User Comments

Posted by Sam Critchley on February 7 2014 5:10pm

Note that the "REQUIRE SSL" grant may not work if your client configuration has all three certificate lines enabled. In that case, you should only specify the certificate authority key:

ssl-ca=cacert.pem

If you want to require a client certificate then the account should have "REQUIRE X509" instead of "REQUIRE SSL" and your client config should look (roughly) like this:

ssl-ca=cacert.pem
ssl-cert=client-cert.pem
ssl-key=client-key.pem

You can show which cipher is in use in the client simply by typing "\s":

username@hostname [(none)]> \s
--------------
mysql Ver 14.14 Distrib 5.5.35, for debian-linux-gnu (x86_64) using readline 6.2

Connection id: 63
Current database:
Current user: localturn2@localturn2
SSL: Cipher in use is DHE-RSA-AES256-SHA

This is the same as detailed in the client documentation at:

https://dev.mysql.com/doc/refman/5.5/en/using-ssl-connections.html

Posted by Chaoran Xie on July 22 2014 7:49pm

One small tip: make sure you use the full path for MASTER_SSL_CA when running the CHANGE MASTER statement.

So instead of something like
MASTER_SSL_CA = 'ca-cert.pem', MASTER_SSL_CAPATH = '/opt/newcerts/'

use
MASTER_SSL_CA = '/opt/newcerts/ca-cert.pem', MASTER_SSL_CAPATH = ''
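
The full-path tip in the comment above can be checked before a CHANGE MASTER statement is run. The following is an added example, not part of the comments or of MySQL itself: a small Python check that flags MASTER_SSL_* path options that are set but not absolute. The function names are hypothetical, the statements are constructed from the two forms quoted above, and POSIX-style server paths are assumed.

```python
import posixpath
import re

# CHANGE MASTER TO options that take a filesystem path.
SSL_PATH_OPTIONS = ("MASTER_SSL_CA", "MASTER_SSL_CAPATH",
                    "MASTER_SSL_CERT", "MASTER_SSL_KEY")

# Matches OPTION = 'value' or OPTION = "value"; the value may be empty.
_ASSIGN = re.compile(
    r"\b(MASTER_[A-Z_]+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\")", re.IGNORECASE)


def parse_options(statement):
    """Return {OPTION: value} for every quoted assignment in the statement."""
    opts = {}
    for m in _ASSIGN.finditer(statement):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        opts[m.group(1).upper()] = value
    return opts


def relative_ssl_paths(statement):
    """List (option, value) pairs whose path is set but not absolute."""
    opts = parse_options(statement)
    findings = []
    for name in SSL_PATH_OPTIONS:
        value = opts.get(name, "")
        # An empty value (as in MASTER_SSL_CAPATH = '') is not a finding.
        if value and not posixpath.isabs(value):
            findings.append((name, value))
    return findings


# Constructed statements built from the two forms in the comment above.
BEFORE = ("CHANGE MASTER TO MASTER_SSL = 1, "
          "MASTER_SSL_CA = 'ca-cert.pem', MASTER_SSL_CAPATH = '/opt/newcerts/'")
AFTER = ("CHANGE MASTER TO MASTER_SSL = 1, "
         "MASTER_SSL_CA = '/opt/newcerts/ca-cert.pem', MASTER_SSL_CAPATH = ''")

if __name__ == "__main__":
    for label, stmt in (("before", BEFORE), ("after", AFTER)):
        print(label, relative_ssl_paths(stmt) or "all SSL paths absolute")
```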