All Products
Search
Document Center

ApsaraDB RDS:Configure the SSL encryption feature

Last Updated:May 31, 2024

The SSL encryption feature of ApsaraDB RDS for MySQL is used to encrypt data in transit. This feature is suitable for scenarios that require connection security and compliance.

Prerequisites

Your RDS instance runs one of the following MySQL versions and RDS editions:

  • MySQL 8.0, MySQL 5.7, or MySQL 5.6 on RDS High-availability Edition

  • MySQL 8.0 or MySQL 5.7 on RDS Cluster Edition

  • MySQL 8.0 or MySQL 5.7 on RDS Basic Edition

  • MySQL 8.0, MySQL 5.7, or MySQL 5.6 on RDS Enterprise Edition

Note
  • You can go to the Basic Information page of the RDS instance to view the preceding information.

  • If you want to change the billing method of a non-serverless RDS instance that runs RDS Basic Edition to serverless, you must enable the SSL encryption feature again.

  • If your RDS instance meets the preceding requirements but you still receive an error message indicating that the SSL encryption feature is not supported, you can update the minor engine version of the RDS instance. For more information, see Update the minor engine version.

Feature description

The SSL encryption feature can be used to encrypt data that is transmitted between ApsaraDB RDS for MySQL instances and clients. This prevents data from being monitored, intercepted, or tampered with by third parties.

After the SSL encryption feature is enabled, you can connect your client to your RDS instance over SSL-encrypted or non-SSL-encrypted connections.

When you enable the SSL encryption feature for your RDS instance, a server certificate, a public key, and a private key are generated.

When an encrypted connection is established, the system sends the server certificate, including the public key, to the client. The client encrypts the generated symmetric key by using the received public key. Then, the system uses the private key to decrypt the symmetric key. This way, the RDS instance and the client use the symmetric key to encrypt and decrypt data. This ensures the confidentiality of communication. The client can also use the certificate authority (CA) certificate to verify the received server certificate to confirm the identity of the RDS instance and prevent man-in-the-middle attacks.

Impacts

  • If you enable the SSL encryption feature, disable the SSL encryption feature, or update the SSL certificates, the RDS instance restarts, and a primary/secondary switchover is triggered. We recommend that you perform the operations during off-peak hours. Make sure that your application is configured to automatically reconnect to the RDS instance. You can modify the code of your application to enable automatic reconnection. If you update the SSL certificates for an RDS instance that runs MySQL 5.6 or MySQL 5.7, the RDS instance restarts. If you update the SSL certificates for an RDS instance that runs MySQL 8.0, the RDS instance does not restart. For more information about the impacts of primary/secondary switchovers, see Impacts of primary/secondary switchovers.

  • After you enable the SSL encryption feature, encrypted connections significantly increase CPU utilization. We recommend that you enable the SSL encryption feature only if you need to encrypt the connections to the public endpoint of your RDS instance.

TLS versions

Transport Layer Security (TLS) is a widely used transport-layer security protocol that ensures the data privacy and security of Internet communication. Multiple TLS versions are available. The TLS versions that are supported by ApsaraDB RDS for MySQL instances vary based on the major engine versions of the RDS instances.

Major engine version

TLSv1.0

TLSv1.1

TLSv1.2

TLSv1.3

8.0

Supported

Supported

Supported

Supported

(From the minor engine version of 20221231)

5.7

Supported

Supported

Supported

Unsupported

5.6

Supported

Supported

Supported

Unsupported

Note

TLSv1.0 and TLSv1.1 have been deprecated by the Internet Engineering Task Force (IETF) in 2021. To ensure data security, we recommend that you use TLSv1.2 or later. For more information, see RFC 8996.

ssl_cipher configuration

ApsaraDB RDS for MySQL uses OpenSSL for TLS to provide secure communication. OpenSSL is upgraded to OpenSSL 3.0 for RDS instances that run MySQL 5.7 and a minor engine version of 20230831 and RDS instances that run MySQL 8.0 and a minor engine version of 20230930. By default, OpenSSL 3.0 no longer supports communication over TLSv1.0 and TLSv1.1. For more information, see OpenSSL documentation.

To ensure data compatibility in ApsaraDB RDS for MySQL, the value of the ssl_cipher parameter is changed to "ALL:@SECLEVEL=0" to support TLSv1.0 and TLSv1.1.

If your workloads use only TLSv1.2 or later, we recommend that you set the ssl_cipher parameter to an empty string ("") in the ApsaraDB RDS console to ensure higher security.

Step 1: Enable the SSL encryption feature for an RDS instance

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the SSL tab of the page that appears, turn on the switch to the right of Disabled.

    Note

    If the SSL tab does not appear, you must check whether the RDS instance meets all requirements in Prerequisites.

  4. In the dialog box that appears, select the endpoint that you want to protect and click OK.

    You can encrypt the connections to the internal or public endpoint based on your business requirements. You can encrypt the connections only to one endpoint.

  5. The process to enable the SSL encryption feature requires approximately 1 minute to complete. You can refresh the page to view the status of the feature.

