Cipher used in front-end connection


preethi subbu

Sep 29, 2022, 8:29:49 AM
to proxysql
Hi,
I have enabled SSL in front-end connections. I would like to know the actual cipher used in the JDBC call. How can I cross-check it? I'm looking for something similar to the status or /s command in the mysql client.

Connection details :
jdbc:mysql://localhost:6033/mysql?useSSL=true&requireSSL=true&allowPublicKeyRetrieval=true&verifyServerCertificate=false&enabledTLSProtocols=TLSv1.2&tlsCiphersuites=ECDHE-RSA-AES128-GCM-SHA256
 
Any leads would be really helpful.

René Cannaò

Sep 29, 2022, 9:27:37 AM
to preethi subbu, proxysql
Hi,

You have mostly 2 options: check this information from the client itself, or from ProxySQL's Admin.

From the client side, you can run the following query: PROXYSQL INTERNAL SESSION
It returns a JSON output with a lot of internal information, including cipher. Here is an example:

mysql> PROXYSQL INTERNAL SESSION\G
*************************** 1. row ***************************
session_info: {
    "address": "0xffff8a504000",
    "age_ms": 8017,
    "autocommit": true,
    "autocommit_on_hostgroup": -1,
    "client": {
        "DSS": 6,
        "client_addr": {
            "address": "127.0.0.1",
            "port": 37734
        },  
        "encrypted": true,
        "proxy_addr": {
            "address": "0.0.0.0",
            "port": 6033
        },  
        "ssl_cipher": "TLS_AES_256_GCM_SHA384",
        "stream": {
            "bytes_recv": 219,
            "bytes_sent": 2649,
            "pkts_recv": 5,
            "pkts_sent": 7
        },
        "switching_auth_type": 0,
        "userinfo": {


From ProxySQL's Admin, you can enable extended info and query stats_mysql_processlist.
For example:

Admin> SET mysql-show_processlist_extended=2; LOAD MYSQL VARIABLES TO RUNTIME;
Query OK, 1 row affected (0.00 sec)

Query OK, 0 rows affected (0.00 sec)

Admin> SELECT SessionID, cli_host, cli_port, JSON_EXTRACT(extended_info,'$.client.ssl_cipher') FROM stats_mysql_processlist;
+-----------+-----------+----------+---------------------------------------------------+
| SessionID | cli_host  | cli_port | JSON_EXTRACT(extended_info,'$.client.ssl_cipher') |
+-----------+-----------+----------+---------------------------------------------------+
| 3         | 127.0.0.1 | 37734    | TLS_AES_256_GCM_SHA384                            |
+-----------+-----------+----------+---------------------------------------------------+
1 row in set (0.00 sec)

Note: when mysql-show_processlist_extended is not 0, stats_mysql_processlist.extended_info provides A LOT of information in JSON format and you can query/filter them using JSON_EXTRACT.

Thanks,
René
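
A check built on the extended_info JSON shown above, as an added example that is not part of the original thread or ProxySQL's own code: it audits rows returned by the stats_mysql_processlist query for unencrypted sessions and ciphers outside an allowlist, and notes whether the suite name alone rules out TLS 1.0/1.1. The sample rows, the allowlist and the function names are constructed for illustration; only the client.encrypted and client.ssl_cipher keys come from the output above.

```python
import json

# TLS 1.3 suite names as OpenSSL reports them.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

def protocol_floor(cipher):
    """Lowest TLS version that the OpenSSL suite name alone guarantees."""
    if cipher in TLS13_SUITES:
        return "TLSv1.3"
    # AEAD suites exist only from TLS 1.2 on; other names are treated conservatively.
    if any(tag in cipher for tag in ("GCM", "CCM", "CHACHA20")):
        return "TLSv1.2"
    return "pre-1.2 possible"

def audit(rows, allowed):
    """Map SessionID -> verdict for (SessionID, cli_host, cli_port, extended_info) rows."""
    verdicts = {}
    for session_id, _host, _port, extended_info in rows:
        # Assumption: extended_info is empty/NULL when mysql-show_processlist_extended is 0.
        if not extended_info:
            verdicts[session_id] = "no extended_info"
            continue
        client = json.loads(extended_info).get("client", {})
        cipher = client.get("ssl_cipher")
        if not client.get("encrypted") or not cipher:
            verdicts[session_id] = "UNENCRYPTED"
        elif cipher not in allowed:
            verdicts[session_id] = f"DISALLOWED {cipher} ({protocol_floor(cipher)})"
        else:
            verdicts[session_id] = f"ok {cipher} ({protocol_floor(cipher)})"
    return verdicts

# Constructed sample rows; session 3 mirrors the output above, the rest are made up.
SAMPLE_ROWS = [
    (3, "127.0.0.1", 37734, '{"client": {"encrypted": true, "ssl_cipher": "TLS_AES_256_GCM_SHA384"}}'),
    (4, "127.0.0.1", 37740, '{"client": {"encrypted": true, "ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256"}}'),
    (5, "127.0.0.1", 37752, '{"client": {"encrypted": false}}'),
    (6, "127.0.0.1", 37760, '{"client": {"encrypted": true, "ssl_cipher": "ECDHE-RSA-AES128-SHA"}}'),
    (7, "127.0.0.1", 37768, None),
]
ALLOWED = {"TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"}  # assumed policy

if __name__ == "__main__":
    for sid, verdict in audit(SAMPLE_ROWS, ALLOWED).items():
        print(sid, verdict)
```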





preethi subbu

Sep 30, 2022, 12:40:10 AM
to proxysql
Thank you. Does ProxySQL have any support to restrict TLSv1? I'm looking for something similar to 'tls_version' in MySQL.
The front-end connection in my test set-up uses a cipher based on the mysql client configuration.