In my previous blogs I told you to enable SSL/TLS and configure it to check the CA. So I followed my advice and did all that. Great!
--ssl-mode setting was used a few times as a solution. And it has a setting we didn't use yet: VERIFY_IDENTITY. In older MySQL versions you can use --ssl-verify-server-cert. Both turn on hostname
Get any certificate that is trusted by the configured CA, for example a certificate from a development machine, and use it with a man-in-the-middle proxy.
Then the client:
- Checks if SSL is used (
- Verifies if the certificate is signed by a trusted CA
Both checks succeed. But the certificate might be for testhost01.example.com and the database server might be prod-websitedb-123.example.com.
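The gap described above, as an added example that is not from the original post: a simplified Python model of what each check contributes to the client's decision. The certificates are constructed dictionaries rather than parsed X.509, the CA name and function names are hypothetical, and REQUIRED and VERIFY_CA are the other --ssl-mode levels assumed alongside VERIFY_IDENTITY; this is not MySQL's own verification code.

```python
# Simplified model of client-side checks per --ssl-mode level (added example).
# Certificates are constructed dicts, not parsed X.509; all names are hypothetical.

TRUSTED_CAS = {"Example Internal CA"}  # constructed CA name

def hostname_matches(pattern: str, host: str) -> bool:
    """Compare one DNS name from the certificate with the host the client dialed."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the complete left-most label,
    # and never directly under a top-level domain.
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_connection(ssl_mode: str, host: str, tls_in_use: bool, cert: dict):
    """Return (accepted, reason) for one connection attempt."""
    if ssl_mode not in ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"):
        raise ValueError(f"unsupported ssl_mode in this model: {ssl_mode}")
    if not tls_in_use:
        return False, "TLS not in use"
    if ssl_mode == "REQUIRED":
        return True, "encrypted, certificate not verified"
    if cert["issuer"] not in TRUSTED_CAS:
        return False, "untrusted CA"
    if ssl_mode == "VERIFY_CA":
        return True, "CA trusted, identity not checked"
    # VERIFY_IDENTITY: the certificate must also name the host we connected to.
    if any(hostname_matches(name, host) for name in cert["dns_names"]):
        return True, "CA trusted and hostname matches"
    return False, "hostname mismatch"

# Constructed sample data using the host names from the text above.
PROD_HOST = "prod-websitedb-123.example.com"
DEV_CERT = {"issuer": "Example Internal CA",
            "dns_names": ["testhost01.example.com"]}
PROD_CERT = {"issuer": "Example Internal CA",
             "dns_names": ["prod-websitedb-123.example.com"]}

if __name__ == "__main__":
    for mode in ("VERIFY_CA", "VERIFY_IDENTITY"):
        for label, cert in (("dev cert", DEV_CERT), ("prod cert", PROD_CERT)):
            accepted, reason = check_connection(mode, PROD_HOST, True, cert)
            print(f"{mode:16} {label:9} accepted={accepted} ({reason})")
```

With the CA check alone, the development certificate is accepted for the production host; only the identity check rejects it.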