The SSL encryption feature of ApsaraDB RDS for MySQL is used to encrypt data in transit. This feature is suitable for scenarios that require connection security and compliance. By default, the SSL encryption feature is disabled for ApsaraDB RDS for MySQL instances.
Prerequisites
Your RDS instance runs one of the following MySQL versions and RDS editions:
MySQL 8.0, MySQL 5.7, or MySQL 5.6 on RDS High-availability Edition
MySQL 8.0 or MySQL 5.7 on RDS Cluster Edition
MySQL 8.0 or MySQL 5.7 on RDS Basic Edition
You can go to the Basic Information page of the RDS instance to view the preceding information.
If you change the billing method of a non-serverless RDS instance that runs RDS Basic Edition to serverless, you must enable the SSL encryption feature again.
If your RDS instance meets the preceding requirements but an error message indicating that the SSL encryption feature is not supported is still displayed, you can update the minor engine version of the RDS instance. For more information, see Update the minor engine version.
Feature description
The SSL encryption feature can be used to encrypt data that is transmitted between ApsaraDB RDS for MySQL instances and clients. This prevents data from being monitored, intercepted, or tampered with by third parties.
After the SSL encryption feature is enabled, you can connect your client to your RDS instance over SSL-encrypted or non-SSL-encrypted connections.
When you enable the SSL encryption feature for your RDS instance, a server certificate, a public key, and a private key are generated.
When an encrypted connection is established, the system sends the server certificate, including the public key, to the client. The client encrypts the generated symmetric key by using the received public key. Then, the system uses the private key to decrypt the symmetric key. This way, the RDS instance and the client use the symmetric key to encrypt and decrypt data. This ensures the confidentiality of communication. The client can also use the certificate authority (CA) certificate to verify the received server certificate to confirm the identity of the RDS instance and prevent man-in-the-middle attacks.
The following table provides a comparison of the SSL encryption configurations and benefits among various certificates.
Item | ||
Method to obtain | Issued by Alibaba Cloud. | Issued by a certification authority (CA) or from a self-signed certificate. |
Validity period | 365 days. | Customized. |
Number of protected endpoints | 1 | 1 |
Purpose | Used to enable SSL encryption and used by the client to authenticate the server. | Used to enable SSL encryption and used by the client to authenticate the server. |
Impacts
If you enable the SSL encryption feature, disable the SSL encryption feature, or update the SSL certificates, the RDS instance restarts, and a primary/secondary switchover is triggered. We recommend that you perform the operations during off-peak hours. Make sure that your application is configured to automatically reconnect to the RDS instance. You can modify the code of your application to enable automatic reconnection. If you update the SSL certificates for an RDS instance that runs MySQL 5.6 or MySQL 5.7, the RDS instance restarts. If you update the SSL certificates for an RDS instance that runs MySQL 8.0, the RDS instance does not restart. For more information about the impacts of an instance switchover, see Impacts of an instance switchover.
After you enable the SSL encryption feature, encrypted connections significantly increase CPU utilization. We recommend that you enable the SSL encryption feature only if you need to encrypt the connections to the public endpoint of your RDS instance.
TLS versions
Transport Layer Security (TLS) is a widely used transport-layer security protocol that ensures the data privacy and security of Internet communication. Multiple TLS versions are available. The TLS versions that are supported by ApsaraDB RDS for MySQL instances vary based on the major engine versions of the RDS instances.
Major engine version | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 |
8.0 | Supported | Supported | Supported | Supported (From the minor engine version of 20221231) |
5.7 | Supported | Supported | Supported | Not supported |
5.6 | Supported | Supported | Supported | Not supported |
TLSv1.0 and TLSv1.1 have been deprecated by the Internet Engineering Task Force (IETF) in 2021. To ensure data security, we recommend that you use TLSv1.2 or later. For more information, see RFC 8996.
ssl_cipher configuration
ApsaraDB RDS for MySQL uses OpenSSL for TLS to provide secure communication. OpenSSL is upgraded to OpenSSL 3.0 for RDS instances that run MySQL 5.7 and a minor engine version of 20230831 and RDS instances that run MySQL 8.0 and a minor engine version of 20230930. By default, OpenSSL 3.0 no longer supports communication over TLSv1.0 and TLSv1.1. For more information, see OpenSSL documentation.
To ensure data compatibility in ApsaraDB RDS for MySQL, the value of the ssl_cipher parameter is changed to "ALL:@SECLEVEL=0"
to support TLSv1.0 and TLSv1.1.
If your workloads use only TLSv1.2 or later, we recommend that you set the ssl_cipher parameter to an empty string (""
) in the ApsaraDB RDS console to ensure higher security.
Step 1: Enable the SSL encryption feature for an RDS instance
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the SSL tab of the page that appears, turn on the switch to the right of Disabled.
