As per all previous releases, by default TurnKey MySQL (MariaDB) appliance listens on all interfaces via (default MySQL/MariaDB) port 3306.
However, since v16.0 there have been some changes...
SSL is now enabled and required for remote TCP connections to the MySQL/MariaDB server. If desired it can be disabled (and re-enabled) via the Confconsole plugin (Advanced >> System Settings >> MySQL remote SSL) and/or the 'turnkey-mysql-ssl' commandline tool.
Self-signed certificates, signed by a custom CA cert are all generated on firstboot and stored in '/etc/mysql/certificates'. To connect remotely via SSL, you will need to download the relevant files and configure your client to use these, or reconfigure it to your desires. The required files are:
/etc/mysql/certificates/ca.pem # The CA certifcate /etc/mysql/certificates/cert.pem # The certificate file /etc/mysql/certificates/cert.key # The key file
For example, to use the commandline MySQL/MariaDB client from another TurnKey instance, assuming that the files have been downloaded to the same local locations, the following lines are required in the MySQL/MariaDB client config ('/etc/mysql/mariadb.conf.d/50-client.cnf'):
ssl_ca = /etc/mysql/certificates/ca.pem ssl-cert = /etc/mysql/certificates/cert.pem ssl-key = /etc/mysql/certificates/cert.key
Note that the user who is launching the client must have read permission for these files.
Once configured, then connection should work as per usual remote MySQL/MariaDB connection. E.g.:
[email protected] ~# mysql -h remote-mysql.example.com -u remote -p Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 41 Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10 Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]>
Then to demonstrate that the connection is encrypted, you can use the '\s' command. I.e.:
MariaDB [(none)]> \s -------------- mysql Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2 Connection id: 41 Current database: Current user: [email protected] SSL: Cipher in use is DHE-RSA-AES256-SHA Current pager: less -X -R -F Using outfile: '' Using delimiter: ; Server: MariaDB Server version: 10.3.22-MariaDB-0+deb10u1 Debian 10 Protocol version: 10 Connection: 192.168.1.74 via TCP/IP Server characterset: utf8mb4 Db characterset: utf8mb4 Client characterset: utf8mb4 Conn. characterset: utf8mb4 TCP port: 3306 Uptime: 34 min 12 sec Threads: 7 Questions: 77 Slow queries: 0 Opens: 32 Flush tables: 1 Open tables: 26 Queries per second avg: 0.037 --------------
Note the ciper noted against "SSL:"! :)
If you do configure this appliance to connect via SSL in alternate way and would like to share your config (please do!), and/or have any questions please feel free to post in the TurnKey forums.