Client Configuration for Secure Client Connections
To ensure secure connections, clients must be properly configured to require a secure connection and verify the appropriate server certificate. Otherwise, the client may or may not use SSL to connect to SingleStore DB even if SSL is enabled on the SingleStore DB cluster, and man-in-the-middle attacks can compromise security: for example, an attacker may impersonate a server with SSL disabled, or impersonate a server while presenting a different server certificate.
The instructions below describe how to configure the MySQL command-line client to connect to SingleStore DB with a secure connection. Other clients may need to be configured differently.
Copy ca-cert.pem to your client machine. Specify the path to ca-cert.pem with the --ssl-ca option. This can be given as a command line option, as in --ssl-ca=path/ca-cert.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Add the --ssl-mode=REQUIRED option to require a secure connection (this is necessary in older versions of the MySQL client, even when --ssl-ca is specified). The client will abort with an error if a secure connection cannot be established, e.g. if the server is misconfigured or an attacker is modifying the connection.
You can use the status command to print connection details. For example:
$ mysql -uroot -h1.2.3.4 --ssl-ca=ca-cert.pem -e 'status'
--------------
mysql Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using EditLine wrapper
Connection id: 13
Current database:
Current user: root@4.5.6.7
SSL: Cipher in use is AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Protocol version: 10
Connection: 1.2.3.4 via TCP/IP
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
--------------
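The status check above can be scripted so that a job fails closed when the session is not encrypted. The following is an added example, not part of the SingleStore documentation: the function names, the wrapper's arguments and the sample status text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: fail closed unless the mysql client's `status` output
# reports an SSL cipher in use.

# Reads `status` output on stdin. Prints the negotiated cipher and returns 0
# when the SSL line names a cipher; returns 1 when the SSL line reports no
# cipher or is missing (for example because the client aborted).
ssl_cipher_from_status() {
    awk '
        /^SSL:/ {
            if (match($0, /Cipher in use is [^ \t]+/)) {
                # Skip the 17-character "Cipher in use is " prefix.
                print substr($0, RSTART + 17, RLENGTH - 17)
                ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }
    '
}

# Hypothetical wrapper: run `status` with the options described on this page
# and refuse to continue if the session is not encrypted.
# Usage: require_tls_session HOST USER CA_FILE
require_tls_session() {
    cipher=$(mysql -h"$1" -u"$2" --ssl-ca="$3" --ssl-mode=REQUIRED -e 'status' \
        | ssl_cipher_from_status) || {
        echo "refusing to continue: session to $1 is not encrypted" >&2
        return 1
    }
    echo "session to $1 encrypted with $cipher"
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_TLS_STATUS='Connection id: 13
SSL: Cipher in use is AES256-SHA
TCP port: 3306'

SAMPLE_PLAIN_STATUS='Connection id: 14
SSL: Not in use
TCP port: 3306'
```

Because the pipeline's exit status comes from the parser, a client that aborts before printing any status output is treated the same as an unencrypted session.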