Step 2: Download the CA certificate

If you do not want to use the CA certificate, you can use the SSL encryption feature to encrypt the connections to the RDS instance. We recommend that you download and use the CA certificate. You can use the CA certificate to verify the server certificate that is received during an SSL handshake. This helps confirm the identity of the RDS instance and prevent man-in-the-middle attacks.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the SSL tab of the page that appears, click Download CA Certificate.

    The file that you downloaded is a package that contains the following files:

    • PEM file: suitable for most scenarios.

    • JKS file: suitable for Java applications. In most cases, the PEM-formatted CA certificate file must be imported to a truststore for conversion into a JKS file. You can use the JKS file in Java applications. The password of the file is apsaradb.

    • P7B file: suitable for a small number of Windows applications that require PKCS#7-formatted certificate files.

Step 3: Connect to the RDS instance from the database client

After you enable the SSL encryption feature, the type and settings of the client determine whether to encrypt the connections between the client and the RDS instance. For example, the connections from the client to the RDS instance may be encrypted by default. You can modify the settings or code of the client to enable connection encryption and verify the identity of the RDS instance.

Command-line tool

For clients that run MySQL 5.7.11 or later, you can add the --ssl-mode option to the connection command to configure the SSL encryption feature.

Note

For clients that run MySQL versions earlier than MySQL 5.7.11 and MariaDB clients, you can use options such as --ssl and --ssl-verify-server-cert to configure the SSL encryption feature. For more information, see official MariaDB and MySQL documentation.

  • If the --ssl-mode option is set to DISABLED, connections are not encrypted.

  • If the -- ssl-mode option is set to PREFERRED or if the option is not used, the system attempts to establish encrypted connections. If the attempt fails, unencrypted connections are established.

  • If the -- ssl-mode option is set to REQUIRED, only encrypted connections are allowed. If the connections cannot be encrypted, the connections fail to be established.

  • If the -- ssl-mode option is set to VERIFY_CA, only encrypted connections are allowed and the CA certificate on the on-premises device must be used to check whether the server certificate is valid.

  • If the -- ssl-mode option is set to VERIFY_IDENTITY, only encrypted connections are allowed, and the CA certificate on the on-premises device must be used to check whether the server certificate is valid and whether the hostname or IP address of the server certificate matches the hostname or IP address of the actual connection.

Example 1: The system attempts to establish encrypted connections. If the attempt fails, unencrypted connections are established.

mysql -h {Endpoint of the RDS instance} -u {Account of the RDS instance} -p --ssl-mode=PREFERRED

Example 2: Encrypted connections are required, and the validity of the server certificate must be verified.

mysql -h {Endpoint of the RDS instance} -u {Account of the RDS instance} -p --ssl-mode=VERIFY_CA --ssl-ca={Path to the CA certificate}/ApsaraDB-CA-Chain.pem
Note
  • You must configure the Endpoint of the RDS instance, Account of the RDS instance, and Path to the CA certificate parameters based on your business requirements.

  • For more information about the --ssl-mode option, see MySQL documentation.

MySQL Workbench

  1. Start MySQL Workbench and choose Database > Manage Connections.

  2. Enter the username and password of the account and the endpoint that are used to connect to the RDS instance.

  3. On the SSL tab, configure the Use SSL parameter, set the SSL CA File parameter to the downloaded PEM-formatted CA certificate, and then click Test Connection or OK.

    For more information about the options of the Use SSL parameter, see the description of the --ssl-mode option in the "Command-line tool" section of this topic.

DMS

When you register the RDS instance with Data Management (DMS), you can configure the Enable SSL parameter. For more information, see Register an Alibaba Cloud database instance.

You can also right-click an instance, select Edit, and then configure the Enable SSL parameter in the Advanced Information section.

Application code

Java

MySQL Connector/J (mysql-connector-java) is the official JDBC driver for MySQL. In this example, mysql-connector-java 8.0.19 is used as the dependency.

<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
    <version>8.0.19</version>
</dependency>
Note

The following code provides an example on how to use the sslMode property to specify the SSL mode. The sslMode property is supported from mysql-connector-java 8.0.13. If you use an earlier version, you must use the useSSL, requireSSL, and verifyServerCertificate properties. For more information, see MySQL documentation.

Sample code:

package com.aliyun.sample;

import com.mysql.cj.jdbc.MysqlDataSource;
import java.sql.Connection;
import java.sql.SQLException;

public class Sample {

    public static void main(String[] args) {

        Connection conn = null;
        MysqlDataSource mysqlDS=null;

        try{
            mysqlDS = new MysqlDataSource();
            //You can specify the sslMode property based on your business requirements. For more information about the options for this property, see the description in the "Command-line tool" section of this topic. 
            mysqlDS.setSslMode("VERIFY_IDENTITY");
          
            //The truststore is used to store the CA certificate. In this example, the truststore type is set to JKS. 
            mysqlDS.setTrustCertificateKeyStoreType("JKS");
            //You must replace the content following file:/ with the actual path to your ApsaraDB-CA-Chain.jks file. 
            mysqlDS.setTrustCertificateKeyStoreUrl("file:/D:\\ApsaraDB-CA-Chain\\ApsaraDB-CA-Chain.jks");
            //The password of the downloaded JKS file is fixed as apsaradb. 
            mysqlDS.setTrustCertificateKeyStorePassword("apsaradb");
          
