TLS Connections to Serverless Tier
Establishing a secure TLS connection between your client and your TiDB Cloud Serverless Tier cluster is one of the basic security practices for connecting to your databases. The server certificate for Serverless Tier is issued by an independent third-party certificate provider. You can easily connect to your Serverless Tier cluster without downloading a server-side digital certificate.
Prerequisites
- Log in to TiDB Cloud via Password Authentication or SSO Authentication.
- Create a TiDB Cloud Serverless Tier cluster.
Secure connection to a Serverless Tier cluster
In the TiDB Cloud console, you can get examples of different connection methods and connect to your Serverless Tier cluster as follows:
Navigate to the Clusters page of your project, and then click the name of your cluster to go to its overview page.
Click Connect in the upper-right corner. A dialog is displayed.
In the dialog, select your preferred connection method and operating system.
- Supported connection methods: MySQL CLI, MyCLI, JDBC, Python, Go, and Node.js.
- Supported operating systems: MacOS, Debian, CentOS/RedHat/Fedora, Alpine, OpenSUSE, and Windows.
If you have not set a password yet, click Create password to generate a random password for your Serverless Tier cluster. The password will be automatically embedded in the sample connection string for connecting to your cluster easily.
Connect to your cluster with the connection string.
The following examples show the connection strings in MySQL CLI, MyCLI, JDBC, Python, Go, and Node.js. To learn how to get the <CA_root_path> of your operating system, see Root certificate management.
- MySQL CLI
- MyCLI
- JDBC
- Python
- Go
- Node.js
MySQL CLI client attempts to establish a TLS connection by default. When you connect to TiDB Serverless Tier clusters, you should set ssl-mode and ssl-ca.
mysql --connect-timeout 15 -u <username> -h <host> -P 4000 --ssl-mode=VERIFY_IDENTITY --ssl-ca=<CA_root_path> -D test -p
- With
--ssl-mode=VERIFY_IDENTITY, MySQL CLI client forces to enable TLS and validate TiDB Serverless Tier clusters. - Use
--ssl-ca=<CA_root_path>to set the CA root path on your system.
MyCLI automatically enables TLS when using TLS related parameters. When you connect to TiDB Serverless Tier clusters, you need to set ssl-ca and ssl-verify-server-cert.
mycli -u <username> -h <host> -P 4000 -D test --ssl-ca=<CA_root_path> --ssl-verify-server-cert
- Use
--ssl-ca=<CA_root_path>to set the CA root path on your system. - With
--ssl-verify-server-certto validate TiDB Serverless Tier clusters.
MySQL Connector/J's TLS connection configurations are used here as an example.
jdbc:mysql://<host>:4000/test?user=<username>&password=<your_password>&sslMode=VERIFY_IDENTITY&enabledTLSProtocols=TLSv1.2,TLSv1.3
- Set
sslMode=VERIFY_IDENTITYto enable TLS and validate TiDB Serverless Tier clusters. JDBC trusts system CA root certificates by default, so you do not need to configure certificates. - Set
enabledTLSProtocols=TLSv1.2,TLSv1.3to restrict the versions of TLS protocol.
mysqlclient's TLS connection configurations are used here as an example.
host="<host>", user="<username>", password="<your_password>", port=4000, database="test", ssl_mode="VERIFY_IDENTITY", ssl={"ca": "<CA_root_path>"}
- Set
ssl_mode="VERIFY_IDENTITY"to enable TLS and validate TiDB Serverless Tier clusters. - Set
ssl={"ca": "<CA_root_path>"}to set the CA root path on your system.
