This is the pymysql code I am using to connect to the database. I am testing with an AWS RDS Mysql instance with Mysql verison 5.7.22. I am getting the certificate from https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
pymysql.connect(secret_dict['host'], user=secret_dict['username'],
passwd=secret_dict['password'], port=port, db=dbname,
connect_timeout=5, ssl={'ca': './rds-combined-ca-bundle.pem'})
This code works with my test database with the user with ssl enabled and the user wo ssl enabled. - (Via ALTER USER 'encrypted_user'#'%' REQUIRE SSL; )
My question is is this pymysql behavior that I am seeing true of any MySQL verison database or documented anywhere? The behavior I am referring to is that if you add the ssl option to the connect call, it should work (successful connection) regardless or not the actual user has SSL required on it. I prefer not to test with every Mysql version :)
From taking a look at the pymysql code, what it seems to do is check if there are any ssl parameters associated with the request, adds it to an ssl map, and then creates a ctx_object from that ssl map and uses that ctx_ object when initializing a socket with the database.
Just found this on the Mysql 7 documentation guide
"On the server side, the --ssl option specifies that the server permits but does not require encrypted connections. This option is enabled by default, so it need not be specified explicitly."
"By default, MySQL client programs attempt to establish an encrypted connection if the server supports encrypted connections, with further control available through the --ssl-mode option:"
"In the absence of an --ssl-mode option, clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established. This is also the behavior with an explicit --ssl-mode=PREFERRED option."
"PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified."
So I believe what's happening is that pymysql doesn't specify the ssl-mode option so the ssl client side mode being used is PREFERRED which means that the client(pymysql) will try to establish an ssl connection(which I think fails because the user doesn't require it) and then fallback to the unencrypted connection which will be successful.
Related
I've set up MySQL to be accessible by TLS authenticated connections only. However, when attempting to access the connection to the server,
having specified the [client] connection in .my.cnf on the client the connection fails to use them to authenticate
but if they are not specified in /my.cnf but just dumped (as they were before) in /etc/ssl/certs/ then the connection picks them up.
The guide I've been working through is https://openvpn.net/vpn-server-resources/configuration-database-management-and-backups/#create-ssl-connection-to-mysql using the on-prem stream. However to test it explicitly I've been connecting from the host at the command line. I've been consulting https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
I've confirmed that the connection uses the certificates using \s in MySQL from the connection at the command line. However I don't know how I can force the certificates to be the specified ones in .my.cnf, to make the deployment explicit. So the question is explicitly: Why is MySQL picking up the certificates automatically yet can't when they are specified in .my.cnf.
I have given a mysql user that has SSL capability. DBA said that there should be no changes on application level since it is a user configuration.
While I can use the said user in MySQL Workbench, I can't use it in the Spring Boot application.
Will there be any changes in the connection string when using this SSL-enabled user? Or is it really possible to use the server side certificate?
Connection string is: jdbc:mysql://host:port/schema?autoReconnect=true&verifyServerCertificate=false&useSSL=false&requireSSL=false&zeroDateTimeBehavior=convertToNull
I have managed to have turned on SSL connection (require_secure_transport=ON) on MySQL server 5.7. It works fine for both remote and localhost users. However, I don't want the localhost users connected via SSL connection. However can I exempt the local user from the SSL requirement? thanks
I believe the only way to do this would be to update the global configuration to require_secure_transport=OFF and then for every remote user set REQUIRE SSL flag. Essentially switching to an opt-in type of setup for SSL.
The issue with this is you'd have to remember to add this flag every time you add a new remote user, and could easily be forgotten. May be safer bet to resolve any issues with connecting over SSL locally instead.
I have successfully setup my MySQL server to support SSL connections I'm just wondering if I need to copy client certs to each other server I want to connect to it OR if I can get away with just specifying:
[client]
ssl-cipher = DHE-RSA-AES256-SHA:AES128-SHA
All I need to do is encrypt the traffic between servers (sitting in EC2) and the MySQL server elsewhere, so I don't think I need to send certs out left, right and centre... Or am I wrong?
If I can get away with doing this, what are the implications of not going the whole hog and specifying the client certs too? Is there any reasonable real-world risk to NOT specifying a full set of client certs to the mysql client program?
It appears that specification of JUST the ssl-cipher option is enough to secure the connection between a client and an SSL enabled MySQL Server (If anyone else out there knows any different please let me know).
Tests using TCPdump to monitor traffic show clear text commands being sent as expected when a user not requiring SSL connects to the server, but once the server is setup to accept SSL connections, if you connect with a user that requires SSL specifiying only ssl-cipher these plain text commands are encrypted within the packets i.e. they can't be seen.
Is there a way to set up a ColdFusion data source to connect to a MySQL server over a secure connection using SSL?
I don't see any obvious option to enable a SSL connection on the data source in CF administrator.
The only option I can think of is to use the "connection string" field.
This is for a current configuration that is set up. We have other options, but I am curious as to if this is possible. Thanks.
You would need to use the "other" option in the Drivers dropdown and build your own connection string. Here's an article I found on SSL for MySQL through JDBC drivers: http://www.razorsql.com/articles/mysql_ssl_jdbc.html
UPDATE: Here is another article with information on connecting via SSL and updating the keystore with certificate data. There is also some good content in the comments of the page: http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-using-ssl.html