To enable SSL connections, your MySQL distribution must be built with SSL support, as described in Section 5.9.2, “Configuring MySQL for SSL”. In addition, the proper SSL-related options must be used to specify the appropriate certificate and key files. For a complete list of SSL options, see Section 5.9.4, “SSL Command Options”.
To start the MySQL server so that it permits clients to connect using SSL, use the options that identify the certificate and key files the server uses when establishing a secure connection:
--ssl-ca identifies the Certificate Authority (CA) certificate.
--ssl-cert identifies the server public key certificate. This can be sent to the client and authenticated against the CA certificate that it has.
--ssl-key identifies the server private key.
For example, start the server like this:
shell> mysqld --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem
Each option names a file in PEM format. For instructions on generating the required SSL certificate and key files, see Section 5.9.5, “Setting Up SSL Certificates and Keys for MySQL”. If you have a MySQL source distribution, you can also test your setup using the demonstration certificate and key files in the mysql-test/std_data directory of the distribution.
Similar options are used on the client side, although in this case, --ssl-cert and --ssl-key identify the client public and private key. Note that the Certificate Authority certificate, if specified, must be the same as used by the server.
To establish a secure connection to a MySQL server with SSL support, the options that a client must specify depend on the SSL requirements of the MySQL account used by the client. (See the discussion of the REQUIRE clause in GRANT Syntax.)
Suppose that you want to connect using an account that has no special SSL requirements or was created using a GRANT statement that includes the REQUIRE SSL option. As a recommended set of SSL options, start the server with at least --ssl-cert and --ssl-key, and invoke the client with --ssl-ca. A client can connect securely like this:
shell> mysql --ssl-ca=ca-cert.pem
To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:
shell> mysql --ssl-ca=ca-cert.pem \
       --ssl-cert=client-cert.pem \
       --ssl-key=client-key.pem
A client can determine whether the current connection with the server uses SSL by checking the value of the Ssl_cipher status variable. The value of Ssl_cipher is nonempty if SSL is used, and empty otherwise. For example:
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
For the mysql client, an alternative is to use the STATUS or \s command and check the SSL line:
mysql> \s
...
SSL: Not in use
...
Or:
mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
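The same check wrapped so that a script fails closed: the functions below connect with the client-side --ssl-ca, --ssl-cert and --ssl-key options described above, read Ssl_cipher over that connection with mysql -N -B -e, and abort when the value is empty. This is an added example, not part of the MySQL manual; the .pem file names are the placeholders used above, and the parsing helpers are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the MySQL manual: connect with the client SSL
# options and refuse to proceed unless the session really is encrypted.

# File names as used in the manual's examples (placeholders, not real files).
SSL_CA=${SSL_CA:-ca-cert.pem}
SSL_CERT=${SSL_CERT:-client-cert.pem}
SSL_KEY=${SSL_KEY:-client-key.pem}

# Extract the cipher name from the tab-separated row that
#   mysql -N -B -e "SHOW STATUS LIKE 'Ssl_cipher'"
# prints ("Ssl_cipher<TAB><value>"). Prints nothing when the value is
# empty, which is what the server reports for an unencrypted connection.
ssl_cipher_from_status() {
    printf '%s\n' "$1" | awk '$1 == "Ssl_cipher" { print $2 }'
}

# Exit status 0 when the status row shows SSL in use, 1 otherwise.
ssl_in_use() {
    [ -n "$(ssl_cipher_from_status "$1")" ]
}

# Connect with CA, client certificate and client key (the set needed for a
# REQUIRE X509 account), fetch Ssl_cipher over that connection, and fail
# closed if the server reports an empty cipher. Extra arguments (for
# example -h host -u user -p) are passed through to mysql.
check_live_connection() {
    status=$(mysql -N -B \
        --ssl-ca="$SSL_CA" --ssl-cert="$SSL_CERT" --ssl-key="$SSL_KEY" \
        "$@" -e "SHOW STATUS LIKE 'Ssl_cipher'") || return 2
    if ssl_in_use "$status"; then
        echo "SSL in use: $(ssl_cipher_from_status "$status")"
    else
        echo "connection to MySQL is not encrypted; aborting" >&2
        return 1
    fi
}
```

Run check_live_connection with your usual mysql connection arguments; a non-zero exit means either the connection failed (2) or it succeeded without SSL (1).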
The C API enables application programs to use SSL:
To establish a secure connection, use the mysql_ssl_set() C API function to set the appropriate certificate options before calling mysql_real_connect(). See mysql_ssl_set().
To determine whether SSL is in use after the connection is established, use mysql_get_ssl_cipher(). A non-NULL return value indicates a secure connection and names the SSL cipher used for encryption. A NULL return value indicates that SSL is not being used. See mysql_get_ssl_cipher().
Replication uses the C API, so secure connections can be used between master and slave servers. See Setting Up Replication Using SSL.