Prior to MySQL 5.7 client communications with a MySQL instance were unencrypted by default. This plaintext capability allowed for various tools including pt-query-digest to analyze TCP/IP traffic. Starting with MySQL 5.7 SSL is enabled by default and will be used in client communications if SSL is detected on the server.
We can detect and confirm this easily with the
Default client connection traffic (5.6)
On a MySQL 5.6 server we monitor the default MySQL port traffic.
mysql56$ sudo ngrep -d eth1 -wi -P ' ' -W single -l port 3306 interface: eth1 (192.168.42.0/255.255.255.0) filter: ( port 3306 ) and ((ip || ip6) || (vlan && (ip || ip6))) ...
We connect to this server using TCP/IP.
host$ mysql -uexternal -p -h192.168.42.16 mysql56> select 'unencrypted';
We can observe the communication to and from the server (in this example 192.168.42.16) is …[Read more]