Documentation Home
MySQL 5.7 Reference Manual
Related Documentation
MySQL 5.7 Release Notes
Download this Manual
PDF (US Ltr) - 35.4Mb
PDF (A4) - 35.4Mb
PDF (RPM) - 34.5Mb
EPUB - 8.7Mb
HTML Download (TGZ) - 8.5Mb
HTML Download (Zip) - 8.5Mb
HTML Download (RPM) - 7.3Mb
Eclipse Doc Plugin (TGZ) - 9.3Mb
Eclipse Doc Plugin (Zip) - 11.4Mb
Man Pages (TGZ) - 200.3Kb
Man Pages (Zip) - 305.6Kb
Info (Gzip) - 3.3Mb
Info (Zip) - 3.3Mb
Excerpts from this Manual
MySQL Backup and Recovery
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
MySQL and Linux/Unix
MySQL and OS X
MySQL Partitioning
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL Restrictions and Limitations
Security in MySQL
MySQL and Solaris
Building MySQL from Source
Starting and Stopping MySQL
MySQL Tutorial
MySQL and Windows
MySQL 5.7 Reference Manual  /  ...  /  Command Options for Secure Connections

7.4.5 Command Options for Secure Connections

This section describes options that specify whether to use secure connections and the names of certificate and key files. These options can be given on the command line or in an option file. For examples of suggested use and how to check whether a connection is secure, see Section 7.4.4, “Configuring MySQL to Use Secure Connections”.

Table 7.8 Secure-Connection Option Summary

FormatDescriptionIntroduced
--skip-sslDo not use secure connection 
--sslEnable secure connection 
--ssl-caPath of file that contains list of trusted SSL CAs 
--ssl-capathPath of directory that contains trusted SSL CA certificates in PEM format 
--ssl-certPath of file that contains X509 certificate in PEM format 
--ssl-cipherList of permitted ciphers to use for connection encryption 
--ssl-crlPath of file that contains certificate revocation lists 
--ssl-crlpathPath of directory that contains certificate revocation list files 
--ssl-keyPath of file that contains X509 key in PEM format 
--ssl-modeSecurity state of connection to server5.7.11
--ssl-verify-server-certVerify server certificate Common Name value against host name used when connecting to server 
--tls-versionProtocols permitted for secure connections5.7.10

  • --ssl

    This option has different effects on the server and client sides.

    Note

    The client-side --ssl option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. For client programs, it is preferable to use --ssl-mode instead:

    The server-side --ssl option is not deprecated.

    For the MySQL server, this option specifies that the server permits but does not require secure connections. The option is enabled on the server side by default as of MySQL 5.7.5, and disabled before 5.7.5. Also as of MySQL 5.7.5, MySQL servers compiled using OpenSSL can generate missing certificate and key files automatically at startup. See Section 7.4.6.1, “Creating SSL and RSA Certificates and Keys using MySQL”.

    The server performs certificate and key file autodiscovery as of MySQL 5.7.5 (for servers compiled using OpenSSL) or 5.7.6 (for servers compiled using yaSSL). If --ssl is enabled (possibly along with --ssl-cipher) and other --ssl-xxx options are not given to configure secure connections explicitly, the server attempts to enable support for secure connections automatically at startup:

    • If the server discovers valid certificate and key files named ca.pem, server-cert.pem, and server-key.pem in the data directory, it enables support for secure connections by clients. (The files need not have been autogenerated; what matters is that they have the indicated names and are valid.)

    • If the server does not find valid certificate and key files in the data directory, it continues executing but does not enable secure connections.

    For MySQL client programs, the --ssl option is used as follows:

    • As of MySQL 5.7.7, client programs attempt to establish a secure connection by default whenever the server supports secure connections:

      • In the absence of an --ssl option, the client falls back to an unencrypted connection if a secure connection cannot be established.

      • To require a secure connection and fail if one cannot be established, invoke the client with --ssl or a synonym (--ssl=1, --enable-ssl).

      • To use an unencrypted connection, invoke the client with --ssl=0 or a synonym (--skip-ssl, --disable-ssl).

    • From MySQL 5.7.3 to 5.7.6, --ssl is prescriptive (not advisory as before MySQL 5.7.3): With --ssl, connection attempts fail if a secure connection cannot be established.

    • Before MySQL 5.7.3, --ssl is advisory: --ssl permits but does not require the client to connect to the server using encryption. Therefore, this option is not sufficient in itself to cause a secure connection to be used. For example, if you specify this option for a client program but the server has not been configured to support secure connections, the client falls back to an unencrypted connection.

    If other --ssl-xxx options are given in the absence of --ssl, the client attempts to connect securely. If the server is configured to support secure connections, the connection attempt fails if a secure connection cannot be established. If the server is not configured for secure connections, the client falls back to an unencrypted connection.

    As a recommended set of options to enable secure connections, use at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side. See Section 7.4.4, “Configuring MySQL to Use Secure Connections”.

    --ssl is implied by other --ssl-xxx options, as indicated in the descriptions for those options.

    The --ssl option in negated form overrides other --ssl-xxx options and indicates that encryption should not be used. To do this, specify the option as --ssl=0 or a synonym (--skip-ssl, --disable-ssl). For example, you might have options specified in the [client] group of your option file to use secure connections by default when you invoke MySQL client programs. To use an unencrypted connection instead, invoke the client program with --ssl=0 on the command line to override the options in the option file.

    To require use of secure connections by a MySQL account, use CREATE USER to create the account with at least a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE clause. Connections for the account will be rejected unless MySQL supports secure connections and the server and client have been started with the proper secure-connection options.

    The REQUIRE clause permits other encryption-related options, which can be used to enforce stricter requirements than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see the description of REQUIRE in Section 14.7.1.2, “CREATE USER Syntax”.

