AWS Certified Database - Specialty Exam: Protecting MySQL Connection Against Man-in-the-Middle Attack

Configure Connection Parameters for Amazon Aurora MySQL DB Cluster

Question

A user is using MySQL to connect to Amazon Aurora MySQL DB Cluster.

How should the user configure the connection parameters so that the client connection is protected against a man-in-the-middle attack?

Answers

A. --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=require
B. --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=verify-full
C. encrypt=true;trustServerCertificate=true
D. Set ssl_server_dn_match property to true

Explanations

Answer: B.

Option A is incorrect because the --ssl-mode=require parameter only ensures that the connection is encrypted. It does not verify the server's certificate, so it cannot confirm that the server is trusted.

Option B is CORRECT because --ssl-mode=verify-full ensures that the client connection is encrypted and also validates the server's certificate, confirming that the server is trusted.

Option C is incorrect because these parameters are used in the connection string to a SQL Server database.

Option D is incorrect because these parameters are used when connecting to an Oracle database.

Reference:

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.html#AuroraPostgreSQL.Security.SSL
https://www.postgresql.org/docs/9.1/libpq-ssl.html

To protect the client connection against man-in-the-middle attacks, the user should configure SSL/TLS encryption. This can be achieved by specifying appropriate connection parameters while connecting to the Amazon Aurora MySQL DB cluster.

Option A: --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=require

This option specifies the path to the SSL/TLS CA bundle file and sets the SSL mode to "require", which means that the server must present a valid SSL/TLS certificate. This is a good configuration option to ensure secure communication between the client and server.

Option B: --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=verify-full

This option is similar to Option A, but it sets the SSL mode to "verify-full", which means that the server's SSL/TLS certificate is not only verified for existence but also checked against the hostname specified in the connection string. This is a more secure configuration option but may require additional configuration of the server-side SSL/TLS certificate.

Option C: encrypt=true;trustServerCertificate=true

This option enables SSL/TLS encryption but disables certificate validation. While this option provides encryption, it does not protect against man-in-the-middle attacks, as an attacker can still intercept the traffic and present a fake SSL/TLS certificate.

Option D: Set ssl_server_dn_match property to true

This option is not applicable in this scenario, as it refers to a configuration option in Microsoft SQL Server rather than the Amazon Aurora MySQL DB cluster.

Therefore, Option B is the most secure option to protect against man-in-the-middle attacks while connecting to Amazon Aurora MySQL DB Cluster, as it verifies the server's SSL/TLS certificate against the hostname specified in the connection string.
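As an added illustration (not code from the exam page, from AWS, or from the MySQL project), the following Python standard-library snippet maps each SSL mode discussed above onto the TLS verification policy it actually implies, which is the reason Option B defeats a man-in-the-middle and Option A does not. The mode names follow the MySQL command-line client's own spellings (REQUIRED, VERIFY_CA, VERIFY_IDENTITY); the page's "require" and "verify-full" are libpq spellings and are accepted as aliases, with "verify-full" corresponding to the MySQL client's VERIFY_IDENTITY. The CA bundle path, cluster endpoint and user name are placeholders, and the `mysql_cli_args` helper is this example's own.

```python
import ssl
from typing import Optional

# The page's libpq-style spellings mapped to the MySQL client's --ssl-mode values.
_ALIASES = {"require": "REQUIRED", "verify-ca": "VERIFY_CA", "verify-full": "VERIFY_IDENTITY"}
_MODES = ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY")


def normalize_mode(mode: str) -> str:
    """Accept either spelling and return the MySQL client's value."""
    key = mode.strip()
    value = _ALIASES.get(key.lower(), key.upper())
    if value not in _MODES:
        raise ValueError(f"unsupported ssl mode: {mode!r}")
    return value


def make_client_context(mode: str, ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build an SSLContext whose verification policy matches the given mode.

    ca_bundle is the path to the RDS CA bundle (rds-combined-ca-bundle.pem in the
    question). If None, the OS trust store is used; the Amazon RDS CA is not in
    the OS trust store, so in practice the bundle must be passed.
    """
    value = normalize_mode(mode)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults: CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if value == "REQUIRED":
        # Encrypts the session but accepts any certificate, so an interposed
        # server presenting its own certificate goes undetected.
        ctx.check_hostname = False        # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # VERIFY_CA and VERIFY_IDENTITY both require a chain to a trusted CA.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle is not None:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    # Only VERIFY_IDENTITY also matches the certificate's name against the host
    # the client connected to, which is the check that defeats a man-in-the-middle.
    ctx.check_hostname = value == "VERIFY_IDENTITY"
    return ctx


def policy_of(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context actually checks."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
    }


def resists_mitm(mode: str) -> bool:
    """True only when both the CA chain and the server identity are verified."""
    return normalize_mode(mode) == "VERIFY_IDENTITY"


def mysql_cli_args(host: str, user: str, ca_bundle: str, mode: str = "VERIFY_IDENTITY") -> list:
    """argv for the mysql command-line client with the chosen TLS policy (hypothetical helper)."""
    return ["mysql", "-h", host, "-u", user, "-p",
            f"--ssl-ca={ca_bundle}", f"--ssl-mode={normalize_mode(mode)}"]


if __name__ == "__main__":
    for m in ("require", "verify-ca", "verify-full"):
        print(m, "->", normalize_mode(m), policy_of(make_client_context(m)),
              "resists MITM:", resists_mitm(m))
    # Placeholder endpoint and user; the bundle path is the one from the question.
    print(" ".join(mysql_cli_args("<aurora-cluster-endpoint>", "myuser",
                                  "/home/myuser/rds-combined-ca-bundle.pem")))
```

Running the script prints that "require" verifies neither the chain nor the hostname, "verify-ca" verifies only the chain, and "verify-full" verifies both; only the last of these is reported as resisting a man-in-the-middle. The Python `ssl` module enforces the same ordering caveat a practitioner hits in other clients: hostname checking cannot be enabled without chain verification, so a configuration that disables certificate validation (as Option C does with trustServerCertificate=true) necessarily loses identity verification too.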