Connect to SingleStore Helios using TLS/SSL


The singlestore_bundle.pem file, which SQL clients can use to connect to SingleStore Helios, will be updated as of October 20, 2023.

If your SQL client uses the singlestore_bundle.pem file and the --ssl-mode=VERIFY_CA flag to connect, and your SQL client can no longer connect to SingleStore Helios, please download and use the latest singlestore_bundle.pem file.

To ensure a secure connection to SingleStore Helios, SQL clients must be properly configured to both require a secure connection and to verify the supplied server certificate. Otherwise, the SQL client will not use TLS/SSL connections to SingleStore Helios, even if TLS/SSL is enabled on the workspace. This can compromise security and lead to man-in-the-middle attacks, where a would-be attacker can impersonate a server when SSL is disabled, or create a secure connection by impersonating a server using an illegitimate server certificate.

Refer to SingleStore Helios Endpoints and Server Configuration to Require Secure Client Connections for more information.

Configure the SingleStore Helios Connection

These instructions describe how to configure the MySQL command-line client to connect to SingleStore Helios with a secure connection. SQL clients other than MySQL’s will likely require a different configuration.

  1. Download the singlestore_bundle.pem certificate file and save it to your MySQL client machine.

  2. When connecting to SingleStore Helios, be sure to include:

    a. The host shown under the Endpoint from your workspace in the Cloud Portal.

    b. Port 3306.

    c. The --default-auth=mysql_native_password option.

    d. The --ssl-ca option, including the path to the singlestore_bundle.pem file. This can be done via command-line option, as in --ssl-ca=/path/singlestore_bundle.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Include the --ssl-mode=REQUIRED when using older versions of the MySQL client, even when the --ssl-ca option is specified.

    e. The --ssl-mode=VERIFY_CA option to verify the certificate.

  3. Test the connection to SingleStore Helios. The MySQL client will abort with an error if a secure connection cannot be established. While this is most likely due to a misconfiguration, it can also be due to a would-be attacker manipulating the secure connection to SingleStore Helios.

    mysql -u admin -p -h <endpoint-host> -P 3306 \
    --default-auth=mysql_native_password \
    --ssl-ca=./singlestore_bundle.pem \
  4. Verify that a secure connection has been established to SingleStore Helios via the status command.

    mysql -u admin -p -h <endpoint-host> -P 3306 \
    --default-auth=mysql_native_password \
    --ssl-ca=./singlestore_bundle.pem -e 'status' \
    mysql  Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using  EditLine wrapper
    Connection id:        13
    Current database:
    Current user:         root@yyy.yyy.yyy.yyy
    SSL:                  Cipher in use is AES256-SHA
    Current pager:        stdout
    Using outfile:        ''
    Using delimiter:      ;
    Server version:       5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
    Protocol version:     10
    Connection:  via TCP/IP
    Server characterset:  utf8
    Db     characterset:  utf8
    Client characterset:  utf8
    Conn.  characterset:  utf8
    TCP port:             3306

Last modified: April 24, 2024

Was this article helpful?