Client Configuration for Secure Client Connections

To ensure secure connections, clients must be properly configured to require a secure connection and verify the appropriate server certificate. Otherwise, the client may or may not use SSL to connect to SingleStoreDB even if SSL is enabled on the SingleStoreDBcluster, and man in the middle attacks can compromise security, e.g. an attacker may impersonate a server with SSL disabled or impersonate a server while presenting a different server certificate.

The instructions below describe how to configure the MySQL command-line client to connect to SingleStoreDB with a secure connection. Other clients may need to be configured differently.

Copy ca-cert.pem to your client machine. Specify the path to ca-cert.pem with the --ssl-ca option. This can be given as a command line option, as in --ssl-ca=path/ca-cert.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Add the --ssl-mode=REQUIRED option to require a secure connection (this is necessary in older versions of the MySQL client, even when --ssl-ca is specified). The client will abort with an error if a secure connection cannot be established, e.g. if the server is misconfigured or an attacker is modifying the connection.

You can use the status command to print connection details. For example:

mysql -uroot -h1.2.3.4 --ssl-ca=ca-cert.pem -e 'status'
****
--------------
mysql  Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using  EditLine wrapper

Connection id:      13
Current database:
Current user:       root@4.5.6.7
SSL:            Cipher in use is AES256-SHA
Current pager:      stdout
Using outfile:      ''
Using delimiter:    ;
Server version:     5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Protocol version:   10
Connection:     1.2.3.4 via TCP/IP
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:       3306
--------------