Docs/Security & Operations

SSL/TLS Configuration

DBConvert Streams supports encrypted SSL/TLS connections to MySQL and PostgreSQL databases. SSL is configured per connection in the ssl object inside spec.database.

Connection SSL object

{
  "name": "pg-production",
  "type": "postgresql",
  "spec": {
    "database": {
      "host": "db.example.com",
      "port": 5432,
      "username": "app",
      "password": "secret",
      "database": "production"
    },
    "ssl": {
      "mode": "verify-full",
      "ca": "BASE64_ENCODED_CA_CERTIFICATE",
      "client_cert": "BASE64_ENCODED_CLIENT_CERTIFICATE",
      "client_key": "BASE64_ENCODED_CLIENT_KEY"
    }
  }
}

SSL fields

FieldTypeDescription
modestringSSL mode (see modes below)
castringCA certificate (base64-encoded PEM)
client_certstringClient certificate (base64-encoded PEM)
client_keystringClient private key (base64-encoded PEM)

Certificate values should be base64-encoded PEM content. To encode a certificate file:

base64 -w 0 < ca.pem

All three certificate fields are optional — which ones you need depends on the SSL mode and server requirements. The UI handles encoding automatically when you upload certificate files.

SSL modes

ModeEncryptionServer verificationHostname checkUse case
disabledNoNoNoDevelopment only
requireYesNoNoEncrypt without verification
verify-caYesYesNoVerify server certificate
verify-fullYesYesYesFull verification (recommended for production)

Examples

PostgreSQL with server verification

{
  "ssl": {
    "mode": "verify-ca",
    "ca": "BASE64_ENCODED_CA_CERTIFICATE"
  }
}

PostgreSQL with mutual TLS (mTLS)

When the server requires client certificate authentication:

{
  "ssl": {
    "mode": "verify-full",
    "ca": "BASE64_ENCODED_CA_CERTIFICATE",
    "client_cert": "BASE64_ENCODED_CLIENT_CERTIFICATE",
    "client_key": "BASE64_ENCODED_CLIENT_KEY"
  }
}

Encryption only (no certificate verification)

{
  "ssl": {
    "mode": "require"
  }
}

Using curl

# Encode your CA certificate
CA_CERT=$(base64 -w 0 < ca.pem)

curl -X POST "$API_URL/connections" \
  -H "X-API-Key: $API_KEY" \
  -H "X-Install-ID: $INSTALL_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "pg-ssl",
    "type": "postgresql",
    "spec": {
      "database": {
        "host": "db.example.com",
        "port": 5432,
        "username": "app",
        "password": "secret",
        "database": "production"
      },
      "ssl": {
        "mode": "verify-ca",
        "ca": "'"$CA_CERT"'"
      }
    }
  }'

Server-side setup

PostgreSQL

Enable SSL in postgresql.conf:

ssl = on
ssl_cert_file = 'server-cert.pem'
ssl_key_file = 'server-key.pem'
ssl_ca_file = 'root.crt'

Verify SSL is active:

SELECT ssl, version FROM pg_stat_ssl WHERE pid = pg_backend_pid();

MySQL

Enable SSL in my.cnf:

[mysqld]
require_secure_transport = ON
ssl-ca   = /path/to/ca.pem
ssl-cert = /path/to/server-cert.pem
ssl-key  = /path/to/server-key.pem

Verify SSL status:

SHOW VARIABLES LIKE '%ssl%';

Require SSL for a user:

ALTER USER 'dbconvert'@'%' REQUIRE SSL;

Managed database SSL

Most managed databases have SSL enabled by default. Download the CA certificate from your provider:

  • AWS RDS: Download the RDS CA bundle and use verify-ca or verify-full mode
  • Google Cloud SQL: Download the server CA from the Cloud SQL instance page
  • Azure Database: Download the CA certificate from the Azure portal
  • DigitalOcean: Download the CA certificate from the database cluster settings

Troubleshooting

Certificate verify failed

  • Check that the CA certificate matches the one used by the server
  • Verify the certificate has not expired: openssl x509 -in ca.pem -noout -dates
  • For verify-full, confirm the hostname in the certificate matches the connection host

SSL connection required

  • The server requires SSL but the connection has mode set to disable or omitted
  • Set mode to require or higher

Client certificate rejected

  • Verify client_cert and client_key form a valid pair: openssl x509 -in client.pem -noout -text
  • Confirm the client certificate is signed by a CA the server trusts