Client Configuration for Secure Client Connections
Note
As of SingleStoreDB 8.1, OpenSSL 3.0 is used to establish secure connections to SingleStoreDB. As a consequence, a client certificate whose signature uses SHA-1 or MD5 must be replaced with one signed using SHA-256 or stronger; otherwise a secure connection to SingleStoreDB cannot be established. While SingleStoreDB supports TLS v1, TLS v1.1, and TLS v1.2, TLS v1.2 is recommended: TLS v1 and v1.1 are deprecated and offer weaker protection. When FIPS is enabled, only TLS v1.2 is supported. Refer to Troubleshoot OpenSSL 3.0 Connections for more information.
To ensure secure connections, clients must be configured both to require a secure connection and to verify the server certificate against a trusted CA. Otherwise the client may silently connect without SSL even when SSL is enabled on the SingleStoreDB cluster, and a man-in-the-middle attacker can compromise the session, e.g. by impersonating the server with SSL disabled or by impersonating the server while presenting a different server certificate.
The instructions below describe how to configure the MySQL command-line client to connect to SingleStoreDB with a secure connection. Other clients may need to be configured differently.
Copy ca-cert.pem to your client machine and pass its path with the --ssl-ca option, either on the command line (as in --ssl-ca=path/ca-cert.pem) or through the corresponding option in the configuration files for the MySQL command-line client. Add the --ssl-mode=REQUIRED option to require a secure connection; this is necessary in older versions of the MySQL client even when --ssl-ca is specified. Note that REQUIRED only insists on an encrypted connection. With MySQL client 5.7.11 or later, use --ssl-mode=VERIFY_CA so that the client also rejects a server certificate that does not chain to ca-cert.pem, or --ssl-mode=VERIFY_IDENTITY to additionally check that the host name in the certificate matches the host you connected to. The client will abort with an error if a secure connection cannot be established, e.g. because the server is misconfigured or an attacker is tampering with the connection.
You can use the status command to print connection details. For example:

```
mysql -uroot -h1.2.3.4 --ssl-ca=ca-cert.pem -e 'status'
****
--------------
mysql  Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using  EditLine wrapper

Connection id:          13
Current database:
Current user:           root@4.5.6.7
SSL:                    Cipher in use is AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Protocol version:       10
Connection:             1.2.3.4 via TCP/IP
Server characterset:    utf8
Db characterset:        utf8
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3306
--------------
```

The SSL line is the check that matters: it confirms the connection is encrypted and names the negotiated cipher. If it reads "Not in use", the client has fallen back to a plaintext connection and the configuration above is not taking effect.