This section describes options that specify whether to use SSL and the names of SSL certificate and key files. These options can be given on the command line or in an option file. They are not available unless MySQL has been built with SSL support. See Section 6.3.9.3, “Building MySQL with SSL Support”. For examples of suggested use and how to check whether a connection is secure, see Section 6.3.9.4, “Configuring MySQL to Use Secure Connections”.
Table 6.15 SSL Option/Variable Summary
| Name | Cmd-Line | Option File | System Var | Status Var | Var Scope | Dynamic |
|---|---|---|---|---|---|---|
| have_openssl | | | | Yes | Global | No |
| have_ssl | | | | Yes | Global | No |
| skip-ssl | Yes | Yes | | | | |
| ssl | Yes | Yes | | | | |
| ssl-ca | Yes | Yes | | | Global | No |
| - Variable: ssl_ca | | | Yes | | Global | No |
| ssl-capath | Yes | Yes | | | Global | No |
| - Variable: ssl_capath | | | Yes | | Global | No |
| ssl-cert | Yes | Yes | | | Global | No |
| - Variable: ssl_cert | | | Yes | | Global | No |
| ssl-cipher | Yes | Yes | | | Global | No |
| - Variable: ssl_cipher | | | Yes | | Global | No |
| ssl-key | Yes | Yes | | | Global | No |
| - Variable: ssl_key | | | Yes | | Global | No |
`--ssl`

For the MySQL server, this option specifies that the server permits but does not require SSL connections.

For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection.

As a recommended set of options to enable SSL connections, use at least `--ssl-cert` and `--ssl-key` on the server side and `--ssl-ca` on the client side. See Section 6.3.9.4, “Configuring MySQL to Use Secure Connections”. `--ssl` may be implied by other `--ssl-xxx` options, as indicated in the descriptions for those options.

The `--ssl` option in negated form overrides other SSL options and indicates that SSL should not be used. To do this, specify the option as `--ssl=0` or a synonym (`--skip-ssl`, `--disable-ssl`). For example, you might have SSL options specified in the `[client]` group of your option file to use SSL connections by default when you invoke MySQL client programs. To use an unencrypted connection instead, invoke the client program with `--ssl=0` on the command line to override the options in the option file.

To require use of SSL connections for a MySQL account, issue a `GRANT` statement for the account that includes at least a `REQUIRE SSL` clause. Connections for the account will be rejected unless MySQL supports SSL connections and the server and client have been started with the proper SSL options.

The `REQUIRE` clause permits other SSL-related options, which can be used to enforce stricter requirements than `REQUIRE SSL`. For additional details about which SSL command options may or must be specified by clients that connect using accounts configured using the various `REQUIRE` options, see the description of `REQUIRE` in Section 13.7.1.3, “GRANT Syntax”.

`--ssl-ca`

The path to a file in PEM format that contains a list of trusted SSL certificate authorities. This option implies `--ssl`.

If you use SSL when establishing a client connection, to tell the client not to authenticate the server certificate, specify neither `--ssl-ca` nor `--ssl-capath`. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any `--ssl-ca` or `--ssl-capath` option values specified at server startup.

`--ssl-capath`

The path to a directory that contains trusted SSL certificate authority certificates in PEM format. This option implies `--ssl`.

If you use SSL when establishing a client connection, to tell the client not to authenticate the server certificate, specify neither `--ssl-ca` nor `--ssl-capath`. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any `--ssl-ca` or `--ssl-capath` option values specified at server startup.

MySQL distributions compiled using OpenSSL support the `--ssl-capath` option (see Section 6.3.9.1, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the `--ssl-ca` option.

`--ssl-cert`

The name of the SSL certificate file in PEM format to use for establishing a secure connection. This option implies `--ssl`.

`--ssl-cipher=cipher_list`

A list of permissible ciphers to use for SSL encryption. If no cipher in the list is supported, SSL connections will not work. This option implies `--ssl`.

For greatest portability, `cipher_list` should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:

```
--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
```
OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.
For information about which encryption ciphers MySQL supports, see Section 6.3.9.2, “Secure Connection Protocols and Ciphers”.
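The following is an added example, not code from the MySQL manual or the MySQL client library. It models the option semantics described above for `--ssl` (command-line values overriding the `[client]` group of an option file, `--ssl=0` and its synonyms overriding every other SSL option, `--ssl` being implied by any `--ssl-xxx` option, and the client authenticating the server certificate only when it has `--ssl-ca` or `--ssl-capath`), and it checks whether a `--ssl-cipher` value uses the portable colon-separated `cipher_list` form that both OpenSSL and yaSSL understand. The option-file text and paths are constructed, and the list of OpenSSL-only cipher-string keywords it rejects is a sample rather than a complete list.

```python
# Added example (not from the MySQL manual): a small model of how the SSL
# command options combine, plus a portability check for --ssl-cipher values.
import re

# Options whose presence implies --ssl, per the option descriptions.
SSL_XXX = ("ssl-ca", "ssl-capath", "ssl-cert", "ssl-cipher", "ssl-key")
# Negated forms of --ssl; any one of them overrides all other SSL options.
SSL_OFF = ("skip-ssl", "disable-ssl")

# Constructed sample [client] group; the paths are placeholders.
SAMPLE_OPTION_FILE = """\
[client]
ssl-ca=/path/to/ca-cert.pem          # constructed path
ssl-cert=/path/to/client-cert.pem
ssl-key=/path/to/client-key.pem
"""


def _norm(name):
    # MySQL accepts '_' and '-' interchangeably in option names.
    return name.strip().replace("_", "-")


def parse_option_file(text, group="client"):
    """Return the name -> value options of one option-file group.

    Minimal parser for this example: 'name', 'name=value', '#' comments
    and bracketed group headers. A bare 'name' is recorded as '1'.
    """
    opts, in_group = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = line[1:-1].strip().lower() == group
            continue
        if in_group:
            name, sep, value = line.partition("=")
            opts[_norm(name)] = value.strip() if sep else "1"
    return opts


def parse_cmdline(args):
    """Return name -> value for the --options on a command line."""
    opts = {}
    for arg in args:
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            opts[_norm(name)] = value if sep else "1"
    return opts


def effective_ssl(file_opts, cmdline_opts):
    """Combine option-file and command-line SSL options as the text describes.

    Command-line values override same-named option-file values. --ssl=0 or a
    synonym disables SSL regardless of other --ssl-xxx options. Otherwise
    --ssl is in effect if given explicitly or implied by any --ssl-xxx option.
    The client authenticates the server certificate only with --ssl-ca or
    --ssl-capath; --ssl alone does not make the connection verified.
    """
    merged = dict(file_opts)
    merged.update(cmdline_opts)
    settings = {k: merged[k] for k in SSL_XXX if k in merged}
    disabled = merged.get("ssl") == "0" or any(k in merged for k in SSL_OFF)
    use_ssl = not disabled and ("ssl" in merged or bool(settings))
    verifies = use_ssl and ("ssl-ca" in settings or "ssl-capath" in settings)
    return {"use_ssl": use_ssl,
            "verifies_server_cert": verifies,
            "settings": settings if use_ssl else {}}


# OpenSSL cipher-string keywords that yaSSL does not understand (sample list,
# not complete); operators such as '!', '+', '-', '@' are caught by the regex.
_OPENSSL_ONLY_WORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL",
                       "HIGH", "MEDIUM", "LOW", "EXPORT", "EXP", "NULL", "aNULL",
                       "eNULL"}
_CIPHER_NAME = re.compile(r"^[A-Za-z0-9]+(-[A-Za-z0-9]+)*$")


def portable_cipher_list(cipher_list):
    """True if cipher_list is the colon-separated plain-name form accepted by
    both OpenSSL and yaSSL; False for OpenSSL-only syntax."""
    if not cipher_list:
        return False
    for name in cipher_list.split(":"):
        if not _CIPHER_NAME.match(name) or name in _OPENSSL_ONLY_WORDS:
            return False
    return True


if __name__ == "__main__":
    file_opts = parse_option_file(SAMPLE_OPTION_FILE)
    print(effective_ssl(file_opts, parse_cmdline([])))           # SSL, verified
    print(effective_ssl(file_opts, parse_cmdline(["--ssl=0"])))  # overridden off
    print(effective_ssl({}, parse_cmdline(["--ssl"])))           # SSL, unverified
    for c in ("AES128-SHA", "DHE-RSA-AES256-SHA:AES128-SHA", "HIGH:!aNULL"):
        print(c, portable_cipher_list(c))
```

Run it as a script to see the three scenarios from the text: the option file alone yields a verified SSL connection, `--ssl=0` on the command line switches SSL off despite the `ssl-xxx` entries in the file, and a bare `--ssl` with no CA enables SSL without server certificate authentication.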
`--ssl-key`

The name of the SSL key file in PEM format to use for establishing a secure connection. This option implies `--ssl`.

If the MySQL distribution was compiled using OpenSSL and the key file is protected by a passphrase, the program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. If the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.
`--ssl-verify-server-cert`

This option is available for client programs only, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. When SSL is used, this option helps prevent man-in-the-middle attacks. Verification is disabled by default.