All RDS instances come ready to accept SSL connections, right out of the box. However, the documentation Amazon provides is not very complete with respect to making a MySQL client connection, and you may find yourself faced with an error like the following:
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
I found I had to look around quite a bit and try a number of things until I hit connection gold. Here is the short version of how I did it:
- I downloaded the root CA cert (as documented by Amazon) and placed it in a “certs” directory.
- I further grabbed the intermediate cert (using the region-specific link on the same page) and placed it in the same directory.
- Now I had the root cert and rds-ca-2015-us-east-1.pem in my certs directory. I next combined the files into one pem file, rds-ca-2015-combined.pem, using a text editor (I used vi, but you could probably just ‘cat’ them together). Put the root cert last.
- Now I could issue the following command line and successfully connect to the MySQL instance:
mysql -h <db_endpoint_name> -u <user> -p --ssl-ca=/Path/to/combined/file/rds-ca-2015-combined.pem
(Note the fully-qualified filename. ‘~’ will not work here!)
Once connected, you might want to check that you’re actually using SSL. Issue this command in the MySQL client:
mysql> show status like 'Ssl_cipher';
+---------------+------------+
| Variable_name | Value      |
+---------------+------------+
| Ssl_cipher    | AES256-SHA |
+---------------+------------+
The Value column would be blank if SSL isn’t enabled for the connection.
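The steps above, as an added shell example (not the author's own script): it builds the combined bundle with the root cert last, refuses a download that is not actually a PEM certificate, insists on an absolute bundle path, and parses the Ssl_cipher check so a script can fail when the connection is not encrypted. It assumes the two PEM files have already been downloaded as described; the function names are this example's own, and --ssl-verify-server-cert is a real mysql client flag that the post's command does not use.

```shell
#!/bin/sh
# Added example for this post (not the author's script). Assumes the region
# intermediate cert and the root cert have been downloaded as PEM files.
set -eu

# Build the combined bundle: intermediate first, root cert last.
# Usage: build_bundle OUT INTERMEDIATE ROOT
build_bundle() {
    out=$1; inter=$2; root=$3
    for f in "$inter" "$root"; do
        # A failed download often yields an HTML page, not a cert; refuse it.
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    cat "$inter" "$root" > "$out"
}

# Succeed only if the bundle ends with the root cert, as the post requires.
# Usage: root_is_last BUNDLE ROOT
root_is_last() {
    tail -c "$(wc -c < "$2" | tr -d ' ')" "$1" | cmp -s - "$2"
}

# Parse `show status like 'Ssl_cipher'` output (boxed table or the
# tab-separated form mysql prints when piped) from stdin; succeed only
# when a cipher was actually negotiated, i.e. the Value column is not blank.
ssl_in_use() {
    awk -F'[|\t]' '
        /Ssl_cipher/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /Ssl_cipher/) { v = $(i+1); gsub(/ /, "", v); found = 1 }
        }
        END { if (found && v != "") exit 0; exit 1 }'
}

# Connect as in the post, plus --ssl-verify-server-cert so the client also
# checks that the server cert's CN matches the endpoint. The bundle path must
# be absolute, since ~ is not expanded inside --ssl-ca=.
# Usage: connect_ssl ENDPOINT USER /abs/path/rds-ca-2015-combined.pem
connect_ssl() {
    case $3 in
        /*) ;;
        *) echo "bundle path must be absolute (no ~): $3" >&2; return 1 ;;
    esac
    mysql -h "$1" -u "$2" -p --ssl-ca="$3" --ssl-verify-server-cert \
        -e "show status like 'Ssl_cipher'" | ssl_in_use
}
```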