A user is connecting to a SQL Server on the Amazon RDS database.
How should the user configure the connection parameters so that the client connection is protected against man-in-the-middle attack?
A. --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=require
B. --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=verify-full
C. encrypt=true;trustServerCertificate=true
D. encrypt=true;trustServerCertificate=false
E. Set ssl_server_dn_match property to true
Answer: D.
Option A is incorrect because the --ssl-mode parameter is used for client connections to MySQL databases with the MySQL client.
Option B is incorrect because the --ssl-mode parameter is used for client connections to MySQL databases with the MySQL client.
Option C is incorrect because if the trustServerCertificate property is set to true, the client skips validation of the server's TLS certificate.
Option D is CORRECT because setting the trustServerCertificate property to false ensures that the client validates the TLS certificate and confirms that the server is the correct server to connect to.
Option E is incorrect because these parameters are used when connecting to an Oracle database.
Reference:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-sqlserver.html
https://docs.microsoft.com/en-us/sql/connect/jdbc/connecting-with-ssl-encryption?view=sql-server-ver15

When a user connects to a SQL Server on Amazon RDS, the connection parameters must be configured correctly to protect the client connection against man-in-the-middle (MITM) attacks. In a MITM attack, an attacker intercepts the communication between the client and the server and can eavesdrop on, steal, or modify the data transmitted between the two endpoints.
To configure the connection parameters for secure communication, we have to use Secure Socket Layer (SSL) encryption. Amazon RDS uses SSL encryption to secure connections between the RDS database instance and its clients.
Among the given options, two possible answers are:
Option A: --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=require
Option B: --ssl-ca=/home/myuser/rds-combined-ca-bundle.pem --ssl-mode=verify-full
Both options use the --ssl-ca parameter, which specifies the path and name of the SSL CA certificate file used to verify the server's SSL certificate. The rds-combined-ca-bundle.pem file contains the root and intermediate SSL certificates used by Amazon RDS, and it is available for download from the AWS documentation.
Option A uses the --ssl-mode=require parameter, which enforces the use of SSL encryption for the connection. The --ssl-mode parameter controls how strictly the server's SSL certificate is verified. The require mode requires that the SSL certificate presented by the server is valid and issued by a trusted CA.
Option B uses the --ssl-mode=verify-full parameter, which enforces strict SSL certificate verification, including verifying the server's hostname against the SSL certificate's common name (CN) or subject alternative name (SAN) field. This option provides additional protection against MITM attacks, as it ensures that the SSL certificate presented by the server is valid and issued to the correct host.
Option C: encrypt=true;trustServerCertificate=true uses properties specific to Microsoft's SQL Server JDBC driver. It enables SSL encryption but trusts any SSL certificate presented by the server, including self-signed certificates. Trusting any certificate makes the connection vulnerable to MITM attacks, so this option is not recommended.
Option D: encrypt=true;trustServerCertificate=false uses the same Microsoft SQL Server JDBC driver properties, but enables SSL encryption without blindly trusting the certificate presented by the server: the client validates it, so self-signed or untrusted certificates are rejected. This option is more secure than Option C, but it may cause connection failures if the SSL certificate is not issued by a trusted CA.
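To make the difference between options C and D concrete, here is a small checker, added as an illustration and not part of the original question or of the Microsoft driver, that parses a `key=value;key=value` property string in the JDBC URL style and reports whether it would hold up against a man-in-the-middle attacker. The property names `encrypt` and `trustServerCertificate` are the ones the question uses; the classification labels, the sample connection strings and the `harden` helper are constructed for this example. A missing `encrypt` property is reported as "unspecified" rather than assumed, since the driver's default depends on its version.

```python
"""Lint SQL Server JDBC-style connection properties for MITM protection.

Added example (not the page's or Microsoft's code). Assumes the JDBC
property syntax `key=value;key=value` and the two properties discussed
on the page: `encrypt` and `trustServerCertificate`.
"""


def parse_properties(conn_props: str) -> dict[str, str]:
    """Parse 'key=value;key=value' into a dict keyed by lower-cased name.

    Property names are treated case-insensitively; an entry without '='
    is kept with an empty value so it still shows up in the result.
    """
    props: dict[str, str] = {}
    for part in conn_props.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def assess_mitm_protection(conn_props: str) -> tuple[str, str]:
    """Return (verdict, reason) for a connection property string.

    Verdicts (labels chosen for this example):
      "unprotected"    - encrypt is explicitly false: plaintext on the wire
      "unspecified"    - encrypt is absent: outcome depends on driver default
      "encrypted-only" - encrypted, but any server certificate is accepted
      "protected"      - encrypted and the server certificate is validated
    """
    props = parse_properties(conn_props)
    encrypt = props.get("encrypt")
    trust_any = props.get("trustservercertificate", "false").lower() == "true"

    if encrypt is None:
        return ("unspecified",
                "encrypt not set; relies on the driver's default, state it explicitly")
    if encrypt.lower() != "true":
        return ("unprotected",
                "encrypt=false: credentials and data are sent in the clear")
    if trust_any:
        # Option C on the page: TLS is negotiated, but a forged or
        # self-signed certificate is accepted, so an interceptor is not detected.
        return ("encrypted-only",
                "trustServerCertificate=true: server certificate is not validated")
    # Option D on the page: the driver validates the certificate chain,
    # so an interceptor presenting its own certificate is rejected.
    return ("protected",
            "encrypt=true with trustServerCertificate=false: certificate validated")


def harden(conn_props: str) -> str:
    """Rewrite a property string so it matches option D.

    Other properties are preserved in their original order; encrypt and
    trustServerCertificate are forced to the validating combination.
    """
    kept = [p.strip() for p in conn_props.split(";") if p.strip()]
    others = [p for p in kept
              if p.partition("=")[0].strip().lower()
              not in ("encrypt", "trustservercertificate")]
    return ";".join(others + ["encrypt=true", "trustServerCertificate=false"])


# Constructed sample configurations, one per option C/D plus two edge cases.
SAMPLE_CONFIGS = {
    "option_c": "encrypt=true;trustServerCertificate=true",
    "option_d": "encrypt=true;trustServerCertificate=false",
    "plaintext": "encrypt=false",
    "default": "databaseName=app;trustServerCertificate=false",
}


def audit(configs: dict[str, str]) -> dict[str, str]:
    """Map each config name to its verdict; handy for scanning a fleet."""
    return {name: assess_mitm_protection(s)[0] for name, s in configs.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIGS).items():
        print(f"{name:10s} -> {verdict}")
    print("hardened option_c:", harden(SAMPLE_CONFIGS["option_c"]))
```

Running the file prints one verdict per sample and the hardened form of the option C string; `audit` is the function to point at real configuration files once they have been reduced to property strings.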
Option E: Set ssl_server_dn_match property to true does not provide any details on how to configure the connection parameters. Therefore, it is not a valid option.
In summary, options A and B are valid answers to configure the connection parameters for a secure client connection to a SQL Server on Amazon RDS, where Option B is more secure than Option A as it performs strict SSL certificate verification, including hostname verification.