NoteIf the SSL tab does not appear, you must check whether the RDS instance meets all requirements in Prerequisites.
In the dialog box that appears, select the endpoint that you want to protect and click OK.
You can encrypt the connections to the internal or public endpoint based on your business requirements. You can encrypt the connections only to one endpoint.
Wait for approximately 1 minute for the process to enable the SSL encryption feature to complete. You can refresh the page to view the status of the feature.
Step 2: Download the CA certificate
After you configure the cloud certificate, the RDS instance provides a server CA certificate for you to download. When you connect to the RDS instance from a client, you can use the server CA certificate to authenticate the RDS instance.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane of the page that appears, click Data Security. On the SSL tab, click Download CA Certificate.
The file that you downloaded is a package that contains the following files:
PEM file: suitable for most scenarios.
JKS file: suitable for Java applications. In most cases, the PEM-formatted CA certificate file must be imported to a truststore for conversion into a JKS file. You can use the JKS file in Java applications. The password of the file is apsaradb.
P7B file: suitable for a small number of Windows applications that require PKCS#7-formatted certificate files.
Step 3: Connect to the RDS instance from the database client
After you enable the SSL encryption feature, the type and settings of the client determine whether to encrypt the connections between the client and the RDS instance. For example, the connections from the client to the RDS instance may be encrypted by default. You can modify the settings or code of the client to enable connection encryption and verify the identity of the RDS instance.
CLI
For clients that run MySQL 5.7.11 or later, you can add the --ssl-mode option to the connection command to configure the SSL encryption feature.
For clients that run MySQL versions earlier than MySQL 5.7.11 and MariaDB clients, you can use options such as --ssl and --ssl-verify-server-cert to configure the SSL encryption feature. For more information, see official MariaDB and MySQL documentation.
If the --ssl-mode option is set to DISABLED, connections are not encrypted.
If the -- ssl-mode option is set to PREFERRED or if the option is not used, the system attempts to establish encrypted connections. If the attempt fails, unencrypted connections are established.
If the -- ssl-mode option is set to REQUIRED, only encrypted connections are allowed. If the connections cannot be encrypted, the connections fail to be established.
If the -- ssl-mode option is set to VERIFY_CA, only encrypted connections are allowed, and the CA certificate on the on-premises device must be used to check whether the server certificate is valid.
If the -- ssl-mode option is set to VERIFY_IDENTITY, only encrypted connections are allowed, and the CA certificate on the on-premises device must be used to check whether the server certificate is valid and whether the hostname or IP address of the server certificate matches the hostname or IP address of the actual connection.
Example 1: The system attempts to establish encrypted connections. If the attempt fails, unencrypted connections are established.
mysql -h {Endpoint of the RDS instance} -u {Account of the RDS instance} -p --ssl-mode=PREFERRED
Example 2: Encrypted connections are required, and the validity of the server certificate must be verified.
mysql -h {Endpoint of the RDS instance} -u {Account of the RDS instance} -p --ssl-mode=VERIFY_CA --ssl-ca={Path to the CA certificate}/ApsaraDB-CA-Chain.pem
You must configure the Endpoint of the RDS instance, Account of the RDS instance, and Path to the CA certificate parameters based on your business requirements.
For more information about the --ssl-mode option, see MySQL documentation.
MySQL Workbench
Start MySQL Workbench and choose
.Enter the username and password of the account and the endpoint that are used to connect to the RDS instance.
On the SSL tab, configure the Use SSL parameter, set the SSL CA File parameter to the downloaded PEM-formatted CA certificate, and then click Test Connection or OK.
For more information about the options of the Use SSL parameter, see the description of the --ssl-mode option in the "CLI" section of this topic.
DMS
When you register the RDS instance with Data Management (DMS), you can configure the Enable SSL parameter. For more information, see Register an Alibaba Cloud database instance.
You can also right-click an instance, select Edit, and then configure the Enable SSL parameter in the Advanced Information section.
Application code
Java
MySQL Connector/J (mysql-connector-java) is the official JDBC driver for MySQL. In this example, mysql-connector-java 8.0.19 is used as the dependency.
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.19</version>
</dependency>
The following code provides an example on how to use the sslMode property to specify the SSL mode. The property is supported from mysql-connector-java 8.0.13. If you use an earlier version, you must use the useSSL, requireSSL, and verifyServerCertificate properties. For more information, see MySQL documentation.
