Navigation Menu

Skip to content

Instantly share code, notes, and snippets.

@alastori

alastori/ODBC TLS and MDS.md

Last active October 6, 2021 04:30
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save alastori/9a7474d3be96de7a8b2eee0cd2838966 to your computer and use it in GitHub Desktop.
Save alastori/9a7474d3be96de7a8b2eee0cd2838966 to your computer and use it in GitHub Desktop.
Download ZIP
MySQL Connector/ODBC SSL connections with MySQL Database Service
Raw
ODBC TLS and MDS.md

ODBC TLS and MDS

Testing encrypted connections using MySQL Connector/ODBC with MySQL Database Service.

Install MySQL Connector/ODBC 8.0.26 on Oracle Linux 7.8

$ sudo cat /etc/os-release | grep NAME
NAME="Oracle Linux Server"
PRETTY_NAME="Oracle Linux Server 7.8"
CPE_NAME="cpe:/o:oracle:linux:7:8:server"

$ sudo yum install https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
...

$ sudo yum install mysql-connector-odbc-8.0.26
...
Installed:
  mysql-connector-odbc.x86_64 0:8.0.26-1.el7                                    

Dependency Installed:
  libtool-ltdl.x86_64 0:2.4.2-22.el7_3    unixODBC.x86_64 0:2.3.1-14.0.1.el7   

Complete!

Create user in MDS that requires SSL (TLS) and restricted privileges to access only tstdb schema

$ mysqlsh admin@10.0.1.247 --sql
...

mysql> 
CREATE USER 
    'sslusr'@'%' 
    IDENTIFIED BY 'P@ssw0rd'
    REQUIRE SSL;
CREATE DATABASE
    ssldb;   
GRANT ALL PRIVILEGES 
    ON ssldb.* 
    TO 'sslusr'@'%';

mysql> SELECT user, host, ssl_type, plugin FROM mysql.user where user = "sslusr";
+--------+------+----------+-----------------------+
| user   | host | ssl_type | plugin                |
+--------+------+----------+-----------------------+
| sslusr | %    | ANY      | caching_sha2_password |
+--------+------+----------+-----------------------+

Configuring ODBC Data Source Name (DSN)

[opc@vm-alastori4 ~]$ sudo vi /etc/odbc.ini

[MyDSN]
Description = MySQL database
Driver = MySQL ODBC 8.0 Unicode Driver
Server = 10.0.1.247
User = sslusr
Password = P@ssw0rd
Port = 3306
Database = ssldb

Try to connect using ODBC

$ isql --version
unixODBC 2.3.1

$ isql MyDSN -v
+---------------------------------------+
| Connected!                            |
|                                       |
| sql-statement                         |
| help [tablename]                      |
| quit                                  |
|                                       |
+---------------------------------------+

SQL> SHOW SESSION STATUS LIKE 'Ssl_cipher' 
+---------------+-----------------------------+
| Variable_name | Value                       |
+---------------+-----------------------------+
| Ssl_cipher    | ECDHE-RSA-AES128-GCM-SHA256 |
+---------------+-----------------------------+
SQLRowCount returns 1
1 rows fetched
SQL>

Note: To determine whether the current connection with the server uses encryption, check the session value of the Ssl_cipher status variable. If the value is empty, the connection is not encrypted. Otherwise, the connection is encrypted and the value indicates the encryption cipher. See the MySQL reference manual.

Try to connect NOT using ODBC

$ sudo vi /etc/odbc.ini

[NoSslDsn]
Description = MySQL database without SSL
Driver = MySQL ODBC 8.0 Unicode Driver
Server = 10.0.1.247
User = sslusr
Password = P@ssw0rd
Port = 3306
Database = ssldb
SSLMODE = DISABLED

$ isql NoSslDsn -v
[S1000][unixODBC][MySQL][ODBC 8.0(w) Driver]Access denied for user 'sslusr'@'10.0.0.4' (using password: YES)
[ISQL]ERROR: Could not SQLConnect

This is correct. MySQL Server should enforce SSL for user sslusr since it was created with REQUIRE SSL.

Disabling SSL for user sslusr:

mysqlsh admin@10.0.1.247 --sql

mysql> ALTER USER 
    'sslusr'@'%' 
    IDENTIFIED WITH mysql_native_password 
    BY 'P@ssw0rd'
    REQUIRE NONE;

mysql> SELECT user, host, ssl_type, plugin FROM mysql.user where user = "sslusr";
+--------+------+----------+-----------------------+
| user   | host | ssl_type | plugin                |
+--------+------+----------+-----------------------+
| sslusr | %    |          | mysql_native_password |
+--------+------+----------+-----------------------+

$ isql NoSslDsn -v
+---------------------------------------+
| Connected!                            |
|                                       |
| sql-statement                         |
| help [tablename]                      |
| quit                                  |
|                                       |
+---------------------------------------+

SQL> SHOW SESSION STATUS LIKE 'Ssl_cipher' 
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| Ssl_cipher    |       |
+---------------+-------+
1 rows fetched
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment