From cd4065aae3250ba9a354bb1cd90f09c9abde8eb0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Fri, 27 Aug 2021 17:00:47 +0200 Subject: [PATCH 1/6] Update TLS docs Co-authored-by: Morgan Tocker --- enable-tls-between-clients-and-servers.md | 89 +++++++++++------------ generate-self-signed-certificates.md | 3 + 2 files changed, 47 insertions(+), 45 deletions(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index ab7a8b92fa890..a003731e6a368 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -5,75 +5,47 @@ summary: Use the encrypted connection to ensure data security. # Enable TLS between TiDB Clients and Servers -Non-encrypted connection between TiDB's server and client is used by default, which enables third parties that monitor channel traffic to know the data sent and received between the server and the client, including but not limited to query content, query results, and so on. If a channel is untrustworthy (such as if the client is connected to the TiDB server via a public network), then a non-encrypted connection is prone to information leakage. In this case, for security reasons, it is recommended to use an encrypted connection. +Non-encrypted connection between TiDB's server and clients is allowed by default, which enables third parties that monitor channel traffic to know the data sent and received between the server and the client, including but not limited to query content, query results, and so on. If a channel is untrustworthy (such as if the client is connected to the TiDB server via a public network), then a non-encrypted connection is prone to information leakage. In this case, for security reasons, it is recommended to require an encrypted connection. -The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2, TLS 1.3. +The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL Client, MySQL Shell and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support SSL. TiDB supports the following protocols: TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3. -After using an encrypted connection, the connection has the following security properties: +When using an encrypted connection, the connection has the following security properties: -- Confidentiality: the traffic plaintext cannot be eavesdropped +- Confidentiality: the traffic plaintext is encrypted to avoid eavesdropping - Integrity: the traffic plaintext cannot be tampered -- Authentication: (optional) the client and the server can verify the identity of both parties to avoid man-in-the-middle attacks +- Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client avoid man-in-the-middle attacks -The encrypted connections in TiDB are disabled by default. To use encrypted connections in the client, you must first configure the TiDB server and enable encrypted connections. In short, to use encrypted connections, both of the following conditions must be met: +To use connectecions secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client applications enable TLS automatically when the server supports this. -+ Enable encrypted connections in the TiDB server. -+ The client specifies to use an encrypted connection. +Similar to MySQL with TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a unencrypted connection. There are two ways to require the use of secure connections: -Similar to MySQL, the encrypted connections in TiDB consist of single connections. The encrypted connection is optional by default. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. If the encrypted connections are enforced as required, both of the following two ways are available: - -+ Configure the launch parameter `--require-secure-transport` to enable encrypted connections to the TiDB server for all users. -+ Specify `require ssl` when you create a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user: ++ Configure the launch parameter `--require-secure-transport` to require secure connections to the TiDB server for all users. ++ Specify `REQUIRE SSL` when you create a user (`create user`), or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user: {{< copyable "sql" >}} ```sql - create user 'u1'@'%' require ssl; + CREATE USER 'u1'@'%' IDENTIFIED BY 'my_random_password' REQUIRE SSL; ``` > **Note:** > > If the login user has configured using the [TiDB Certificate-Based Authentication for Login](/certificate-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB. -## Configure TiDB to use encrypted connections +## Configure TiDB Server to use secure connections -See the following descriptions about the related parameters to enable encrypted connections: +See the following desrciptions about the related parameters to enable secure connections: +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): Enable automatic certificate generation - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate -To enable encrypted connections in the TiDB server, you must specify both of the `ssl-cert` and `ssl-key` parameters in the configuration file when you start the TiDB server. You can also specify the `ssl-ca` parameter for client authentication (see [Enable authentication](#enable-authentication)). - -All the files specified by the parameters are in PEM (Privacy Enhanced Mail) format. Currently, TiDB does not support the import of a password-protected private key, so it is required to provide a private key file without a password. If the certificate or private key is invalid, the TiDB server starts as usual, but the client cannot connect to the TiDB server through an encrypted connection. - -The certificate or key is signed and generated using OpenSSL, or quickly generated using the `mysql_ssl_rsa_setup` tool in MySQL: - -```bash -mysql_ssl_rsa_setup --datadir=./certs -``` - -This command generates the following files in the `certs` directory: - -``` -certs -├── ca-key.pem -├── ca.pem -├── client-cert.pem -├── client-key.pem -├── private_key.pem -├── public_key.pem -├── server-cert.pem -└── server-key.pem -``` +`auto-tls` allows secure connections but does not provide client certificate validation. For certificate validation, and to control how certificates are generated, see the advice on configuring the `ssl-cert`, `ssl-key` and `ssl-ca` variables below. -The corresponding TiDB configuration file parameters are: +To enable secure connections with your own certificates in the TiDB server, you must specify both of the `ssl-cert` and `ssl-key` parameters in the configuration file when you start the TiDB server. You can also specify the `ssl-ca` parameter for client authentication (see [Enable authentication](#enable-authentication)). -```toml -[security] -ssl-cert = "certs/server-cert.pem" -ssl-key = "certs/server-key.pem" -``` +All the files specified by the parameters are in PEM (Privacy Enhanced Mail) format. Currently, TiDB does not support the import of a password-protected private key, so it is required to provide a private key file without a password. If the certificate or private key is invalid, the TiDB server starts as usual, but the client cannot connect to the TiDB server through an encrypted connection. If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`. @@ -87,6 +59,11 @@ You can change the connection behavior of the client using the following `--ssl- - In the absence of the `--ssl-mode` parameter: The client attempts to use an encrypted connection, but the encrypted connection cannot be established if the server side does not support encrypted connections. Then the client uses an unencrypted connection. - `--ssl-mode=DISABLED`: The client uses an unencrypted connection. +MySQL 8.0 clients have two SSL modes in addtion to this: + +- `--ssl-mode=VERIFY_CA`: Validate the certificate from the server against the CA (requires `--ssl-ca`) +- `--ssl-mode=VERIFY_IDENTITY`: The same as `VERIFY_CA`, but also validating the hostname you are connecting to matches the certificate. + For more information, see [Client-Side Configuration for Encrypted Connections](https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html#using-encrypted-connections-client-side-configuration) in MySQL. ## Enable authentication @@ -146,6 +123,8 @@ SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 The TLS versions, key exchange protocols and encryption algorithms supported by TiDB are determined by the official Golang libraries. +The crypto policy for your operating system and the client library you are using may also impact the list of supported protocols and ciphersuites. + ### Supported TLS versions - TLS 1.0 @@ -170,6 +149,8 @@ The TLS versions, key exchange protocols and encryption algorithms supported by - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 - TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 +- TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256 +- TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256 - TLS\_AES\_128\_GCM\_SHA256 - TLS\_AES\_256\_GCM\_SHA384 - TLS\_CHACHA20\_POLY1305\_SHA256 @@ -180,6 +161,24 @@ To replace the certificate, the key or CA, first replace the corresponding files The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected. -### See also +## Montoring + +Since TiDB v5.2.0 the `Ssl_server_not_after` and `Ssl_server_not_before` status variables can be used to monitor the start and end dates of the validity of the certificate. + +```sql +SHOW GLOBAL STATUS LIKE 'Ssl\_server\_not\_%'; +``` + +``` ++-----------------------+--------------------------+ +| Variable_name | Value | ++-----------------------+--------------------------+ +| Ssl_server_not_after | Nov 28 06:42:32 2021 UTC | +| Ssl_server_not_before | Aug 30 06:42:32 2021 UTC | ++-----------------------+--------------------------+ +2 rows in set (0.0076 sec) +``` + +## See also - [Enable TLS Between TiDB Components](/enable-tls-between-components.md). diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index 3bdce5c277fe9..4cb6a3aa6c22a 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -5,6 +5,9 @@ summary: Use `openssl` to generate self-signed certificates. # Generate Self-Signed Certificates +> **Note** +> To enable TLS between Clients and Servers setting `auto-tls` is sufficient. + This document provides an example of using `openssl` to generate a self-signed certificate. You can also generate certificates and keys that meet requirements according to your demands. Assume that the topology of the instance cluster is as follows: From 5262ecda86add9f7f06102d549830c5f4589cc88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 18 Oct 2021 09:59:42 +0200 Subject: [PATCH 2/6] Apply suggestions from code review Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> Co-authored-by: Morgan Tocker --- enable-tls-between-clients-and-servers.md | 8 ++++---- generate-self-signed-certificates.md | 3 ++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index a003731e6a368..fe87ee75ad0d1 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -9,15 +9,15 @@ Non-encrypted connection between TiDB's server and clients is allowed by default The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL Client, MySQL Shell and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support SSL. TiDB supports the following protocols: TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3. -When using an encrypted connection, the connection has the following security properties: +When an encrypted connection is used, the connection has the following security properties: - Confidentiality: the traffic plaintext is encrypted to avoid eavesdropping - Integrity: the traffic plaintext cannot be tampered -- Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client avoid man-in-the-middle attacks +- Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client to avoid man-in-the-middle attacks -To use connectecions secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client applications enable TLS automatically when the server supports this. +To use connections secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client libraries enable TLS automatically when the server has TLS support configured correctly. -Similar to MySQL with TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a unencrypted connection. There are two ways to require the use of secure connections: +Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use an unencrypted connection. You can use the following ways to require the use of secure connections: + Configure the launch parameter `--require-secure-transport` to require secure connections to the TiDB server for all users. + Specify `REQUIRE SSL` when you create a user (`create user`), or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user: diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index 4cb6a3aa6c22a..f9c36a6246fbd 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -5,7 +5,8 @@ summary: Use `openssl` to generate self-signed certificates. # Generate Self-Signed Certificates -> **Note** +> **Note:** +> > To enable TLS between Clients and Servers setting `auto-tls` is sufficient. This document provides an example of using `openssl` to generate a self-signed certificate. You can also generate certificates and keys that meet requirements according to your demands. From 4f8281768fab458c721727fce291de2675b35305 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Mon, 18 Oct 2021 11:14:51 +0200 Subject: [PATCH 3/6] Apply suggestions from code review Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- enable-tls-between-clients-and-servers.md | 16 ++++++++-------- generate-self-signed-certificates.md | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index fe87ee75ad0d1..90f3e2fd6c829 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -15,7 +15,7 @@ When an encrypted connection is used, the connection has the following security - Integrity: the traffic plaintext cannot be tampered - Authentication: (optional) the client can verify the identity of the server and the server can verify the identity of the client to avoid man-in-the-middle attacks -To use connections secured with TLS you must first configure the TiDB server to enable TLS, then you need to configure the client application to use TLS. Most client libraries enable TLS automatically when the server has TLS support configured correctly. +To use connections secured with TLS, you first need to configure the TiDB server to enable TLS. Then you need to configure the client application to use TLS. Most client libraries enable TLS automatically when the server has TLS support configured correctly. Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. For a TiDB server with TLS enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use an unencrypted connection. You can use the following ways to require the use of secure connections: @@ -32,11 +32,11 @@ Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. > > If the login user has configured using the [TiDB Certificate-Based Authentication for Login](/certificate-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB. -## Configure TiDB Server to use secure connections +## Configure TiDB server to use secure connections See the following desrciptions about the related parameters to enable secure connections: -- [`auto-tls`](/tidb-configuration-file.md#auto-tls): Enable automatic certificate generation +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate @@ -59,10 +59,10 @@ You can change the connection behavior of the client using the following `--ssl- - In the absence of the `--ssl-mode` parameter: The client attempts to use an encrypted connection, but the encrypted connection cannot be established if the server side does not support encrypted connections. Then the client uses an unencrypted connection. - `--ssl-mode=DISABLED`: The client uses an unencrypted connection. -MySQL 8.0 clients have two SSL modes in addtion to this: +MySQL 8.0 clients have two SSL modes in addition to this parameter: -- `--ssl-mode=VERIFY_CA`: Validate the certificate from the server against the CA (requires `--ssl-ca`) -- `--ssl-mode=VERIFY_IDENTITY`: The same as `VERIFY_CA`, but also validating the hostname you are connecting to matches the certificate. +- `--ssl-mode=VERIFY_CA`: Validates the certificate from the server against the CA that requires `--ssl-ca`. +- `--ssl-mode=VERIFY_IDENTITY`: The same as `VERIFY_CA`, but also validating whether the hostname you are connecting to matches the certificate. For more information, see [Client-Side