How to enable have_openssl, have_ssl, ssl_cipher in TiDB

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb 如何开启have_openssl、have_ssl、ssl_cipher

| username: RAIN

【TiDB Usage Environment】Production Environment
【TiDB Version】6.1.4
【Encountered Problem: Problem Phenomenon and Impact】
A security agency's scan requires have_openssl, have_ssl and ssl_cipher to be enabled; otherwise it reports three high-risk vulnerabilities. Please help…
image

| username: tidb菜鸟一只 | Original post link

To enable SSL in TiDB, modify the enable_tls system parameter to true. These two variables should not be changed; they are read-only variables made for MySQL compatibility.

| username: RAIN | Original post link

How to enable it? Is there an official document?

| username: tidb菜鸟一只 | Original post link

After modifying the corresponding parameters with tiup cluster edit-config <cluster-name>, reload the cluster to take effect.

| username: RAIN | Original post link

Thanks a lot, I’ll give it a try.

| username: 像风一样的男子 | Original post link

If this is not enabled, it is considered a medium-risk vulnerability that can be fixed or not. Which security assessment are you referring to that considers it high-risk?

| username: RAIN | Original post link

image

| username: 像风一样的男子 | Original post link

Enabling this means that the client connecting to the database and all internal components of the database need to use encrypted connections, which is quite troublesome.

| username: oceanzhang | Original post link

It’s not about changing the database parameters, it’s about changing the node configuration.

| username: RAIN | Original post link

After making this change, it cannot be saved. What should I do?

| username: caiyfc | Original post link

Check out my article:
Column - The Trials and Tribulations of Enabling Encrypted Communication TLS in TiDB Production Clusters - Opening Chapter | TiDB Community
After enabling it, some tools are affected. Follow the instructions in this article:
Column - The Trials and Tribulations of Enabling Encrypted Communication TLS in TiDB Production Clusters - Tools Chapter | TiDB Community

| username: RAIN | Original post link

According to your documentation, TLS has already been enabled, but when logging into the database, these two values are still in the off state.
image

| username: caiyfc | Original post link

This is the 6.1 documentation. Normally, it should be enabled. How about finding an opportunity to restart and check?

| username: RAIN | Original post link

I have already restarted it, but it doesn’t work.

| username: caiyfc | Original post link

I haven’t checked this parameter separately. If restarting the cluster doesn’t work, then it seems we can only explain that TiDB’s parameters are just compatible with MySQL but actually ineffective. :joy:

| username: RAIN | Original post link

Sure, no problem.

| username: dba远航 | Original post link

I have done these two upgrades on Oracle before.

| username: 巴黎的晨 | Original post link

Has it been resolved? You need to add the ssl-ca, ssl-cert, and ssl-key configurations in the db configuration file, change the user connection method to SSL, and then log in.
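
Putting the replies above together, this is what the edit-config step looks like in practice. It is an added example, not the original poster's configuration or anything from the thread: the certificate paths are placeholders, the cluster name is assumed, and the `security.ssl-*` keys are the TiUP topology form of the `ssl-ca`, `ssl-cert` and `ssl-key` settings named in this reply.

```yaml
# Added example: fragment edited into the topology via
#   tiup cluster edit-config <cluster-name>   (cluster name assumed)
# then applied with
#   tiup cluster reload <cluster-name> -R tidb
#
# server_configs.tidb holds settings written into every TiDB server's
# config file; the dotted key maps to [security] ssl-ca etc.
server_configs:
  tidb:
    # CA that signed the server certificate; clients verify against it.
    # Placeholder path: the file must exist on every TiDB node.
    security.ssl-ca: /path/to/ca.pem
    # Server certificate and private key presented to MySQL-protocol clients.
    # Keep the key readable only by the tidb service user.
    security.ssl-cert: /path/to/tidb-server.pem
    security.ssl-key: /path/to/tidb-server-key.pem
```

After the reload, connecting with `mysql --ssl-mode=REQUIRED` and running the client's `\s` command shows an `SSL: Cipher in use is ...` line when the connection is actually encrypted; that check, rather than the MySQL-compatibility variables asked about in the original post, is the one that tells you whether client traffic is protected.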

| username: Kongdom | Original post link

Based on the documentation description, it should be read-only and requires server settings. It is not supported to set it in the cluster.

| username: kevinsna | Original post link

Could you provide more specific steps?