The following list describes options that are used for
specifying the use of SSL, certificate files, and key files.
These options are available beginning with MySQL 4.0. They can
be given on the command line or in an option file. These options
are not available unless MySQL has been built with SSL support.
See Section 5.6.6.2, “Using SSL Connections”. (There are also
--master-ssl*
options that can be used for
setting up a secure connection from a slave replication server
to a master server; see Section 14.8, “Replication and Binary Logging Options and Variables”.)
Table 5.6. SSL Option/Variable Summary
Name | Cmd-Line | Option file | System Var | Status Var | Var Scope | Dynamic |
---|---|---|---|---|---|---|
have_openssl | Yes | Global | No | |||
skip-ssl | Yes | Yes | ||||
ssl | Yes | Yes | ||||
ssl-ca | Yes | Yes | Global | No | ||
- Variable: ssl_ca | Yes | Global | No | |||
ssl-capath | Yes | Yes | Global | No | ||
- Variable: ssl_capath | Yes | Global | No | |||
ssl-cert | Yes | Yes | Global | No | ||
- Variable: ssl_cert | Yes | Global | No | |||
ssl-cipher | Yes | Yes | Global | No | ||
- Variable: ssl_cipher | Yes | Global | No | |||
ssl-key | Yes | Yes | Global | No | ||
- Variable: ssl_key | Yes | Global | No |
For the server, this option specifies that the server allows
SSL connections. For a client program, it allows the client
to connect to the server using SSL. This option is not
sufficient in itself to cause an SSL connection to be used.
You must also specify the
--ssl-ca
option, and
possibly the --ssl-cert
and
--ssl-key
options.
This option is more often used in its opposite form to
override any other SSL options and indicate that SSL should
not be used. To do this, specify the
option as
--skip-ssl
or --ssl=0
.
Note that use of --ssl
does
not require an SSL connection. For
example, if the server or client is compiled without SSL
support, a normal unencrypted connection is used.
The secure way to require use of an SSL connection is to
create an account on the server that includes a
REQUIRE SSL
clause in the
GRANT
statement. Then use
that account to connect to the server, where both the server
and the client have SSL support enabled.
The REQUIRE
clause allows other
SSL-related restrictions as well. The description of
REQUIRE
in Section 12.4.1.2, “GRANT
Syntax”,
provides additional detail about which SSL command options
may or must be specified by clients that connect using
accounts that are created using the various
REQUIRE
options.
The path to a file that contains a list of trusted SSL CAs.
The path to a directory that contains trusted SSL CA certificates in PEM format.
The name of the SSL certificate file to use for establishing a secure connection.
A list of allowable ciphers to use for SSL encryption. For
greatest portability, cipher_list
should be a list of one or more cipher names, separated by
colons. Examples:
--ssl-cipher=AES128-SHA --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
This format is understood both by OpenSSL and yaSSL. OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, this extended syntax will fail if used with a MySQL installation compiled against yaSSL (which may be the case for MySQL 5.0 and up).
If no cipher in the list is supported, SSL connections will not work.
The name of the SSL key file to use for establishing a secure connection.
User Comments
It's not obvious from the documentation how to use an encrypted connection, but authenticate using passwords. Specifying --ssl (beside REQUIRE SSL) won't work, you have to use --ssl-ca, but you can omit --ssl-key and --ssl-cert from the client options. You can use anything as CA, even --ssl-ca=/dev/null - at least MySQL 4.1.7 won't check the certificate, so beware, it's encrypted, but not secured!
The comment posted right below this one also serves for the server as well. Using all the appropriate options (--ssl, --ssl-ca,--ssl-key,--ssl-cert,--ssl-cipher) will still leave ssl disabled (have_openssl DISABLED). DO NOT USE --ssl when trying to start a server (at least with 5.0.40).
It seems that neither --ssl-ca nor --ssl-cert allows the server to send the complete CA chain during handshake. Unfortunately the server seems to handle just one CA which isn't sufficient for most scenarios (just have a look on https://www.sun.com for example, a certification hierarchy with more than 1 CA certificate is odinary today).
With a MySQL 4 client connecting to a MySQL 4 server, if the server isn't checking client-side certs, it was sufficient to do something like this to use SSL:
mysql -h hostname -u user -p --ssl-ca=/dev/null
This no longer works with a MySQL 5 client. It appears have to supply --ssl-cert and --ssl-key even when connecting to a MySQL 4 server that doesn't care about them.
Another commenter mentioned that `mysql --ssl` is not enough to get you connected to the mysqld over ssl. However, if you do:
mysql --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
then it will connect over ssl without having to specify any key, ca-crt or other stuff that you may not care about if you just want to type your password over ssl.
Add your own comment.