Azure Database for MySQL 中的 SSL/TLS 连接SSL/TLS connectivity in Azure Database for MySQL

Azure Database for MySQL 支持使用安全套接字层 (SSL) 将数据库服务器连接到客户端应用程序。Azure Database for MySQL supports connecting your database server to client applications using Secure Sockets Layer (SSL). 通过在数据库服务器与客户端应用程序之间强制实施 SSL 连接,可以加密服务器与应用程序之间的数据流,有助于防止“中间人”攻击。Enforcing SSL connections between your database server and your client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and your application.


将要查看的是 Azure Database for MySQL 的新服务。You are viewing the new service of Azure Database for MySQL. 若要查看经典 MySQL Database for Azure 的文档,请访问此页To view the documentation for classic MySQL Database for Azure, please visit this page.


更新 require_secure_transport 服务器参数值不会影响 MySQL 服务的行为。Updating the require_secure_transport server parameter value does not affect the MySQL service's behavior. 使用本文中概述的 SSL 和 TLS 增强功能来保护与数据库的连接。Use the SSL and TLS enforcement features outlined in this article to secure connections to your database.

SSL 默认设置SSL Default settings

默认情况下,应将数据库服务配置为需要 SSL 连接才可连接到 MySQL。By default, the database service should be configured to require SSL connections when connecting to MySQL. 建议尽量不要禁用 SSL 选项。We recommend to avoid disabling the SSL option whenever possible.

通过 Azure 门户和 CLI 预配新的 Azure Database for MySQL 服务器时,默认情况下会强制实施 SSL 连接。When provisioning a new Azure Database for MySQL server through the Azure portal and CLI, enforcement of SSL connections is enabled by default.

Azure 门户中显示了各种编程语言的连接字符串。Connection strings for various programming languages are shown in the Azure portal. 这些连接字符串包含连接到数据库所需的 SSL 参数。Those connection strings include the required SSL parameters to connect to your database. 在 Azure 门户中,选择服务器。In the Azure portal, select your server. 在“设置”标题下,选择“连接字符串” 。Under the Settings heading, select the Connection strings. SSL 参数因连接器而异,例如“ssl=true”、“sslmode=require”或“sslmode=required”,以及其他变体。The SSL parameter varies based on the connector, for example "ssl=true" or "sslmode=require" or "sslmode=required" and other variations.

在某些情况下,应用程序需要具备从受信任的证书颁发机构 (CA) 证书文件生成的本地证书文件才能实现安全连接。In some cases, applications require a local certificate file generated from a trusted Certificate Authority (CA) certificate file to connect securely. 目前,客户只能使用预定义的证书来连接位于 Azure 中国的 Azure Database For MySQL 服务器。Currently customers can only use the predefined certificate to connect to an Azure Database for MySQL server which is located at Azure China.

若要了解如何在开发应用程序期间启用或禁用 SSL 连接,请参阅如何配置 SSLTo learn how to enable or disable SSL connection when developing application, refer to How to configure SSL.

Azure Database for MySQL 中的 TLS 强制TLS enforcement in Azure Database for MySQL

对于使用传输层安全性 (TLS) 连接到数据库服务器的客户端,Azure Database for MySQL 支持加密。Azure Database for MySQL supports encryption for clients connecting to your database server using Transport Layer Security (TLS). TLS 是一种行业标准协议,可确保在数据库服务器与客户端应用程序之间实现安全的网络连接,使你能够满足合规性要求。TLS is an industry standard protocol that ensures secure network connections between your database server and client applications, allowing you to adhere to compliance requirements.

TLS 设置TLS settings

Azure Database for MySQL 提供了为客户端连接强制使用 TLS 版本的功能。Azure Database for MySQL provides the ability to enforce the TLS version for the client connections. 若要强制使用 TLS 版本,请使用“最低 TLS 版本”选项设置。To enforce the TLS version, use the Minimum TLS version option setting. 此选项设置允许以下值:The following values are allowed for this option setting:

最低 TLS 设置Minimum TLS setting 支持的客户端 TLS 版本Client TLS version supported
TLSEnforcementDisabled(默认值)TLSEnforcementDisabled (default) 不需要 TLSNo TLS required
TLS1_0TLS1_0 TLS 1.0、TLS 1.1、TLS 1.2 及更高版本TLS 1.0, TLS 1.1, TLS 1.2 and higher
TLS1_1TLS1_1 TLS 1.1、TLS 1.2 及更高版本TLS 1.1, TLS 1.2 and higher
TLS1_2TLS1_2 TLS 版本 1.2 及更高版本TLS version 1.2 and higher

例如,将此最低 TLS 设置版本的值设置为 TLS 1.0 意味着服务器将允许那些使用 TLS 1.0、1.1 和 1.2+ 的客户端进行连接。For example, setting the value of minimum TLS setting version to TLS 1.0 means your server will allow connections from clients using TLS 1.0, 1.1, and 1.2+. 也可将此选项设置为 1.2,这意味着仅允许那些使用 TLS 1.2+ 的客户端进行连接,将拒绝使用 TLS 1.0 和 TLS 1.1 进行的所有连接。Alternatively, setting this to 1.2 means that you only allow connections from clients using TLS 1.2+ and all connections with TLS 1.0 and TLS 1.1 will be rejected.


默认情况下,Azure Database for MySQL 不强制执行最低 TLS 版本要求(设置为 TLSEnforcementDisabled)。By default, Azure Database for MySQL does not enforce a minimum TLS version (the setting TLSEnforcementDisabled).

一旦强制实施最低 TLS 版本要求后,以后将无法禁用最低版本强制实施。Once you enforce a minimum TLS version, you cannot later disable minimum version enforcement.

服务器处于联机状态时,不需重启服务器即可设置最低 TLS 版本。The minimum TLS version setting doesnt require any restart of the server can be set while the server is online. 若要了解如何为 Azure Database for MySQL 设置 TLS 设置,请参阅 如何配置 TLS 设置To learn how to set the TLS setting for your Azure Database for MySQL, refer to How to configure TLS setting.

Azure Database for MySQL 单一服务器提供的密码支持Cipher support by Azure Database for MySQL Single server

根据 SSL/TLS 通信的要求,密码套件会被验证,只有受支持的密码套件才能与数据库服务器通信。As part of the SSL/TLS communication, the cipher suites are validated and only support cipher suits are allowed to communicate to the database serer. 密码套件验证在网关层中控制,而不是在节点本身上显式控制。The cipher suite validation is controlled in the gateway layer and not explicitly on the node itself. 如果密码套件与下面列出的某个套件不匹配,系统会拒绝传入的客户端连接。If the cipher suites doesn't match one of suites listed below, incoming client connections will be rejected.

支持的密码套件Cipher suite supported


后续步骤Next steps