
Encrypted client connection in MySQL


I have a MySQL server. Technically, it's Amazon Aurora with MySQL compatibility, and I am able to connect to it from multiple clients and then execute:

SELECT *
FROM performance_schema.session_status
WHERE VARIABLE_NAME IN ('Ssl_version','Ssl_cipher');

Each time I get the following response:

VARIABLE_NAME,VARIABLE_VALUE
'Ssl_cipher','ECDHE-ECDSA-AES128-GCM-SHA256'
'Ssl_version','TLSv1.2'

So the connection is encrypted, but I'm unclear how. As an example, from MySQL Workbench I have set "Use SSL" to "Require" in the connection properties, but I have not provided any of the following:

  • SSL CA File
  • SSL Cert File
  • SSL Key File

If I set Use SSL to "Require and Verify CA" or "Require and Verify Identity" then the connection fails, ostensibly because I've not provided the SSL files mentioned above. Without specifying any certificates in the connection string I'm also able to make encrypted connections from different client hosts (web server, Lambda functions, MySQL CLI, etc.) but I'm not clear on how these connections are being encrypted given that there's no certificate specified in the connection string. I'm not comfortable running something in production with it working, seemingly by accident, and hope someone can help solidify my understanding of what I'm observing.


Solution

  • Sending a client certificate and key is not required by TLS.

    A client certificate and corresponding key are only required if the user was defined with REQUIRE X509, ISSUER or SUBJECT.

    If you don't provide a CA, the server certificate will be checked against the system CA; if you have a self-signed certificate, the verification will fail.

    If you need a trusted secure connection, there are only two ways to verify it: either the server certificate was signed by a trusted authority, or the client knows and checks the fingerprint of the certificate. The latter is, afaik, only supported in MariaDB.
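To make the three verification levels from the question concrete (Workbench "Require", "Require and Verify CA", "Require and Verify Identity", which correspond to the MySQL client's --ssl-mode values REQUIRED, VERIFY_CA and VERIFY_IDENTITY), here is an added example that is not part of the question or the answer above. It uses only Python's standard ssl module to build the TLS context each mode implies, so you can see exactly which guarantee each one gives: REQUIRED encrypts the channel but never checks who signed the server certificate, VERIFY_CA checks the chain against a CA bundle (the system store when none is given), and VERIFY_IDENTITY additionally checks that the certificate's name matches the host you dialled. The SslMode enum, the function names and the CA path are my own assumptions for illustration; a real driver performs this handshake after the MySQL server greeting, not on a bare socket.

```python
import ssl
from enum import Enum


class SslMode(Enum):
    """MySQL --ssl-mode values (assumed names for this example)."""
    REQUIRED = "REQUIRED"                  # Workbench: "Require"
    VERIFY_CA = "VERIFY_CA"                # Workbench: "Require and Verify CA"
    VERIFY_IDENTITY = "VERIFY_IDENTITY"    # Workbench: "Require and Verify Identity"


def build_tls_context(mode, ca_file=None, client_cert=None, client_key=None):
    """Return an ssl.SSLContext configured the way the given MySQL ssl-mode implies.

    ca_file: PEM bundle to trust (e.g. the RDS/Aurora CA bundle); when None the
             system trust store is used, which is what the answer above describes.
    client_cert/client_key: only needed if the MySQL account was created with
             REQUIRE X509 / ISSUER / SUBJECT; otherwise TLS works without them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    if mode is SslMode.REQUIRED:
        # Encrypted, but the server presents any certificate it likes and we
        # accept it. check_hostname must be cleared before verify_mode.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # VERIFY_CA: chain must lead to a trusted CA, name is not checked.
        # VERIFY_IDENTITY: chain AND hostname/SAN must match.
        ctx.check_hostname = mode is SslMode.VERIFY_IDENTITY
        ctx.verify_mode = ssl.CERT_REQUIRED
        if ca_file:
            ctx.load_verify_locations(cafile=ca_file)
        else:
            ctx.load_default_certs()

    if client_cert:
        # Presenting a client certificate is optional in TLS; only needed for
        # accounts defined with REQUIRE X509 / ISSUER / SUBJECT.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def guarantees(mode, **kwargs):
    """Summarise what a connection made with this mode actually guarantees."""
    ctx = build_tls_context(mode, **kwargs)
    return {
        "encrypted": True,  # every mode here negotiates TLS
        "server_cert_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_verified": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    for mode in SslMode:
        print(mode.value, guarantees(mode))
    # To actually use one of these contexts you would hand it to your MySQL
    # driver (e.g. as the ssl context / ssl options of the connection), which
    # runs the TLS handshake after the server greeting packet.
```

The takeaway matches what the question observed: with "Require" alone the session_status table will happily report TLSv1.2 and a strong cipher, because the channel is encrypted, yet nothing has checked that the certificate came from the CA you expect. Moving to VERIFY_CA or VERIFY_IDENTITY is what adds that check, and on Aurora it is the reason you then have to point the client at the RDS CA bundle.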