...

If you use SSL/TLS for JDBC communication to your MySQL environment, some additional configuration is required (depending on your needs). To use SSL/TLS for encryption only and bypass verification of the MySQL server certificate

The MySQL configuration property sslMode can be used to control the SSL behavior for database connections.

By default, network connections are SSL encrypted; the sslMode property permits secure connections to be turned off or different levels of security to be selected.

The following sslMode values are allowed:

| sslMode Value | Description |
| --- | --- |
| "DISABLED" | Establish unencrypted connections. |
| "PREFERRED" | Establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections. (Default value) |
| "REQUIRED" | Establish secure connections if the server enabled them, fail otherwise. |
| "VERIFY_CA" | Similar to REQUIRED; but additionally, verify the server TLS certificate against the configured Certificate Authority (CA) certificates. |
| "VERIFY_IDENTITY" | Similar to VERIFY_CA; but additionally, verify that the server certificate matches the host to which the connection is attempted. |


To change the default behavior of SSL (PREFERRED), add the following to the uc.properties configuration file where sslModeValue is one of the values listed above (DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY):

uc.db.url.append.properties=&sslMode=sslModeValue

...

To use SSL/TLS for encryption and verify the MySQL server certificate, add the following to the uc.properties configuration file AND import the MySQL server certificate CA into the Universal Controller Truststore:

...

The sslMode property replaced the deprecated legacy properties "useSSL", "requireSSL", and "verifyServerCertificate", which are still accepted but translated into a value for "sslMode".

If "sslMode" is not explicitly set:

  • {"useSSL=false"} is translated to "sslMode=DISABLED".
  • {"useSSL=true", "requireSSL=false", "verifyServerCertificate=false"} is translated to "sslMode=PREFERRED".
  • {"useSSL=true", "requireSSL=true", "verifyServerCertificate=false"} is translated to "sslMode=REQUIRED".
  • {"useSSL=true" AND "verifyServerCertificate=true"} is translated to "sslMode=VERIFY_CA".
  • There are no equivalent legacy settings for "sslMode=VERIFY_IDENTITY".




Note

For ALL server versions, the default setting of sslMode is "PREFERRED", and it is equivalent to the legacy settings of useSSL=true, requireSSL=false, and verifyServerCertificate=false, which are different from their default settings for Connector/J 8.0.12 and earlier in some situations.

Applications that continue to use the legacy properties and rely on their old default settings should be reviewed. 
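One way to carry out that review is to compute the effective sslMode from a uc.properties file using the translation rules listed above. The following is an added example, not code from Universal Controller or Connector/J; the function names and sample files are hypothetical, and it assumes that an unset legacy property takes the default named in the Note.

```python
from urllib.parse import parse_qsl

KEY = "uc.db.url.append.properties"
VERIFYING = {"VERIFY_CA", "VERIFY_IDENTITY"}
MODES = {"DISABLED", "PREFERRED", "REQUIRED"} | VERIFYING

def append_properties(text):
    """Return the key/value pairs that uc.properties appends to the JDBC URL."""
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip() == KEY:
            return dict(parse_qsl(value.strip()))
    return {}

def effective_ssl_mode(props):
    """Apply the translation rules listed above; an explicit sslMode wins."""
    if "sslMode" in props:
        if props["sslMode"] not in MODES:
            raise ValueError("unknown sslMode: " + props["sslMode"])
        return props["sslMode"]
    # Assumption: an unset legacy property takes the default named in the Note
    # (useSSL=true, requireSSL=false, verifyServerCertificate=false).
    def flag(name, default):
        return props.get(name, default).lower() == "true"
    if not flag("useSSL", "true"):
        return "DISABLED"
    if flag("verifyServerCertificate", "false"):
        return "VERIFY_CA"
    return "REQUIRED" if flag("requireSSL", "false") else "PREFERRED"

def audit(text):
    """Return (effective mode, findings) for the text of one uc.properties file."""
    mode = effective_ssl_mode(append_properties(text))
    findings = []
    if mode == "DISABLED":
        findings.append("connection is unencrypted")
    elif mode == "PREFERRED":
        findings.append("connection falls back to unencrypted if the server has not enabled TLS")
    if mode not in VERIFYING:
        findings.append("server certificate is not verified")
    elif mode == "VERIFY_CA":
        findings.append("certificate is not matched against the host name")
    return mode, findings

# Constructed sample files, not taken from a real deployment.
LEGACY = "uc.db.url.append.properties=&useSSL=true&requireSSL=true\n"
STRICT = "uc.db.url.append.properties=&sslMode=VERIFY_IDENTITY\n"

if __name__ == "__main__":
    for sample in (LEGACY, STRICT):
        print(audit(sample))
```

An empty findings list means the configuration both requires encryption and verifies the server certificate against the host name.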

You may need to enable connections with TLSv1.2 and higher versions using the enabledTLSProtocols connection property. To specify the enabledTLSProtocols property, add the following to the uc.properties configuration file:

...