tls for mysql at large scale
play

TLS for MySQL at Large Scale Jaime Crespo Things we Security - PowerPoint PPT Presentation

Feb 13, 2023 •335 likes •529 views

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals are *NOT* At rest encryption Best practices for web/HTTP going to encryption How perfectly and good we are- we made

  1. TLS for MySQL at Large Scale Jaime Crespo

  2. Things we ● Security and encryption fundamentals are *NOT* ● “At rest” encryption ● Best practices for web/HTTP going to encryption ● How perfectly and good we are- we made mistakes and we will present talk about: them to you

  3. Things we ● “On the wire” encryption ● Focused on for large scale web *ARE* going applications ● Operational/DBA point of view to talk ● Feature requests for MySQL/MariaDB developers ● Failures that can serve as lessons about: learned for other ops

  4. Why ● Privacy and security over cost- we aim for full stack encryption deploying ● Known, documented security threads TLS for ● Compliance with modern security standards; getting modern MySQL? authentication methods

  5. ● TLS is slow ● TLS doesn’t work at scale TLS Myths ● TLS is not needed on a private network/for databases ● TLS is hard - it is not, it is mostly an operational challenge

  6. TLS on MySQL is easy * Latest MySQL versions even do this for you automatically

  7. Thank you! Author: Jaime Crespo/Wikimedia Foundation License: CC-BY-SA-3.0 (except where noted)

  8. TLS for MySQL at Large Scale Jaime Crespo

  9. ”The greatest failure, teacher is” -- Yoda. Star Wars: The Last Jedi Author: GPS https://www.flickr.com/photos/zoxcleb/8732125673/ License: CC-BY-SA-2.5

  10. We were going to activate a second ● datacenter for the first time - people on top wanted encryption rolled in ASAP We rushed We setup some initial configuration ● with some test certificates to We ended up working 3 times as much: ● first when we set them up, again to production remove it and setup it again ● Resources were limited: 1 full time employee (which were already in charge of all MySQL maintenance and firefighting); no external resources

  11. TLS at internal storage treated like ● rolling public HTTPS - different use We didn’t case and problems ● We didn’t have a proper certificate have manager service ● Older OpenSSL version had frequent proper security problems ● Every time OpenSSL or MySQL had to orchestrati be upgraded, we had to restart the daemon on in place If the change was incompatible (e.g. ● CA update), you had to sync client/server and master/replicas

  12. ● MySQL/MariaDB older version (5.5) had Server problems with modern ciphers/protocols support ● Only OpenSSL-linked servers had proper modern TLS support (>=1.2) ● OpenSSL was not GPL-compatible was poor ● We had to deploy our own package (wmf-mariadb, wmf-mysql)

  13. ● Client libraries also had to be upgraded/linked to OpenSSL Client and ● Some problems with clients (Mono/Sharp) silently enabling TLS for 3rd party “MySQL as a service” products Most issues related to TLSv1.2 support ● support ● Old client connectors (PHP5) incompatibilities was poor ● ProxySQL did not support TLSv1.2 Colleagues report mysql cli “no longer ● works”

  14. ● We rolled TLS at first opt-in- This allowed easy rollback. We defaulted to TLS enabled, though. Successes ● Communicated the change to fellow ops ● Organization support and ● We went for replication channel and administration encryption first- things we indetectable overhead due to almost no reconnections did right ● We went for TLSv1.2 from the beginning (2015) ● 100% coverage is not rushed- we can wait for CA, licensing and client library support

  15. ● Same-DC, non-SSL: 0.001132071018219 s/conn ○ ○ 0.00024072647094727 s/query ● Same-DC, SSL: ○ 0.057012629508972 s/conn 0.00025907039642334 s/query ○ ● Cross-DC, non-SSL: Metrics ○ 0.1113884806633 s/conn ○ 0.036313643455505 s/query Cross-DC, SSL: ● ○ 0.22943157196045 s/conn ○ 0.036422135829926 sec/query ● Local ProxySQL+Cross-DC, non-SSL: 0.0002328896522522 s/conn ○ ○ 0.036425504684448 s/query

  16. Easier certificate/TLS library handling ● from the servers (#81461, #75404, #83758) MySQL Proper TLS 1.2+ support from ● connectors/clients/middleware (e.g. community ProxySQL #1247) ● Proper OpenSSL 1.1+ support (#83814, wishlist #12811) ● Sharing more tests/metrics/ performance benchmarks