  • --ssl-ca=file_name

    The path to a file in PEM format that contains a list of trusted SSL certificate authorities. This option implies --ssl when used on the server side, and on the client side before MySQL 5.7.3.

    If you use encryption when establishing a client connection, to tell the client not to authenticate the server certificate, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified at server startup.

  • --ssl-capath=dir_name

    The path to a directory that contains trusted SSL certificate authority certificates in PEM format. This option implies --ssl when used on the server side, and on the client side before MySQL 5.7.3.

    If you use encryption when establishing a client connection, to tell the client not to authenticate the server certificate, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified at server startup.

    MySQL distributions compiled using OpenSSL support the --ssl-capath option (see Section 7.4.1, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option.

  • --ssl-cert=file_name

    The name of the SSL certificate file in PEM format to use for establishing a secure connection. This option implies --ssl when used on the server side, and on the client side before MySQL 5.7.3.

  • --ssl-cipher=cipher_list

    A list of permissible ciphers to use for connection encryption. If no cipher in the list is supported, encrypted connections will not work. This option implies --ssl when used on the server side, and on the client side before MySQL 5.7.3.

    For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples: 

    --ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

    OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.

    For information about which encryption ciphers MySQL supports, see Section 7.4.3, “Secure Connection Protocols and Ciphers”.

  • --ssl-crl=file_name

    The path to a file containing certificate revocation lists in PEM format. This option implies --ssl when used on the server side, and on the client side before MySQL 5.7.3.

    If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    MySQL distributions compiled using OpenSSL support the --ssl-crl option (see Section 7.4.1, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not because revocation lists do not work with yaSSL.

  • --ssl-crlpath=dir_name

    The path to a directory that contains files containing certificate revocation lists in PEM format. This option implies --ssl when used on the server side, and on the client side before MySQL 5.7.3.

    If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    MySQL distributions compiled using OpenSSL support the --ssl-crlpath option (see Section 7.4.1, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not because revocation lists do not work with yaSSL.

  • --ssl-key=file_name

    The name of the SSL key file in PEM format to use for establishing a secure connection. This option implies --ssl when used on the server side, and on the client side before MySQL 5.7.3.

    If the key file is protected by a passphrase, the program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.

    For better security, use a certificate with an RSA key size of of 2048 bits or more.

  • --ssl-mode=mode

    This option is available only for client programs, not the server. It specifies the security state of the connection to the server. The following option values are permitted:

    • PREFERRED: Establish a secure (encrypted) connection if the server supports secure connections. Fall back to an unencrypted connection otherwise. This is the default if --ssl-mode is not specified.

    • DISABLED: Establish an unencrypted connection. This is like the legacy --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

    • REQUIRED: Establish a secure connection if the server supports secure connections. The connection attempt fails if a secure connection cannot be established.

    • VERIFY_CA: Like REQUIRED, but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates. The connection attempt fails if no valid matching CA certificates are found.

    • VERIFY_IDENTITY: Like VERIFY_CA, but additionally verify that the server certificate matches the host to which the connection is attempted. This is like the legacy --ssl-verify-server-cert option.

    Use of the --ssl-ca or --ssl-capath option implies --ssl-mode=VERIFY_CA, if --ssl-mode is not explicitly set otherwise.

    If --ssl-mode is explicit, use of a value other than VERIFY_CA or VERIFY_IDENTITY with an explicit --ssl-ca or --ssl-capath option produces a warning that no verification of the server certificate will be done, despite CA certificate options being specified.

    The --ssl-mode option was added in MySQL 5.7.11.

    To require use of secure connections by a MySQL account, use CREATE USER to create the account with at least a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE clause. Connections for the account will be rejected unless MySQL supports secure connections and the server and client have been started with the proper secure-connection options.

    The REQUIRE clause permits other encryption-related options, which can be used to enforce stricter requirements than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see the description of REQUIRE in Section 14.7.1.2, “CREATE USER Syntax”.

  • --ssl-verify-server-cert

    Note

    This option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. It is preferable to use --ssl-mode=VERIFY_IDENTITY instead.

    This option is available only for client programs, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. Verification is disabled by default.

  • --tls-version=protocol_list

    For client programs, the protocols permitted by the client for encrypted connections. The value is a comma-separated list containing one or more protocol names. The protocols that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 7.4.3, “Secure Connection Protocols and Ciphers”.

    This option was added in MySQL 5.7.10.

    On the server side, the tls_version system variable can be used instead.


PREV   HOME   UP   NEXT
Related Documentation
MySQL 5.7 Release Notes
Download this Manual
PDF (US Ltr) - 35.4Mb
PDF (A4) - 35.4Mb
PDF (RPM) - 34.5Mb
EPUB - 8.7Mb
HTML Download (TGZ) - 8.5Mb
HTML Download (Zip) - 8.5Mb
HTML Download (RPM) - 7.3Mb
Eclipse Doc Plugin (TGZ) - 9.3Mb
Eclipse Doc Plugin (Zip) - 11.4Mb
Man Pages (TGZ) - 200.3Kb
Man Pages (Zip) - 305.6Kb
Info (Gzip) - 3.3Mb
Info (Zip) - 3.3Mb
Excerpts from this Manual
MySQL Backup and Recovery
MySQL Globalization
MySQL Information Schema
MySQL Installation Guide
MySQL and Linux/Unix
MySQL and OS X
MySQL Partitioning
MySQL Performance Schema
MySQL Replication
Using the MySQL Yum Repository
MySQL Restrictions and Limitations
Security in MySQL
MySQL and Solaris
Building MySQL from Source
Starting and Stopping MySQL
MySQL Tutorial
MySQL and Windows
User Comments
Sign Up Login You must be logged in to post a comment.