To enable SSL connections, your MySQL distribution must be built with SSL support, as described in Section 5.6.2, “Building MySQL with SSL Support”. In addition, the proper SSL-related options must be used to specify the appropriate certificate and key files. For a complete list of SSL options, see Section 5.6.4, “SSL Command Options”.
If you need to create the required SSL files, see Section 5.7, “Creating SSL Certificates and Keys Using openssl”.
To start the MySQL server so that it permits clients to connect using SSL, use options that identify the certificate and key files the server uses when establishing a secure connection:
For example, start the server with these lines in the
my.cnf file, changing the file names as
[mysqld] ssl-ca=ca.pem ssl-cert=server-cert.pem ssl-key=server-key.pem
Each option names a file in PEM format. If you have a MySQL
source distribution, you can also test your setup using the
demonstration certificate and key files in its
To establish a secure connection to a MySQL server with SSL
support, the options that a client must specify depend on the
SSL requirements of the MySQL account used by the client. (See
the discussion of the
REQUIRE clause in
Suppose that you want to connect using an account that has no
special SSL requirements or was created using a
GRANT statement that includes the
REQUIRE SSL option. As a recommended set of
SSL options, start the server with at least
--ssl-key, and invoke the client
--ssl-ca. A client can
connect securely like this:
To require that a client certificate also be specified, create
the account using the
REQUIRE X509 option.
Then the client must also specify the proper client key and
certificate files or the server will reject the connection:
mysql --ssl-ca=ca.pem \
A client can determine whether the current connection with the
server uses SSL by checking the value of the
Ssl_cipher status variable.
The value is nonempty if SSL is used, and empty otherwise. For
SHOW STATUS LIKE 'Ssl_cipher';+---------------+--------------------+ | Variable_name | Value | +---------------+--------------------+ | Ssl_cipher | DHE-RSA-AES256-SHA | +---------------+--------------------+
For the mysql client, an alternative is to
command and check the
\s... SSL: Cipher in use is DHE-RSA-AES256-SHA ...
\s... SSL: Not in use ...
The C API enables application programs to use SSL:
To determine whether SSL is in use after the connection is
NULL return value indicates a secure
connection and names the SSL cipher used for encryption. A
NULL return value indicates that SSL is
not being used. See mysql_get_ssl_cipher().
Replication uses the C API, so secure connections can be used between master and slave servers. See Setting Up Replication Using SSL.