Connect to SingleStoreDB Cloud using TLS/SSL

To ensure a secure connection to SingleStoreDB Cloud, SQL clients must be configured both to require a secure connection and to verify the supplied server certificate. Otherwise, the SQL client will not use TLS/SSL connections to SingleStoreDB Cloud, even if TLS/SSL is enabled on the workspace. This can compromise security and lead to man-in-the-middle attacks: when SSL is disabled, a would-be attacker can impersonate the server, and when the certificate is not verified, the attacker can create a secure connection while impersonating the server with an illegitimate server certificate.

Configure the SingleStoreDB Cloud Connection

These instructions describe how to configure the MySQL command-line client to connect to SingleStoreDB Cloud with a secure connection. SQL clients other than MySQL’s will likely require a different configuration.

  1. Download the singlestore_bundle.pem certificate file and save it to your MySQL client machine.

  2. When connecting to SingleStoreDB Cloud, be sure to include:

    a. The host shown under the Endpoint from your workspace in the Customer Portal.

    b. Port 3306.

    c. The --default-auth=mysql_native_password option.

    d. The --ssl-ca option, including the path to the singlestore_bundle.pem file. This can be done via a command-line option, as in --ssl-ca=/path/singlestore_bundle.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Include the --ssl-mode=REQUIRED option when using older versions of the MySQL client, even when the --ssl-ca option is specified.

    e. The --ssl-mode=VERIFY_CA option to verify the certificate.

  3. Test the connection to SingleStoreDB Cloud. The MySQL client will abort with an error if a secure connection cannot be established. While this is most likely due to a misconfiguration, it can also be due to a would-be attacker manipulating the secure connection to SingleStoreDB Cloud.

    mysql -u admin -p -h <endpoint-host> -P 3306 \
    --default-auth=mysql_native_password \
    --ssl-ca=./singlestore_bundle.pem \
    --ssl-mode=VERIFY_CA
    
  4. Verify that a secure connection has been established to SingleStoreDB Cloud via the status command.

    mysql -u admin -p -h <endpoint-host> -P 3306 \
    --default-auth=mysql_native_password \
    --ssl-ca=./singlestore_bundle.pem -e 'status' \
    --ssl-mode=VERIFY_CA
    mysql  Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using  EditLine wrapper
    
    Connection id:        13
    Current database:
    Current user:         root@yyy.yyy.yyy.yyy
    SSL:                  Cipher in use is AES256-SHA
    Current pager:        stdout
    Using outfile:        ''
    Using delimiter:      ;
    Server version:       5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
    Protocol version:     10
    Connection:           xxx.xxx.xxx.xxx via TCP/IP
    Server characterset:  utf8
    Db     characterset:  utf8
    Client characterset:  utf8
    Conn.  characterset:  utf8
    TCP port:             3306
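
The check in step 4 can be scripted so that a job stops when the session is not encrypted. The following is an added example, not SingleStore's own code: it parses the status output and succeeds only when the SSL line reports a cipher. The function names and the two sample excerpts are constructed for illustration; "Not in use" is what the MySQL client prints on the SSL line for an unencrypted session.

```shell
#!/bin/sh
# Added example: confirm from `status` output that a mysql session is encrypted.

# Read `status` output on stdin. Print the negotiated cipher and return 0 if
# the SSL line reports one; return 1 if the line is missing or says "Not in use".
tls_cipher_from_status() {
    cipher=$(sed -n 's/^[[:space:]]*SSL:[[:space:]]*Cipher in use is \([^[:space:]]*\).*$/\1/p' | head -n 1)
    [ -n "$cipher" ] || return 1
    printf '%s\n' "$cipher"
}

# Run the step 4 command and gate on the result. Not called below because it
# needs a live workspace. $1 is the endpoint host, $2 the path to
# singlestore_bundle.pem (both supplied by the caller).
check_endpoint_tls() {
    mysql -u admin -p -h "$1" -P 3306 \
        --default-auth=mysql_native_password \
        --ssl-ca="$2" --ssl-mode=VERIFY_CA -e 'status' |
        tls_cipher_from_status
}

# Constructed sample: excerpt of an encrypted session, in the format shown above.
sample_encrypted='Connection id:        13
SSL:                  Cipher in use is AES256-SHA
TCP port:             3306'

# Constructed sample: the same excerpt for a plaintext session.
sample_plaintext='Connection id:        14
SSL:                  Not in use
TCP port:             3306'

# Print a one-line verdict for a labelled status excerpt ($1 label, $2 text).
report() {
    if c=$(printf '%s\n' "$2" | tls_cipher_from_status); then
        echo "$1: encrypted with $c"
    else
        echo "$1: not encrypted"
    fi
}

report encrypted "$sample_encrypted"
report plaintext "$sample_plaintext"
```

A cipher on the SSL line shows only that the session is encrypted. Verification of the server certificate comes from the --ssl-ca and --ssl-mode=VERIFY_CA options used to open the connection.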