Specifying the TLS Version
On this page
Use the tls_ global variable to specify the TLS versions allowed by the server.
As of SingleStore 8.
To see the current TLS version, run the following command.
SELECT @@tls_version;
+-----------------------+
| @@tls_version |
+-----------------------+
| TLSv1,TLSv1.1,TLSv1.2 |
+-----------------------+
Configuring TLSv1.
Use the ssl_
Client Compatibility Issues
Restricting the available cipher suites used by SingleStore may cause compatibility issues with client applications.
|
Supported Cipher Suite |
OpenSSL 1. |
OpenSSL 3. |
|
AES128-GCM-SHA256 |
✔ |
|
|
AES128-SHA |
✔ |
|
|
AES128-SHA256 |
✔ |
|
|
AES256-GCM-SHA384 |
✔ |
|
|
AES256-SHA |
✔ |
|
|
AES256-SHA256 |
✔ |
|
|
DHE-RSA-AES128-GCM-SHA256 |
✔ |
✔ |
|
DHE-RSA-AES128-SHA |
✔ |
|
|
DHE-RSA-AES128-SHA256 |
✔ |
|
|
DHE-RSA-AES256-GCM-SHA384 |
✔ |
✔ |
|
DHE-RSA-AES256-SHA |
✔ |
|
|
DHE-RSA-AES256-SHA256 |
✔ |
|
|
ECDHE-ECDSA-AES128-GCM-SHA256 |
✔ |
✔ |
|
ECDHE-ECDSA-AES128-SHA |
✔ |
|
|
ECDHE-ECDSA-AES128-SHA256 |
✔ |
|
|
ECDHE-ECDSA-AES256-GCM-SHA384 |
✔ |
✔ |
|
ECDHE-ECDSA-AES256-SHA |
✔ |
|
|
ECDHE-ECDSA-AES256-SHA384 |
✔ |
|
|
ECDHE-RSA-AES128-GCM-SHA256 |
✔ |
✔ |
|
ECDHE-RSA-AES128-SHA |
✔ |
|
|
ECDHE-RSA-AES128-SHA256 |
✔ |
|
|
ECDHE-RSA-AES256-GCM-SHA384 |
✔ |
✔ |
|
ECDHE-RSA-AES256-SHA |
✔ |
|
|
ECDHE-RSA-AES256-SHA384 |
✔ |
Refer to Troubleshoot OpenSSL 3.
Note
SingleStore Helios does not force TLS 1.
The following examples demonstrate how you can update the tls_ and ssl_ variables on the nodes by running Toolbox commands.
Toolbox
The following command updates the TLS version to TLSv1. on all nodes in the cluster.
sdb-admin update-config --key tls_version --value TLSv1.2 --all
Toolbox is about to run 'memsqlctl update-config --key tls_version --value TLSv1.2' on the following nodes:
- On host 127.0.0.1:
+ 27235D3E385B1056478CE11258959592CE49EE82
+ F9F6A7E64946D5D3D1E6F00C175EF00FC240AB97
Would you like to continue? [y/N]: y
✓ Updated configuration on 127.0.0.1
Operation completed successfullyThe following command restarts all nodes in the cluster for the new tls_ value to take effect.
sdb-admin stop-node --all
✓ Successfully connected to host 127.0.0.1
Toolbox is about to perform the following actions:
· Stop all nodes in the cluster
Would you like to continue? [y/N]: y
✓ Stopped Master node on 127.0.0.1 (1/1)
✓ Successfully stopped Master node on 1 host
✓ Stopped Master node
✓ Stopped Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully stopped Leaf nodes on 1 host
✓ Stopped Leaf node
Operation completed successfullysdb-admin start-node --all
Toolbox is about to perform the following actions:
· Start all nodes in the cluster
Would you like to continue? [y/N]: y
✓ Successfully connected to host 127.0.0.1
✓ Started Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully started Leaf nodes on 1 host
✓ Successfully connected to Leaf node
✓ Started Master node on 127.0.0.1 (1/1)
✓ Successfully started Master node on 1 host
✓ Successfully connected to Master node
Operation completed successfullysinglestore -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.5.58 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
No entry for terminal type "xterm-256color";
using dumb terminal settings.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.SELECT @@tls_version;
+---------------+
| @@tls_version |
+---------------+
| TLSv1.2 |
+---------------+
1 row in set (0.01 sec)The following command updates the ssl_ variable:
sdb-admin update-config --key ssl_cipher --value DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 --all
Last modified: March 8, 2024