  17. ● Setup persistent connections (not only for TLS, but also for active-active Pending cross-dc requests) ● Enable TLS also for regular connections work for us ● Better monitoring (certificate expiration) ● Enforce TLS at grant level ● Roll in modern authentication (sha256)

  18. Thank you! Author: Jaime Crespo/Wikimedia Foundation License: CC-BY-SA-3.0 (except where noted)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Managing MySQL at Scale Pradeep Nayak & Junyi (Luke) Lu Production Engineers - MySQL Infra

Managing MySQL at Scale Pradeep Nayak & Junyi (Luke) Lu Production Engineers - MySQL Infra

Managing MySQL at Scale Pradeep Nayak & Junyi (Luke) Lu Production Engineers - MySQL Infra Agenda 1 Terminology 2 Lifecycle of a MySQL instance 3 How do we migrate MySQL instance 4 How do we migrate shard 5 Balancing 6 Testing

919 views • 50 slides
Large Scale Deployment of SSL/TLS For MySQL Danil van Eeden | Percona Live 2019 Austin | May

Large Scale Deployment of SSL/TLS For MySQL Danil van Eeden | Percona Live 2019 Austin | May

Large Scale Deployment of SSL/TLS For MySQL Danil van Eeden | Percona Live 2019 Austin | May 2019 Agenda. Introduction Reasons to deploy TLS Rolling out TLS Introduction. Me: Danil van Eeden Senior Database

777 views • 33 slides
What's new in MySQL 5.5? Performance/Scale Unleashed Mikael Ronstrm Senior MySQL Architect The

What's new in MySQL 5.5? Performance/Scale Unleashed Mikael Ronstrm Senior MySQL Architect The

<Insert Picture Here> What's new in MySQL 5.5? Performance/Scale Unleashed Mikael Ronstrm Senior MySQL Architect The preceding is intended to outline our general product direction. It is intended for information purposes only, and may

710 views • 38 slides
MySQL Backup and Restore at Facebook Scale Ola Berjak Production Engineer at MySQL

MySQL Backup and Restore at Facebook Scale Ola Berjak Production Engineer at MySQL

MySQL Backup and Restore at Facebook Scale Ola Berjak Production Engineer at MySQL Infrastructure, Facebook London MySQL Backup and Restore at Facebook Scale and how its not rocket science Ola Berjak Production Engineer at MySQL

849 views • 60 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann

<Insert Picture Here> MySQL Replication Update MySQL 5.5 (GA) & MySQL 5.6.2 (Dev. Milestone) Lars Thalmann Development Director MySQL Replication, Backup & Connectors O'Reilly MySQL Users Conference, April 2011 MySQL Releases

456 views • 42 slides
MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers

MySQL Proxy Making MySQL more flexible Jan Kneschke jan@mysql.com MySQL Proxy proxy-servers forward requests to backends and can transform, handle or block them released under the GPL see http://forge.mysql.com/wiki/MySQL_Proxy

945 views • 27 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
MySQL at Scale at Square Daniel Nichter Percona Live 2018 1 April 23, 2018 An honest

MySQL at Scale at Square Daniel Nichter Percona Live 2018 1 April 23, 2018 An honest

MySQL at Scale at Square Daniel Nichter Percona Live 2018 1 April 23, 2018 An honest financial network for everyone Square Global: USA, Canada, UK, Japan, Australia Payment transaction data stored in MySQL We are hiring

840 views • 47 slides
PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction

Berner Fachhochschule - HTI PHP and MySQL Dr. E. Benoist Winter Term 2006-2007 PHP and MySQL 1 PHP and MySQL Introduction Basics of MySQL Create a Table See the content of a DB Tables: Change rows and Insert data Select

637 views • 53 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is

MySQL Proxy meets: binlogs Jan Kneschke MySQL Enterprise Tools mailto: jan@mysql.com What is MySQL Proxy Started Feb 2007 Current: MySQL Proxy 0.7.0 Source available on launchpad.net $ bzr branch lp:mysql-proxy Foundation of

308 views • 17 slides
Bash One-Liners and Other Tools to Simplify MySQL Ops at Scale Percona Live Santa Clara,

Bash One-Liners and Other Tools to Simplify MySQL Ops at Scale Percona Live Santa Clara,

