MySQL Encrypted Connections
You can enable the use of secure encrypted connections to your MySQL database.
Server Side Startup Configuration
On the server side you need to enable encryption by providing certificate and key files.
See more info in the MySQL docs:
5.6: https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html
5.7: https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html
Note: Host name identity verification does not work with certificates that specify the Common Name using wildcards, because that name is compared verbatim to the server name.
Is SSL Enabled?
mysql> SHOW VARIABLES LIKE 'have_ssl';
If the value is YES, the server supports encrypted connections. If the value is DISABLED, the server is capable of supporting encrypted connections but was not started with the appropriate --ssl-xxx options to enable encrypted connections to be used.
Client Side Configuration
By default, MySQL client programs attempt to establish an encrypted connection if the server supports encrypted connections. You can also create a client certificate so that the server can authenticate the client, which provides a higher level of security than an SSL connection with a password alone.
To force a client user to connect with a certificate, define the user with a GRANT statement that includes REQUIRE X509.
See more info in docs: https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html#using-encrypted-connections-client-side-configuration
Is Connection Encrypted
mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher';
If the value is not empty, the connection is encrypted with that cipher.
Client config
You should be able to define the certificates the clients will use in the my.ini (my.cnf) option file in the [client] section. Make sure the option file you edit is in the list of paths the client reads. To determine whether a program reads option files, invoke it with the --help option (for more about option files, see https://dev.mysql.com/doc/refman/5.7/en/option-files.html).
[client]
ssl-cert="path to cert file"
ssl-key="path to key file"
ssl-ca="path to ca cert"
Configuring SSL with Connector/Net
Support for SSL client PFX certificates was added to the Connector/NET 6.2 release series. PFX is the native format of certificates on Microsoft Windows. More recently, support for SSL client PEM certificates was added in the Connector/NET 8.0.16 release.
https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pfx.html
https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pem.html
Defining Connection Strings for Flow
To set up the connection string there are options for using a file-based certificate or a personal store-based certificate. Samples of these are documented at https://www.connectionstrings.com/mysql/
The MySQL docs are here:
https://dev.mysql.com/doc/connector-net/en/connector-net-6-10-connection-options.html
https://dev.mysql.com/doc/connector-net/en/connector-net-8-0-connection-options.html
To make it work with a connector 6.10 version you need to use a .pfx file (which can be generated from .pem files).
Tested Sample:
Creating SSL Certificates and Keys Using openssl
There is MySQL documentation on how to create certificates and key files here:
https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html
The OpenSSL app for Windows is available here: http://slproweb.com/products/Win32OpenSSL.html
These are the openssl commands I used to create my test files:
After generating the certificates, verify them:
You should see:
If you get an error like "error 18 at 0 depth lookup:self signed certificate", regenerate the certificates and, when OpenSSL prompts you for the Common Name of each certificate, use a different name for each one. (https://stackoverflow.com/a/19738223/5749464)
Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL.
Convert client .pem files to .pfx
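The following script is an added example, not the commands from the original page or from the MySQL documentation. It generates the CA, server and client files non-interactively with distinct Common Names (the cause of the "error 18" failure above), verifies the chain, checks that the three CNs really differ, and converts the client certificate and key to a .pfx for Connector/NET 6.x. It assumes openssl is on PATH; the directory, CN values and .pfx password are made up.

```shell
#!/bin/sh
# Added example (not from the page or MySQL's docs). Assumed: openssl on PATH;
# the directory, CN values and the .pfx password below are constructed for the demo.
set -eu

# Create ca.pem, server-cert.pem, client-cert.pem (+ keys) and client.pfx in $1.
make_certs() (
    mkdir -p "$1" && cd "$1"
    # CA key and self-signed CA certificate.
    openssl req -new -x509 -nodes -days 3600 -newkey rsa:2048 \
        -subj "/CN=MySQL_Test_CA" -keyout ca-key.pem -out ca.pem 2>/dev/null
    serial=1
    for name in server client; do
        # Key + CSR. The CN must differ from the CA's CN (and from each other):
        # a leaf whose subject equals its issuer's looks self-signed to OpenSSL,
        # which is the "error 18 at 0 depth lookup" case described above.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=MySQL_Test_$name" \
            -keyout "$name-key.pem" -out "$name-req.pem" 2>/dev/null
        # Rewrite the key as plain PEM (the MySQL docs do this step; on OpenSSL 3
        # add -traditional if your server build only reads "RSA PRIVATE KEY").
        openssl rsa -in "$name-key.pem" -out "$name-key.pem" 2>/dev/null
        # Sign with the CA; every certificate needs its own serial number.
        openssl x509 -req -in "$name-req.pem" -days 3600 -CA ca.pem \
            -CAkey ca-key.pem -set_serial "$serial" -out "$name-cert.pem" 2>/dev/null
        serial=$((serial + 1))
    done
    # Connector/NET 6.x wants a .pfx: bundle client cert + key (+ CA) as PKCS#12.
    openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem \
        -certfile ca.pem -out client.pfx -passout pass:changeit
)

# Succeeds only if both leaf certificates chain to ca.pem (what the page's
# "verify them" step checks; a shared CN makes this report error 18).
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem"
}

# Subject CN of one certificate; handles both "CN = x" and "/CN=x" output styles.
cn_of() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Succeeds only if the CA, server and client CNs are three different values.
cns_distinct() {
    n=$(for f in ca server-cert client-cert; do cn_of "$1/$f.pem"; done | sort -u | wc -l)
    [ "$(echo "$n" | tr -d ' ')" -eq 3 ]
}

make_certs ./mysql-ssl && verify_chain ./mysql-ssl && cns_distinct ./mysql-ssl
```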