openclaw/skills/tidb-sql/references/tidb-cloud-ssl.md

1.8 KiB

title
TiDB Cloud SSL Verification (Connection Gotchas)

TiDB Cloud SSL Verification (Connection Gotchas)

When connecting to TiDB Cloud over the MySQL protocol, enable TLS and enforce:

  • server certificate verification
  • server identity (hostname) verification

If SSL verification is missing or misconfigured, you might see connection failures even before you can run SQL.

Detect TiDB Cloud gateway hosts

If the host matches this pattern (Python regex):

r"gateway\\d{2}\\.(.+)\\.(prod|dev|staging)\\.(shared\\.)?(aws|alicloud)\\.tidbcloud\\.com"

assume TiDB Cloud requirements apply.

Common client settings

MySQL CLI:

mysql ... --ssl-mode=VERIFY_IDENTITY

MariaDB CLI:

mariadb ... --ssl-verify-server-cert

Node.js (mysql2):

ssl: {
  minVersion: 'TLSv1.2',
  rejectUnauthorized: true,
},

Prisma (connection string query param):

sslaccept=strict

Go (database/sql + go-sql-driver/mysql):

Register a TLS config and reference it via tls= in the DSN:

mysql.RegisterTLSConfig("tidb", &tls.Config{
  MinVersion: tls.VersionTLS12,
  ServerName: "gateway01.ap-southeast-1.prod.aws.tidbcloud.com",
})

db, err := sql.Open(
  "mysql",
  "USER:PASSWORD@tcp(gateway01.ap-southeast-1.prod.aws.tidbcloud.com:4000)/DB?tls=tidb",
)

Rails (ActiveRecord + mysql2, database.yml URL):

development:
  adapter: mysql2
  url: mysql2://USER:PASSWORD@gateway01.ap-southeast-1.prod.aws.tidbcloud.com:4000/DB?ssl_mode=verify_identity

MySQL Connector/J (JDBC URL params):

sslMode=VERIFY_IDENTITY

DSN / URL query parameters (generic)

If you are building a connection string and can only toggle via query parameters, append:

ssl_verify_cert=true&ssl_verify_identity=true

Use this especially when the host matches the gateway pattern above.