
TLS Connections to TiDB Serverless

Establishing a secure TLS connection between your client and your TiDB Serverless cluster is one of the basic security practices for connecting to your databases. The server certificate for TiDB Serverless is issued by an independent third-party certificate provider. You can easily connect to your TiDB Serverless cluster without downloading a server-side digital certificate.

Prerequisites

TLS connection to a TiDB Serverless cluster

In the TiDB Cloud console, you can get examples of different connection methods and connect to your TiDB Serverless cluster as follows:

  1. Navigate to the Clusters page of your project, and then click the name of your cluster to go to its overview page.

  2. Click Connect in the upper-right corner. A dialog is displayed.

  3. In the dialog, keep the default setting of the endpoint type as Public, and select your preferred connection method and operating system.

    • Supported connection methods: MySQL CLI, MyCLI, JDBC, Python, Go, and Node.js.
    • Supported operating systems: MacOS, Debian, CentOS/RedHat/Fedora, Alpine, OpenSUSE, and Windows.
  4. If you have not set a password yet, click Create password to generate a random password for your TiDB Serverless cluster. The password is automatically embedded in the sample connection string so that you can connect to your cluster easily.

  5. Connect to your cluster with the connection string.

The following examples show the connection strings for MySQL CLI, MyCLI, JDBC, Python, Go, and Node.js. To learn how to get the CA root path of your operating system, see Root certificate management.


The MySQL CLI client attempts to establish a TLS connection by default. When you connect to TiDB Serverless clusters, you should set ssl-mode and ssl-ca.

mysql --connect-timeout 15 -u <user> -h <host> -P 4000 --ssl-mode=VERIFY_IDENTITY --ssl-ca=<CA_root_path> -D test -p

  • With --ssl-mode=VERIFY_IDENTITY, the MySQL CLI client is forced to enable TLS and to validate the identity of the TiDB Serverless cluster.
  • Use --ssl-ca=<CA_root_path> to set the CA root path on your system.

MyCLI automatically enables TLS when TLS-related parameters are used. When you connect to TiDB Serverless clusters, you need to set ssl-ca and ssl-verify-server-cert.

mycli -u <user> -h <host> -P 4000 -D test --ssl-ca=<CA_root_path> --ssl-verify-server-cert

  • Use --ssl-ca=<CA_root_path> to set the CA root path on your system.
  • Use --ssl-verify-server-cert to validate the identity of the TiDB Serverless cluster.

MySQL Connector/J's TLS connection configurations are used here as an example.

jdbc:mysql://<host>:4000/test?user=<user>&password=<password>&sslMode=VERIFY_IDENTITY&enabledTLSProtocols=TLSv1.2,TLSv1.3

  • Set sslMode=VERIFY_IDENTITY to enable TLS and validate the identity of the TiDB Serverless cluster. JDBC trusts the system CA root certificates by default, so you do not need to configure certificates.
  • Set enabledTLSProtocols=TLSv1.2,TLSv1.3 to restrict the versions of the TLS protocol.

mysqlclient's TLS connection configurations are used here as an example.

host="<host>", user="<user>", password="<password>", port=4000, database="test", ssl_mode="VERIFY_IDENTITY", ssl={"ca": "<CA_root_path>"}

  • Set ssl_mode="VERIFY_IDENTITY" to enable TLS and validate the identity of the TiDB Serverless cluster.
  • Set ssl={"ca": "<CA_root_path>"} to set the CA root path on your system.

Go-MySQL-Driver's TLS connection configurations are used here as an example.

mysql.RegisterTLSConfig("tidb", &tls.Config{
    MinVersion: tls.VersionTLS12,
    ServerName: "<host>",
})
db, err := sql.Open("mysql", "<user>:<password>@tcp(<host>:4000)/test?tls=tidb")

  • Register a tls.Config for the connection to enable TLS and validate the identity of the TiDB Serverless cluster. Go-MySQL-Driver uses the system CA root certificates by default, so you do not need to configure certificates.
  • Set MinVersion: tls.VersionTLS12 to restrict the versions of the TLS protocol.
  • Set ServerName: "<host>" to verify the hostname of the TiDB Serverless cluster.
  • If you do not want to register a new TLS configuration, you can simply set tls=true in the connection string.

Mysql2's TLS connection configurations are used here as an example.

host: '<host>', port: 4000, user: '<user>', password: '<password>', database: 'test', ssl: {minVersion: 'TLSv1.2', rejectUnauthorized: true}

  • Set ssl: {minVersion: 'TLSv1.2'} to restrict the versions of the TLS protocol.
  • Set ssl: {rejectUnauthorized: true} to validate the identity of the TiDB Serverless cluster. Mysql2 uses the system CA root certificates by default, so you do not need to configure certificates.

Root certificate management

Root certificate issuance and validity

TiDB Serverless uses certificates from Let's Encrypt as the Certificate Authority (CA) for TLS connections between clients and TiDB Serverless clusters. When the TiDB Serverless certificate expires, it is rotated automatically without affecting the normal operation of your cluster or established TLS connections.

If the client uses the system's root CA store by default, as Java and Go do, you can connect securely to TiDB Serverless clusters without specifying the path of the CA roots. If you still want to obtain a CA certificate for a TiDB Serverless cluster, download and use the Mozilla CA Certificate bundle instead of a single CA certificate.

However, some drivers and ORMs do not use the system root CA store. In those cases, you need to point the CA root path of the driver or ORM at your system root CA store. For example, when you use mysqlclient to connect to a TiDB Serverless cluster in Python on macOS, you need to set ca: /etc/ssl/cert.pem in the ssl argument.

If you are using a GUI client, such as DBeaver, that does not accept a certificate file containing multiple certificates, you must download the ISRG Root X1 certificate.

Root certificate default path

On different operating systems, the default storage paths of the root certificate bundle are as follows:

  • MacOS: /etc/ssl/cert.pem
  • Debian / Ubuntu / Arch: /etc/ssl/certs/ca-certificates.crt
  • RedHat / Fedora / CentOS / Mageia: /etc/pki/tls/certs/ca-bundle.crt
  • Alpine: /etc/ssl/cert.pem
  • OpenSUSE: /etc/ssl/ca-bundle.pem

Windows

Windows does not offer a specific file path for the CA roots. Instead, it stores certificates in the registry. For this reason, to specify a CA root path on Windows, take the following steps:

  1. Download the Mozilla CA Certificate bundle and save it in a path of your choice.
  2. Use that path as your CA root path when you connect to a TiDB Serverless cluster.
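The per-OS default paths above and the VERIFY_IDENTITY setting used by the drivers, expressed with Python's standard ssl module as an added example (not code from the TiDB docs). It assumes the ID and ID_LIKE values that the listed distributions write to /etc/os-release; the sample os-release text in the comments is constructed.

```python
import ssl
from typing import Optional

# Default CA bundle locations from the "Root certificate default path" section.
_DEBIAN_LIKE = {"debian", "ubuntu", "arch"}
_RHEL_LIKE = {"rhel", "fedora", "centos", "mageia"}


def parse_os_release(text: str) -> dict:
    """Parse KEY=value lines of /etc/os-release; values may be quoted."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"').strip("'")
    return fields


def ca_bundle_path(system: str, os_release_text: str = "") -> Optional[str]:
    """Return the system root CA bundle for a platform, or None when there is no
    single file (Windows keeps its roots in the registry; unknown distros).
    system is platform.system(), e.g. "Darwin", "Linux", "Windows"; os_release_text
    is the content of /etc/os-release, e.g. the constructed 'ID=ubuntu\\nID_LIKE=debian'."""
    system = system.lower()
    if system == "darwin":
        return "/etc/ssl/cert.pem"
    if system == "windows":
        return None
    fields = parse_os_release(os_release_text)
    ids = {fields.get("ID", "").lower()} | set(fields.get("ID_LIKE", "").lower().split())
    if ids & _DEBIAN_LIKE:
        return "/etc/ssl/certs/ca-certificates.crt"
    if ids & _RHEL_LIKE:
        return "/etc/pki/tls/certs/ca-bundle.crt"
    if "alpine" in ids:
        return "/etc/ssl/cert.pem"
    if ids & {"suse", "opensuse"} or any(i.startswith("opensuse") for i in ids):
        return "/etc/ssl/ca-bundle.pem"  # opensuse-leap sets ID_LIKE="suse opensuse"
    return None


def tls_context(ca_path: Optional[str]) -> ssl.SSLContext:
    """What the drivers' VERIFY_IDENTITY means in ssl terms: a trusted CA is required,
    the hostname is checked, and TLS 1.2 is the floor (TiDB Serverless rejects 1.0/1.1).
    ca_path=None uses the system store, as the Java, Go and Node.js drivers do."""
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx
```

Pass the path returned by ca_bundle_path to the driver's CA option (for example mysqlclient's ssl={"ca": ...}) on systems where the driver does not read the system store itself.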

FAQs

Which TLS versions are supported to connect to my TiDB Serverless cluster?

For security reasons, TiDB Serverless only supports TLS 1.2 and TLS 1.3, and does not support TLS 1.0 and TLS 1.1. See the IETF document Deprecating TLS 1.0 and TLS 1.1 for details.

Is two-way TLS authentication between my connection client and TiDB Serverless supported?

No.

TiDB Serverless only supports one-way TLS authentication: your client uses the CA's public key to verify the signature on your TiDB Cloud cluster's certificate, while the cluster does not validate the client.

Does TiDB Serverless have to configure TLS to establish a secure connection?

For standard connections, TiDB Serverless only allows TLS connections and rejects non-SSL/TLS connections. SSL/TLS is one of the most basic security measures for reducing the risk of data exposure when you connect to the TiDB Serverless cluster over the internet.

For private endpoint connections, configuring TLS is optional, because the private endpoint provides secure, one-way access to the TiDB Cloud service and does not expose your data to the public internet.

© 2023 PingCAP. All Rights Reserved.