Client Configuration for Secure Client Connections


As of SingleStore 8.1, OpenSSL 3.0 is used to establish secure connections to SingleStore. As a consequence, a client certificate that uses SHA or MD5 hash functions in its signature must be replaced with a certificate that uses SHA256 at a minimum; otherwise, a secure connection to SingleStore cannot be established. While SingleStore supports TLS v1, TLS v1.1, and TLS v1.2, using TLS v1.2 is recommended. When FIPS is enabled, only TLS v1.2 is supported. Refer to Troubleshoot OpenSSL 3.0 Connections for more information.

To ensure secure connections, clients must be configured to require a secure connection and to verify the appropriate server certificate. Otherwise, the client may or may not use SSL to connect to SingleStore, even if SSL is enabled on the SingleStore cluster, and man-in-the-middle attacks can compromise security. For example, an attacker may impersonate a server with SSL disabled, or impersonate a server while presenting a different server certificate.

The instructions below describe how to configure the MySQL command-line client to connect to SingleStore with a secure connection. Other clients may need to be configured differently.

Copy ca-cert.pem to your client machine. Specify the path to ca-cert.pem with the --ssl-ca option. This can be given as a command line option, as in --ssl-ca=path/ca-cert.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Add the --ssl-mode=REQUIRED option to require a secure connection (this is necessary in older versions of the MySQL client, even when --ssl-ca is specified). The client will abort with an error if a secure connection cannot be established, e.g. if the server is misconfigured or an attacker is modifying the connection.

You can use the status command to print connection details. For example:

mysql -uroot -h1.2.3.4 --ssl-ca=ca-cert.pem -e 'status'
mysql  Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using  EditLine wrapper

Connection id:      13
Current database:
Current user:       root@
SSL:            Cipher in use is AES256-SHA
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;
Server version:     5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Protocol version:   10
Connection: via TCP/IP
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:       3306
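
The status output can also be checked by a script so that a connection that silently fell back to plaintext is caught. The following is an added example, not SingleStore's own tooling: the function names and both sample outputs are constructed for illustration, and the "Not in use" wording is what the MySQL command-line client prints for an unencrypted session.

```shell
#!/bin/sh
# Added example: fail closed unless `status` reports an encrypted session.
# Reads the mysql client's `status` output on stdin.
# Exit codes: 0 = cipher negotiated (cipher name printed on stdout)
#             1 = SSL line present but no cipher (plaintext session)
#             2 = no SSL line at all (client aborted or unexpected output)
tls_cipher_from_status() {
    while IFS= read -r line; do
        case $line in
            SSL:*"Cipher in use is "*)
                printf '%s\n' "${line##*Cipher in use is }"
                return 0 ;;
            SSL:*)
                return 1 ;;
        esac
    done
    return 2
}

# Hypothetical wrapper: $1 = host, $2 = user, $3 = path to ca-cert.pem.
# Uses only the options described on this page. If the client aborts,
# nothing reaches the parser and the result is exit code 2.
connect_checked() {
    mysql -u"$2" -h"$1" --ssl-ca="$3" --ssl-mode=REQUIRED -e 'status' \
        | tls_cipher_from_status
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_TLS='Connection id:      13
Current user:       root@
SSL:            Cipher in use is AES256-SHA
Current pager:      stdout'

SAMPLE_PLAIN='Connection id:      14
Current user:       root@
SSL:            Not in use
Current pager:      stdout'

# Offline demonstration on the constructed samples.
for sample in "$SAMPLE_TLS" "$SAMPLE_PLAIN"; do
    if cipher=$(printf '%s\n' "$sample" | tls_cipher_from_status); then
        echo "encrypted, cipher: $cipher"
    else
        echo "NOT encrypted (exit code $?)"
    fi
done
```
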

Last modified: May 9, 2023
