ApsaraDB RDS:Enable SSL with a cloud certificate

Last Updated:May 16, 2026

The Secure Sockets Layer (SSL) encryption feature for ApsaraDB RDS for MySQL encrypts data in transit to enhance the security of database connections and meet compliance requirements. By default, SSL encryption is disabled for ApsaraDB RDS for MySQL instances. This topic explains how to enable SSL encryption with a cloud certificate.

Prerequisites

  • SSL encryption is supported on the following MySQL versions: 8.4, 8.0, 5.7, or 5.6.

  • Forced SSL encryption is supported on the following ApsaraDB RDS for MySQL instance versions:

    • MySQL 8.4

    • MySQL 8.0 or 5.7 with a minor engine version of 20241130 or later

Note

  • You can view this information on the Basic Information page of your instance.

  • If you convert a non-serverless Basic Edition instance to a serverless instance, you must re-enable SSL encryption.

  • Some instances that meet the preceding requirements may return an error indicating that SSL is not supported. If this occurs, upgrade the minor engine version and try again.

Overview

SSL encryption encrypts data in transit between an ApsaraDB RDS for MySQL instance and a client to prevent the data from being monitored, intercepted, or tampered with.

After you enable SSL encryption, you can choose to use either an encrypted or a non-encrypted connection to the ApsaraDB RDS for MySQL instance. After you enable forced SSL encryption, you can use only an SSL-encrypted connection from your client or database proxy to the ApsaraDB RDS for MySQL instance.

When you enable SSL encryption, ApsaraDB RDS for MySQL generates a server certificate and a public-private key pair.

When establishing an encrypted connection, the ApsaraDB RDS for MySQL instance sends the server certificate, which contains the public key, to the client. The client uses this public key to encrypt a symmetric key. Only the ApsaraDB RDS for MySQL instance, with its private key, can decrypt this symmetric key. Both parties then use the symmetric key to encrypt and decrypt data, ensuring communication confidentiality. To prevent man-in-the-middle (MITM) attacks, the client can also use a CA certificate to validate the server certificate and confirm the server's authenticity.

The following table compares the SSL encryption configurations that are supported by ApsaraDB RDS for MySQL instances.

| Item | Cloud certificate | Custom certificate |
| --- | --- | --- |
| Method | Configure a cloud certificate for your instance. | Issued by a certificate authority (CA) or self-signed. |
| Validity period | 365 days | Custom |
| Number of protected endpoints | 1 | 1 |
| Function | Enables SSL encryption and allows the client to verify the server's authenticity. | Enables SSL encryption and allows the client to verify the server's authenticity. |

Impacts

  • Enabling or disabling SSL encryption restarts the instance for all versions, which triggers a primary/secondary switchover. We recommend that you perform this operation during off-peak hours and ensure that your application has an automatic reconnection mechanism. For more information about the impacts of an instance switchover, see Impacts of a switchover.

  • When you update the certificate, instances that run MySQL 5.6, 5.7, or 8.4 are restarted. Instances that run MySQL 8.0 are not restarted.

  • After you enable SSL encryption, using encrypted connections significantly increases CPU utilization. We recommend that you enable SSL encryption only when you require encryption for a public endpoint. Internal endpoints are relatively secure and typically do not require encryption.

  • After you enable forced SSL encryption, only SSL-encrypted connections from clients or database proxies are allowed. Non-encrypted connections are rejected.

TLS versions

Transport Layer Security (TLS) is a widely used protocol that ensures the privacy and data integrity of internet communications. The TLS protocol has multiple versions. The following table describes the TLS versions supported by different major versions of ApsaraDB RDS for MySQL.

| ApsaraDB RDS for MySQL version | TLSv1.0 | TLSv1.1 | TLSv1.2 | TLSv1.3 |
| --- | --- | --- | --- | --- |
| 8.4 | Not supported | Not supported | Supported | Supported |
| 8.0 | Supported | Supported | Supported | Supported (since minor engine version 20221231) |
| 5.7 | Supported | Supported | Supported | Not supported |
| 5.6 | Supported | Supported | Supported | Not supported |

Note

TLS 1.0 and TLS 1.1 were deprecated by the Internet Engineering Task Force (IETF) in 2021 (RFC 8996). For security reasons, we recommend that you use TLS 1.2 or later for secure communication.

Default ssl_cipher configuration

ApsaraDB RDS for MySQL uses OpenSSL to implement secure TLS communication. In minor engine version 20230831 for MySQL 5.7 and minor engine version 20230930 for MySQL 8.0, ApsaraDB RDS for MySQL was upgraded to OpenSSL 3.0. By default, OpenSSL 3.0 does not support communication using TLS 1.0 or TLS 1.1. For more information, see the official OpenSSL documentation.

For compatibility, ApsaraDB RDS for MySQL adjusts the default value of the ssl_cipher parameter to "ALL:@SECLEVEL=0" to restore support for TLS 1.0 and TLS 1.1.

If your workloads use only TLS 1.2 or later, we recommend that you set the ssl_cipher parameter to "" (an empty string) in the ApsaraDB RDS console to achieve a higher level of security.

Step 1: Enable SSL encryption

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Data Security.

  3. On the SSL Encryption tab, click the switch next to Disabled.

    Note

    If the SSL tab does not appear, check that your instance meets the requirements in the Prerequisites section.

  4. In the dialog box that appears, select the endpoint for which you want to enable SSL encryption.

    You can encrypt either the internal endpoint or the public endpoint, but you can select only one endpoint.

  5. (Optional) To enable forced SSL encryption, click the switch next to Forceful Encryption.

    Important

    • To enable forced SSL encryption, the instance must run MySQL 8.4, or MySQL 8.0 or 5.7 with a minor engine version of 20241130 or later.

    • After you enable forced SSL encryption, only SSL-encrypted connections from clients or database proxies are allowed. Non-encrypted connections are rejected.

  6. Click OK to enable SSL encryption.

    The process takes about one minute. You can manually refresh the page to view the instance status.

Step 2: Download the CA certificate

After you enable SSL encryption, you can download the CA certificate for the ApsaraDB RDS for MySQL instance. Clients use this certificate to verify the authenticity of the RDS instance.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Data Security. On the SSL tab, click Download CA Certificate.

    The downloaded file is a compressed package that contains the following three CA files:

    • PEM file: suitable for most scenarios.

    • JKS file: suitable for Java applications. The password is apsaradb. A CA certificate in PEM format must typically be imported into a truststore, which means it must be converted to a JKS file before it can be used in Java.

    • p7b file: suitable for a few Windows applications that require PKCS #7 certificate files.

Step 3: Connect from a client

After you enable SSL encryption, whether a client connection is encrypted depends on the client's type and settings. For example, some clients may use encrypted connections by default. You can change the client settings or code to ensure that encrypted connections are established and the identity of the ApsaraDB RDS for MySQL instance is verified.

Important

If you enable forced SSL encryption, only SSL-encrypted connections are allowed between a client and the ApsaraDB RDS for MySQL instance.

CLI

For MySQL client version 5.7.11 or later, you can add the --ssl-mode option to the connection command to configure SSL encryption.

Note

For MariaDB clients and MySQL clients earlier than 5.7.11, use options such as --ssl and --ssl-verify-server-cert. For more information, see the official MariaDB and MySQL documentation.

  • --ssl-mode=DISABLED: The connection is not encrypted.

  • --ssl-mode=PREFERRED or if the --ssl-mode option is not specified: An attempt is made to establish an encrypted connection. If an encrypted connection cannot be established, a non-encrypted connection is used.

  • --ssl-mode=REQUIRED: An encrypted connection is required. If an encrypted connection cannot be established, the connection fails.

  • --ssl-mode=VERIFY_CA: An encrypted connection is required, and the client uses its local CA certificate to verify the server certificate.

  • --ssl-mode=VERIFY_IDENTITY: An encrypted connection is required. The client uses its local CA certificate to verify the server certificate and also verifies that the server hostname or IP address matches the one specified in the certificate.

Example 1: Attempt to establish an encrypted connection. If an encrypted connection cannot be established, use a non-encrypted connection.

mysql -h {RDS_ENDPOINT} -u {RDS_ACCOUNT} -p --ssl-mode=PREFERRED

Example 2: Require an encrypted connection and verify the server certificate.

mysql -h {RDS_ENDPOINT} -u {RDS_ACCOUNT} -p --ssl-mode=VERIFY_CA --ssl-ca={CA_CERTIFICATE_PATH}/ApsaraDB-CA-Chain.pem

Note

  • In the preceding examples, replace {RDS_ENDPOINT}, {RDS_ACCOUNT}, and {CA_CERTIFICATE_PATH} with their actual values.

  • For more information about the --ssl-mode option, see the official MySQL documentation.

MySQL Workbench

  1. Open MySQL Workbench and choose Database > Manage Connections.

  2. Enter the RDS endpoint, username, and password.

  3. On the SSL tab, set Use SSL, specify SSL CA File as the downloaded CA certificate in PEM format, and then click Test Connection or OK.

    The options for the Use SSL parameter correspond to the --ssl-mode options described in the CLI section.

Data Management (DMS)

When you register an ApsaraDB RDS for MySQL instance in Data Management (DMS), you can turn on the Enable SSL switch. For more information, see Register an Alibaba Cloud database instance.

You can also right-click an existing registered instance, choose Edit, and then configure the settings in the Advanced Information tab.

Application code

Java

Connector/J (mysql-connector-java) is the official JDBC driver for MySQL. This example uses mysql-connector-java 8.0.19 as a dependency.

<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>8.0.19</version>
</dependency>

Note

The following sample code uses the sslMode property to specify the SSL mode. This property has been supported since mysql-connector-java 8.0.13. If you use an earlier version, you must use the useSSL, requireSSL, and verifyServerCertificate properties. For more information, see the MySQL documentation.

Sample code:

package com.aliyun.sample;

import com.mysql.cj.jdbc.MysqlDataSource;
import java.sql.Connection;

public class Sample {

    public static void main(String[] args) {
        try {
            MysqlDataSource mysqlDS = new MysqlDataSource();

            // Set sslMode as needed. For options, see the CLI section.
            mysqlDS.setSslMode("VERIFY_IDENTITY");

            // The truststore stores the CA certificate. This example uses JKS format.
            mysqlDS.setTrustCertificateKeyStoreType("JKS");
            // Replace the path after file:/ with the path to your ApsaraDB-CA-Chain.jks file.
            mysqlDS.setTrustCertificateKeyStoreUrl("file:/D:\\ApsaraDB-CA-Chain\\ApsaraDB-CA-Chain.jks");
            // The password for the downloaded JKS file is apsaradb and cannot be changed.
            mysqlDS.setTrustCertificateKeyStorePassword("apsaradb");

            // Your database endpoint
            mysqlDS.setServerName("rm-xxxxxx.mysql.rds.aliyuncs.com");
            // Your database port
            mysqlDS.setPort(3306);
            // Your database account
            mysqlDS.setUser("xxxxxx");
            // Your database password
            mysqlDS.setPassword("xxxxxx");
            // Your database name
            mysqlDS.setDatabaseName("xxxxxx");

            // try-with-resources closes the connection even if an exception is thrown.
            try (Connection conn = mysqlDS.getConnection()) {
                // Use the encrypted connection here.
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}

Python

# Install pymysql: pip install pymysql

import pymysql

# pymysql takes its TLS settings as a dict. ca is the path to the downloaded CA
# certificate; when a CA is given, pymysql verifies the server certificate against it.
# check_hostname=False skips the hostname check, which matches --ssl-mode=VERIFY_CA.
# Leave check_hostname at its default (True) to get --ssl-mode=VERIFY_IDENTITY behavior.
ssl_config = {"ca": "/path/to/path/ca.crt", "check_hostname": False}

conn = None
try:
    conn = pymysql.connect(host='******.mysql.rds.aliyuncs.com', user='*****', password='******', database='*****', ssl=ssl_config)
    with conn.cursor() as cursor:
        cursor.execute('select version()')
        data = cursor.fetchone()
        print('Database version:', data[0])
except pymysql.Error as e:
    print(e)
finally:
    # Close the connection whether or not the query succeeded.
    if conn is not None:
        conn.close()

More Actions

Update a cloud certificate

The cloud certificate for an ApsaraDB RDS for MySQL instance has a validity period of 1 year. If the certificate is not updated after it expires, client applications that use encrypted connections cannot connect to the instance. Before the certificate expires, Alibaba Cloud sends you notifications through emails and internal messages in Message Center.

You can use Schedule Event to customize the automatic update time for the cloud certificate of your ApsaraDB RDS for MySQL instance. For more information, see Scheduled events. You can also manually update the validity period of the certificate.

Note

  • After the cloud certificate is automatically updated, client applications that use encrypted connections do not need to download and configure the CA certificate again.

  • To update a custom certificate, see Update a custom certificate.

Important

Updating the certificate for a MySQL 8.0 instance does not restart the instance. Updating the certificate for a MySQL 5.6, 5.7, or 8.4 instance restarts the instance.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the navigation pane on the left, click Data Security.

  3. Click the SSL tab, and then click Update Expiration Time.

Check connection encryption status

  • Check the cipher suite that is used by the current session. If a value is returned, the current connection is encrypted.

    SHOW STATUS LIKE 'Ssl_cipher';

  • Check the SSL/TLS version that is used by the current session.

    SHOW STATUS LIKE 'Ssl_version';

  • If you use the MySQL command-line client, you can also run the \s command to check whether the current connection is encrypted. If the connection is encrypted, the SSL value that is returned indicates the current cipher suite.
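As an added example that is not part of the original page, the following Python maps the --ssl-mode values from the CLI section onto a standard-library ssl.SSLContext for the pymysql sample in Step 3, and evaluates the Ssl_cipher and Ssl_version values from the checks above so that an application refuses a session that is not encrypted with TLS 1.2 or later. It assumes pymysql 1.0 or later, which accepts a prebuilt SSLContext as the ssl argument; build_tls_context, session_tls_status and connect_verified are names chosen here.

```python
import ssl

# TLS versions the page recommends (TLS 1.0 and 1.1 were deprecated by RFC 8996).
ACCEPTED_TLS_VERSIONS = ("TLSv1.2", "TLSv1.3")


def build_tls_context(mode, ca_path=None):
    """Map an --ssl-mode value that allows only encrypted connections
    (REQUIRED, VERIFY_CA or VERIFY_IDENTITY) onto an ssl.SSLContext."""
    if mode not in ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"):
        raise ValueError("mode must be REQUIRED, VERIFY_CA or VERIFY_IDENTITY")
    if mode != "REQUIRED" and ca_path is None:
        raise ValueError(mode + " needs the downloaded ApsaraDB-CA-Chain.pem")
    ctx = ssl.create_default_context()  # starts as CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never negotiate TLS 1.0/1.1
    if mode == "REQUIRED":
        # Encrypted but unauthenticated: the server certificate is not checked, so
        # a man-in-the-middle goes undetected. Clear check_hostname before CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_verify_locations(cafile=ca_path)
        # VERIFY_CA validates the chain only; VERIFY_IDENTITY also matches the hostname.
        ctx.check_hostname = mode == "VERIFY_IDENTITY"
    return ctx


def session_tls_status(status_rows):
    """Evaluate (name, value) rows from SHOW STATUS LIKE 'Ssl_%': a non-empty
    Ssl_cipher means encrypted; Ssl_version must be an accepted version."""
    status = dict(status_rows)
    cipher = status.get("Ssl_cipher", "")
    version = status.get("Ssl_version", "")
    return {
        "encrypted": cipher != "",
        "cipher": cipher,
        "version": version,
        "policy_ok": cipher != "" and version in ACCEPTED_TLS_VERSIONS,
    }


def connect_verified(host, user, password, database, ca_path, mode="VERIFY_IDENTITY"):
    """Connect with pymysql (assumed 1.0 or later, which accepts a prebuilt SSLContext
    as the ssl argument) and refuse the session unless it meets the TLS policy."""
    import pymysql  # imported here so the module loads without the driver installed
    conn = pymysql.connect(host=host, user=user, password=password, database=database,
                           ssl=build_tls_context(mode, ca_path))
    with conn.cursor() as cur:
        cur.execute("SHOW STATUS LIKE 'Ssl_%'")
        result = session_tls_status(cur.fetchall())
    if not result["policy_ok"]:
        conn.close()
        raise RuntimeError("session is not encrypted with TLS 1.2 or later: %r" % result)
    return conn
```

With forced SSL encryption enabled on the instance, a REQUIRED context still connects but does not authenticate the server; use VERIFY_IDENTITY with the downloaded CA file whenever the client knows the instance endpoint.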

Enforce encrypted connections

Configure the server to allow only encrypted connections

This is supported. For more information, see Step 1: Enable SSL encryption for an ApsaraDB RDS for MySQL instance.

Configure the client to allow only encrypted connections

For example, if you use the command-line client, set the SSL mode to REQUIRED, VERIFY_CA, or VERIFY_IDENTITY in the connection command. This allows only encrypted connections. If an encrypted connection cannot be established, the connection fails.

Configure a specific user to use only encrypted connections

For example, the following command configures the testuser account to use only encrypted connections.

ALTER USER 'testuser'@'%' REQUIRE SSL;

View the content of a CA certificate

Run the following command to view the content of the CA certificate.

openssl x509 -in {path_to_the_CA_certificate}/ApsaraDB-CA-Chain.pem -text

Disable SSL encryption

Important

Disabling SSL encryption restarts your RDS instance. The system performs a primary/secondary switchover to reduce the impact, but you should still perform this operation during off-peak hours.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the navigation pane on the left, click Data Security.

  3. Click the SSL tab.

  4. Turn off the switch next to Enabled. In the message that appears, click OK.

FAQ

Functionality

  • Q1: How do I implement two-way authentication? This means authenticating the client in addition to the server.

    A: ApsaraDB RDS for MySQL does not support client authentication during the SSL handshake. Use allow lists and account management to control access.

  • Q2: How do I encrypt a read/write splitting endpoint?

    A: For more information, see Set up proxy SSL encryption.

  • Q3: How do I disable SSL?

    A: For more information, see Disable SSL encryption.

Troubleshooting

Connection error for Java applications: javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

This error can occur in JDK 7 and JDK 8 if you do not modify the default security settings. Similar errors are also typically caused by Java security settings.

Modify the default JDK security configuration. In the jre/lib/security/java.security file on the application host, change the following two settings:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Both properties are JVM-wide: changing them relaxes the algorithm constraints for every TLS connection that the JVM makes, not only for the connection to the RDS instance.

Connection error for Java applications: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

When you use Connector/J 8.0.18 or earlier to connect to MySQL 5.6 or 5.7, TLS 1.2 and later versions are disabled for compatibility reasons. To resolve this issue, use one of the following methods.

  • Use Connector/J 8.0.19 or a later version.

  • Upgrade to ApsaraDB RDS for MySQL 8.0.

  • Specify the TLS version in your code. For example, set the enabledTLSProtocols or tlsVersions property to TLSv1.2.

Related APIs