Dolt SSL Authentication


Dolt is the world's first and only version controlled SQL database. Dolt is fully MySQL-compatible. You connect to it with any MySQL client. Some MySQL clients require connection authentication using Transport Layer Security (TLS). TLS is often referred to as SSL (i.e., Secure Sockets Layer), which is the protocol it replaced in the late 90s.

This article will explain how to start a Dolt SQL Server using TLS/SSL and connect to it with a MySQL client using TLS.

config.yaml

Dolt supports a SQL Server configuration file in Yet Another Markup Language (YAML) format. You can call the file whatever you want but we often refer to it as config.yaml. A simple config.yaml file looks like this:

log_level: debug

behavior:
  read_only: false
  autocommit: true

user:
  name: root
  password: ""

listener:
  host: localhost
  port: 3307
  max_connections: 100
  read_timeout_millis: 28800000
  write_timeout_millis: 28800000

To support TLS authentication you add the following three fields, tls_key, tls_cert, and require_secure_transport, to the listener section.

listener:
  host: localhost
  port: 3307
  max_connections: 100
  read_timeout_millis: 28800000
  write_timeout_millis: 28800000
  tls_key: "/path/to/key.pem"
  tls_cert: "/path/to/cert.pem"
  require_secure_transport: true

Then, you start the server like so:

$ dolt sql-server --config=config.yaml

Connect

Now, let's make sure it works. Connect to the server using the root user.

$ mysql -h 127.0.0.1 -P 3307 -u root
WARNING: option --ssl-verify-server-cert is disabled, because of an insecure passwordless login.
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 8.0.33 Dolt

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

The MySQL status command gives you information about your connection.

MySQL [(none)]> status
--------------
mysql from 11.6.2-MariaDB, client 15.2 for osx10.20 (arm64) using  EditLine wrapper

Connection id:		1
Current database:	
Current user:		root@%
SSL:			Cipher in use is TLS_AES_128_GCM_SHA256, cert is UNKNOWN
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server:			MySQL
Server version:		8.0.33 Dolt
Protocol version:	10
Connection:		127.0.0.1 via TCP/IP
Server characterset:	utf8mb4
Db     characterset:	utf8mb4
Client characterset:	utf8mb4
Conn.  characterset:	utf8mb4
TCP port:		3307
--------------

MySQL [(none)]>

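Note the SSL field. If you are connected via SSL, this field will be populated with the cipher in use. In the session above, the warning printed at connect time shows that the client disabled --ssl-verify-server-cert, so the connection is encrypted but the client did not verify the server's certificate.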

Getting a Key and Cert

This is kind of complicated. You can use an online tool like Let's Encrypt to generate a signed key and certificate. You can self-sign a key using Keychain on Mac. Depending on your needs, you'll want to generate the key and cert that are right for you. I am not an expert here. If I want to do this I always just ask Aaron.

That said, if you need a key and cert for testing Dolt, our Dolt repository contains both a signed and self-signed key and cert. Feel free to clone the repository from GitHub and use them for testing.
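
For a throwaway local test, a self-signed pair can also be generated with OpenSSL. The following is an added example, not code from the Dolt repository or the original article; the function names, file names and the 30-day lifetime are assumptions, and -addext needs OpenSSL 1.1.1 or newer.

```shell
# Added example: throwaway self-signed key/cert for a local Dolt test server.
# Function names, file names and the 30-day lifetime are assumptions.

# make_test_tls DIR: create DIR/key.pem and DIR/cert.pem for localhost.
make_test_tls() {
  mkdir -p "$1" || return 1
  # Subshell umask: both files are created readable by the owner only.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=localhost" \
      -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
      -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null ) || return 1
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key,
# which catches a tls_key/tls_cert pair that was mixed up before startup.
key_matches_cert() {
  kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  kmc_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_cert" ]
}

# write_listener_config DIR: write DIR/config.yaml with the TLS fields from
# this page; the other sections of the page's config.yaml can be added as-is.
write_listener_config() {
  wlc_dir=$(cd "$1" && pwd) || return 1
  cat > "$wlc_dir/config.yaml" <<EOF
listener:
  host: localhost
  port: 3307
  tls_key: "$wlc_dir/key.pem"
  tls_cert: "$wlc_dir/cert.pem"
  require_secure_transport: true
EOF
}
```

Run the three functions against one directory, then start the server with dolt sql-server --config pointing at the generated config.yaml. With the MariaDB client shown on this page, passing the generated cert.pem via --ssl-ca together with --ssl-verify-server-cert is one way to have the client check the server certificate (an assumption about your client, not something the original article tests).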


Conclusion

Dolt supports TLS authentication. Just add a couple lines to your config.yaml and start a SQL Server. If you need a key and cert to test, the Dolt repository has some test ones. Questions? Stop by our Discord and hit us up.
