This section describes options that specify whether to use secure connections and the names of certificate and key files. These options can be given on the command line or in an option file. They are not available unless MySQL has been built with SSL support. See Section 6.4.2, “Building MySQL with Support for Secure Connections”. For examples of suggested use and how to check whether a connection is secure, see Section 6.4.4, “Configuring MySQL to Use Secure Connections”.
Table 6.8 Secure-Connection Option Summary
| Format | Description | Introduced |
|---|---|---|
| --skip-ssl | Do not use secure connection | |
| --ssl | Enable secure connection | |
| --ssl-ca | Path of file that contains list of trusted SSL CAs | |
| --ssl-capath | Path of directory that contains trusted SSL CA certificates in PEM format | |
| --ssl-cert | Path of file that contains X509 certificate in PEM format | |
| --ssl-cipher | List of permitted ciphers to use for connection encryption | |
| --ssl-key | Path of file that contains X509 key in PEM format | |
| --ssl-mode | Security state of connection to server | 5.5.49 |
| --ssl-verify-server-cert | Verify server certificate Common Name value against host name used when connecting to server | |
--ssl
For the MySQL server, this option specifies that the server permits but does not require secure connections.
For MySQL client programs, this option permits but does not require the client to connect to the server using encryption. Therefore, this option is not sufficient in itself to cause a secure connection to be used. For example, if you specify this option for a client program but the server has not been configured to support secure connections, the client falls back to an unencrypted connection.
As a recommended set of options to enable secure connections, use at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side. See Section 6.4.4, “Configuring MySQL to Use Secure Connections”.
--ssl may be implied by other --ssl-xxx options, as indicated in the descriptions for those options.
The --ssl option in negated form overrides other --ssl-xxx options and indicates that encryption should not be used. To do this, specify the option as --ssl=0 or a synonym (--skip-ssl, --disable-ssl).
For example, you might have options specified in the [client] group of your option file to use secure connections by default when you invoke MySQL client programs. To use an unencrypted connection instead, invoke the client program with --ssl=0 on the command line to override the options in the option file.
To require use of secure connections by a MySQL account, use a GRANT statement for the account that includes at least a REQUIRE SSL clause. Connections for the account will be rejected unless MySQL supports secure connections and the server and client have been started with the proper secure-connection options. The REQUIRE clause permits other encryption-related options, which can be used to enforce stricter requirements than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see the description of REQUIRE in Section 13.7.1.3, “GRANT Syntax”.
--ssl-ca=file_name
The path to a file in PEM format that contains a list of trusted SSL certificate authorities. This option implies --ssl.
If you use encryption when establishing a client connection, to tell the client not to authenticate the server certificate, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified at server startup.
--ssl-capath=dir_name
The path to a directory that contains trusted SSL certificate authority certificates in PEM format. This option implies --ssl.
If you use encryption when establishing a client connection, to tell the client not to authenticate the server certificate, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified at server startup.
MySQL distributions compiled using OpenSSL support the --ssl-capath option (see Section 6.4.1, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not, because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate file and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option.
--ssl-cert=file_name
The name of the SSL certificate file in PEM format to use for establishing a secure connection. This option implies --ssl.
--ssl-cipher=cipher_list
A list of permissible ciphers to use for connection encryption. If no cipher in the list is supported, encrypted connections will not work. This option implies --ssl.
For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.
For information about which encryption ciphers MySQL supports, see Section 6.4.3, “Secure Connection Protocols and Ciphers”.
--ssl-key=file_name
The name of the SSL key file in PEM format to use for establishing a secure connection. This option implies --ssl.
If the MySQL distribution was compiled using OpenSSL and the key file is protected by a passphrase, the program prompts the user for the passphrase. The passphrase must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. If the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.
--ssl-mode=mode
This option is available only for client programs, not the server. It specifies the security state of the connection to the server:
If this option is not specified, the default value is DISABLED (establish an unencrypted connection). This is like the --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).
If this option is specified, the only permitted value is REQUIRED (establish a secure connection if the server supports secure connections). The connection attempt fails if a secure connection cannot be established.
The --ssl-mode option was added in MySQL 5.5.49.
In MySQL 5.7 and higher, the C client library provides native support for requiring encrypted connections (call the mysql_options() C API function, passing the MYSQL_OPT_SSL_MODE option with a value of SSL_MODE_REQUIRED). In MySQL 5.5, the client library provides no such support because doing so would break binary compatibility with previous library versions within the series. Clients that require encrypted connections must implement the logic themselves.
To require encrypted connections in MySQL 5.5, the standard MySQL client programs use this technique: If --ssl-mode=REQUIRED was specified, the client program turns on SSL, connects to the server, and checks whether the resulting connection is encrypted. If not, the client exits with an error. Third-party applications that must be able to require encrypted connections can use the same technique. For details, see Section 23.8.7.67, “mysql_ssl_set()”.
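The same connect-then-verify technique, applied from a shell wrapper around the mysql command-line client rather than from C. This is an added example, not part of the MySQL manual; the host, user and CA-file arguments are placeholders, and the status lines fed to the check in the test are constructed to look like the tab-separated output of mysql -s -N.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): emulate --ssl-mode=REQUIRED on a
# MySQL 5.5 client by turning SSL on, connecting, and then confirming that the
# session is actually encrypted. An empty Ssl_cipher status value means the
# client silently fell back to plaintext.

# Return 0 if a "Ssl_cipher<TAB>value" status line names a cipher, 1 if the
# value is empty (unencrypted session) or the line is not about Ssl_cipher.
ssl_cipher_is_set() {
    cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
    [ -n "$cipher" ]
}

# Connect with --ssl and the client-side CA, ask the server which cipher the
# current session uses, and fail unless one is reported.
# Arguments: host user ca_file (all placeholders supplied by the caller).
# Exit status: 0 encrypted, 1 connected but unencrypted, 2 connection failed.
require_encrypted_connection() {
    host=$1; user=$2; ca=$3
    status_line=$(mysql --ssl --ssl-ca="$ca" --ssl-verify-server-cert \
        -h "$host" -u "$user" -s -N \
        -e "SHOW STATUS LIKE 'Ssl_cipher'") || return 2
    if ssl_cipher_is_set "$status_line"; then
        return 0
    fi
    echo "connection to $host is not encrypted; aborting" >&2
    return 1
}
```

Because --ssl only permits encryption, a server started without the --ssl-cert/--ssl-key options accepts the connection in plaintext; the Ssl_cipher check is what turns that fallback into a hard failure.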
--ssl-verify-server-cert
This option is available only for client programs, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. Verification is disabled by default.