MySQL Forums
Forum List  »  Security

Re: SSL connection validation
Posted by: Georgi Kodinov
Date: August 11, 2016 09:36AM

Luke,

Ssl_client_connects is tracking the outgoing TLS sessions (e.g. the server connecting to a replication master).
But ssl_accepts should be increasing for each successful TLS connection to the server.

Thus I must assume the AWS RDS MySQL clone is playing tricks on you.

Can you please download a real mysql server from dev.mysql.com and try with that ?

Yes, you are supposed to be able to connect to a TLS enabled server even if you don't have keys configured at the client.

This will get you an encrypted connection, but it won't be guaranteed against e.g. Man-in-the-middle attack since there'll be no certificate verification possible due to the client not using any certificates to either verify the server's certificate signatures or to supply a certificate to the server so it can verify them.

Both the mysql server and the mysql connectors can enforce certificate verification.
The server can enforce certificate verification for client connections to particular user accounts via CREATE|ALTER USER ... REQUIRE options.
The client (at least the 5.7+ libmysql based ones) can enforce server certificate verification through the --ssl-mode parameter.

The best way to check if your current connection is encrypted is by looking at the Ssl_cipher status variable. It should not be empty for encrypted connections.

Again the AWS mysql clone can be adding its own deviations to the above functionality as exposed by the MySQL server.

Options: ReplyQuote


Subject
Views
Written By
Posted
2249
August 08, 2016 02:12PM
Re: SSL connection validation
1208
August 11, 2016 09:36AM


Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.