

14.5 SSL

The MySQL Protocol also supports encryption and authentication via SSL. The encryption is transparent to the rest of the protocol and is applied after the data is compressed, immediately before it is written to the network layer.

SSL support is announced in the Initial Handshake Packet sent by the server via the CLIENT_SSL capability flag, and it is enabled if the client returns the same capability.

For an unencrypted connection the server starts with its Initial Handshake Packet:

36 00 00 00 0a 35 2e 35    2e 32 2d 6d 32 00 52 00    6....5.5.2-m2.R.
00 00 22 3d 4e 50 29 75    39 56 00 ff ff 08 02 00    .."=NP)u9V......
00 00 00 00 00 00 00 00    00 00 00 00 00 29 64 40    .............)d@
52 5c 55 78 7a 7c 21 29    4b 00                      R\Uxz|!)K.

... and the client returns its Handshake Response Packet:

3a 00 00 01 05 a6 03 00    00 00 00 01 08 00 00 00    :...............
00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
00 00 00 00 72 6f 6f 74    00 14 14 63 6b 70 99 8a    ....root...ckp..
b6 9e 96 87 a2 30 9a 40    67 2b 83 38 85 4b          .....0.@g+.8.K

If the client wants to use SSL and the server supports it, the client sends an SSL Request Packet with the CLIENT_SSL capability enabled instead:

20 00 00 01 05 ae 03 00    00 00 00 01 08 00 00 00     ...............
00 00 00 00 00 00 00 00    00 00 00 00 00 00 00 00    ................
00 00 00 00                                           ....

The rest of the communication is switched to SSL:

16 03 01 00 5e 01 00 00    5a 03 01 4c a3 49 2e 7a    ....^...Z..L.I.z
b5 06 75 68 5c 30 36 73    f1 82 79 70 58 4c 64 bb    ..uh\06s..ypXLd.
47 7e 90 cd 9b 30 c5 66    65 da 35 00 00 2c 00 39    G~...0.fe.5..,.9
00 38 00 35 00 16 00 13    00 0a 00 33 00 32 00 2f    .8.5.......3.2./
00 9a 00 99 00 96 00 05    00 04 00 15 00 12 00 09    ................
00 14 00 11 00 08 00 06    00 03 02 01 00 00 04 00    ................
23 00 00                                              #..

The preceding packet is from SSL_connect(), which performs the SSL greeting and certificate exchange. Once the SSL tunnel is established, normal communication continues, starting with the client sending the Handshake Response Packet.
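As an added example (not code from the manual), the following Python sketch classifies a connection start from the first bytes each side sent, using the packets dumped above as input. The function names and verdict strings are hypothetical; the CLIENT_SSL bit value 0x0800 and the 32-byte SSL Request payload are the ones visible in the dumps.

```python
CLIENT_SSL = 0x0800        # capability bit: a6 vs ae in the page's two client dumps
SSL_REQUEST_LEN = 32       # payload size of the SSL Request Packet (0x20 in its header)

def split_packet(raw):
    """Split one MySQL packet into (sequence_id, payload)."""
    length = int.from_bytes(raw[:3], "little")
    if len(raw) < 4 + length:
        raise ValueError("truncated packet")
    return raw[3], raw[4:4 + length]

def server_capabilities(greeting):
    """Lower 16 capability bits of a protocol-10 Initial Handshake Packet."""
    _, p = split_packet(greeting)
    if p[0] != 0x0A:
        raise ValueError("not a protocol-10 handshake")
    pos = p.index(b"\x00", 1) + 1      # skip NUL-terminated server version
    pos += 4 + 8 + 1                   # connection id, auth data part 1, filler
    return int.from_bytes(p[pos:pos + 2], "little")

def audit(greeting, client_first, following=b""):
    """Classify a connection start from the first bytes each side sent."""
    offered = bool(server_capabilities(greeting) & CLIENT_SSL)
    _, p = split_packet(client_first)
    wants_ssl = bool(int.from_bytes(p[:4], "little") & CLIENT_SSL)
    if wants_ssl and len(p) == SSL_REQUEST_LEN:
        # A TLS handshake record (type 0x16, major version 3) must follow.
        return "tls" if following[:2] == b"\x16\x03" else "ssl-requested-but-no-tls"
    return "cleartext-ssl-available" if offered else "cleartext-no-ssl"

# Sample bytes copied from the dumps on this page.
GREETING = bytes.fromhex(
    "36000000 0a352e35 2e322d6d 32005200 0000223d 4e502975 395600ff ff080200"
    "00000000 00000000 00000000 00296440 525c5578 7a7c2129 4b00")
FIXED = bytes.fromhex("00000001 08") + bytes(23)   # max packet, charset, reserved
SSL_REQUEST = bytes.fromhex("20000001 05ae0300") + FIXED
RESPONSE = (bytes.fromhex("3a000001 05a60300") + FIXED + bytes.fromhex(
    "726f6f74 00 14 14636b70 998ab69e 9687a230 9a40672b 8338854b"))
TLS_START = bytes.fromhex("16030100 5e")          # first bytes of the ClientHello record

if __name__ == "__main__":
    print(audit(GREETING, RESPONSE))
    print(audit(GREETING, SSL_REQUEST, TLS_START))
```

The "cleartext-ssl-available" verdict is the case worth alerting on: the server announced CLIENT_SSL, yet the client sent its Handshake Response Packet, including the user name and auth response, unencrypted.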

