariaDB and want to enable TLS for secure connections while still allowing unencrypted connections, you've come to the right place. Let's explore how you can achieve this without disrupting your existing applications.
The Scenario
Consider a setup where you have:
MariaDB (M) on your local machine.
Application A running on the same machine as MariaDB.
Application B running on a different server, which accesses the MariaDB instance.
Given this scenario, you may want to enable TLS for the connection from Application B to MariaDB to enhance security. However, due to certain reasons, you cannot modify the configuration of Application A. The big question here is: Can you enable TLS without affecting the unencrypted connection from Application A to MariaDB? The answer is yes!
Solution Overview
1. Understanding TLS in MariaDB
TLS is a cryptographic protocol designed to provide secure communication over networks. By enabling TLS in MariaDB, you can ensure that sensitive exchanges between your database and applications are encrypted, thus safeguarding them against potential eavesdropping and attacks.
2. Default Behavior of MariaDB
When you enable TLS in MariaDB, it does not automatically enforce the requirement for encrypted connections. In the absence of any specific configuration, both secure (TLS) and non-secure (non-TLS) connections will work seamlessly.
3. Implementing TLS without Disruption
To enable TLS while allowing unencrypted connections, follow these steps:
Step 1: Enable TLS in MariaDB
You will need to configure your MariaDB server to support TLS. This generally involves specifying TLS certificates and keys in the MariaDB configuration file (my.cnf). Here's a simple configuration snippet:
[[See Video to Reveal this Text or Code Snippet]]
In this case, require_secure_transport is set to ON, which is important but does not enforce security yet.
Step 2: Allow Non-TLS Connections
By default, MariaDB allows both TLS and non-TLS connections if you do not enforce encrypted connections. To ensure this explicitly, you can adjust configurations on a per-user basis.
Per-User Configuration:
If you want to enforce TLS for specific users while allowing others to connect without it, use the following command:
[[See Video to Reveal this Text or Code Snippet]]
This command forces the specified user to always use TLS when interacting with the database. If this user attempts to connect without TLS, the connection is rejected.
4. Ensuring Application A Works Smoothly
Since Application A’s configuration cannot be changed, it can continue to connect without TLS, while you ensure that the connections from Application B are secured with TLS.
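The steps above as one SQL session, added here as an example and not taken from the original question, answer or video: it requires TLS for Application B's account only, then checks the outcome. The account names 'app_b' and 'app_a', the host 203.0.113.10 and the certificate paths are assumptions.

```sql
-- Added example; account names, host and file paths are assumptions.
-- Assumed server TLS settings in my.cnf under [mariadb] (placeholder paths):
--   ssl_cert = /path/to/server-cert.pem
--   ssl_key  = /path/to/server-key.pem
--   ssl_ca   = /path/to/ca-cert.pem

-- 1. Confirm the server loaded its certificate and key. have_ssl reads YES
--    when TLS is active and DISABLED when it is compiled in but not configured.
SHOW GLOBAL VARIABLES LIKE 'have_ssl';

-- 2. Server-wide switch. This example assumes it reads OFF, so accounts
--    without a REQUIRE clause can keep connecting unencrypted.
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';

-- 3. Require TLS only for Application B's account (hypothetical name and host).
ALTER USER 'app_b'@'203.0.113.10' REQUIRE SSL;

-- 4. Application A's account (hypothetical) carries no TLS requirement.
ALTER USER 'app_a'@'localhost' REQUIRE NONE;

-- 5. Audit which accounts require TLS. ssl_type is empty for no requirement,
--    'ANY' for REQUIRE SSL, and 'X509' or 'SPECIFIED' for certificate rules.
SELECT User, Host, ssl_type
FROM mysql.user
ORDER BY User, Host;

-- 6. Run inside each application's own session. An empty Ssl_cipher value
--    means that session is not encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';
```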
Conclusion
Enabling TLS in MariaDB is vital for protecting your data, especially in scenarios involving multiple applications. With the proper configuration, you can successfully implement TLS for Application B without disrupting the existing setup for Application A. This flexibility allows you to enhance security while maintaining operational integrity across your applications.
Now that you know how to configure MariaDB to accept both TLS and non-TLS connections, you can proceed to implement TLS and safeguard your database. Happy securing!