Bash One-Liners and Other Tools to Simplify MySQL Ops at Scale Percona Live Santa Clara, California | April 25th, 2017 Brian Cain (Dropbox) Brian Cain Working at Dropbox as a MySQL SRE Database Engineer Python and Bash Developer

234 views • 20 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Temporal Logic of Actions Advanced Topics in Distributed Computing Dominik Grewe Saarland

Temporal Logic of Actions Advanced Topics in Distributed Computing Dominik Grewe Saarland

Temporal Logic of Actions Temporal Logic of Actions Advanced Topics in Distributed Computing Dominik Grewe Saarland University March 20, 2008 Temporal Logic of Actions Outline Basic Concepts Transition Systems Temporal Operators Fairness

480 views • 32 slides
Topological Protection of Quantum States for Quantum Computation Rukhsan Ul Haq, Data Analytics

Topological Protection of Quantum States for Quantum Computation Rukhsan Ul Haq, Data Analytics

Topological Protection of Quantum States for Quantum Computation Rukhsan Ul Haq, Data Analytics Unit, Centre of Excellence, Skoruz Technologies, Bangalore India 1st July 2020 Rukhsan Ul Haq, Data Analytics Unit, Centre of Excellence, Skoruz

413 views • 23 slides
Nonlinear response theory in long-range Hamiltonian systems Yoshiyuki Y. YAMAGUCHI (Kyoto

Nonlinear response theory in long-range Hamiltonian systems Yoshiyuki Y. YAMAGUCHI (Kyoto

2014/05/27@The Galileo Galilei Institute for Theoretical Physics Advances in Nonequilibrium Statistical Mechanics: large deviations and long-range correlations, extreme value statistics, anomalous transport and long-range interactions Nonlinear

766 views • 48 slides
www.cornwall-insight.com Anna Moss and Alex Wynn HELPING YOU MAKE SENSE OF THE HELPING YOU MAKE

www.cornwall-insight.com Anna Moss and Alex Wynn HELPING YOU MAKE SENSE OF THE HELPING YOU MAKE

www.cornwall-insight.com Anna Moss and Alex Wynn HELPING YOU MAKE SENSE OF THE HELPING YOU MAKE SENSE OF THE www.cornwall-insight.com ENERGY AND WATER SECTORS ENERGY AND WATER SECTORS The knock-on effect of the British Gas price

277 views • 16 slides
In-kernel TLS Framing and Encryp6on for FreeBSD John Baldwin BSDCan June 2020 Overview

In-kernel TLS Framing and Encryp6on for FreeBSD John Baldwin BSDCan June 2020 Overview

In-kernel TLS Framing and Encryp6on for FreeBSD John Baldwin BSDCan June 2020 Overview What is KTLS? TLS Transmit TLS Receive Current Status What is TLS? Transport Layer Security (TLS) is an applica6on layer protocol

597 views • 25 slides
In-Kernel TLS Framing and Encryp6on for FreeBSD John Baldwin vBSDCon September 6, 2019

In-Kernel TLS Framing and Encryp6on for FreeBSD John Baldwin vBSDCon September 6, 2019

In-Kernel TLS Framing and Encryp6on for FreeBSD John Baldwin vBSDCon September 6, 2019 Overview Mo6va6on Kernel TLS SoJware TLS NIC TLS Numbers Why KTLS? The story of KTLS is really a repeat of the story of sendfile(2)

531 views • 35 slides
(and the teens coming of age behind them) are the most problematic generation in modern history.

(and the teens coming of age behind them) are the most problematic generation in modern history.

(and the teens coming of age behind them) are the most problematic generation in modern history. Beyond their kombucha-fueled rampage through DoSomething.org and its consultancy arm, TMI countless industries, young people are consistently

314 views • 4 slides
MADISON GRANTEE DEI SURVEY DRAFT RESULTS Other Hewlett Grantees TMI Grantees M E A N P E R C E

MADISON GRANTEE DEI SURVEY DRAFT RESULTS Other Hewlett Grantees TMI Grantees M E A N P E R C E

MADISON GRANTEE DEI SURVEY DRAFT RESULTS Other Hewlett Grantees TMI Grantees M E A N P E R C E N T A G E P E O P L E O F C O L O R A C R O S S G R A N T E E S Board Members All Staff 36% 31% 31% 24% Foundation Grantees TMI Grantees

483 views • 6 slides

More recommend