I want to make sure all client connections to Azure MySQL flexible server are encrypted. or I want to reject all unencrypted connections to MySQLDB. Turning on server parameter " require_secure_transport " is not helping. I am still able to connect to this DB instance on an unencrypted connection even with "sslmode" as "No" or "Require" without giving certificate. Please help me achieve this.

Hi, By default Azure Database for MySQL Flexible server enforces TLS for connections (require_secure_transport=ON). In your screenshot, you have Use SSL set to Require, and the popup message says that SSL is being used for the connection. To test if the server is rejecting non-SSL connections, please test with Use SSL: set to No. When you click Test connection button you should see popup similar to below: Please post screenshot of what you see when you have Use SSL: set to No Please click Accept Answer and upvote if the above was helpful. Thanks. -TP

How to make encrypted connections mandatory on Azure MySQL flexible server

Accepted answer

TP 79,061 Reputation points

2024-02-21T14:14:51.91+00:00

Hi,

By default Azure Database for MySQL Flexible server enforces TLS for connections (require_secure_transport=ON). In your screenshot, you have Use SSL set to Require, and the popup message says that SSL is being used for the connection.

To test if the server is rejecting non-SSL connections, please test with Use SSL: set to No. When you click Test connection button you should see popup similar to below:

Please post screenshot of what you see when you have Use SSL: set to No

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP
Please sign in to rate this answer.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Srikar Gondesi - UAS Database Administrator 85 Reputation points

2024-02-22T05:06:48.05+00:00

hello,

Yes, you are right. I am seeing the same error when I set the "Use SSL" to No.

But I cannot allow my application to connect to MySQL without certificate, right?
Is there a way to reject all the connections that comes with "Use SSL" as NULL or who doesn't provide a certificate in the connection string?

TP 79,061 Reputation points

2024-02-22T06:24:22.13+00:00

Your Azure Database for MySQL flexible server uses a certificate issued by trusted public authority. It is not using self-signed on server side. Please see below screenshots of actual (as captured via wireshark) certificate used when I did test connection to server:

From the second screenshot you can see the certificate is issued by DigiCert Global Root CA -- this same certificate is in Trusted Root Certification Authorities store on windows machine. This is same certificate you can manually download from Azure portal by clicking "Download SSL Certificate" button on Networking blade of your MySQL database server.

By default, clients must use TLS since require_secure_transport=ON is default setting.

The last piece of the puzzle is the client should verify that the server's certificate is issued by a trusted authority AND that the name on the certificate matches what the client is attempting to connect to. This is to prevent man-in-the-middle attack.

I don't know of a way to "force" clients to do this, assuming you don't have 100% control over client devices.

There are different MySQL clients available, and some of them will verify the server certificate is trusted by default, using standard technique available on the operating system they are running. Others require some configuration before it will verify server certificate. It appears MySQL Workbench will only do it if you set it to Require and Verify CA or Require and Verify Identity (best) and save Server CA on local path.

Srikar Gondesi - UAS Database Administrator 85 Reputation points

2024-02-22T11:18:19.0033333+00:00

Very Clear.
Thanks a lot for your Time and Support.
Please correct if my understanding is correct in below:

Azure MySQL gives encrypted connections even when the client don't present the certificate in the connection string.

I agree that we cannot force clients to use certificate.
But cant we restrict client connections from MySQL side who doesnt present a certificate in their connection strings?

TP 79,061 Reputation points

2024-02-22T11:41:07.48+00:00

To be clear, are you wanting to set up Mutual TLS? In that each user that connects must use a client certificate to authenticate to the server (issued by your Certificate Authority) and the server authenticates the client?

So far we've been discussing encryption, but your asking about putting certificate in connection string has me wondering if you want Mutual TLS.

Srikar Gondesi - UAS Database Administrator 85 Reputation points

2024-02-22T12:33:28.8833333+00:00

No, I am not asking about mutual TLS.

Generally, we keep the certificate(public key) on the client machine to connect with a DB which is configured with same certificate(with private key). I was wondering how the connections are getting accepted by MySQL even when I dont provide a certificate(public key) in the connection string.

Please correct me here, If I remove below certificate from my "Trusted Root Certification Authorities", then the connection to Azure MySQL without certificate in the connection string should fail right?

TP 79,061 Reputation points

2024-02-22T12:35:12.02+00:00

@Srikar Gondesi - UAS Database Administrator If your question is "Can we force client to use sslca= option in their connection string", then the answer is No, since that option is there so the client will verify the CA certificate, as I described in earlier comment.

If your question is, "Can we force client to use sslcert and sslkey options in their connection string" then the answer is, IF Azure MySQL Database flexible server supports Mutual TLS, then Yes, when creating users you could use REQUIRE SUBJECT etc. which would require the clients to connect with certificate.

I've not used Mutual TLS with Azure MySQL which is why I wrote IF in above paragraph. I know regular MySQL supports it, but unsure if Azure's MySQL service supports it.

TP 79,061 Reputation points

2024-02-22T12:50:08.23+00:00

I didn't see your earlier comment when I posted my last one.

Please correct me here, If I remove below certificate from my "Trusted Root Certification Authorities", then the connection to Azure MySQL without certificate in the connection string should fail right?

That's what I would expect, but earlier I tested that exact scenario and it went ahead with the connection when it was set to Require. This is how web browsers behave--you don't need to do anything special for them to make sure certificate is trusted when you visit https site. It could've been some sort of os caching that allowed it to succeed, since I've seen that type of thing with other apps unrelated to MySQL that verify certs.

If I trust the MySQL and workbench documentation, the client will only verify the CA and/or subject FQDN if you set it to equivalent of VerifyCA or VerifyFull. This is a client-side setting, which is why I say if you don't have administrative control over the client you can't force it to do the verification.

Srikar Gondesi - UAS Database Administrator 85 Reputation points

2024-02-22T12:56:22.0366667+00:00

understood, thanks a lot for your time and support.
Sign in to comment

Share via

How to make encrypted connections mandatory on Azure MySQL flexible server

0 additional answers