Check your ssl version today

You have probably seen the warning letter from AWS since last December. If you work in a sensitive environment (HealthIT, for example) and need to access the database securely, the connection to the database usually uses TLS/SSL, and database admins lock it down to require SSL connections.

Who doesn’t have to worry?

If your node-mysql2 package version is over 2.0.0, you have the latest CA certs in there.

If you don't use SSL connections at all, although this is rarely the case for production databases and public connections. Production databases should only be reachable from inside private networks, and SSL connections should be enforced.

How do I check?

ssh, docker exec -it <container> /bin/sh, or kubectl exec -it <pod> /bin/sh your way into the instance that hosts the code (the container and pod names are placeholders for your own), then run:

    head /app/node_modules/mysql2/lib/constants/ssl_profiles.js

If you see the following, you are good:

    'use strict';

    // Certificate for Amazon RDS (Updated for 2019)
    //
    // https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.tls
    // https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
    // https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.html#aurora-serverless.tls
    exports['Amazon RDS'] = {
      ca: [
        '-----BEGIN CERTIFICATE-----\n' +
        'MIID9DCCAtygAwIBAgIBQjANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMCVVMx\n' +
        'EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxIjAgBgNVBAoM\n' +
        // ... (remaining lines cut off by head)

How do I fix and validate this?

Double check your package.json, make sure mysql2 is at version 2.1.0 or above.

Double check your configuration (with sequelize or typeorm), look for this in the config.

    production: {
      username: process.env.DB_USERNAME,
      password: process.env.DB_PASSWORD,
      database: process.env.DB_NAME,
      host: process.env.DB_HOST,
      port: process.env.DB_PORT,
      dialect: 'mysql',
      logging: false,
      dialectOptions: {
        ssl: 'Amazon RDS',
        multipleStatements: true,
      },
      pool: {
        max: 20,
      },
    },

If you don't see "Certificate for Amazon RDS (Updated for 2019)" in that file, and your production application keeps working anyway after February or March…

It could be that you are not actually using SSL connections to your production database! Be very worried if that connection is over the public internet.

Need More Info?

Team Zero Labs can help. Shoot us a line at info@teamzerolabs.com