I need to enable SSL only for front-end connections. Sharing the configuration for better clarity.
```
+----------------------+-------------------------------+
| variable_name        | variable_value                |
+----------------------+-------------------------------+
| mysql-ssl_p2s_cipher | ECDHE-ECDSA-AES256-GCM-SHA384 |
+----------------------+-------------------------------+
1 row in set (0.00 sec)

mysql/bin/mysql -uadmin -p -P6032 -h127.0.0.1 -e '\s' | grep -P 'SSL|Connection'
Connection id: 1441
SSL: Cipher in use is DHE-RSA-AES256-SHA
Connection: 127.0.0.1 via TCP/IP
```
From this I can see that only the default cipher is used in front-end connections.
On explicitly mentioning `--ssl --ssl-cipher=ECDHE-ECDSA-AES256-GCM-SHA384`, I get `SSL connection error: Failed to set ciphers to use`.
I am able to connect only with the default cipher.
1 Like
I verified this. You should open a bug report on the ProxySQL GitHub.
```
$ mysql -h app -usbuser -psbPass1234# -BN -e '\s' --ssl-cipher="ECDHE-ECDSA-AES256-GCM-SHA384" | grep -P 'SSL|Connection|Server'
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql Ver 8.0.28-20 for Linux on x86_64 (Percona Server (GPL), Release 20, Revision fd4b5a776a6)
Connection id: 415
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Server version: 5.5.30 (ProxySQL)
Connection: app via TCP/IP
Server characterset: utf8mb4
```
```
# mysql -uadmin -padmin -h 127.0.0.1 -P 6032 -e "show variables like '%ssl%'"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-------------------------------------+--------------------------------+
| Variable_name                       | Value                          |
+-------------------------------------+--------------------------------+
| mysql-have_ssl                      | true                           |
| mysql-session_idle_show_processlist | true                           |
| mysql-show_processlist_extended     | 0                              |
| mysql-ssl_p2s_ca                    | /etc/ssl/mysql/ca.pem          |
| mysql-ssl_p2s_capath                |                                |
| mysql-ssl_p2s_cert                  | /etc/ssl/mysql/client-cert.pem |
| mysql-ssl_p2s_key                   | /etc/ssl/mysql/client-key.pem  |
| mysql-ssl_p2s_cipher                | ECDHE-RSA-AES256-SHA           |
| mysql-ssl_p2s_crl                   |                                |
| mysql-ssl_p2s_crlpath               |                                |
+-------------------------------------+--------------------------------+
```
2 Likes
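
The check both posts do by eye, as an added example that is not part of the thread and not ProxySQL or Percona code: a shell function that reads `mysql -e '\s'` output and reports whether the negotiated cipher matches the one requested with `--ssl-cipher`. The function names and the sample status lines are constructed for illustration; the cipher names are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example: compare the cipher a session negotiated with the one requested.

# Print the cipher named in `mysql -e '\s'` output read from stdin
# (empty when the status has no "Cipher in use" line, i.e. no TLS).
negotiated_cipher() {
    sed -n 's/^SSL:[[:space:]]*Cipher in use is[[:space:]]*//p' | head -n 1
}

# check_cipher REQUESTED   (status output on stdin)
# Prints: match | tls13-suite | mismatch | no-tls
check_cipher() {
    requested=$1
    actual=$(negotiated_cipher)
    if [ -z "$actual" ]; then
        echo "no-tls"
    elif [ "$actual" = "$requested" ]; then
        echo "match"
    else
        case $actual in
            # OpenSSL names TLS 1.3 suites with a TLS_ prefix; the MySQL
            # client selects those with --tls-ciphersuites, not --ssl-cipher.
            TLS_*) echo "tls13-suite" ;;
            *)     echo "mismatch" ;;
        esac
    fi
}

# Constructed sample input, modelled on the status lines quoted in the thread.
sample_status() {
    printf 'Connection id:\t\t415\n'
    printf 'SSL:\t\t\tCipher in use is %s\n' "$1"
    printf 'Connection:\t\tapp via TCP/IP\n'
}

sample_status TLS_AES_256_GCM_SHA384 | check_cipher ECDHE-ECDSA-AES256-GCM-SHA384
sample_status DHE-RSA-AES256-SHA     | check_cipher ECDHE-ECDSA-AES256-GCM-SHA384
```

Against a live listener, pipe the real status output into `check_cipher` in place of `sample_status`.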