Connect to SingleStoreDB Cloud using TLS/SSL
To ensure a secure connection to SingleStoreDB Cloud, SQL clients must be properly configured to both require a secure connection and to verify the supplied server certificate. Otherwise, the SQL client will not use TLS/SSL connections to SingleStoreDB Cloud, even if TLS/SSL is enabled on the workspace. This can compromise security and lead to man-in-the-middle attacks, where a would-be attacker can impersonate a server when SSL is disabled, or create a secure connection by impersonating a server using an illegitimate server certificate.
Configure the SingleStoreDB Cloud Connection
These instructions describe how to configure the MySQL command-line client to connect to SingleStoreDB Cloud with a secure connection. SQL clients other than MySQL’s will likely require a different configuration.
1. Download the singlestore_bundle.pem certificate file and save it to your MySQL client machine.
2. When connecting to SingleStoreDB Cloud, be sure to include:
   a. The host shown under the Endpoint from your workspace in the Customer Portal.
   b. Port 3306.
   c. The --default-auth=mysql_native_password option.
   d. The --ssl-ca option, including the path to the singlestore_bundle.pem file. This can be done via command-line option, as in --ssl-ca=/path/singlestore_bundle.pem, or by setting the appropriate option in the configuration files for the MySQL command-line client. Include the --ssl-mode=REQUIRED option when using older versions of the MySQL client, even when the --ssl-ca option is specified.
   e. The --ssl-mode=VERIFY_CA option to verify the certificate.
3. Test the connection to SingleStoreDB Cloud. The MySQL client will abort with an error if a secure connection cannot be established. While this is most likely due to a misconfiguration, it can also be due to a would-be attacker manipulating the secure connection to SingleStoreDB Cloud.

    mysql -u admin -p -h <endpoint-host> -P 3306 \
      --default-auth=mysql_native_password \
      --ssl-ca=./singlestore_bundle.pem \
      --ssl-mode=VERIFY_CA

4. Verify that a secure connection has been established to SingleStoreDB Cloud via the status command.

    mysql -u admin -p -h <endpoint-host> -P 3306 \
      --default-auth=mysql_native_password \
      --ssl-ca=./singlestore_bundle.pem -e 'status' \
      --ssl-mode=VERIFY_CA
    ****
    mysql Ver 14.14 Distrib 5.6.19, for osx10.9 (x86_64) using EditLine wrapper
    Connection id: 13
    Current database:
    Current user: root@yyy.yyy.yyy.yyy
    SSL: Cipher in use is AES256-SHA
    Current pager: stdout
    Using outfile: ''
    Using delimiter: ;
    Server version: 5.5.8 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)
    Protocol version: 10
    Connection: xxx.xxx.xxx.xxx via TCP/IP
    Server characterset: utf8
    Db characterset: utf8
    Client characterset: utf8
    Conn. characterset: utf8
    TCP port: 3306
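
The procedure above can be checked automatically. The following script is an added example, not part of the SingleStore documentation: it audits a MySQL client option file for the ssl-ca and ssl-mode settings and parses status output for the SSL line. The function names, the temporary option file and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SingleStore code): audit client-side TLS settings.

# Print option $2 from the [client] or [mysql] group of option file $1.
# '-' and '_' are interchangeable in option names; the last setting wins.
cnf_value() {
  awk -v want="$2" '
    /^[ \t]*[#;]/ { next }                          # comment line
    /^[ \t]*\[/   { grp = $0; sub(/^[ \t]*\[/, "", grp); sub(/\].*$/, "", grp); next }
    grp == "client" || grp == "mysql" {
      eq = index($0, "="); if (!eq) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/_/, "-", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == want) found = val
    }
    END { print found }' "$1"
}

# Succeed only if the file names a CA bundle AND verifies the certificate.
# REQUIRED encrypts but does not verify, so it fails this audit.
audit_client_cnf() {
  mode=$(cnf_value "$1" ssl-mode | tr '[:lower:]' '[:upper:]')
  ca=$(cnf_value "$1" ssl-ca)
  case "$mode" in
    VERIFY_CA|VERIFY_IDENTITY) ;;   # VERIFY_IDENTITY also checks the host name
    *) echo "ssl-mode='${mode:-unset}' does not verify the server certificate"
       return 1 ;;
  esac
  [ -n "$ca" ] || { echo "ssl-ca is not set"; return 1; }
  echo "ok: ssl-mode=$mode ssl-ca=$ca"
}

# Read `status` output on stdin; print the cipher, fail if TLS is not in use.
status_tls_cipher() {
  sed -n 's/^SSL:[[:space:]]*Cipher in use is \([^[:space:]]*\).*/\1/p' | grep .
}

# Constructed sample input, modelled on the option names and output above.
cnf=$(mktemp)
printf '[client]\nssl-ca=/path/singlestore_bundle.pem\nssl-mode=VERIFY_CA\n' > "$cnf"
audit_client_cnf "$cnf"
printf 'SSL:\t\t\tCipher in use is AES256-SHA\n' | status_tls_cipher
rm -f "$cnf"
```

In a health check, pipe the output of the mysql -e 'status' command from step 4 into status_tls_cipher and treat a non-zero exit as a failed TLS check.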