Information Security

SSL Overview and DBLE SSL Configuration Guide

This article introduces the SSL protocol, explains why encryption is needed for database communication, and provides step‑by‑step instructions for generating self‑signed certificates with OpenSSL, converting them for Java, and configuring both DBLE server and client to use SSL, including experimental verification of encrypted versus unencrypted connections.

Aikesheng Open Source Community

SSL Protocol Overview

Transmitting data in clear text over a network exposes it to eavesdropping and theft, a serious risk for personal and corporate information. To address this, SSL (Secure Sockets Layer) was introduced by Netscape in 1996 as a protocol layered between the application and transport layers. SSL not only encrypts data but also provides authentication and message integrity, greatly improving Internet security.

MySQL has long supported SSL; the rest of this article focuses on applying SSL to the DBLE database middleware.

DBLE SSL Section

Overview

DBLE sits in front of MySQL backends and talks to clients directly. To protect that client traffic, DBLE adopts SSL in the same way MySQL does.

The upcoming DBLE release will support SSL for the client‑to‑DBLE connection (the DBLE‑to‑MySQL link is not yet encrypted). DBLE 3.22.01.1 already supports SSL.

Usage Instructions

DBLE’s SSL configuration is similar to MySQL but has differences. SSL requires certificates and keys; DBLE uses self‑signed certificates just like MySQL.

Certificate Generation

OpenSSL is used to create the certificates. First create the CA key and the self-signed CA certificate:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

Create server key and certificate:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Create the client key and certificate (same steps as for the server; when prompted, give the CA, server and client certificates distinct Common Name values, otherwise OpenSSL-based validation rejects the chain):

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Verify certificates:

openssl verify -CAfile ca.pem server-cert.pem client-cert.pem

MySQL also provides mysql_ssl_rsa_setup to generate similar certificates, which can be reused for DBLE after conversion.

Certificate Type Conversion

DBLE is Java-based, so the PEM/CRT files must be converted to PKCS12/JKS format with openssl pkcs12 and keytool:

keytool -import -noprompt -file ca.pem -keystore truststore.jks -storepass 123456
openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -out serverkeystore.p12 -passout pass:123456
keytool -importkeystore -srckeystore serverkeystore.p12 -srcstoretype PKCS12 -destkeystore serverkeystore.jks -srcstorepass 123456 -deststorepass 123456
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -out clientkeystore.p12 -passout pass:123456
keytool -importkeystore -srckeystore clientkeystore.p12 -srcstoretype PKCS12 -destkeystore clientkeystore.jks -srcstorepass 123456 -deststorepass 123456

Resulting key files:

Certificate                        Description
ca.pem                             Self-signed CA certificate; used to verify trust of the other certificates.
server-cert.pem, server-key.pem    Server certificate and private key; for non-Java clients.
client-cert.pem, client-key.pem    Client certificate and private key; for non-Java clients.
truststore.jks                     JKS keystore containing the CA certificate; used by Java.
serverkeystore.jks                 JKS keystore with the server certificate and key; used by Java.
clientkeystore.jks                 JKS keystore with the client certificate and key; used by Java.

Server‑Side DBLE Configuration

Enable SSL on the DBLE server by setting the supportSSL flag to true and providing the keystore paths and passwords in bootstrap.cnf:

-DsupportSSL=true
-DserverCertificateKeyStoreUrl=${path}/serverkeystore.jks
-DserverCertificateKeyStorePwd=123456
-DtrustCertificateKeyStoreUrl=${path}/truststore.jks
-DtrustCertificateKeyStorePwd=123456

Restart DBLE after configuration. SSL metadata can be queried from the dble_information database.

Client Connection Configuration

The MySQL client and JDBC support several SSL modes. For each mode, the two common client configurations (the mysql command-line client and a JDBC URL) are shown:

Mode: DISABLED
MySQL client: mysql -uroot -proot --ssl-mode=DISABLED
JDBC: jdbc:mysql://ip:port/schema?useSSL=false

Mode: PREFERRED
MySQL client: mysql -uroot -proot --ssl-mode=PREFERRED
JDBC: jdbc:mysql://ip:port/schema?requireSSL=false&useSSL=true&verifyServerCertificate=…

Mode: REQUIRED
MySQL client: mysql -uroot -proot --ssl-mode=REQUIRED
JDBC: jdbc:mysql://ip:port/schema?requireSSL=true&useSSL=true&verifyServerCertificate=…

Mode: VERIFY_CA (one-way authentication: the client verifies the server certificate against the CA)
MySQL client: mysql -uroot -proot --ssl-mode=VERIFY_CA --ssl-ca='${CA_CERT}'
JDBC: jdbc:mysql://ip:port/schema?requireSSL=true&useSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:${CA_JKS}&trustCertificateKeyStorePassword=…

VERIFY_IDENTITY additionally checks that the server's host name matches the certificate and is not recommended with self-signed certificates.

Experiments

Disabled Mode

Using Wireshark, the author captured traffic of an unencrypted DBLE connection via JDBC. The captured packets reveal login credentials, SQL statements, and result data in plain text.

Required Mode

After enabling SSL on the server and connecting in REQUIRED mode with the JDBC URL parameters ?useSSL=true&requireSSL=true&verifyServerCertificate=false, the captured traffic shows a TLS handshake followed by encrypted payloads that cannot be read without the server's private key.
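The Wireshark capture checks by eye that the connection is encrypted. The following added Python example (not code from the article or from DBLE) makes the same check scriptable: it reads the MySQL-protocol greeting DBLE sends, tests the CLIENT_SSL capability bit that supportSSL=true turns on, and then sends an SSLRequest and completes the TLS upgrade with the chain verified against ca.pem (VERIFY_CA semantics, no host-name check). The host, port and ca_file arguments are assumptions, and SAMPLE_GREETING is a constructed packet for offline use, not a capture from a real DBLE.

```python
import socket
import ssl
import struct
CLIENT_PROTOCOL_41 = 0x00000200  # capability bits defined by the MySQL wire protocol
CLIENT_SSL = 0x00000800          # advertised in the greeting only when the server offers TLS

def parse_greeting(body):
    """Parse a HandshakeV10 greeting body into version, connection id and capability flags."""
    if body[0] != 10:
        raise ValueError("unsupported protocol version %d" % body[0])
    end = body.index(b"\x00", 1)                  # server version string is NUL-terminated
    pos = end + 1 + 4 + 8 + 1                     # skip connection id, auth-data-part-1, filler
    cap_low = int.from_bytes(body[pos:pos + 2], "little")
    cap_high = int.from_bytes(body[pos + 5:pos + 7], "little")  # after charset + status flags
    caps = cap_low | (cap_high << 16)
    return {"version": body[1:end].decode(),
            "connection_id": int.from_bytes(body[end + 1:end + 5], "little"),
            "capabilities": caps, "ssl": bool(caps & CLIENT_SSL)}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf

def check_tls(host, port, ca_file, timeout=5.0):
    """Read the greeting; if CLIENT_SSL is offered, send SSLRequest and upgrade to TLS verified against ca_file."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = recv_exact(sock, 4)              # 3-byte length + 1-byte sequence id
        info = parse_greeting(recv_exact(sock, int.from_bytes(header[:3], "little")))
        info["cipher"] = None                     # stays None when the server does not offer SSL
        if info["ssl"]:
            # SSLRequest: capabilities, max packet size, charset (33 = utf8), 23 zero bytes
            body = struct.pack("<IIB23x", CLIENT_PROTOCOL_41 | CLIENT_SSL, 1 << 24, 33)
            sock.sendall(len(body).to_bytes(3, "little") + bytes([header[3] + 1]) + body)
            ctx = ssl.create_default_context(cafile=ca_file)
            ctx.check_hostname = False            # self-signed CA: verify the chain, not the host name
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                info["cipher"] = tls.cipher()[0]
                info["server_cert_subject"] = tls.getpeercert()["subject"]
    return info

# Constructed HandshakeV10 body (not a real DBLE capture); the lower capability bytes ff ff include CLIENT_SSL.
SAMPLE_GREETING = (b"\x0a5.7.11-dble-example\x00" + (1234).to_bytes(4, "little")
                   + b"12345678\x00\xff\xff" + b"\x21\x02\x00" + b"\xff\x00"
                   + b"\x15" + b"\x00" * 10 + b"ABCDEFGHIJKL\x00mysql_native_password\x00")
```

Against a running instance, check_tls(host, port, "ca.pem") returns cipher None when supportSSL is off, raises ssl.SSLCertVerificationError when the server certificate does not chain to ca.pem, and otherwise reports the negotiated cipher and certificate subject.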

Summary

SSL provides strong confidentiality but introduces handshake overhead, which can affect short-lived connections. For applications using connection pools or long-lived connections, the performance impact is acceptable, whereas latency-sensitive or non-critical data workloads may prefer to avoid SSL. DBLE does not enforce SSL the way MySQL's require_secure_transport does; users can choose whether to enable SSL per connection.

Written by

Aikesheng Open Source Community

The Aikesheng Open Source Community provides stable, enterprise‑grade MySQL open‑source tools and services, releases a premium open‑source component each year (1024), and continuously operates and maintains them.
