File changed: enable-tls-between-clients-and-servers.md (6 additions & 4 deletions)
@@ -21,9 +21,7 @@ To use connections secured with TLS, you first need to configure the TiDB server
21
21
Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use an unencrypted connection. You can use the following ways to require the use of secure connections:
22
22
23
23
+ Configure the system variable [`require_secure_transport`](/system-variables.md#require_secure_transport-new-in-v610) to require secure connections to the TiDB server for all users.
24
-
+ Specify `REQUIRE SSL` when you create a user (`create user`), or modify an existing user (`alter user`), which is to specify that specified users must use TLS connections to access TiDB. The following is an example of creating a user:
25
-
26
-
{{< copyable "sql" >}}
24
+
+ Specify `REQUIRE SSL` when you create a user (`CREATE USER`), or modify an existing user (`ALTER USER`), which is to specify that specified users must use TLS connections to access TiDB. The following is an example of creating a user:
27
25
28
26
```sql
29
27
CREATEUSER 'u1'@'%' IDENTIFIED BY 'my_random_password' REQUIRE SSL;
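Review bot: the rewritten bullet (new line 24) keeps the awkward clause "which is to specify that specified users must use TLS connections to access TiDB"; since the line is already being rewritten for the `CREATE USER` / `ALTER USER` capitalization, suggest "which requires the specified users to use TLS connections to access TiDB." Two smaller points on the same hunk: the removal of the `{{< copyable "sql" >}}` shortcode before the fence should match what the rest of the file does for its other SQL examples (the hunk touches only this one), and the trailing context line reads `CREATEUSER 'u1'@'%' ...`; if that is the file content rather than a rendering artifact, it needs the space (`CREATE USER`) or the example will not parse.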
@@ -51,6 +49,10 @@ All the files specified by the parameters are in PEM (Privacy Enhanced Mail) for
51
49
52
50
If the certificate parameters are correct, TiDB outputs `mysql protocol server secure connection is enabled` to the logs on`"INFO"` level when started.
53
51
52
+
## Configure TiProxy to use TLS connections
53
+
54
+
To enable [TiProxy](/tiproxy/tiproxy-overview.md) to accept TLS connections, you can specify the [`sql-tls`](/tiproxy/tiproxy-configuration.md#sql-tls) configuration item in the TiProxy configuration file. For details on this setting and how to enable TLS for backend connections, see [TiProxy security](/tiproxy/tiproxy-overview.md#security).
55
+
54
56
## Configure the MySQL client to use TLS connections
55
57
56
58
The client of MySQL 5.7or later versions attempts to establish a TLS connection by default. If the server does not support TLS connections, it automatically returns to unencrypted connections. The client of MySQL earlier than version 5.7 uses the non-TLS connections by default.
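Review bot: the new TiProxy section (new lines 52 to 55) tells the reader to "specify the `sql-tls` configuration item" but never says what that item holds or gives a minimal configuration fragment, unlike the TiDB server and MySQL client sections around it, which show the actual parameters; suggest either a short `[security.server-tls]`-style snippet taken from the linked TiProxy configuration page or an explicit sentence that `sql-tls` takes the server certificate and key paths (whichever the linked page actually documents). It would also help to state in one sentence that this covers client-to-TiProxy TLS only and that TiProxy-to-TiDB ("backend") TLS is configured separately, rather than leaving that to the link. Unrelated to the change but visible in the context lines: `logs on`"INFO"` level` and `MySQL 5.7or later` are missing spaces if they are not rendering artifacts.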
@@ -90,7 +92,7 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t
90
92
By default, the server-to-client authentication is optional. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be still established. You can also require the client to be authenticated by specifying `REQUIRE x509` when creating a user (`CREATE USER`), or modifying an existing user (`ALTER USER`). The following is an example of creating a user:
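Review bot: the changed lines of this hunk are not shown, but the visible context line 90/92 describes the client presenting its certificate and the server deciding whether to require it, then labels that "server-to-client authentication"; that is client authentication (the server authenticating the client), and the current wording is easy to misread as the client verifying the server, which the preceding `ssl-ca` paragraph covers. Since this region is being edited for the `REQUIRE x509` example, suggest "By default, client authentication is optional. Even if the client does not present its certificate during the TLS handshake, the TLS connection can still be established."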