Specifying the TLS Version
Warning
SingleStore 9.0 gives you the opportunity to preview, evaluate, and provide feedback on new and upcoming features prior to their general availability. In the interim, SingleStore 8.9 is recommended for production workloads, which can later be upgraded to SingleStore 9.0.
Use the tls_
global variable to specify the TLS versions allowed by the server.
As of SingleStore 8.
To see the current TLS version, run the following command.
SELECT @@tls_version;
+-----------------------+
| @@tls_version |
+-----------------------+
| TLSv1,TLSv1.1,TLSv1.2 |
+-----------------------+
Configuring TLSv1.
Use the ssl_
Client Compatibility Issues
Restricting the available cipher suites used by SingleStore may cause compatibility issues with client applications.
| Supported Cipher Suite | OpenSSL 1. | OpenSSL 3. |
|---|---|---|
| AES128-GCM-SHA256 | ✔ | |
| AES128-SHA | ✔ | |
| AES128-SHA256 | ✔ | |
| AES256-GCM-SHA384 | ✔ | |
| AES256-SHA | ✔ | |
| AES256-SHA256 | ✔ | |
| DHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ |
| DHE-RSA-AES128-SHA | ✔ | |
| DHE-RSA-AES128-SHA256 | ✔ | |
| DHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ |
| DHE-RSA-AES256-SHA | ✔ | |
| DHE-RSA-AES256-SHA256 | ✔ | |
| ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | ✔ |
| ECDHE-ECDSA-AES128-SHA | ✔ | |
| ECDHE-ECDSA-AES128-SHA256 | ✔ | |
| ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | ✔ |
| ECDHE-ECDSA-AES256-SHA | ✔ | |
| ECDHE-ECDSA-AES256-SHA384 | ✔ | |
| ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ |
| ECDHE-RSA-AES128-SHA | ✔ | |
| ECDHE-RSA-AES128-SHA256 | ✔ | |
| ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ |
| ECDHE-RSA-AES256-SHA | ✔ | |
| ECDHE-RSA-AES256-SHA384 | ✔ | |
Refer to Troubleshoot OpenSSL 3.
Note
SingleStore Helios does not force TLS 1.
The following examples demonstrate how you can update the tls_
and ssl_
variables on the nodes by running Toolbox commands.
Toolbox
The following command updates the TLS version to TLSv1.
on all nodes in the cluster.
sdb-admin update-config --key tls_version --value TLSv1.2 --all
Toolbox is about to run 'memsqlctl update-config --key tls_version --value TLSv1.2' on the following nodes:
- On host 127.0.0.1:
+ 27235D3E385B1056478CE11258959592CE49EE82
+ F9F6A7E64946D5D3D1E6F00C175EF00FC240AB97
Would you like to continue? [y/N]: y
✓ Updated configuration on 127.0.0.1
Operation completed successfully
The following command restarts all nodes in the cluster for the new tls_
value to take effect.
sdb-admin stop-node --all
✓ Successfully connected to host 127.0.0.1
Toolbox is about to perform the following actions:
· Stop all nodes in the cluster
Would you like to continue? [y/N]: y
✓ Stopped Master node on 127.0.0.1 (1/1)
✓ Successfully stopped Master node on 1 host
✓ Stopped Master node
✓ Stopped Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully stopped Leaf nodes on 1 host
✓ Stopped Leaf node
Operation completed successfully
sdb-admin start-node --all
Toolbox is about to perform the following actions:
· Start all nodes in the cluster
Would you like to continue? [y/N]: y
✓ Successfully connected to host 127.0.0.1
✓ Started Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully started Leaf nodes on 1 host
✓ Successfully connected to Leaf node
✓ Started Master node on 127.0.0.1 (1/1)
✓ Successfully started Master node on 1 host
✓ Successfully connected to Master node
Operation completed successfully
singlestore -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.5.58 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
No entry for terminal type "xterm-256color";
using dumb terminal settings.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
SELECT @@tls_version;
+---------------+
| @@tls_version |
+---------------+
| TLSv1.2 |
+---------------+
1 row in set (0.01 sec)
The following command updates the ssl_
variable:
sdb-admin update-config --key ssl_cipher --value DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 --all
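Before applying a restricted ssl_cipher value, it helps to confirm that each client host still shares at least one suite with it. The following Python check is an added example, not SingleStore code: it tests the ssl_cipher value from the command above against the OpenSSL build that the local Python client links to. The function names client_offers and compatibility are hypothetical.

```python
import ssl

# ssl_cipher value copied from the sdb-admin update-config command on this page.
PAGE_SSL_CIPHER = (
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
)


def client_offers(suite):
    """Return True if the local OpenSSL build can enable this exact suite name.

    Offline check only: no server is contacted. Assumes explicit suite names
    as in the table above, not cipher-string keywords such as HIGH or !aNULL.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(suite)  # raises SSLError when nothing matches
    except ssl.SSLError:
        return False
    # Match by name so always-on TLS 1.3 suites are not counted as a hit.
    return any(c["name"] == suite for c in ctx.get_ciphers())


def compatibility(server_ssl_cipher):
    """Split a colon-separated ssl_cipher value and test each suite locally."""
    suites = []
    for s in server_ssl_cipher.split(":"):
        s = s.strip()
        if s and s not in suites:
            suites.append(s)
    usable = [s for s in suites if client_offers(s)]
    missing = [s for s in suites if s not in usable]
    # overlap False means this client has no suite in common with the server
    # setting, so a TLSv1.2 handshake would find nothing to negotiate.
    return {"usable": usable, "missing": missing, "overlap": bool(usable)}


if __name__ == "__main__":
    report = compatibility(PAGE_SSL_CIPHER)
    print(ssl.OPENSSL_VERSION)
    for name in report["usable"]:
        print("ok      ", name)
    for name in report["missing"]:
        print("missing ", name)
    if not report["overlap"]:
        raise SystemExit("no shared cipher suite with this ssl_cipher value")
```

Run it on each client host with the interpreter the application uses, since the result depends on the OpenSSL library that interpreter is linked against.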
Last modified: March 8, 2024