How to Secure MySQL Port 3306: Enabling TLS/SSL Encryption for Remote Database Connections


1 views

By default, MySQL connections on port 3306 are not encrypted. The protocol transmits data in plaintext, including credentials and sensitive information. This creates significant security risks, especially when accessing databases over public networks or between geographically separated office locations.

Without encryption, attackers can:

  • Intercept database credentials through MITM attacks
  • Capture sensitive business data in transit
  • Execute packet injection attacks
  • Violate compliance requirements (GDPR, HIPAA, etc.)

MySQL supports native TLS encryption without requiring SSH tunnels or VPNs. Here's how to implement it:

Step 1: Generate SSL Certificates

# Generate CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem

# Create server certificate
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate (repeat for each client if needed)
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Step 2: Configure MySQL Server

[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
require_secure_transport=ON  # Enforces SSL for all connections

Using MySQL Client:

mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -h db.example.com -u user -p

Programmatic Connection (Python Example):

import mysql.connector

config = {
  'user': 'dbuser',
  'password': 'securepassword',
  'host': 'db.example.com',
  'database': 'appdb',
  'ssl_ca': '/path/to/ca-cert.pem',
  'ssl_cert': '/path/to/client-cert.pem',
  'ssl_key': '/path/to/client-key.pem',
  'ssl_verify_cert': True
}

connection = mysql.connector.connect(**config)

Check active connections with:

SHOW STATUS LIKE 'Ssl_cipher';

Should return a cipher name (not empty) for encrypted connections.

For legacy systems that can't use certificate-based auth:

ALTER USER 'appuser'@'%' 
IDENTIFIED WITH mysql_native_password BY 'password' 
REQUIRE SSL;

SSL encryption adds ~5-15% overhead. Mitigate with:

  • Modern cipher suites (AES256-GCM-SHA384)
  • Session resumption
  • Optimized certificate chains

Error 2026 (SSL connection error): Verify certificates have proper permissions (mysql user must read them)

Error 3159 (No cipher overlap): Update OpenSSL libraries on both client and server

Connection timeouts: Check firewall rules for port 3306

By default, MySQL connections on port 3306 are not encrypted. The protocol transmits data in plaintext, making it vulnerable to eavesdropping and man-in-the-middle attacks when used over public networks.

When accessing MySQL servers across untrusted networks (like the internet between office and external servers), encryption becomes non-negotiable. Compliance standards like PCI DSS, HIPAA, and GDPR often mandate encrypted database connections.

Here's how to implement native MySQL encryption without relying on SSH tunnels or VPNs:

1. Verify Current SSL Status

First check if SSL is already enabled:

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | DISABLED        |  ← Needs to be 'YES'
+---------------+-----------------+

2. Generate SSL Certificates

Create these in your MySQL data directory (typically /var/lib/mysql/):

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

3. Configure MySQL Server

Add to your my.cnf (or my.ini on Windows):

[mysqld]
ssl-ca=/var/lib/mysql/ca-cert.pem
ssl-cert=/var/lib/mysql/server-cert.pem
ssl-key=/var/lib/mysql/server-key.pem

4. Restart MySQL and Verify

sudo systemctl restart mysql
mysql -u root -p -e "SHOW STATUS LIKE 'Ssl_cipher';"

For applications connecting to MySQL:

Command Line Client

mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

PHP PDO Example

$db = new PDO('mysql:host=external.server.com;dbname=production',
    'dbuser',
    'dbpass',
    array(
        PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca-cert.pem',
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    )
);

Python MySQL Connector

import mysql.connector

config = {
    'user': 'scott',
    'password': 'tiger',
    'host': 'external.server.com',
    'database': 'production',
    'ssl_ca': '/path/to/ca-cert.pem',
    'ssl_verify_cert': True
}

cnx = mysql.connector.connect(**config)

Check active connections:

mysql> SELECT ssl_version, cipher FROM performance_schema.status_by_thread WHERE thread_id = PS_CURRENT_THREAD_ID();
+-------------+------------------------+
| ssl_version | cipher                 |
+-------------+------------------------+
| TLSv1.2     | ECDHE-RSA-AES256-GCM-SHA384 |
+-------------+------------------------+

To require SSL for specific users:

CREATE USER 'remote_user'@'%' IDENTIFIED BY 'password' REQUIRE SSL;
GRANT ALL PRIVILEGES ON production.* TO 'remote_user'@'%';

Or globally for all users:

[mysqld]
require_secure_transport = ON

SSL adds ~5-10% overhead. For better performance:

  • Use modern cipher suites (avoid RC4, 3DES)
  • Consider AES-NI capable servers
  • Balance security level with performance needs