49 changes: 25 additions & 24 deletions articles/mysql/flexible-server/how-to-connect-tls-ssl.md
@@ -15,41 +15,41 @@ ms.devlang: csharp

[!INCLUDE [applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]

Azure Database for MySQL flexible server supports connecting your client applications to the Azure Database for MySQL flexible server instance using Secure Sockets Layer (SSL) with Transport layer security(TLS) encryption. TLS is an industry standard protocol that ensures encrypted network connections between your database server and client applications, allowing you to adhere to compliance requirements.
Azure Database for MySQL Flexible Server supports connecting your client applications to the Azure Database for MySQL Flexible Server instance using Secure Sockets Layer (SSL) with Transport layer security(TLS) encryption. TLS is an industry standard protocol that ensures encrypted network connections between your database server and client applications, allowing you to adhere to compliance requirements.

Azure Database for MySQL flexible server supports encrypted connections using Transport Layer Security (TLS 1.2) by default and all incoming connections with TLS 1.0 and TLS 1.1 are denied by default. The encrypted connection enforcement or TLS version configuration on your flexible server can be changed as discussed in this article.
Azure Database for MySQL Flexible Server supports encrypted connections using Transport Layer Security (TLS 1.2) by default and all incoming connections with TLS 1.0 and TLS 1.1 are denied by default. The encrypted connection enforcement or TLS version configuration on your Flexible Server can be changed as discussed in this article.

Following are the different configurations of SSL and TLS settings you can have for your Azure Database for MySQL flexible server instance:
Following are the different configurations of SSL and TLS settings you can have for your Azure Database for MySQL Flexible Server instance:

> [!IMPORTANT]
> According to [Removal of Support for the TLS 1.0 and TLS 1.1 Protocols](https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-deprecated-protocols), starting in early September 2024, new servers will no longer be permitted to use TLS 1.0 or 1.1, and existing servers will not be allowed to downgrade to these versions. Beginning mid-September 2024, we will initiate a mandatory upgrade of all servers currently using TLS 1.0 or 1.1 to TLS 1.2. This upgrade process is expected to be completed by the end of September 2024. We strongly recommend that customers ensure their applications are fully compatible with TLS 1.2 before the end of September.

| Scenario | Server parameter settings | Description |
| --- | --- | --- |
| Disable SSL enforcement | require_secure_transport = OFF | If your legacy application doesn't support encrypted connections to Azure Database for MySQL flexible server, you can disable enforcement of encrypted connections to your Azure Database for MySQL flexible server instance by setting require_secure_transport=OFF. |
| Enforce SSL with TLS version < 1.2 (Will be deprecated in September 2024) | require_secure_transport = ON and tls_version = TLS 1.0 or TLS 1.1 | If your legacy application supports encrypted connections but requires TLS version < 1.2, you can enable encrypted connections, but configure your Azure Database for MySQL flexible server instance to allow connections with the TLS version (1.0 or 1.1) supported by your application. Supported only with Azure Database for MySQL flexible server version v5.7 |
| Enforce SSL with TLS version = 1.2(Default configuration) | require_secure_transport = ON and tls_version = TLS 1.2 | This is the recommended and default configuration for Azure Database for MySQL flexible server. |
| Enforce SSL with TLS version = 1.3 | require_secure_transport = ON and tls_version = TLS 1.3 | This is useful and recommended for new applications development. Supported only with Azure Database for MySQL flexible server version v8.0 |
| Disable SSL enforcement | require_secure_transport = OFF | If your legacy application doesn't support encrypted connections to Azure Database for MySQL Flexible Server, you can disable enforcement of encrypted connections to your Azure Database for MySQL Flexible Server instance by setting require_secure_transport=OFF. |
| Enforce SSL with TLS version < 1.2 (Will be deprecated in September 2024)| require_secure_transport = ON and tls_version = TLS 1.0 or TLS 1.1 | If your legacy application supports encrypted connections but requires TLS version < 1.2, you can enable encrypted connections, but configure your Azure Database for MySQL Flexible Server instance to allow connections with the TLS version (1.0 or 1.1) supported by your application. Supported only with Azure Database for MySQL Flexible Server version v5.7 |
| Enforce SSL with TLS version = 1.2(Default configuration) | require_secure_transport = ON and tls_version = TLS 1.2 | This is the recommended and default configuration for Azure Database for MySQL Flexible Server. |
| Enforce SSL with TLS version = 1.3 | require_secure_transport = ON and tls_version = TLS 1.3 | This is useful and recommended for new applications development. Supported only with Azure Database for MySQL Flexible Server version v8.0 |

> [!NOTE]
> Changes to SSL Cipher on Azure Database for MySQL flexible server is not supported. FIPS cipher suites is enforced by default when tls_version is set to TLS version 1.2 . For TLS versions other than version 1.2, SSL Cipher is set to default settings which comes with MySQL community installation.
> Changes to SSL Cipher on Azure Database for MySQL Flexible Server is not supported. FIPS cipher suites is enforced by default when tls_version is set to TLS version 1.2 . For TLS versions other than version 1.2, SSL Cipher is set to default settings which comes with MySQL community installation.

In this article, you learn how to:

- Configure your Azure Database for MySQL flexible server instance
- Configure your Azure Database for MySQL Flexible Server instance
- With SSL disabled
- With SSL enforced with TLS version
- Connect to your Azure Database for MySQL flexible server instance using mysql command-line
- Connect to your Azure Database for MySQL Flexible Server instance using mysql command-line
- With encrypted connections disabled
- With encrypted connections enabled
- Verify encryption status for your connection
- Connect to your Azure Database for MySQL flexible server instance with encrypted connections using various application frameworks
- Connect to your Azure Database for MySQL Flexible Server instance with encrypted connections using various application frameworks

## Disable SSL enforcement on your Azure Database for MySQL flexible server instance
## Disable SSL enforcement on your Azure Database for MySQL Flexible Server instance

If your client application doesn't support encrypted connections, you need to disable encrypted connections enforcement on your Azure Database for MySQL flexible server instance. To disable encrypted connections enforcement, you need to set require_secure_transport server parameter to OFF as shown in the screenshot, and save the server parameter configuration for it to take effect. require_secure_transport is a **dynamic server parameter** which takes effect immediately and doesn't require server restart to take effect.
If your client application doesn't support encrypted connections, you need to disable encrypted connections enforcement on your Azure Database for MySQL Flexible Server instance. To disable encrypted connections enforcement, you need to set require_secure_transport server parameter to OFF as shown in the screenshot, and save the server parameter configuration for it to take effect. require_secure_transport is a **dynamic server parameter** which takes effect immediately and doesn't require server restart to take effect.

> :::image type="content" source="media/how-to-connect-tls-ssl/disable-ssl.png" alt-text="Screenshot showing how to disable SSL with Azure Database for MySQL flexible server." lightbox="media/how-to-connect-tls-ssl/disable-ssl.png":::
> :::image type="content" source="media/how-to-connect-tls-ssl/disable-ssl.png" alt-text="Screenshot showing how to disable SSL with Azure Database for MySQL Flexible Server." lightbox="media/how-to-connect-tls-ssl/disable-ssl.png":::

### Connect using mysql command-line client with SSL disabled

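Review bot: the "Flexible Server" capitalization is applied consistently here, but the lines this hunk rewrites still carry pre-existing defects that should go in the same pass: the first paragraph's "Transport layer security(TLS)" lacks a space and should read "Transport Layer Security (TLS)" as the second paragraph already does; the NOTE block's "FIPS cipher suites is enforced" needs "are enforced" and "TLS version 1.2 ." has a stray space before the period; and the rewritten table row "Enforce SSL with TLS version < 1.2 (Will be deprecated in September 2024)|" dropped the space before the pipe that the original row had. The "Disable SSL enforcement" row also presents require_secure_transport=OFF purely as a compatibility option; since the later summary paragraph in this file states that the setting admits unencrypted client connections, the row description should say so too, so readers of the table alone see the exposure.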
@@ -60,7 +60,7 @@ The following example shows how to connect to your server using the mysql comman
```

> [!IMPORTANT]
> Setting the require_secure_transport to OFF doesn't mean encrypted connections aren't supported on the server side. If you set require_secure_transport to OFF on the Azure Database for MySQL flexible server instance, but if the client connects with the encrypted connection, it still is accepted. The following connection using mysql client to an Azure Database for MySQL flexible server instance configured with require_secure_transport=OFF also works as shown below.
> Setting the require_secure_transport to OFF doesn't mean encrypted connections aren't supported on the server side. If you set require_secure_transport to OFF on the Azure Database for MySQL Flexible Server instance, but if the client connects with the encrypted connection, it still is accepted. The following connection using mysql client to an Azure Database for MySQL Flexible Server instance configured with require_secure_transport=OFF also works as shown below.

```bash
mysql.exe -h mydemoserver.mysql.database.azure.com -u myadmin -p --ssl-mode=REQUIRED
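Review bot: the rewritten IMPORTANT note keeps two grammar slips worth fixing while the line is being touched: "Setting the require_secure_transport to OFF" has a stray "the", and "but if the client connects with the encrypted connection" doubles the conditional; suggest "If you set require_secure_transport to OFF on the Azure Database for MySQL Flexible Server instance and the client connects with an encrypted connection, it is still accepted." The example command that follows uses `--ssl-mode=REQUIRED`, which only forces encryption and does not validate the server certificate; since the article has the reader download the CA bundle, a one-line remark that `VERIFY_CA` or `VERIFY_IDENTITY` is needed for certificate validation would prevent readers from treating REQUIRED as the verified configuration.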
@@ -88,13 +88,13 @@ mysql> show global variables like '%require_secure_transport%';
| 1 row in set (0.02 sec) |
```

In summary, require_secure_transport=OFF setting relaxes the enforcement of encrypted connections on Azure Database for MySQL flexible server and allows unencrypted connections to the server from client in addition to the encrypted connections.
In summary, require_secure_transport=OFF setting relaxes the enforcement of encrypted connections on Azure Database for MySQL Flexible Server and allows unencrypted connections to the server from client in addition to the encrypted connections.

## Enforce SSL with TLS version

To set TLS versions on your Azure Database for MySQL flexible server instance, you need to set *tls_version- server parameter. The default setting for TLS protocol is TLS 1.2. If your application supports connections to MySQL server with SSL, but require any protocol other than TLS 1.2, you require to set the TLS versions in [server parameter](how-to-configure-server-parameters-portal.md). *tls_version- is a **static server parameter** which requires a server restart for the parameter to take effect. Following are the Supported protocols for the available versions of Azure Database for MySQL flexible server.
To set TLS versions on your Azure Database for MySQL Flexible Server instance, you need to set *tls_version- server parameter. The default setting for TLS protocol is TLS 1.2. If your application supports connections to MySQL server with SSL, but require any protocol other than TLS 1.2, you require to set the TLS versions in [server parameter](how-to-configure-server-parameters-portal.md). *tls_version- is a **static server parameter** which requires a server restart for the parameter to take effect. Following are the Supported protocols for the available versions of Azure Database for MySQL Flexible Server.

| Azure Database for MySQL flexible server version | Supported Values of tls_version | Default Setting |
| Azure Database for MySQL Flexible Server version | Supported Values of tls_version | Default Setting |
| --- | --- | --- |
| MySQL 5.7 | TLS 1.0, TLS 1.1(Will be deprecated in September 2024) TLS 1.2 | TLS 1.2 |
| MySQL 8.0 | TLS 1.2, TLS 1.3 | TLS 1.2 |
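Review bot: the rewritten "Enforce SSL with TLS version" paragraph still contains broken emphasis markup, "*tls_version-" (twice), which renders as a literal asterisk and dash; it should be "*tls_version*" or, better, `tls_version` in code style like the other parameter names in this file. While the line is being rewritten, also fix "but require any protocol other than TLS 1.2, you require to set" to "but requires a protocol other than TLS 1.2, you need to set", and lowercase "Supported protocols". In the unchanged table row below, "TLS 1.0, TLS 1.1(Will be deprecated in September 2024) TLS 1.2" is missing the space before the parenthesis and the comma before "TLS 1.2".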
@@ -112,9 +112,9 @@ To use encrypted connections with your client applications,you need to download

Save the certificate file to your preferred location. For example, this tutorial uses `c:\ssl` or `\var\www\html\bin` on your local environment or the client environment where your application is hosted. This allows applications to connect securely to the database over SSL.

If you created your Azure Database for MySQL flexible server instance with *Private access (VNet Integration)*, you need to connect to your server from a resource within the same VNet as your server. You can create a virtual machine and add it to the VNet created with your Azure Database for MySQL flexible server instance.
If you created your Azure Database for MySQL Flexible Server instance with *Private access (VNet Integration)*, you need to connect to your server from a resource within the same VNet as your server. You can create a virtual machine and add it to the VNet created with your Azure Database for MySQL Flexible Server instance.

If you created your Azure Database for MySQL flexible server instance with *Public access (allowed IP addresses)*, you can add your local IP address to the list of firewall rules on your server.
If you created your Azure Database for MySQL Flexible Server instance with *Public access (allowed IP addresses)*, you can add your local IP address to the list of firewall rules on your server.

You can choose either [mysql.exe](https://dev.mysql.com/doc/refman/8.0/en/mysql.html) or [Use MySQL Workbench with Azure Database for MySQL - Flexible Server](connect-workbench.md)--> to connect to the server from your local environment.

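Review bot: two context lines adjacent to this hunk's changes contain visible residue that the PR could clean up while it is in this section: the link "Use MySQL Workbench with Azure Database for MySQL - Flexible Server](connect-workbench.md)-->" has a leftover "-->" from an HTML comment that renders in the page, and the example certificate path "`\var\www\html\bin`" uses Windows backslashes for what is clearly a Linux path (the Windows example beside it is `c:\ssl`); it should be `/var/www/html/bin`. The leading context line also has "applications,you" missing a space after the comma.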
@@ -167,11 +167,11 @@ JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version;
```

## Connect to your Azure Database for MySQL flexible server instance with encrypted connections using various application frameworks
## Connect to your Azure Database for MySQL Flexible Server instance with encrypted connections using various application frameworks

Connection strings that are pre-defined in the "Connection Strings" page available for your server in the Azure portal include the required parameters for common languages to connect to your database server using TLS/SSL. The TLS/SSL parameter varies based on the connector. For example, "useSSL=true", "sslmode=required", or "ssl_verify_cert=true" and other variations.

To establish an encrypted connection to your Azure Database for MySQL flexible server instance over TLS/SSL from your application, refer to the following code samples:
To establish an encrypted connection to your Azure Database for MySQL Flexible Server instance over TLS/SSL from your application, refer to the following code samples:

### WordPress

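Review bot: the heading and lead-in renames here are fine, but the unchanged paragraph between them lists "useSSL=true", "sslmode=required", or "ssl_verify_cert=true" as interchangeable TLS/SSL parameters, and they are not equivalent: "useSSL=true" and "sslmode=required" only request an encrypted channel, whereas "ssl_verify_cert=true" additionally validates the server certificate against the CA bundle the article has the reader download. Suggest adding a sentence stating that only the verify-style options perform certificate validation, so the per-framework samples that follow are read with that distinction in mind.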
@@ -378,5 +378,6 @@ conn.connect(function(err) {
- [Use MySQL Workbench with Azure Database for MySQL - Flexible Server](connect-workbench.md)
- [Use PHP with Azure Database for MySQL - Flexible Server](connect-php.md)
- [Create and manage virtual networks for Azure Database for MySQL - Flexible Server using the Azure CLI](how-to-manage-virtual-network-cli.md)
- [networking in Azure Database for MySQL flexible server](concepts-networking.md)
- [Azure Database for MySQL flexible server firewall rules](./concepts-networking-public.md#public-access-allowed-ip-addresses)
- [networking in Azure Database for MySQL - Flexible Server](concepts-networking.md)
- [Azure Database for MySQL - Flexible Server firewall rules](./concepts-networking-public.md#public-access-allowed-ip-addresses)
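Review bot: in the rewritten related-links list, "[networking in Azure Database for MySQL - Flexible Server](concepts-networking.md)" keeps a lowercase "networking" at the start of the link text while every sibling entry is capitalized; suggest "Networking in Azure Database for MySQL - Flexible Server". Note also that this hunk adopts the dashed form "Azure Database for MySQL - Flexible Server" (matching the existing Workbench, PHP and CLI entries) whereas the rest of the PR standardizes on "Azure Database for MySQL Flexible Server" without the dash; the PR description should state which form is the house style so later edits do not drift.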