Go-MySQL-Driver's TLS connection configurations are used here as an example.
mysql.RegisterTLSConfig("tidb", &tls.Config{
MinVersion: tls.VersionTLS12,
ServerName: "<host>",
})
db, err := sql.Open("mysql", "<usename>:<your_password>@tcp(<host>:4000)/test?tls=tidb")
- Register
tls.Configin connection to enable TLS and validate TiDB Serverless Tier clusters. Go-MySQL-Driver uses system CA root certificates by default, so you do not need to configure certificates. - Set
MinVersion: tls.VersionTLS12to restrict the versions of TLS protocol. - Set
ServerName: "<host>"to verify TiDB Serverless Tier's hostname. - If you do not want to register a new TLS configuration, you can just set
tls=truein the connection string.
Mysql2's TLS connection configurations are used here as an example.
host: '<host>', port: 4000,user: '<username>', password: '<your_password>', database: 'test', ssl: {minVersion: 'TLSv1.2', rejectUnauthorized: true}
- Set
ssl: {minVersion: 'TLSv1.2'}to restrict the versions of TLS protocol. - Set
ssl: {rejectUnauthorized: true}to validate TiDB Serverless Tier clusters. Mysql2 uses system CA root certificates by default, so you do not need to configure certificates.
Root certificate management
Root certificate issuance and validity
TiDB Serverless Tier uses certificates from Let's Encrypt as a Certificate Authority (CA) for TLS connection between clients and TiDB Serverless Tier clusters. Once the Serverless Tier certificate expires, it will be automatically rotated without affecting the normal operations of your cluster and the established TLS secure connection.
If the client uses the system's root CA stores by default, such as Java and Go, you can easily connect securely to TiDB Serverless Tier clusters without specifying the path of CA roots. If you still want to get a CA certificate for a TiDB Serverless Tier cluster, you can download and use the Mozilla CA Certificate bundle instead of a single CA certificate.
However, some drivers and ORMs do not use the system root CA stores. In those cases, you need to configure the CA root path of the drivers or ORMs to your system root CA stores. For example, when you use mysqlclient to connect a TiDB Serverless Tier cluster in Python on macOS, you need to set ca: /etc/ssl/cert.pem in the ssl argument.
If you are using a GUI client, such as DBeaver, which does not accept a certificate file with multiple certificates inside, you must download the ISRG Root X1 certificate.
Root certificate default path
In different operating systems, the default storage paths of the root certificate are as follows:
MacOS
/etc/ssl/cert.pem
Debian / Ubuntu / Arch
/etc/ssl/certs/ca-certificates.crt
RedHat / Fedora / CentOS / Mageia
/etc/pki/tls/certs/ca-bundle.crt
Alpine
/etc/ssl/cert.pem
OpenSUSE
/etc/ssl/ca-bundle.pem
Windows
Windows does not offer a specific path to the CA root. Instead, it uses the registry to store certificates. For this reason, to specify the CA root path on Windows, take the following steps:
- Download the Mozilla CA Certificate bundle and save it in a path you prefer, such as
<path_to_mozilla_ca_cert_bundle>. - Use the path (
<path_to_mozilla_ca_cert_bundle>) as your CA root path when you connect to a Serverless Tier cluster.
FAQs
Which TLS versions are supported to connect to my TiDB Cloud Serverless Tier cluster?
For security reasons, TiDB Cloud Serverless Tier only supports TLS 1.2 and TLS 1.3, and does not support TLS 1.0 and TLS 1.1 versions. See IETF Deprecating TLS 1.0 and TLS 1.1 for details.
Is two-way TLS authentication between my connection client and TiDB Cloud Serverless Tier supported?
No.
TiDB Cloud Serverless Tier only supports one-way TLS authentication, which means your client uses the public key to verify the signature of your TiDB Cloud cluster certificate's private key while the cluster does not validate the client.
Does TiDB Serverless Tier have to configure TLS to establish a secure connection?
Yes.
TiDB Cloud Serverless Tier only allows TLS connections and prohibits non-SSL/TLS connections. The reason is that SSL/TLS is one of the most basic security measures for you to reduce the risk of data exposure to the internet when you connect to the Serverless Tier cluster through the internet.