2

I am testing Amazon RDS MySQL and I want to connect to MySQL instance using SSL. It works pretty well, but there is something that is not clear to me: reading the FAQs (https://aws.amazon.com/rds/faqs/):

SSL support within Amazon RDS is for encrypting the connection between your application and your DB Instance; it should not be relied on for authenticating the DB Instance itself.

it seems that once the connection is established, data is encrypted during communication but the authentication part is not; so: are MySQL passwords sent in clear?

Improve this question

1 Answer 1

Reset to default
5

If you look at the MySQL Internals Documentation, you can see that the protocol initialises SSL/TLS after the initial handshake packet, but before the authentication step:

 

MySQL Protocol

The two paths shown from the first state are based on whether SSL/TLS is enabled or not. As such, if SSL/TLS is enabled, the authentication occurs after the secure channel is created, and the credentials are not sent in plaintext.

The key thing about the wording of the documentation you quoted is that it says "should not be relied on for authenticating the DB Instance itself", and not "authenticating to the DB instance itself". I suspect the point they're making is that, since each DB instance has an auto-generated certificate, you shouldn't rely upon this for verifying that you're speaking to the database instance you requested.

Improve this answer
2
  • Excellent, thanks. Establishing an SSL connection after having sent the password in clear would have been a non-sense. You are probably right about the wording meaning in the RDS documentation, it appeared quite confusing to me, though. Commented May 10, 2016 at 13:03
  • 1
    @Eugenio I agree that it is confusing; they're relying upon you making the correct inference in order to make security decisions. Hardly ideal. Commented May 10, 2016 at 13:04

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.