
User Comments

Posted by Sam Critchley on February 7 2014 5:10pm

Note that the "REQUIRE SSL" grant may not work if your client configuration has all three certificate lines enabled. In that case, you should only specify the certificate authority key:


If you want to require a client certificate then the account should have "REQUIRE X509" instead of "REQUIRE SSL" and your client config should look (roughly) like this:


You can show which cipher is in use in the client simply by typing "\s":

username@hostname [(none)]> \s
mysql Ver 14.14 Distrib 5.5.35, for debian-linux-gnu (x86_64) using readline 6.2

Connection id: 63
Current database:
Current user: localturn2@localturn2
SSL: Cipher in use is DHE-RSA-AES256-SHA

This is the same as detailed in the client documentation at:

Posted by Chaoran Xie on July 22 2014 7:49pm

One small tip: make sure you use the full path for MASTER_SSL_CA when running the CHANGE MASTER statement.

So instead of something like
MASTER_SSL_CA = 'ca-cert.pem', MASTER_SSL_CAPATH = '/opt/newcerts/'

use

MASTER_SSL_CA = '/opt/newcerts/ca-cert.pem', MASTER_SSL_CAPATH = ''

Posted by Fred W on March 31 2015 5:32pm

A couple of tips:
1. The client cert is optional unless the account used for replication requires X509.
2. When using CHANGE MASTER TO to configure the slave, the parameters MASTER_SSL_CA and MASTER_SSL_CAPATH are resolved on the slave side.
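
The replication setup these tips describe, as an added example that is not part of any comment above or of the MySQL manual, written in MySQL 5.5 syntax. The account name, host names, password placeholder and the client-cert.pem / client-key.pem file names are assumptions; only /opt/newcerts/ca-cert.pem appears in the comments.

```sql
-- On the master: the replication account must present a client certificate.
-- 'repl', the host name and the password are placeholders (assumptions).
GRANT REPLICATION SLAVE ON *.*
  TO 'repl'@'slave.example.com'
  IDENTIFIED BY 'REPLACE_WITH_PASSWORD'
  REQUIRE X509;

-- Confirm the requirement was stored with the account.
SHOW GRANTS FOR 'repl'@'slave.example.com';

-- On the slave: every MASTER_SSL_* path is opened by the slave's mysqld,
-- so each file must exist on the slave host and be readable by the
-- account mysqld runs as. Use absolute paths and leave CAPATH empty.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST       = 'master.example.com',
  MASTER_USER       = 'repl',
  MASTER_PASSWORD   = 'REPLACE_WITH_PASSWORD',
  MASTER_SSL        = 1,
  MASTER_SSL_CA     = '/opt/newcerts/ca-cert.pem',
  MASTER_SSL_CAPATH = '',
  -- Needed because the account is REQUIRE X509; with REQUIRE SSL the
  -- next two options can be left out.
  MASTER_SSL_CERT   = '/opt/newcerts/client-cert.pem',
  MASTER_SSL_KEY    = '/opt/newcerts/client-key.pem';
START SLAVE;

-- Check the result on the slave. Look at:
--   Slave_IO_Running    should be Yes
--   Master_SSL_Allowed  should be Yes
--   Master_SSL_CA_File  should show the absolute path given above
--   Last_IO_Error       should be empty; a certificate or path problem
--                       is reported here
SHOW SLAVE STATUS\G
```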