            //The endpoint of your RDS instance.
            mysqlDS.setServerName("rm-xxxxxx.mysql.rds.aliyuncs.com");
            //The port number of your RDS instance.
            mysqlDS.setPort(3306);
            //The username of the account that is used to connect to your RDS instance.
            mysqlDS.setUser("xxxxxx");
            //The password of the account that is used to connect to your RDS instance.
            mysqlDS.setPassword("xxxxxx");
            //The name of the database that you want to connect on your RDS instance.
            mysqlDS.setDatabaseName("xxxxxx");

            conn = mysqlDS.getConnection();

        }catch(Exception e){
            e.printStackTrace();
        } finally {
            try {
                if (conn != null)
                    conn.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }

}

Python

# Run the pip install pymysql command to install PyMySQL.


import pymysql

try:
    conn = pymysql.connect(host='******.mysql.rds.aliyuncs.com',user='*****',passwd='******',db='*****',ssl=True,
            ssl_ca='/path/to/path/ApsaraDB-CA-Chain.pem')
    cursor = conn.cursor()
    cursor.execute('select version()')
    data = cursor.fetchone()
    print('Database version:', data[0])
    cursor.close()
except pymysql.Error as e:
    print(e)

Related operations

Update a server certificate

The server certificate of an RDS instance is valid for one year. If you do not update the server certificate after the certificate expires, the client that uses encrypted connections cannot connect to the RDS instance. If the server certificate is about to expire, Alibaba Cloud notifies you by

email or internal message and automatically updates the certificate within a specific period of time. You can view the internal messages on the Event Center page. You can specify the time to update the server certificate in the Schedule Event dialog box. For more information, see Manage scheduled events. You can also perform the following operations to manually update a server certificate.

Note

After the server certificate is automatically updated, the client that uses encrypted connections can connect to the database without the need to download or configure the CA certificate again.

Important

If you update a certificate for an RDS instance that runs MySQL 8.0, the instance does not restart. If you update a certificate for an RDS instance that runs MySQL 5.6 or MySQL 5.7, the instance restarts.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the page that appears, click the SSL tab. Then, click Update Validity.

View the details about connection encryption

  • View the cipher suite that is used by the current session. If the return value is not empty, the current connection is encrypted.

    SHOW STATUS LIKE 'Ssl_cipher';
  • View the SSL or TLS version that is used by the current session.

    SHOW STATUS LIKE 'Ssl_version';
  • If you use a MySQL command-line tool, you can run the \s command to check whether the current connection is encrypted. If the current connection is encrypted, the SSL value in the command output indicates the cipher suite that is used by the current connection.

Forcefully use encrypted connections

Configure your server to use only encrypted connections

This operation is not supported.

Configure your client to use only encrypted connections

In this example, a command-line tool is used. In the connection command, set the SSL mode to REQUIRED, VERIFY_CA, or VERIFY_IDENTITY to use only encrypted connections. If the connections cannot be encrypted, the connections fail to be established.

Configure specific users to use only encrypted connections

In this example, the testuser user is configured to use only encrypted connections.

ALTER USER 'testuser'@'%' REQUIRE SSL;

View the content of the CA certificate

Run the following command to view the content of the CA certificate:

openssl x509 -in {Path to the CA certificate}/ApsaraDB-CA-Chain.pem -text

Disable the SSL encryption feature

Important

If you disable the SSL encryption feature, your RDS instance restarts. In this case, the system triggers a primary/secondary switchover to reduce the impacts on your workloads. We recommend that you disable the SSL encryption feature during off-peak hours.

    1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
    2. In the left-side navigation pane, click Data Security.

    3. On the page that appears, click the SSL tab.

    4. Turn off SSL Encryption. In the message that appears, click OK.

    FAQ

    Features

    • How do I implement mutual authentication that verifies the identities of the server and client?

      In ApsaraDB RDS for MySQL, the client identity cannot be verified during an SSL handshake. You can use whitelists and account management to implement access control.

    • How do I configure SSL encryption for the read/write splitting endpoint?

      For more information, see Configure SSL encryption for a dedicated proxy endpoint.

    Troubleshooting

    The "Javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints" error message is reported for connections from a Java application.

    If you do not modify the JDK security configuration items in JDK 7 or JDK 8, this error message or other similar errors are reported.

    To resolve this issue, use the following JDK security configurations in the jre/lib/security/Java.security file on the host on which your application is deployed:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

    The "javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" error message is reported for connections from a Java application.

    If MySQL Connector/J 8.0.18 or earlier is used to connect to an RDS instance that runs MySQL 5.6 or MySQL 5.7, TLS 1.2 or later is disabled due to compatibility reasons. To resolve this issue, you can use one of the following methods:

    • Use MySQL Connector/J 8.0.19 or later.

    • Upgrade the major engine version of the RDS instance to MySQL 8.0.

    • Specify the TLS version in the code. For example, set enabledTLSProtocols or tlsVersions to TLSv1.2.

    Related operations