How to Verify Connections to the MySQL Server Are Encrypted
References:
- Azure MySQL - Configure SSL
- https://aws.amazon.com/blogs/aws/amazon-rds-support-for-ssl-connections/
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.SSLSupport
If you are using Azure Database for MySQL, Amazon RDS for MySQL or Amazon Aurora, it is important to enforce SSL/TLS on every connection. Azure enables SSL enforcement by default (it can be switched off, so check it). On AWS every instance supports SSL, but by default the server still accepts unencrypted connections: require it yourself by setting require_secure_transport=ON in the DB parameter group, or by restricting accounts with REQUIRE SSL. Encryption stops passive sniffing of credentials and query data; to defeat an active man-in-the-middle the client must also verify the server certificate (for the mysql client, --ssl-mode=VERIFY_CA or VERIFY_IDENTITY together with --ssl-ca pointing at the provider's CA bundle). The checks below tell you whether a session is encrypted and with what cipher; they do not tell you whether the client verified the certificate. These are some simple steps to verify whether SSL is in use.
Verify through mysql STATUS
The simplest approach is to connect with the mysql client and run the STATUS command (\s is the shortcut). If the connection is encrypted, the SSL line reports the cipher in use; otherwise it reads "SSL: Not in use". Keep in mind that with the client's default --ssl-mode=PREFERRED it silently falls back to plaintext when the server does not offer TLS, which is exactly the situation this check catches.
Encryption is enabled
You will notice **SSL: Cipher in use is ECDHE-RSA-AES256-SHA384**
mysql> STATUS
--------------
mysql Ver 14.14 Distrib 5.7.21, for osx10.13 (x86_64) using EditLine wrapper
Connection id: 65246
Current database:
Current user:
SSL: Cipher in use is ECDHE-RSA-AES256-SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.6.39.0 MySQL Community Server (GPL)
Protocol version: 10
Connection: mysqlhost.mysql.database.azure.com via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 8 days 4 hours 16 min 11 sec
Threads: 15 Questions: 992386 Slow queries: 0 Opens: 2599 Flush tables: 1 Open tables: 493 Queries per second avg: 1.404
Encryption is not enabled
Connect to MySQL Server
$ mysql -h 192.168.1.125 -u root -p
mysql> STATUS
--------------
mysql Ver 14.14 Distrib 5.7.21, for osx10.13 (x86_64) using EditLine wrapper
Connection id: 6008
Current database:
Current user: [email protected]
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.7.22-0ubuntu0.16.04.1 (Ubuntu)
Protocol version: 10
Connection: 192.168.1.125 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 7 days 5 hours 1 min 41 sec
Threads: 3 Questions: 63671 Slow queries: 0 Opens: 543 Flush tables: 1 Open tables: 307 Queries per second avg: 0.102
--------------
Verify through the Ssl_cipher status variable
SHOW STATUS LIKE 'Ssl_cipher';
SHOW STATUS reports the current session, so this tells you about your own connection only. If SSL is enabled, the value is the cipher in use:
# Variable_name, Value
'Ssl_cipher', 'AES256-SHA'
If SSL is not enabled, the value is empty:
# Variable_name, Value
'Ssl_cipher', ''
To audit every connected session rather than just your own, join performance_schema.status_by_thread against performance_schema.threads (MySQL 5.7 and later). Sessions without TLS appear with an empty tls_version and cipher, so they sort first:
SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher,
       processlist_user AS user, processlist_host AS host
FROM performance_schema.status_by_thread AS sbt
JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id
JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
WHERE sbt.variable_name = 'Ssl_version' AND t2.variable_name = 'Ssl_cipher'
ORDER BY tls_version;
# tls_version, cipher, user, host
'TLSv1', 'AES256-SHA', 'azure_superuser', '127.0.0.1'
'TLSv1', 'AES256-SHA', 'azure_superuser', '127.0.0.1'
'TLSv1', 'AES256-SHA', 'azure_superuser', '127.0.0.1'
'TLSv1', 'AES256-SHA', 'azure_superuser', '127.0.0.1'
Every session here is encrypted, but with TLSv1, which has been deprecated since RFC 8996 (2021), and with a cipher suite that uses RSA key transport and therefore has no forward secrecy. Treat anything below TLSv1.2 as a finding: restrict the server with the tls_version system variable (MySQL 5.7.10 and later; managed services usually expose this as a minimum TLS version setting) and confirm that clients negotiate TLSv1.2 or TLSv1.3.
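The following script is an added example, not code from the original post. It automates the checks from the STATUS and Ssl_cipher sections above: it runs the per-thread performance_schema query (reshaped so plaintext sessions are returned too), classifies each session as plaintext, deprecated TLS, no forward secrecy or OK, parses the SSL line of the mysql client's STATUS output, and lists the accounts that may still log in unencrypted, which is the enforcement point made in the introduction. The pure functions run offline on the constructed sample rows embedded in the block; the live_audit driver assumes PyMySQL is installed and that the provider's CA bundle is on disk (both are assumptions of this example), and it connects with certificate verification so that the audit itself cannot be intercepted.

```python
"""Audit whether MySQL sessions are encrypted, and how well.

Added example. The pure functions run offline; live_audit() assumes PyMySQL
(pip install pymysql) and a CA bundle path, both assumptions of this example.
"""
import re
from typing import Dict, List, Optional

# The page's status_by_thread join, reshaped so that every client session is
# returned, including plaintext ones (Ssl_version and Ssl_cipher are '' there).
SESSION_QUERY = """
SELECT t.processlist_id   AS id,
       t.processlist_user AS user,
       t.processlist_host AS host,
       v.variable_value   AS tls_version,
       c.variable_value   AS cipher
FROM performance_schema.threads AS t
JOIN performance_schema.status_by_thread AS v
  ON v.thread_id = t.thread_id AND v.variable_name = 'Ssl_version'
JOIN performance_schema.status_by_thread AS c
  ON c.thread_id = t.thread_id AND c.variable_name = 'Ssl_cipher'
WHERE t.type = 'FOREGROUND'
"""

DEPRECATED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 / RFC 8996

# Constructed sample rows in the shape SESSION_QUERY returns: the page's
# TLSv1 session plus a modern, a plaintext and a TLS 1.3 session.
SAMPLE_SESSIONS = [
    {"id": "12", "user": "azure_superuser", "host": "127.0.0.1", "tls_version": "TLSv1", "cipher": "AES256-SHA"},
    {"id": "65246", "user": "app", "host": "10.0.0.8", "tls_version": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-SHA384"},
    {"id": "6008", "user": "root", "host": "192.168.1.50", "tls_version": "", "cipher": ""},
    {"id": "7001", "user": "report", "host": "10.0.0.9", "tls_version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"},
]

# Constructed excerpt of `mysql> STATUS` output (tab-separated, as the client prints it).
SAMPLE_STATUS_TLS = "Connection id:\t\t65246\nSSL:\t\t\tCipher in use is ECDHE-RSA-AES256-SHA384\nTCP port:\t\t3306\n"


def classify_session(tls_version: str, cipher: str) -> str:
    """Return PLAINTEXT, DEPRECATED_TLS, NO_PFS or OK for one session."""
    if not cipher:                                   # no TLS was negotiated
        return "PLAINTEXT"
    if tls_version in DEPRECATED_VERSIONS:
        return "DEPRECATED_TLS"
    # Pre-1.3 OpenSSL suite names encode the key exchange: ECDHE-/DHE- suites
    # give forward secrecy, bare names such as AES256-SHA use RSA key transport.
    # Every TLS 1.3 suite is forward secret, so the check is skipped there.
    if tls_version != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        return "NO_PFS"
    return "OK"


def audit_sessions(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map verdict -> ['user@host (id)', ...] for rows shaped like SESSION_QUERY output."""
    report: Dict[str, List[str]] = {}
    for r in rows:
        verdict = classify_session(r["tls_version"], r["cipher"])
        report.setdefault(verdict, []).append(f"{r['user']}@{r['host']} ({r['id']})")
    return report


def parse_status_ssl(status_output: str) -> Optional[str]:
    """Cipher named on the SSL line of `mysql> STATUS`, or None when SSL is not in use."""
    m = re.search(r"^SSL:\s+Cipher in use is (\S+)", status_output, re.MULTILINE)
    return m.group(1) if m else None


def accounts_allowing_plaintext(require_secure_transport: str,
                                users: List[Dict[str, str]]) -> List[str]:
    """Accounts that can log in unencrypted.

    users = rows of SELECT user, host, ssl_type FROM mysql.user. ssl_type is ''
    unless the account carries REQUIRE SSL ('ANY'), REQUIRE X509 ('X509') or
    REQUIRE SUBJECT/ISSUER/CIPHER ('SPECIFIED'). With require_secure_transport=ON
    the server refuses plaintext TCP connections for every account.
    """
    if require_secure_transport.upper() == "ON":
        return []
    return [f"{u['user']}@{u['host']}" for u in users if not u["ssl_type"]]


def live_audit(host: str, user: str, password: str, ca_path: str) -> Dict:
    """Run all checks over a certificate-verified TLS session (assumes PyMySQL)."""
    import pymysql  # assumption: pip install pymysql
    conn = pymysql.connect(host=host, user=user, password=password,
                           ssl={"ca": ca_path, "check_hostname": True},
                           cursorclass=pymysql.cursors.DictCursor)
    try:
        with conn.cursor() as cur:
            cur.execute(SESSION_QUERY)
            sessions = cur.fetchall()
            cur.execute("SHOW GLOBAL VARIABLES LIKE 'require_secure_transport'")
            row = cur.fetchone()
            rst = row["Value"] if row else "OFF"    # variable absent before 5.7.8
            cur.execute("SELECT user, host, ssl_type FROM mysql.user")
            users = cur.fetchall()
    finally:
        conn.close()
    return {"sessions": audit_sessions(sessions),
            "plaintext_capable_accounts": accounts_allowing_plaintext(rst, users)}


if __name__ == "__main__":
    print(audit_sessions(SAMPLE_SESSIONS))
    print(parse_status_ssl(SAMPLE_STATUS_TLS))
```

Run it against a server with live_audit("mysqlhost.mysql.database.azure.com", "admin@mysqlhost", "...", "/path/to/provider-ca.pem"); the PLAINTEXT and DEPRECATED_TLS buckets and the plaintext_capable_accounts list are the findings to act on. Reading mysql.user needs a privileged account, and the session query only sees what performance_schema exposes to your user.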
Verify through Wireshark
If you have Wireshark installed, capture the traffic to port 3306 (display filter tcp.port == 3306, or simply mysql) and look at what is on the wire. On an unencrypted connection the MySQL dissector decodes the Login Request, including the user name, and every Query packet, so the SQL text and the result rows are readable in clear. On an encrypted connection the server's initial greeting (version banner, connection id, capability flags) is still sent in clear, because MySQL negotiates TLS inside its own protocol after that greeting; everything from the client's SSL request onwards should be a TLS handshake followed by Application Data, with no readable login or query packets.
Wireshark packet capture of MySQL data