# MySQL 5.5 Server with SSL support



## jailed (Jul 27, 2016)

Hello,

I want to use MySQL server with SSL support. Although I am selecting SSL option while installing MySQL server port, it doesn't support SSL. Here's the mysql output:


```
mysql> show global variables like 'have_%ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
+---------------+----------+
2 rows in set (0.02 sec)
```

Then I've added this line to /etc/make.conf


```
DEFAULT_VERSIONS+=ssl=openssl
```

When I try to compile MySQL, it gives this security error:



```
1 problem(s) in the installed packages found.
=> Please update your ports tree and try again.
=> Note: Vulnerable ports are marked as such even if there is no update available.
=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/databases/mysql55-server
*** Error code 1

Stop.
make: stopped in /usr/ports/databases/mysql55-server

===>>> make build failed for databases/mysql55-server
===>>> Aborting update

===>>> Update for mysql55-server-5.5.49 failed
===>>> Aborting update

===>>> There are messages from installed ports to display,
       but first take a moment to review the error messages
       above.  Then press Enter when ready to proceed. ^[[23~

===>>> pkg-message for mysql55-client-5.5.49
Always:
* * * * * * * * * * * * * * * * * * * * * * * *

Please be aware the database client is vulnerable
to CVE-2015-3152 - SSL Downgrade aka "BACKRONYM".
You may find more information at the following URL:

http://www.vuxml.org/freebsd/36bd352d-299b-11e5-86ff-14dae9d210b8.html

Although this database client is not listed as
"affected", it is vulnerable and will not be
receiving a patch. Please take note of this when
deploying this software.

* * * * * * * * * * * * * * * * * * * * * * * *
```

This setup is for remote MySQL replication over internet and I want to enable SSL for secutiy matters. What can you suggest for me to install MySQL with SSL enabled? Is it secure to install it anyway with DISABLE_VULNERABILITIES=yes option?

Thanks for your help.


----------



## SirDice (Jul 28, 2016)

jailed said:


> Is it secure to install it anyway with DISABLE_VULNERABILITIES=yes option?


As long as you understand it's vulnerable and what the implications are. You could build it anyway and add a firewall rule, for example, to only allow the replication, minimizing the risk.


----------



## Murph (Jul 28, 2016)

Alternatively, forget adding SSL support to MySQL, and instead setup IPSec between your servers, which has the benefit of providing secure comms between them for other things in addition to the replication.


----------



## jailed (Jul 28, 2016)

Thank you for your replies.

Unfortunately DEFAULT_VERSIONS+=ssl=openssl and DISABLE_VULNERABILITIES=yes didn't work as I've expected. Still there is no SSL with MySQL. I still don't know how to enable SSL with MySQL.

Murph,

Is there an easy way of seting up IPSec between FreeBSD servers? Or should I set IPSec on router level?


----------



## Murph (Jul 28, 2016)

jailed said:


> Is there an easy way of seting up IPSec between FreeBSD servers? Or should I set IPSec on router level?



Well, if the routers have both the necessary features and the CPU power to do it, I would probably setup a GRE/IPSec tunnel between them, with the benefit of enabling secure comms for all devices between the two LANs.  That's assuming that both LANs and the routers are essentially within your trusted zone, i.e. the area you are protecting against is the nasty public bit between the two routers.

Setting it up between FreeBSD systems is covered in the handbook:

https://www.freebsd.org/doc/handbook/ipsec.html


----------

