[REQ] MySQL over SSL #27

Closed
sequelpro opened this issue Nov 9, 2013 · 19 comments
Comments

@sequelpro
Collaborator

Issue imported from Google Code: https://code.google.com/p/sequel-pro/issues/detail?id=27
Reporter:rizw...@gmail.com Date:2008-05-26 21:11:50 Status:Implemented Closed:2010-09-01

I know it's probably not a top priority, but for our workflow, being able
to support MySQL over SSL makes this app a must-use for us. To my knowledge,
it shouldn't be too hard, as it's just a command line switch with a path to
the file for the mysql client, but I'm not sure how it works using the
MySQL library in OSX.

@sequelpro
Collaborator Author

Author:abhibeck...@gmail.com Date:2008-05-28 23:20:01

I'm not sure how much work SSL is, and I want to get a public release out as soon as possible.

I'm going to leave this ticket open with no deadline, I'll make sure we do this shortly after the first public release.

@sequelpro
Collaborator Author

Author:espe...@gmail.com Date:2008-12-21 17:06:47

I have really no clue, but will it not work just to open a quiet ssh tunnel:

ssh -q -L 3307:localhost:3306 remotehost

http://macapper.com/2007/05/22/advanced-os-x-secure-tunneling-via-ssh/

@sequelpro
Collaborator Author

Author:morgan.c...@gmail.com Date:2009-01-12 09:25:20

I have an alias that looks like this:
alias dblink="ssh -2 -f -c blowfish -N -C -p 30001 morgan@mydevserver.com -L 3307/127.0.0.1/3306"
so I just drop to terminal, type 'dblink', and then connect to my production server using port 3307 on my
localhost. It's pretty quick AND it acts as a little check so I can't connect to my production server by accident.

@sequelpro
Collaborator Author

Author:rizw...@gmail.com Date:2009-01-12 11:43:09

I do that too for now, but we've got a MySQL server that can only be accessed via SSL
certs (for security reasons) and giving all the users local shell accounts for port
forwarding isn't permissible, so being able to access via SSL would still be quite
useful.

@sequelpro
Collaborator Author

Author:avenja...@gmail.com Date:2009-05-14 07:24:33

Work on SSH Tunnels has begun. We have basic tunnels working, but code is still being finalised

@sequelpro
Collaborator Author

Author:rowanb@gmail.com Date:2009-05-14 07:35:03

SSH tunnels are being covered by Issue #114 ; SSL support is slightly different, and is still on the cards as part of
the connection methods support/interface overhaul, but hasn't been started yet :)

I'll leave myself tagged as the owner though.

@sequelpro
Collaborator Author

Author:rowanb@gmail.com Date:2009-05-28 03:20:44

SSH tunnels are now functional as of r790. I'm going to defer SSL connections until we have the new connection
pane in place though, as the interface currently won't support it nicely at all...

@sequelpro
Collaborator Author

Author:mar...@gmail.com Date:2009-12-05 17:55:49

Would still be helpful to add the MySQL-over-SSL option as some servers (due to
security restrictions) don't permit SSH tunneling for individual users.

@sequelpro
Collaborator Author

Author:arocki...@gmail.com Date:2010-07-19 09:23:39

Amazon RDS servers don't support SSH tunneling AFAIK, so this would be great.

@sequelpro
Collaborator Author

Author:rowanb@gmail.com Date:2010-09-13 15:33:42

SSL support has been added in r2636, with options to specify key file, certificate file, and the CA cert. I don't actually have any access to servers with SSL enabled, so I've only tested this in servers set up for the purposes of testing; I'd appreciate feedback on whether it works in real-world situations :)

As always, nightlies are available from http://nightly.sequelpro.com/ , but we don't recommend their use with production data, just in case…

I'll mark this as "Implemented" for the time being, but as always we will continue to monitor responses.

@sequelpro
Collaborator Author

Author:adam...@yipit.com Date:2011-06-20 13:36:19

I've tried this with a remote Amazon RDS instance and it works well. Get the CA cert here:

http://docs.amazonwebservices.com/AmazonRDS/latest/UserGuide/index.html?Concepts.DBInstance.html#Concepts.DBEngine.MySQL51.SSLSupport

Then attach it to the "CA Cert" field in the Sequel Pro connection dialog - ignoring the Key File and Certificate fields.

@sequelpro
Collaborator Author

Author:goo...@windware.com Date:2011-06-25 03:44:06

I've looked in the recent nightly build and it seems to have the option to connect via SSL for standard and socket methods but not for SSH.

I have a MySQL server that only permits connection from a specific machine (for the sake of security) which I can SSH into, so it would be very useful to have an option for using SSL with the SSH tunneling method too. Can this be applied too?

@kpcyrd

kpcyrd commented Aug 10, 2017

Is this resolved?

The website still links to this issue stating that:

> SSL connections are not yet supported by Sequel Pro, but are planned. See Issue 27 for details.

Any recommendations?

@abhibeckert
Member

> Is this resolved?
>
> The website still links to this issue stating that:
>
> SSL connections are not yet supported by Sequel Pro, but are planned. See Issue 27 for details.

@kpcyrd the website is wrong. SP does support SSL.

> Any recommendations?

I recommend using SSH tunnels if you can. If you can't, then I recommend testing to make sure you actually are connected with SSL using SHOW STATUS LIKE 'Ssl_cipher';

Also be aware that there are many ways to compromise SSL (see https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS.2FSSL). I'm not sure how many of these apply to mysql, but some probably do.

@kpcyrd

kpcyrd commented Aug 11, 2017

@abhibeckert thanks for the quick reply.

> Also be aware that there are many ways to compromise SSL (see https://en.wikipedia.org/wiki/Transport_Layer_Security#Attacks_against_TLS.2FSSL).

Thanks. Most of these are cross protocol attacks that might become exploitable for database drivers in applications that are exposed to attackers, but aren't that relevant for sequelpro. The server is mostly straight forward to secure, I'm more concerned about insecure usage of the client.

There's no (secure) way for a server to ensure a client is actually connecting over a secure channel. Some documentation on how to setup secure connections, configure authentication of the server and possibly very good UI in what is secure and what isn't inside sequelpro would help security a lot. :)

@abhibeckert
Member

abhibeckert commented Aug 11, 2017

> Some documentation on how to setup secure connections, configure authentication of the server and possibly very good UI in what is secure and what isn't inside sequelpro would help security a lot. :)

As I said, I recommend using SSH to log in. Then there's really nothing to document, sequel pro/ssh/mysql in their out-of-the-box configuration are all very secure (as long as your mac keychain password is strong and SSH is using a strong password or a public/private keypair)

@kpcyrd

kpcyrd commented Aug 11, 2017

We used to do that, but with the increasing trend towards containerization and databases as a service, the TLS use case became more and more relevant. :)

@dmoagx
Member

dmoagx commented Aug 11, 2017

> I recommend testing to make sure you actually are connected with SSL using SHOW STATUS LIKE 'Ssl_cipher';

@abhibeckert See #2499 - we are now enforcing TLS/SSL when the option is checked.

@bgriffinte

Five years later, I see the website is still redirecting people to this issue for SSL support. What's the deal?

We are using Teleport to proxy IAM auth to a database. After using the tsh tool to login, an eight hour SSL certificate is created, and tsh proxy db mysql1 generates a config like this:

Started DB proxy on 127.0.0.1:45365
To avoid port randomization, you can choose the listening port using the --port flag.

Use following credentials to connect to the mysql1 proxy:
  ca_file=/home/bgriffin/.tsh/keys/teleport.FQDN/cas/teleport.FQDN.pem
  cert_file=/home/bgriffin/.tsh/keys/teleport.FQDN/bgriffinte-db/teleport.FQDN/mysql1-x509.pem
  key_file=/home/bgriffin/.tsh/keys/teleport.FQDN/bgriffinte

Which works fine for command line mysql:

$ mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=$ca_file --ssl-cert=$cert_file --ssl-key=$key_file -h 127.0.0.1 -P 45365 -u iam-rouser
Welcome to the MySQL monitor.  Commands end with ; or \g.
[...]
mysql> show grants;
+-----------------------------------------------------------------------+
| Grants for iam-rouser@10.%                                            |
+-----------------------------------------------------------------------+
| GRANT SELECT, SHOW DATABASES, SHOW VIEW ON *.* TO 'iam-rouser'@'10.%' |
+-----------------------------------------------------------------------+
1 row in set (0.09 sec)

What is the equivalent in Sequel Pro? (I don't use Sequel Pro myself, but I'm getting support requests. Mysql Workbench is working.) There is no remote host available for "ssh log in [to]".
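To tie together the two practical points in this thread, the post-connect check with SHOW STATUS LIKE 'Ssl_cipher' and the certificate set that tsh proxy db prints, here is an added Python example that is not code from Sequel Pro or Teleport: it parses a constructed copy of the tsh credential lines (placeholder paths), builds the mysql command line with --ssl-mode=VERIFY_IDENTITY, and fails closed when the server reports an empty Ssl_cipher.

```python
import shlex
from typing import Dict, List, Sequence, Tuple

# Constructed copy of the credential lines `tsh proxy db` prints (placeholder paths).
TSH_OUTPUT = """Started DB proxy on 127.0.0.1:45365
Use following credentials to connect to the mysql1 proxy:
  ca_file=/home/user/.tsh/keys/teleport.example/cas/teleport.example.pem
  cert_file=/home/user/.tsh/keys/teleport.example/user-db/teleport.example/mysql1-x509.pem
  key_file=/home/user/.tsh/keys/teleport.example/user
"""
WANTED = ("ca_file", "cert_file", "key_file")


def parse_tsh_credentials(text: str) -> Dict[str, str]:
    """Extract ca_file/cert_file/key_file from tsh's output; refuse a partial set."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in WANTED and value:
            creds[key] = value
    missing = [k for k in WANTED if k not in creds]
    if missing:
        raise ValueError(f"tsh output lacks {missing}")
    return creds


def mysql_cli_args(creds: Dict[str, str], host: str, port: int, user: str) -> List[str]:
    """mysql client argv. VERIFY_IDENTITY refuses plaintext, an untrusted issuer and a
    hostname mismatch; the default PREFERRED mode silently falls back to plaintext."""
    return ["mysql", "--ssl-mode=VERIFY_IDENTITY",
            f"--ssl-ca={creds['ca_file']}", f"--ssl-cert={creds['cert_file']}",
            f"--ssl-key={creds['key_file']}", "-h", host, "-P", str(port), "-u", user]


def tls_in_use(status_rows: Sequence[Tuple[str, str]]) -> bool:
    """Rows of SHOW STATUS LIKE 'Ssl_cipher': MySQL reports an empty cipher on a plaintext session."""
    return bool(dict(status_rows).get("Ssl_cipher", ""))


def require_tls(status_rows: Sequence[Tuple[str, str]]) -> str:
    """Fail closed right after connecting: return the negotiated cipher or raise."""
    if not tls_in_use(status_rows):
        raise RuntimeError("session is not TLS-protected (Ssl_cipher is empty)")
    return dict(status_rows)["Ssl_cipher"]


if __name__ == "__main__":
    print(shlex.join(mysql_cli_args(parse_tsh_credentials(TSH_OUTPUT), "127.0.0.1", 45365, "iam-rouser")))
    print(require_tls([("Ssl_cipher", "TLS_AES_256_GCM_SHA384")]))  # constructed status row
```

The same Ssl_cipher check applies to a GUI client: run it as the first query after connecting, since a client left in PREFERRED mode can connect successfully without any encryption.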
