4
votes

I am trying to access my RDS MySQL DB via 443 only instead of 3306.

After enabling the SSL option in Workbench and entering the path to the mysql-ssl-ca-cert.pem, I tried to disable TCP 3306 on my security group to ensure it connects using 443, but it doesn't.

I can connect using the mysql command line below, but yet again it fails once I disable TCP 443 on the security group:

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl_ca=rds-ssl-ca-cert.pem

Amazon documentation states: The SSL support in Amazon RDS is strictly for encrypting the connection between your client and your DB instance; it should not be relied on for authenticating the server.

Does this mean that I can only ever authenticate to the MySQL DB over 3306 and not 443, but the data will be encrypted in transit?

My issue is that my customer won't open 3306 outbound on their firewall, but 443 is of course open. Any help appreciated.


1 Answer

6
votes

You are confusing SSL and HTTPS. Port 443 is the default port for HTTPS connections. MySQL uses 3306 instead (and can use SSL over this port or any other to encrypt the connection). So setting up SSL encryption for a MySQL connection doesn't affect the port used.

In order to use a port other than the standard one, you have to reconfigure the MySQL server, which you probably cannot do with an RDS instance.

It is possible to use tunneling to avoid the default port. In this scenario you have to open an SSH tunnel (MySQL Workbench can do that for you, or you can use an external program like PuTTY on Windows or ssh on *nix-like OSes). With that tunnel in place (which uses port 22 by default but can be configured for any other port if that matters to you) you can then forward access from a local port (here 3306, but it can be any) to a remote port (which can be any as well). This requires an SSH server on the remote end, however.
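A worked version of the tunnel the answer describes, added here as an example and not the answerer's code: sshd on a bastion listening on 443 so the customer's firewall allows it, a local port forwarded to the RDS endpoint, and the mysql client still verifying the RDS CA through that tunnel. The bastion host, its user, the local port and the DB user are assumptions; the RDS endpoint and CA file name are taken from the question.

```shell
#!/bin/sh
# Added example: SSH local port forward to an RDS MySQL endpoint, then a
# TLS-verified mysql connection through it. Bastion host/user, local port
# and DB user are hypothetical; override them via the environment.

BASTION_USER="${BASTION_USER:-ec2-user}"
BASTION_HOST="${BASTION_HOST:-bastion.example.com}"  # hypothetical SSH host inside the VPC
BASTION_PORT="${BASTION_PORT:-443}"                   # sshd bound to 443 to pass an outbound-443-only firewall
RDS_HOST="${RDS_HOST:-myinstance.c9akciq32.rds-us-east-1.amazonaws.com}"  # endpoint from the question
RDS_PORT=3306                                         # RDS MySQL still listens on 3306 inside the VPC
LOCAL_PORT="${LOCAL_PORT:-3307}"                      # any free local port
CA_FILE="${CA_FILE:-rds-ssl-ca-cert.pem}"             # RDS CA bundle from the question

# ssh -N: no remote shell, only the forward. ExitOnForwardFailure makes ssh
# exit with an error instead of staying up without the forward in place.
tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:%s:%s %s@%s' \
    "$BASTION_PORT" "$LOCAL_PORT" "$RDS_HOST" "$RDS_PORT" "$BASTION_USER" "$BASTION_HOST"
}

# Through the tunnel the client connects to 127.0.0.1, so the certificate's
# hostname cannot match: VERIFY_IDENTITY would fail, but VERIFY_CA still
# checks the chain against the RDS CA. --protocol=TCP avoids the local socket.
mysql_cmd() {
  printf 'mysql --protocol=TCP -h 127.0.0.1 -P %s --ssl-mode=VERIFY_CA --ssl-ca=%s -u %s -p' \
    "$LOCAL_PORT" "$CA_FILE" "${DB_USER:-admin}"
}

if [ "${1:-}" = "--run" ]; then
  $(tunnel_cmd) &                 # start the tunnel in the background
  TUNNEL_PID=$!
  trap 'kill "$TUNNEL_PID" 2>/dev/null' EXIT
  sleep 2                         # give ssh time to establish the forward
  eval "$(mysql_cmd)"             # interactive mysql session over the tunnel
else
  printf 'Tunnel: %s\nClient: %s\n' "$(tunnel_cmd)" "$(mysql_cmd)"   # dry run
fi
```

Without `--run` the script only prints the two commands, so you can check the forward and the TLS flags before opening anything.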