Configuration for Encrypted Connections](https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html#using-encrypted-connections-client-side-configuration) in MySQL. @@ -123,7 +123,7 @@ SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 The TLS versions, key exchange protocols and encryption algorithms supported by TiDB are determined by the official Golang libraries. -The crypto policy for your operating system and the client library you are using may also impact the list of supported protocols and ciphersuites. +The crypto policy for your operating system and the client library you are using might also impact the list of supported protocols and cipher suites. ### Supported TLS versions @@ -163,7 +163,7 @@ The newly loaded certificate, key, and CA take effect on the connection that is ## Montoring -Since TiDB v5.2.0 the `Ssl_server_not_after` and `Ssl_server_not_before` status variables can be used to monitor the start and end dates of the validity of the certificate. +Since TiDB v5.2.0, you can use the `Ssl_server_not_after` and `Ssl_server_not_before` status variables to monitor the start and end dates of the validity of the certificate. ```sql SHOW GLOBAL STATUS LIKE 'Ssl\_server\_not\_%'; diff --git a/generate-self-signed-certificates.md b/generate-self-signed-certificates.md index f9c36a6246fbd..f66809dd01a80 100644 --- a/generate-self-signed-certificates.md +++ b/generate-self-signed-certificates.md @@ -7,7 +7,7 @@ summary: Use `openssl` to generate self-signed certificates. > **Note:** > -> To enable TLS between Clients and Servers setting `auto-tls` is sufficient. +> To enable TLS between clients and servers, you only need to set `auto-tls`. This document provides an example of using `openssl` to generate a self-signed certificate. You can also generate certificates and keys that meet requirements according to your demands. From b59a20c5c4ce400906258d3ac8925d66432aabae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 19 Oct 2021 13:42:04 +0200 Subject: [PATCH 4/6] update basted on review --- enable-tls-between-clients-and-servers.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index 90f3e2fd6c829..272e890ed9482 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -36,7 +36,7 @@ Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. See the following desrciptions about the related parameters to enable secure connections: -- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation (Since v5.2.0) - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate @@ -49,6 +49,8 @@ All the files specified by the parameters are in PEM (Privacy Enhanced Mail) for If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`. +For TiDB versions older than v5.2.0 you can use `mysql_ssl_rsa_setup --datadir=./certs` to generate certficates. The `mysql_ssal_rsa_setup` tool is part of MySQL Server. + ## Configure the MySQL client to use encrypted connections The client of MySQL 5.7 or later versions attempts to establish an encrypted connection by default. If the server does not support encrypted connections, it automatically returns to unencrypted connections. The client of MySQL earlier than version 5.7 uses the unencrypted connection by default. From a087c3e5d969bffc57b4e780d6feaff2ba95cd20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 19 Oct 2021 14:12:15 +0200 Subject: [PATCH 5/6] Update enable-tls-between-clients-and-servers.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- enable-tls-between-clients-and-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index 272e890ed9482..5a654b127eb73 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -36,7 +36,7 @@ Similar to MySQL, TiDB allows TLS and non-TLS connections on the same TCP port. See the following desrciptions about the related parameters to enable secure connections: -- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation (Since v5.2.0) +- [`auto-tls`](/tidb-configuration-file.md#auto-tls): enables automatic certificate generation (since v5.2.0) - [`ssl-cert`](/tidb-configuration-file.md#ssl-cert): specifies the file path of the SSL certificate - [`ssl-key`](/tidb-configuration-file.md#ssl-key): specifies the private key that matches the certificate - [`ssl-ca`](/tidb-configuration-file.md#ssl-ca): (optional) specifies the file path of the trusted CA certificate From a24f017f7046134920bea1d319ed3cbc712890e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20van=20Eeden?= Date: Tue, 19 Oct 2021 14:12:24 +0200 Subject: [PATCH 6/6] Update enable-tls-between-clients-and-servers.md Co-authored-by: TomShawn <41534398+TomShawn@users.noreply.github.com> --- enable-tls-between-clients-and-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enable-tls-between-clients-and-servers.md b/enable-tls-between-clients-and-servers.md index 5a654b127eb73..fd3dec537ad1c 100644 --- a/enable-tls-between-clients-and-servers.md +++ b/enable-tls-between-clients-and-servers.md @@ -49,7 +49,7 @@ All the files specified by the parameters are in PEM (Privacy Enhanced Mail) for If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`. -For TiDB versions older than v5.2.0 you can use `mysql_ssl_rsa_setup --datadir=./certs` to generate certficates. The `mysql_ssal_rsa_setup` tool is part of MySQL Server. +For TiDB versions earlier than v5.2.0, you can use `mysql_ssl_rsa_setup --datadir=./certs` to generate certficates. The `mysql_ssal_rsa_setup` tool is a part of MySQL Server. ## Configure the MySQL client to use encrypted connections