To enable secure connections, your MySQL distribution must be built with SSL support, as described in Section 6.4.2, “Building MySQL with Support for Secure Connections”. In addition, the proper options must be used to specify the appropriate certificate and key files. For a complete list of options related to establishment of secure connections, see Section 6.4.5, “Command Options for Secure Connections”.
If you need to create the required SSL files, see Section 6.4.6, “Creating SSL Certificates and Keys Using openssl”.
To start the MySQL server so that it permits clients to connect securely, use options that identify the certificate and key files the server uses when establishing a secure connection:
--ssl-ca identifies the Certificate Authority (CA) certificate.

--ssl-cert identifies the server public key certificate. This can be sent to the client and authenticated against the CA certificate that it has.

--ssl-key identifies the server private key.
For example, start the server with these lines in the my.cnf file, changing the file names as necessary:

[mysqld]
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
Each option names a file in PEM format. The server private key (server-key.pem) should be readable only by the account that mysqld runs as; anyone who can read it can impersonate the server. If you have a MySQL source distribution, you can test your setup using the demonstration certificate and key files in its mysql-test/std_data directory. Those files ship in the public source tree, so their private keys are public; use them only for testing.
For client programs, options for secure connections are similar to those used on the server side, but --ssl-cert and --ssl-key identify the client public and private key:

--ssl-ca identifies the Certificate Authority (CA) certificate. This option, if used, must name the CA certificate that issued the server certificate (normally the same ca.pem the server was started with); the client uses it to verify the certificate the server presents.

--ssl-cert identifies the client public key certificate.

--ssl-key identifies the client private key.
To connect securely to a MySQL server that supports secure
connections, the options that a client must specify depend on the
encryption requirements of the MySQL account used by the client.
(See the discussion of the REQUIRE clause in
Section 13.7.1.3, “GRANT Syntax”.)
Suppose that you want to connect using an account that has no special encryption requirements or was created using a GRANT statement that includes the REQUIRE SSL option. As a recommended set of secure-connection options, start the server with at least --ssl-cert and --ssl-key, and invoke the client with --ssl-ca. A client can connect securely like this:

shell> mysql --ssl-ca=ca.pem

With --ssl-ca the client checks that the server certificate was issued by that CA, but not that it was issued for the host being connected to; add --ssl-verify-server-cert to have the client also compare the server host name against the Common Name in the certificate. Note also that the client --ssl options request encryption but do not make the client refuse an unencrypted session: if the account has no REQUIRE clause and the server was not started with SSL support, the connection succeeds in clear text. After connecting, confirm that Ssl_cipher is not empty, as described later in this section.
To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection. The server verifies the client certificate against the CA certificate it was started with (--ssl-ca), so the client certificate must have been issued by that CA:

shell> mysql --ssl-ca=ca.pem \
         --ssl-cert=client-cert.pem \
         --ssl-key=client-key.pem
To prevent use of encryption and override other --ssl-xxx options, invoke the client program with --ssl=0 or a synonym (--skip-ssl, --disable-ssl):

shell> mysql --ssl=0

Such a connection is rejected for accounts created with REQUIRE SSL or REQUIRE X509.
A client can determine whether the current connection with the
server uses encryption by checking the value of the
Ssl_cipher status variable. If
the value is empty, the connection is not encrypted. Otherwise,
the connection is encrypted and the value indicates the encryption
cipher. For example:
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
For the mysql client, an alternative is to use
the STATUS or \s command and
check the SSL line:
mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
Or:
mysql> \s
...
SSL: Not in use
...
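The file checks and the post-connect verification discussed above, as an added example that is not part of the MySQL manual: a POSIX shell script that checks, before the server or client is started, that the PEM files named by --ssl-ca, --ssl-cert and --ssl-key actually fit together, and then confirms after connecting that Ssl_cipher is non-empty rather than trusting that the --ssl options were honoured. It assumes the openssl and mysql command-line tools are on PATH; the function names (mysql_ssl_preflight, ssl_cipher_from_status, mysql_assert_encrypted, make_demo_certs) are the example's own. The distinct-subject check follows the rule in Section 6.4.6 that the server and client certificates must use a Common Name different from the CA certificate's; the PKCS#8 warning reflects that builds using the bundled yaSSL library accept only PKCS#1 RSA keys. make_demo_certs creates throwaway test certificates (constructed material, not for production) so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): pre-flight checks for the PEM
# files named by --ssl-ca / --ssl-cert / --ssl-key, plus a post-connect check
# that the session really is encrypted. Needs the openssl command-line tool;
# mysql_assert_encrypted additionally needs the mysql client.

# Return 0 if CA, certificate and key fit together, 1 otherwise.
# Usage: mysql_ssl_preflight ca.pem server-cert.pem server-key.pem
mysql_ssl_preflight() {
    ca=$1; cert=$2; key=$3
    for f in "$ca" "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "preflight: cannot read $f" >&2
            return 1
        fi
    done
    # 1. The certificate must chain to the CA, which is what the peer will check.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "preflight: $cert does not verify against $ca" >&2
        return 1
    fi
    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "preflight: $key is not the private key for $cert" >&2
        return 1
    fi
    # 3. CA and server/client certificate must not share a subject (Section 6.4.6:
    #    the Common Names must differ), or the files will not work with OpenSSL.
    ca_subj=$(openssl x509 -in "$ca" -noout -subject)
    cert_subj=$(openssl x509 -in "$cert" -noout -subject)
    if [ "$ca_subj" = "$cert_subj" ]; then
        echo "preflight: $cert has the same subject as the CA ($ca_subj)" >&2
        return 1
    fi
    # 4. Warn (do not fail) on a PKCS#8 key: yaSSL builds accept only PKCS#1
    #    keys, i.e. files starting with -----BEGIN RSA PRIVATE KEY-----.
    if grep -q 'BEGIN PRIVATE KEY' "$key"; then
        echo "preflight: warning: $key is PKCS#8; for yaSSL builds convert it with: openssl rsa -in $key -out $key" >&2
    fi
    return 0
}

# Print the cipher name from the tab-separated line that
#   mysql -N -e "SHOW STATUS LIKE 'Ssl_cipher'"
# produces, or nothing when the Value column is empty (unencrypted session).
ssl_cipher_from_status() {
    printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }'
}

# Connect with the given client options and fail unless the session is encrypted.
# Usage: mysql_assert_encrypted --ssl-ca=ca.pem [other mysql options]
mysql_assert_encrypted() {
    status=$(mysql -N -e "SHOW STATUS LIKE 'Ssl_cipher'" "$@") || return 1
    cipher=$(ssl_cipher_from_status "$status")
    if [ -z "$cipher" ]; then
        echo "connection is NOT encrypted (Ssl_cipher is empty)" >&2
        return 1
    fi
    echo "encrypted with $cipher"
}

# Constructed demo material for trying the checks offline (NOT for production):
# writes ca.pem, ca-key.pem, server-cert.pem, server-key.pem into DIR.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo MySQL CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-mysql-server" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
}

# Typical use before restarting the server:
#   mysql_ssl_preflight /etc/mysql/ca.pem /etc/mysql/server-cert.pem /etc/mysql/server-key.pem
# and after it is up:
#   mysql_assert_encrypted --ssl-ca=/etc/mysql/ca.pem --ssl-verify-server-cert -h db.example -u app -p
```

The preflight deliberately compares public keys rather than RSA moduli so it also works for EC keys, and it treats a shared CA/leaf subject as a hard failure because that mistake produces certificates that load but never verify. mysql_assert_encrypted is the check that catches the silent clear-text fallback described above: a successful exit of mysql alone proves nothing about encryption, only a non-empty Ssl_cipher does.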
The C API enables application programs to use secure connections:

To establish a secure connection, use the mysql_ssl_set() C API function to set the appropriate certificate options before calling mysql_real_connect(). See Section 23.8.7.67, “mysql_ssl_set()”.

To determine whether encryption is in use after the connection is established, use mysql_get_ssl_cipher(). A non-NULL return value indicates an encrypted connection and names the cipher used for encryption. A NULL return value indicates that encryption is not being used. See Section 23.8.7.33, “mysql_get_ssl_cipher()”.
Replication uses the C API, so secure connections can be used between master and slave servers. See Section 17.3.7, “Setting Up Replication to Use Secure Connections”.