From e3e57002e9713d99dd0d7c3f00a4da9c2ab97860 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 27 Aug 2021 17:00:47 +0200 Subject: [PATCH 1/6] Update TLS docs Co-authored-by: Morgan Tocker --- enable-tls-between-clients-and-servers.md | 89 +++++++++++------------ generate-self-signed-certificates.md | 3 + 2 files changed, 47 insertions(+), 45 deletions(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index d39981f8ab49f..2ce567eb696d5 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md 
@@ -6,75 +6,47 @@ aliases: ['/docs/dev/enable-tls-between-clients-and-servers/','/docs/dev/how-to/ # Enable TLS between TiDB Clients and Servers -Non-encrypted connection between TiDB's server and client is used by default, which enables third parties that monitor channel traffic to know the data sent and received between the server and the client, including but not limited to query content, query results, and so on. If a channel is untrustworthy (such as if the client is connected to the TiDB server via a public network), then a non-encrypted connection is prone to information leakage. In this case, for security reasons, it is recommended to use an encrypted connection. +Non-encrypted connection between TiDB's server and clients is allowed by default, which enables third parties that monitor channel traffic to know the data sent and received between the server and the client, including but not limited to query content, query results, and so on. If a channel is untrustworthy (such as if the client is connected to the TiDB server via a public network), then a non-encrypted connection is prone to information leakage. In this case, for security reasons, it is recommended to require an encrypted connection. -The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2, TLS 1.3. +The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). 
The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL Client, MySQL Shell and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support SSL. TiDB supports the following protocols: TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3. -After using an encrypted connection, the connection has the following security properties: +When using an encrypted connection, the connection has the following security properties: -- Confidentiality: the traffic plaintext cannot be eavesdropped +- Confidentiality: the traffic plaintext is encrypted to avoid eavesdropping - Integrity: the traffic plaintext cannot be tampered -- Authentication: (optional) the client and the server can verify the identity of both parties to avoid man-in-the-middle attacks +- Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client avoid man-in-the-middle attacks -The encrypted connections in TiDB are disabled by default. To use encrypted connections in the client, you must first configure the TiDB server and enable encrypted connections. In short, to use encrypted connections, both of the following conditions must be met: +To use connectecions secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client applications enable TLS automatically when the server supports this. -+ Enable encrypted connections in the TiDB server. -+ The client specifies to use an encrypted connection. +Similar to MySQL with TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a unencrypted connection. 
There are two ways to require the use of secure connections: -Similar to MySQL, the encrypted connections in TiDB consist of single connections. The encrypted connection is optional by default. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. If the encrypted connections are enforced as required, both of the following two ways are available: - -+ Configure the launch parameter `--require-secure-transport` to enable encrypted connections to the TiDB server for all users. -+ Specify `require ssl` when you create a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user: ++ Configure the launch parameter `--require-secure-transport` to require secure connections to the TiDB server for all users. ++ Specify `REQUIRE SSL` when you create a user (`create user`), or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user: {{< copyable "sql" >}} ```sql - create user 'u1'@'%' require ssl; + CREATE USER 'u1'@'%' IDENTIFIED BY 'my_random_password' REQUIRE SSL; ``` > **Note:** > > If the login user has configured using the [TiDB Certificate-Based Authentication for Login](/certificate-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB. 
-## Configure TiDB to use encrypted connections +## Configure TiDB Server to use secure connections -See the following descriptions about the related parameters to enable encrypted connections: +See the following desrciptions about the related parameters to enable secure connections: +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): Enable automatic certificate generation - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate -To enable encrypted connections in the TiDB server, you must specify both of the `ssl-cert` and `ssl-key` parameters in the configuration file when you start the TiDB server. You can also specify the `ssl-ca` parameter for client authentication (see [Enable authentication](#enable-authentication)). - -All the files specified by the parameters are in PEM (Privacy Enhanced Mail) format. Currently, TiDB does not support the import of a password-protected private key, so it is required to provide a private key file without a password. If the certificate or private key is invalid, the TiDB server starts as usual, but the client cannot connect to the TiDB server through an encrypted connection. - -The certificate or key is signed and generated using OpenSSL, or quickly generated using the `mysql_ssl_rsa_setup` tool in MySQL: - -```bash -mysql_ssl_rsa_setup --datadir=./certs -``` - -This command generates the following files in the `certs` directory: - -``` -certs -├── ca-key.pem -├── ca.pem -├── client-cert.pem -├── client-key.pem -├── private_key.pem -├── public_key.pem -├── server-cert.pem -└── server-key.pem -``` +`auto-tls` allows secure connections but does not provide client certificate validation. 
For certificate validation, and to control how certificates are generated, see the advice on configuring the `ssl-cert`, `ssl-key` and `ssl-ca` variables below. -The corresponding TiDB configuration file parameters are: +To enable secure connections with your own certificates in the TiDB server, you must specify both of the `ssl-cert` and `ssl-key` parameters in the configuration file when you start the TiDB server. You can also specify the `ssl-ca` parameter for client authentication (see [Enable authentication](#enable-authentication)). -```toml -[security] -ssl-cert = "certs/server-cert.pem" -ssl-key = "certs/server-key.pem" -``` +All the files specified by the parameters are in PEM (Privacy Enhanced Mail) format. Currently, TiDB does not support the import of a password-protected private key, so it is required to provide a private key file without a password. If the certificate or private key is invalid, the TiDB server starts as usual, but the client cannot connect to the TiDB server through an encrypted connection. If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`. 
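Review bot: this hunk deletes the `[security]` configuration example while the surviving paragraph still tells the reader to "specify both of the `ssl-cert` and `ssl-key` parameters in the configuration file", so the page no longer shows what that looks like; keep a minimal block such as `[security]` / `ssl-cert = "certs/server-cert.pem"` / `ssl-key = "certs/server-key.pem"` under the "with your own certificates" paragraph. Second, "`auto-tls` allows secure connections but does not provide client certificate validation" is ambiguous about direction (the server validating client certificates, or clients validating the server's) and understates the consequence: with an automatically generated certificate there is no CA file for a client to pass via `--ssl-ca`, so the verifying `--ssl-mode` values documented later in this patch cannot be used against an `auto-tls` server unless the generated certificate is distributed to clients; spell that out so `auto-tls` is not mistaken for a setup that authenticates the server. Minor: "connectecions", "Similar to MySQL with TiDB allows" and the missing "to" before "avoid man-in-the-middle attacks" are fixed in PATCH 2/6.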
@@ -88,6 +60,11 @@ You can change the connection behavior of the client using the following `--ssl- - In the absence of the `--ssl-mode` parameter: The client attempts to use an encrypted connection, but the encrypted connection cannot be established if the server side does not support encrypted connections. Then the client uses an unencrypted connection. - `--ssl-mode=DISABLED`: The client uses an unencrypted connection. +MySQL 8.0 clients have two SSL modes in addtion to this: + +- `--ssl-mode=VERIFY_CA`: Validate the certificate from the server against the CA (requires `--ssl-ca`) +- `--ssl-mode=VERIFY_IDENTITY`: The same as `VERIFY_CA`, but also validating the hostname you are connecting to matches the certificate. + For more information, see [Client-Side Configuration for Encrypted Connections](https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html#using-encrypted-connections-client-side-configuration) in MySQL. ## Enable authentication @@ -147,6 +124,8 @@ SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 The TLS versions, key exchange protocols and encryption algorithms supported by TiDB are determined by the official Golang libraries. +The crypto policy for your operating system and the client library you are using may also impact the list of supported protocols and ciphersuites. + ### Supported TLS versions - TLS 1.0 @@ -171,6 +150,8 @@ The TLS versions, key exchange protocols and encryption algorithms supported by - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 - TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 +- TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 +- TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256 - TLS\_AES\_128\_GCM\_SHA256 - TLS\_AES\_256\_GCM\_SHA384 - TLS\_CHACHA20\_POLY1305\_SHA256 
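Review bot: the cipher-suite list this hunk extends mixes TLS 1.2 suites (the `TLS_ECDHE_*` entries, including the two CHACHA20 ones added here) with TLS 1.3 suites (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) in one flat list; group them by protocol version, or label each group, so a reader can tell which suites a TLS 1.3 client can actually negotiate. Related, the "Supported TLS versions" list in the preceding hunk still names TLS 1.0 and TLS 1.1 without comment although the page rejects SSL for known vulnerabilities; a sentence that these two versions are deprecated and that clients should negotiate TLS 1.2 or 1.3 would keep the page consistent.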
@@ -181,6 +162,24 @@ To replace the certificate, the key or CA, first replace the corresponding files The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected. -### See also +## Montoring + +Since TiDB v5.2.0 the `Ssl_server_not_after` and `Ssl_server_not_before` status variables can be used to monitor the start and end dates of the validity of the certificate. + +```sql +SHOW GLOBAL STATUS LIKE 'Ssl\_server\_not\_%'; +``` + +``` ++-----------------------+--------------------------+ +| Variable_name | Value | ++-----------------------+--------------------------+ +| Ssl_server_not_after | Nov 28 06:42:32 2021 UTC | +| Ssl_server_not_before | Aug 30 06:42:32 2021 UTC | ++-----------------------+--------------------------+ +2 rows in set (0.0076 sec) +``` + +## See also - [Enable TLS Between TiDB Components](/enable-tls-between-components.md). diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index f19265356c0e3..dd42ab040203a 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -6,6 +6,9 @@ aliases: ['/docs/dev/generate-self-signed-certificates/','/docs/dev/how-to/secur # Generate Self-Signed Certificates +> **Note** +> To enable TLS between Clients and Servers setting `auto-tls` is sufficient. + This document provides an example of using `openssl` to generate a self-signed certificate. You can also generate certificates and keys that meet requirements according to your demands. Assume that the topology of the instance cluster is as follows: From 2fe3e3af1c65a08b256a642302487490216afd47 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 18 Oct 2021 09:59:42 +0200 Subject: [PATCH 2/6] Apply suggestions from code review Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> Co-authored-by: Morgan Tocker --- enable-tls-between-clients-and-servers.md | 8 ++++---- generate-self-signed-certificates.md | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index 2ce567eb696d5..bb464fd5a8322 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md 
@@ -10,15 +10,15 @@ Non-encrypted connection between TiDB's server and clients is allowed by default The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL Client, MySQL Shell and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support SSL. TiDB supports the following protocols: TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3. -When using an encrypted connection, the connection has the following security properties: +When an encrypted connection is used, the connection has the following security properties: - Confidentiality: the traffic plaintext is encrypted to avoid eavesdropping - Integrity: the traffic plaintext cannot be tampered -- Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client avoid man-in-the-middle attacks +- Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client to avoid man-in-the-middle attacks -To use connectecions secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client applications enable TLS automatically when the server supports this. +To use connections secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client libraries enable TLS automatically when the server has TLS support configured correctly. -Similar to MySQL with TiDB allows TLS and non-TLS connections on the same TCP port. 
For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a unencrypted connection. There are two ways to require the use of secure connections: +Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use an unencrypted connection. You can use the following ways to require the use of secure connections: + Configure the launch parameter `--require-secure-transport` to require secure connections to the TiDB server for all users. + Specify `REQUIRE SSL` when you create a user (`create user`), or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user: diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index dd42ab040203a..7309510b3c0c1 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -6,7 +6,8 @@ aliases: ['/docs/dev/generate-self-signed-certificates/','/docs/dev/how-to/secur # Generate Self-Signed Certificates -> **Note** +> **Note:** +> > To enable TLS between Clients and Servers setting `auto-tls` is sufficient. This document provides an example of using `openssl` to generate a self-signed certificate. You can also generate certificates and keys that meet requirements according to your demands. From 787224171758d516ddf14adc6ff5d76706b60b1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 18 Oct 2021 11:14:51 +0200 Subject: [PATCH 3/6] Apply suggestions from code review Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- enable-tls-between-clients-and-servers.md | 16 ++++++++-------- generate-self-signed-certificates.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index bb464fd5a8322..f3e168b54dae7 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -16,7 +16,7 @@ When an encrypted connection is used, the connection has the following security - Integrity: the traffic plaintext cannot be tampered - Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client to avoid man-in-the-middle attacks -To use connections secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client libraries enable TLS automatically when the server has TLS support configured correctly. +To use connections secured with TLS, you first need to configure the TiDB server to enable TLS. Then you need to configure the client application to use TLS. Most client libraries enable TLS automatically when the server has TLS support configured correctly. Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use an unencrypted connection. You can use the following ways to require the use of secure connections: 
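Review bot: "Most client libraries enable TLS automatically when the server has TLS support configured correctly" should not be left to imply that the security properties listed above follow automatically: as the `--ssl-mode` section of this same file describes, a client started without `--ssl-mode` attempts TLS and silently falls back to an unencrypted connection, and only `VERIFY_CA`/`VERIFY_IDENTITY` check the server's certificate. Add a sentence that the authentication property, and protection against a fallback to plaintext, requires the client to be configured to require and verify TLS rather than merely allow it.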
@@ -33,11 +33,11 @@ Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. > > If the login user has configured using the [TiDB Certificate-Based Authentication for Login](/certificate-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB. -## Configure TiDB Server to use secure connections +## Configure TiDB server to use secure connections See the following desrciptions about the related parameters to enable secure connections: -- [`auto-tls`](/tidb-configuration-file.md#auto-tls): Enable automatic certificate generation +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate 
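Review bot: the context line "See the following desrciptions about the related parameters" still has the typo ("descriptions"); this hunk, and the PATCH 4/6 and PATCH 5/6 hunks that touch the same list, all carry it as unchanged context, so fix it in whichever of them lands. The bullet wording is otherwise consistent after this change ("enables ...", "specifies ...").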
@@ -60,10 +60,10 @@ You can change the connection behavior of the client using the following `--ssl- - In the absence of the `--ssl-mode` parameter: The client attempts to use an encrypted connection, but the encrypted connection cannot be established if the server side does not support encrypted connections. Then the client uses an unencrypted connection. - `--ssl-mode=DISABLED`: The client uses an unencrypted connection. -MySQL 8.0 clients have two SSL modes in addtion to this: +MySQL 8.0 clients have two SSL modes in addition to this parameter: -- `--ssl-mode=VERIFY_CA`: Validate the certificate from the server against the CA (requires `--ssl-ca`) -- `--ssl-mode=VERIFY_IDENTITY`: The same as `VERIFY_CA`, but also validating the hostname you are connecting to matches the certificate. +- `--ssl-mode=VERIFY_CA`: Validates the certificate from the server against the CA that requires `--ssl-ca`. +- `--ssl-mode=VERIFY_IDENTITY`: The same as `VERIFY_CA`, but also validating whether the hostname you are connecting to matches the certificate. For more information, see [Client-Side Configuration for Encrypted Connections](https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html#using-encrypted-connections-client-side-configuration) in MySQL. @@ -124,7 +124,7 @@ SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 The TLS versions, key exchange protocols and encryption algorithms supported by TiDB are determined by the official Golang libraries. -The crypto policy for your operating system and the client library you are using may also impact the list of supported protocols and ciphersuites. +The crypto policy for your operating system and the client library you are using might also impact the list of supported protocols and cipher suites. ### Supported TLS versions 
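Review bot: in the `--ssl-mode` hunk above, the rewording "Validates the certificate from the server against the CA that requires `--ssl-ca`" changes the meaning: it now reads as if the CA requires the option, whereas the original "(requires `--ssl-ca`)" correctly said the mode needs the option that points at the CA certificate. Suggest: "Validates the server's certificate against the CA certificate given with `--ssl-ca` (required for this mode)." For `VERIFY_IDENTITY`, "also validating whether the hostname you are connecting to matches the certificate" could simply read "also checks that the hostname you connect to matches the certificate", and it is worth stating that this is the mode to use when the goal is the authentication property described at the top of the page.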
@@ -164,7 +164,7 @@ The newly loaded certificate, key, and CA take effect on the connection that is ## Montoring -Since TiDB v5.2.0 the `Ssl_server_not_after` and `Ssl_server_not_before` status variables can be used to monitor the start and end dates of the validity of the certificate. +Since TiDB v5.2.0, you can use the `Ssl_server_not_after` and `Ssl_server_not_before` status variables to monitor the start and end dates of the validity of the certificate. ```sql SHOW GLOBAL STATUS LIKE 'Ssl\_server\_not\_%'; diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index 7309510b3c0c1..b286c5ee01d0e 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -8,7 +8,7 @@ aliases: ['/docs/dev/generate-self-signed-certificates/','/docs/dev/how-to/secur > **Note:** > -> To enable TLS between Clients and Servers setting `auto-tls` is sufficient. +> To enable TLS between clients and servers, you only need to set `auto-tls`. This document provides an example of using `openssl` to generate a self-signed certificate. You can also generate certificates and keys that meet requirements according to your demands. From e3aad9e2cf90770134f990a1e1a7f327548c4c4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 19 Oct 2021 13:42:04 +0200 Subject: [PATCH 4/6] update basted on review --- enable-tls-between-clients-and-servers.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index f3e168b54dae7..ed5772bdeeb89 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md 
@@ -37,7 +37,7 @@ Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. See the following desrciptions about the related parameters to enable secure connections: -- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation (Since v5.2.0) - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate @@ -50,6 +50,8 @@ All the files specified by the parameters are in PEM (Privacy Enhanced Mail) for If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`. +For TiDB versions older than v5.2.0 you can use `mysql_ssl_rsa_setup --datadir=./certs` to generate certficates. The `mysql_ssal_rsa_setup` tool is part of MySQL Server. + ## Configure the MySQL client to use encrypted connections The client of MySQL 5.7 or later versions attempts to establish an encrypted connection by default. If the server does not support encrypted connections, it automatically returns to unencrypted connections. The client of MySQL earlier than version 5.7 uses the unencrypted connection by default. From da9e545335945c57e3992d1a34834ff4f107c9db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 19 Oct 2021 14:12:15 +0200 Subject: [PATCH 5/6] Update enable-tls-between-clients-and-servers.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- enable-tls-between-clients-and-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index ed5772bdeeb89..34d53b559df25 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -37,7 +37,7 @@ Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. See the following desrciptions about the related parameters to enable secure connections: -- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation (Since v5.2.0) +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation (since v5.2.0) - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate From 28aeb2ab7e9bdca296c7bcd061abd413ac292db2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 19 Oct 2021 14:12:24 +0200 Subject: [PATCH 6/6] Update enable-tls-between-clients-and-servers.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- enable-tls-between-clients-and-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index 34d53b559df25..c1d3278274cca 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md 
@@ -50,7 +50,7 @@ All the files specified by the parameters are in PEM (Privacy Enhanced Mail) for If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`. -For TiDB versions older than v5.2.0 you can use `mysql_ssl_rsa_setup --datadir=./certs` to generate certficates. The `mysql_ssal_rsa_setup` tool is part of MySQL Server. +For TiDB versions earlier than v5.2.0, you can use `mysql_ssl_rsa_setup --datadir=./certs` to generate certficates. The `mysql_ssal_rsa_setup` tool is a part of MySQL Server. ## Configure the MySQL client to use encrypted connections
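Review bot: the rewritten line still carries two spelling errors from PATCH 4/6: `certficates` should be `certificates`, and `mysql_ssal_rsa_setup` should be `mysql_ssl_rsa_setup`, which is how the same tool is spelled earlier in the very same sentence, so a reader copying the second form gets a command that does not exist. Suggest: "For TiDB versions earlier than v5.2.0, you can use `mysql_ssl_rsa_setup --datadir=./certs` to generate certificates. The `mysql_ssl_rsa_setup` tool is part of MySQL Server." Since the `[security]` example was removed in PATCH 1/6, it would also help to say here that the generated `server-cert.pem` and `server-key.pem` are the files to reference from `ssl-cert` and `ssl-key`.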
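Review bot: in PATCH 1/6, the hunk that adds the monitoring section introduces the heading `## Montoring` (should be `## Monitoring`), and the typo is still present as context in the PATCH 3/6 hunk that rewords the paragraph under it; fix it in that later hunk. The sample `SHOW GLOBAL STATUS` output is useful, but the hunk says the two variables are for monitoring without saying what an operator should watch; one sentence recommending an alert when `Ssl_server_not_after` approaches the current date, so the certificate is reloaded before it expires, would complete the section.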
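Review bot: in PATCH 1/6, the note added to generate-self-signed-certificates.md ("To enable TLS between Clients and Servers setting `auto-tls` is sufficient") is at odds with the rest of that document, which exists to produce CA-signed certificates that clients can verify, and with the `auto-tls` description in the same patch ("does not provide client certificate validation"). Qualify it: `auto-tls` is sufficient for encryption only; when clients must verify the server (`--ssl-mode=VERIFY_CA` or `VERIFY_IDENTITY`) or the server must verify clients, follow the procedure in this document. The missing colon and blank line after `> **Note**` are fixed in PATCH 2/6.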