How to check whether a MySQL connection is SSL encrypted?

4

5

I'm using the MySQL .NET connector from the official MySQL site. I'm trying to make a safe SSL connection from my C# program to a MySQL db. The MySQL server allows connecting with SSL. The have_ssl variable is set to yes and ca-cert, server-cert and server-key are specified.

Permissions for the user are:

'GRANT USAGE ON *.* TO \'logowanie\'@\'%\' IDENTIFIED BY PASSWORD \'*...\' REQUIRE SSL'
'GRANT SELECT ON `db`.`table1` TO \'logowanie\'@\'%\''

So I assume that this user cannot log in without SSL? Am I right?

My connection string in C# program looks like that:

"server=127.0.0.1;uid=logowanie;pwd=log1;database=ewidencja;SslMode=Required";

See that this connection string doesn't have any paths to certificate files! It only has the "SSLMode=Required" option. Is it possible to make an SSL-encrypted connection without any other SSL options?

And the user is able to log in and run a select command on table1. So I assume this connection is SSL encrypted? How can I check whether this connection is SSL encrypted to be 100% sure?

Diode answered 17/1, 2013 at 23:17 Comment(7)
Try this Stack Overflow link; it looks like something that you are looking for: #5881003 – Odelle
OK, but it doesn't solve my problem. I want to know if my connection instance provides SSL encryption with only one option: "SslMode=Required". Is that even possible, or is this connection still without SSL? HOW TO CHECK THAT? – Jongjongleur
Can't you check or add the following in your connection string: Encrypt=True;TrustServerCertificate=True – Odelle
You must be a little fuzzy on the meaning of the word "required". – Resign
Check this MSDN link: msdn.microsoft.com/en-us/library/ms189067%28v=sql.105%29.aspx – Odelle
As you can see, I have SslMode=Required in my conn string. Also, I checked it with Encrpt=True and it worked. But does it mean for sure that the connection is encrypted? I didn't even specify paths to the client cert and key! – Jongjongleur
What else would 'SslMode=Required' mean? – Supercharge
9

Posting my answer from https://mcmap.net/q/1922846/-check-if-mysqlconnection-is-using-ssl:

You can execute this SQL statement from inside the MySqlConnection: SHOW SESSION STATUS LIKE 'Ssl_cipher', and it will show you whether the connection is encrypted.

Example code:

using System;
using System.Configuration;
using MySql.Data.MySqlClient;
using (var connection = new MySqlConnection(ConfigurationManager.AppSettings["Test"]))
{
    connection.Open();
    using (var command = new MySqlCommand("SHOW SESSION STATUS LIKE 'Ssl_cipher'", connection))
    using (MySqlDataReader reader = command.ExecuteReader())
    {
        // Column 0 is the status variable name, column 1 is its value.
        while (reader.Read())
            Console.WriteLine($"{reader.GetString(0)}: {reader.GetString(1)}");
    }
}
Rie answered 6/10, 2017 at 22:0 Comment(3)
This is a good answer. The Ssl_cipher gives the cipher algorithm in use for the connection or an empty string if SSL is not used, as stated in: dev.mysql.com/doc/refman/5.7/en/… I suggest you change "GetString(0)" to "GetString(1)", as the value of Ssl_cipher is given in the second column. – Frederique
@CarlosPérezChávez Done. Thanks for the suggestion. – Rie
I checked this way and double-checked it with Wireshark... surprise: the ssl_cipher value is the same with or without encryption. This seems to be decided by the server; the real change is SslMode. – Conklin
4

How can I check whether this connection is SSL encrypted to be 100% sure?

Install Wireshark, capture the traffic and you'll be 100% sure whether it's encrypted or not.

Edmead answered 18/1, 2013 at 7:30 Comment(0)
1

OpenSSL (https://www.openssl.org/) ships with a tool called "s_client" that can be used to test SSL servers. This is available for *nix, Cygwin, and Win32.

Sample Usage

$ openssl s_client -connect servername:port -CAfile /path/to/ca.pem -debug -showcerts

There are a myriad of options such as -pause, -state, etc. which you may find useful for tracking SSL through its setup and teardown.

Security

Use Wireshark as Miljen has pointed out.

Here are some tips for Wireshark:

  1. Collect the traffic using Wireshark
  2. Verify that the contents of the packets look like random noise (random bytes).
  3. This output should be sufficient to check that you have turned on SSL.

If you're looking to test whether your SSL code works properly, you could also check whether you can interoperate with other SSL implementations.

Did you hardcode the public key of the server properly, or properly check the server cert to make sure it corresponds to your server and not some imposter? Did you enable client authentication? Did you set the list of acceptable ciphersuites in a reasonable way? Did you use TLS 1.2? Are you aware that TLS only secures the communication channel, but you still need to make sure that the endpoints are secure, e.g., from various malicious attacks?

That might get you started. For testing, here are some tips:

For testing see https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

This link contains great stuff, but it is by no means exhaustive. These tests are geared for HTTPS, but they should work for any SSL implementation since they analyze the SSL protocol, not the application-level protocol on top.

Cabstand answered 30/11, 2015 at 13:27 Comment(0)
0

On a CLI, you can run this command to check if the data is encrypted or not.

sudo tcpdump -l -i eth0 -w - src or dst port 3306 | strings

Corley answered 18/5, 2023 at 5:35 Comment(0)
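The capture-based answers above can be made precise, because the MySQL server greeting is always sent in the clear and the client's first packet decides whether TLS is used. This added example (not code from any of the posts) classifies the reassembled client-to-server bytes that follow the greeting; the function names and sample byte strings are constructed for illustration.

```python
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800  # capability flag a client sets to request TLS


def classify_client_stream(data: bytes) -> dict:
    """Classify the first client->server bytes sent after the server greeting."""
    if len(data) < 36:
        return {"verdict": "unknown", "reason": "too short"}
    # MySQL packet header: 3-byte little-endian payload length, 1-byte sequence id.
    length, seq = int.from_bytes(data[0:3], "little"), data[3]
    caps, _max_packet, _charset = struct.unpack_from("<IIB", data, 4)
    if seq != 1 or not caps & CLIENT_PROTOCOL_41:
        return {"verdict": "unknown", "reason": "not a 4.1 handshake reply"}
    rest = data[4 + length:]
    if length == 32 and caps & CLIENT_SSL:
        # SSLRequest is exactly the 32 fixed bytes; a TLS handshake record
        # (content type 0x16, major version 0x03) must follow immediately.
        if len(rest) >= 2 and rest[0] == 0x16 and rest[1] == 0x03:
            return {"verdict": "tls", "reason": "SSLRequest then TLS handshake"}
        return {"verdict": "unknown", "reason": "SSLRequest without TLS record"}
    if length > 32:
        # HandshakeResponse41 in the clear: the NUL-terminated user name
        # follows the 32 fixed bytes and is readable on the wire.
        user = data[36:4 + length].split(b"\x00", 1)[0]
        return {"verdict": "plaintext", "user": user.decode("latin-1")}
    return {"verdict": "unknown", "reason": "unexpected packet"}


def mysql_packet(seq: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def fixed_fields(caps: int) -> bytes:
    # capabilities, max packet size, charset id, 23 filler bytes = 32 bytes
    return struct.pack("<IIB", caps, 1 << 24, 45) + bytes(23)


# Constructed samples, not captured traffic.
TLS_SESSION = (mysql_packet(1, fixed_fields(CLIENT_PROTOCOL_41 | CLIENT_SSL))
               + bytes.fromhex("160301020001"))
PLAIN_SESSION = mysql_packet(
    1, fixed_fields(CLIENT_PROTOCOL_41) + b"logowanie\x00" + b"\x14" + bytes(20))

if __name__ == "__main__":
    for name, stream in (("tls sample", TLS_SESSION), ("plaintext sample", PLAIN_SESSION)):
        print(name, classify_client_stream(stream))
```

Because the greeting precedes the TLS handshake, seeing the server version string in `strings` output does not by itself mean the session is unencrypted; the client's first packet is the part to inspect.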