Sample code:
package com.aliyun.sample;
import com.mysql.cj.jdbc.MysqlDataSource;
import java.sql.Connection;
import java.sql.SQLException;
public class Sample {
public static void main(String[] args) {
Connection conn = null;
MysqlDataSource mysqlDS=null;
try{
mysqlDS = new MysqlDataSource();
//You can specify the sslMode property based on your business requirements. For more information about the options for this property, see the description in the "CLI" section of this topic.
mysqlDS.setSslMode("VERIFY_IDENTITY");
//The truststore is used to store the CA certificate. In this example, the truststore type is set to JKS.
mysqlDS.setTrustCertificateKeyStoreType("JKS");
//You must replace the content following file:/ with the actual path to your ApsaraDB-CA-Chain.jks file.
mysqlDS.setTrustCertificateKeyStoreUrl("file:/D:\\ApsaraDB-CA-Chain\\ApsaraDB-CA-Chain.jks");
//The password of the downloaded JKS file is fixed as apsaradb.
mysqlDS.setTrustCertificateKeyStorePassword("apsaradb");
//The endpoint of your RDS instance.
mysqlDS.setServerName("rm-xxxxxx.mysql.rds.aliyuncs.com");
//The port number of your RDS instance.
mysqlDS.setPort(3306);
//The username of the account that is used to connect to your RDS instance.
mysqlDS.setUser("xxxxxx");
//The password of the account that is used to connect to your RDS instance.
mysqlDS.setPassword("xxxxxx");
//The name of the database that you want to connect on your RDS instance.
mysqlDS.setDatabaseName("xxxxxx");
conn = mysqlDS.getConnection();
}catch(Exception e){
e.printStackTrace();
} finally {
try {
if (conn != null)
conn.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
}
Python
# Run the pip install pymysql command to install PyMySQL.
import pymysql
try:
ssl_config = {"ca":"/path/to/path/ca.crt", "mode":"VERIFY_CA"} # You must set ca to the path to the certificate and mode to the SSL mode that you use.
conn = pymysql.connect(host='******.mysql.rds.aliyuncs.com', user='*****', passwd='******', db='*****', ssl=ssl_config)
cursor = conn.cursor()
cursor.execute('select version()')
data = cursor.fetchone()
print('Database version:', data[0])
cursor.close()
except pymysql.Error as e:
print(e)
What to do next
Update a cloud certificate
The cloud certificate of an RDS instance is valid for one year. If you do not update the cloud certificate after the certificate expires, the client that uses encrypted connections cannot connect to the RDS instance. If the cloud certificate is about to expire, Alibaba Cloud notifies you by email or internal message and automatically updates the certificate within a specific period of time. You can specify the time to update the cloud certificate in the Schedule Event dialog box. For more information, see Manage scheduled events. You can also perform the following operations to manually update a server certificate.
After the cloud certificate is automatically updated, the client that uses encrypted connections can connect to the database without the need to download or configure the CA certificate again.
For more information about how to update a custom certificate, see Update the created custom certificate.
If you update a certificate for an RDS instance that runs MySQL 8.0, the instance does not restart. If you update a certificate for an RDS instance that runs MySQL 5.6 or MySQL 5.7, the instance restarts.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the page that appears, click the SSL tab. Then, click Update Expiration Time.
View the details about connection encryption
View the cipher suite that is used by the current session. If the return value is not empty, the current connection is encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
View the SSL or TLS version that is used by the current session.
SHOW STATUS LIKE 'Ssl_version';
If you use a MySQL command-line tool, you can run the
\s
command to check whether the current connection is encrypted. If the current connection is encrypted, the SSL value in the command output indicates the cipher suite that is used by the current connection.
Forcefully use encrypted connections
Configure your server to use only encrypted connections
This operation is not supported.
Configure your client to use only encrypted connections
In this example, a command-line tool is used. In the connection command, set the SSL mode to REQUIRED, VERIFY_CA, or VERIFY_IDENTITY to use only encrypted connections. If the connections cannot be encrypted, the connections fail to be established.
Configure specific users to use only encrypted connections
In this example, the testuser user is configured to use only encrypted connections.
ALTER USER 'testuser'@'%' REQUIRE SSL;
View the content of the CA certificate
Run the following command to view the content of the CA certificate:
openssl x509 -in {Path to the CA certificate}/ApsaraDB-CA-Chain.pem -text
Disable the SSL encryption feature
If you disable the SSL encryption feature, your RDS instance restarts. In this case, the system triggers a primary/secondary switchover to reduce the impacts on your workloads. We recommend that you disable the SSL encryption feature during off-peak hours.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Data Security.
On the page that appears, click the SSL tab.
Turn off SSL Encryption. In the message that appears, click OK.
FAQ
Features
How do I implement mutual authentication that verifies the identities of the server and client?
In ApsaraDB RDS for MySQL, the client identity cannot be verified during an SSL handshake. You can use whitelists and account management to implement access control.
How do I configure SSL encryption for the read/write splitting endpoint?
For more information, see Configure SSL encryption for a database proxy endpoint.