This section describes options that are used to specify whether
to use SSL and the names of SSL certificate and key files. These
options can be given on the command line or in an option file.
They are not available unless MySQL has been built with SSL
support. See Section 6.3.6.2, “Configuring MySQL for SSL”. (There are
also --master-ssl* options that can be used for
setting up a secure connection from a slave replication server
to a master server; see Section 16.1.2, “Replication and Binary Logging Options and Variables”.)
Table 6.8. SSL Option/Variable Summary

| Name | Cmd-Line | Option file | System Var | Status Var | Var Scope | Dynamic |
|---|---|---|---|---|---|---|
| have_openssl | | | Yes | | Global | No |
| have_ssl | | | Yes | | Global | No |
| skip-ssl | Yes | Yes | | | | |
| ssl | Yes | Yes | | | | |
| ssl-ca | Yes | Yes | | | Global | No |
| - Variable: ssl_ca | | | Yes | | Global | No |
| ssl-capath | Yes | Yes | | | Global | No |
| - Variable: ssl_capath | | | Yes | | Global | No |
| ssl-cert | Yes | Yes | | | Global | No |
| - Variable: ssl_cert | | | Yes | | Global | No |
| ssl-cipher | Yes | Yes | | | Global | No |
| - Variable: ssl_cipher | | | Yes | | Global | No |
| ssl-key | Yes | Yes | | | Global | No |
| - Variable: ssl_key | | | Yes | | Global | No |
For the server, this option specifies that the server
permits SSL connections. For a client program, it permits
the client to connect to the server using SSL, but this
option is not sufficient in itself to cause an SSL
connection to be used. As a recommended set of options to
enable SSL connections, use at least
--ssl-cert and
--ssl-key on the server side
and --ssl-ca on the client
side.
--ssl is implied by the other
--ssl-xxx options, as indicated in the
descriptions of those options. For this reason,
--ssl is not usually specified
explicitly. It is more often used
explicitly in its opposite form to override other SSL
options and indicate that SSL should
not be used. To do this, specify the
option as
--skip-ssl
or --ssl=0. For example, you
might have SSL options specified in the
[client] group of your option file to use
SSL connections by default when you invoke MySQL client
programs. To use an unencrypted connection instead, invoke
the client program with
--skip-ssl
on the command line to override the options in the option
file.
Use of --ssl does not
require an SSL connection to be used;
it only permits it. For example, if you specify this option
for a client program but the server has not been configured
to permit SSL connections, an unencrypted connection is
used.
The secure way to require use of an SSL connection is to
create a MySQL account that includes at least a
REQUIRE SSL clause in the
GRANT statement. In this
case, connections for that account will be rejected unless
MySQL supports SSL connections and the server and client
have been started with the proper SSL options.
The REQUIRE clause permits other
SSL-related restrictions as well. These can be used for
stricter requirements than REQUIRE SSL.
The description of REQUIRE in
Section 13.7.1.3, “GRANT Syntax”, provides additional detail about
which SSL command options may or must be specified by
clients that connect using accounts that are created using
the various REQUIRE options.
The path to a file in PEM format that contains a list of
trusted SSL certificate authorities. This option implies
--ssl.
As of MySQL 5.0.40, if you use SSL when establishing a
client connection, you can tell the client not to
authenticate the server certificate by specifying neither
--ssl-ca nor
--ssl-capath. The server
still verifies the client according to any applicable
requirements established using
GRANT statements for the
client, and it still uses any
--ssl-ca/--ssl-capath
values that were passed to the server at startup.
The path to a directory that contains trusted SSL
certificate authority certificates in PEM format. This
option implies --ssl.
As of MySQL 5.0.40, if you use SSL when establishing a
client connection, you can tell the client not to
authenticate the server certificate by specifying neither
--ssl-ca nor
--ssl-capath. The server
still verifies the client according to any applicable
requirements established using
GRANT statements for the
client, and it still uses any
--ssl-ca/--ssl-capath
values that were passed to the server at startup.
MySQL distributions built with OpenSSL support the
--ssl-capath option.
Distributions built with yaSSL do not because yaSSL does not
look in any directory and does not follow a chained
certificate tree. yaSSL requires that all components of the
CA certificate tree be contained within a single CA
certificate file and that each certificate in the file has a
unique SubjectName value. To work around this yaSSL
limitation, concatenate the individual certificate files
comprising the certificate tree into a new file. Then
specify the new file as the value of the
--ssl-ca option.
The name of the SSL certificate file in PEM format to use
for establishing a secure connection. This option implies
--ssl.
A list of permissible ciphers to use for SSL encryption. If
no cipher in the list is supported, SSL connections will not
work. This option implies
--ssl.
For greatest portability,
cipher_list should be a list of
one or more cipher names, separated by colons. This format
is understood both by OpenSSL and yaSSL. Examples:

```
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
```

OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution built with yaSSL.
The name of the SSL key file in PEM format to use for establishing a secure connection.
If the MySQL distribution was built using OpenSSL and the key file is protected by a passphrase, the program will prompt the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. If the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.
This option is available for client programs only, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default. This option was added in MySQL 5.0.23.
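The rules spread across the --ssl, --ssl-ca and --ssl-capath descriptions above (any --ssl-xxx implies --ssl; --skip-ssl or --ssl=0 overrides the option file; --ssl only permits SSL; the server certificate is authenticated only with --ssl-ca or --ssl-capath; REQUIRE SSL on the account is what actually enforces encryption) are easy to misread, so here is an added Python model of how they combine. This is an illustration written for this page, not MySQL's own code; the option file text, the ca.pem path and the sample command lines are constructed.

```python
import configparser
from dataclasses import dataclass
# Options whose presence implies --ssl, per the option descriptions above.
SSL_IMPLYING = ("ssl-ca", "ssl-capath", "ssl-cert", "ssl-key", "ssl-cipher")

@dataclass
class ClientSslPosture:
    ssl_permitted: bool         # client may negotiate SSL (--ssl or any --ssl-xxx)
    server_cert_verified: bool  # only when --ssl-ca or --ssl-capath is given

def parse_client_options(option_file_text, argv):
    """Merge the [client] group of an option file with command-line arguments.
    The command line is applied last, so --skip-ssl there overrides the file."""
    opts = {}
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(option_file_text)
    if cp.has_section("client"):
        for name, value in cp.items("client"):
            opts[name.replace("_", "-")] = "1" if value is None else value
    for arg in argv:
        if not arg.startswith("--"):
            continue                      # -h, -u, -p and friends are not SSL options
        name, _, value = arg[2:].partition("=")
        name = name.replace("_", "-")
        if name.startswith("skip-"):      # --skip-ssl is equivalent to --ssl=0
            opts[name[len("skip-"):]] = "0"
        else:
            opts[name] = value or "1"
    return opts

def client_posture(opts):
    """--ssl=0 wins over everything; any --ssl-xxx implies --ssl; the server
    certificate is authenticated only when --ssl-ca or --ssl-capath is set."""
    if opts.get("ssl") == "0":
        return ClientSslPosture(False, False)
    permitted = opts.get("ssl") == "1" or any(k in opts for k in SSL_IMPLYING)
    verified = permitted and ("ssl-ca" in opts or "ssl-capath" in opts)
    return ClientSslPosture(permitted, verified)

def connection_outcome(server_permits_ssl, client, account_requires_ssl):
    """--ssl only permits SSL on either side; a REQUIRE SSL account is what
    turns a silent fallback to plaintext into a rejected connection."""
    encrypted = server_permits_ssl and client.ssl_permitted
    if account_requires_ssl and not encrypted:
        return "rejected"
    return "encrypted" if encrypted else "unencrypted"

# Constructed sample option file (path is made up) enabling SSL for all clients.
SAMPLE_OPTION_FILE = "[client]\nssl-ca=/etc/mysql/ca.pem\n"
```

Note that a client started with only --ssl or only --ssl-cipher is marked as permitted but not verified: it may end up encrypted, yet it never authenticates the server.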

User Comments
It's not obvious from the documentation how to use an encrypted connection, but authenticate using passwords. Specifying --ssl (besides REQUIRE SSL) won't work; you have to use --ssl-ca, but you can omit --ssl-key and --ssl-cert from the client options. You can use anything as CA, even --ssl-ca=/dev/null - at least MySQL 4.1.7 won't check the certificate, so beware: it's encrypted, but not secured!
The comment posted right below this one also serves for the server. Using all the appropriate options (--ssl, --ssl-ca, --ssl-key, --ssl-cert, --ssl-cipher) will still leave SSL disabled (have_openssl DISABLED). DO NOT USE --ssl when trying to start a server (at least with 5.0.40).
It seems that neither --ssl-ca nor --ssl-cert allows the server to send the complete CA chain during the handshake. Unfortunately the server seems to handle just one CA, which isn't sufficient for most scenarios (just have a look at https://www.sun.com for example; a certification hierarchy with more than 1 CA certificate is ordinary today).
With a MySQL 4 client connecting to a MySQL 4 server, if the server isn't checking client-side certs, it was sufficient to do something like this to use SSL:
mysql -h hostname -u user -p --ssl-ca=/dev/null
This no longer works with a MySQL 5 client. It appears you have to supply --ssl-cert and --ssl-key even when connecting to a MySQL 4 server that doesn't care about them.
Another commenter mentioned that `mysql --ssl` is not enough to get you connected to the mysqld over ssl. However, if you do:
mysql --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
then it will connect over ssl without having to specify any key, ca-crt or other stuff that you may not care about if you just want to type your password over ssl.
As of MySQL 5.5 the above trick does not seem to work anymore (just specifying a cipher). Indeed I have not yet found a way to make the 5.5 command line connect using SSL at all (to either a 5.5 server or a 5.1 server). Similarly, SSL replication breaks after the upgrade.
Verify the SSL connection from the mysql client program with the "\s" command. Example:

```
%mysql --ssl .....
...
...
mysql> \s
--------------
/usr/local/mysql/bin/mysql Ver 14.14 Distrib 5.6.10, for osx10.6 (x86_64) using EditLine wrapper

Connection id:          35584
Current database:
Current user:           anonymous@testserver_1002
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.5.25a-log MySQL Community Server (GPL)
Protocol version:       10
Connection:             testserver_1001 via TCP/IP
Server characterset:    utf8
Db     characterset:    utf8
Client characterset:    utf8
Conn.  characterset:    utf8
TCP port:               3306
Uptime:                 18 days 21 hours 14 min 15 sec

Threads: 11  Questions: 5698256  Slow queries: 0  Opens: 1666  Flush tables: 23  Open tables: 247  Queries per second avg: 33.492
--------------
```

If SSL is not used/active the results will contain:

```
SSL:                    Not in use
```