To enable SSL connections, your MySQL distribution must be built with SSL support, as described in Section 18.104.22.168, “Building MySQL with SSL Support”. In addition, the proper SSL-related options must be used to specify the appropriate certificate and key files. For a complete list of SSL options, see Section 22.214.171.124, “SSL Command Options”.
To start the MySQL server so that it permits clients to connect using SSL, use the options that identify the certificate and key files the server uses when establishing a secure connection:
For example, start the server like this:
Each option names a file in PEM format. For instructions on
generating the required SSL certificate and key files, see
Section 126.96.36.199, “Setting Up SSL Certificates and Keys for MySQL”. If you have a MySQL source
distribution, you can also test your setup using the
demonstration certificate and key files in the
mysql-test/std_data directory of the
Similar options are used on the client side, but
--ssl-key identify the client
public and private key. The Certificate Authority certificate,
if specified, must be the same as used by the server.
To establish a secure connection to a MySQL server with SSL
support, the options that a client must specify depend on the
SSL requirements of the MySQL account used by the client. (See
the discussion of the
REQUIRE clause in
Section 188.8.131.52, “GRANT Syntax”.)
Suppose that you want to connect using an account that has no
special SSL requirements or was created using a
GRANT statement that includes the
REQUIRE SSL option. As a recommended set of
SSL options, start the server with at least
--ssl-key, and invoke the client
--ssl-ca. A client can
connect securely like this:
To require that a client certificate also be specified, create
the account using the
REQUIRE X509 option.
Then the client must also specify the proper client key and
certificate files or the server will reject the connection:
A client can determine whether the current connection with the
server uses SSL by checking the value of the
Ssl_cipher status variable.
The value is nonempty if SSL is used, and empty otherwise. For
SHOW STATUS LIKE 'Ssl_cipher';+---------------+--------------------+ | Variable_name | Value | +---------------+--------------------+ | Ssl_cipher | DHE-RSA-AES256-SHA | +---------------+--------------------+
For the mysql client, an alternative is to
command and check the
\s... SSL: Cipher in use is DHE-RSA-AES256-SHA ...
\s... SSL: Not in use ...
The C API enables application programs to use SSL:
To establish a secure connection, use the
mysql_ssl_set() C API
function to set the appropriate certificate options before
Section 184.108.40.206, “mysql_ssl_set()”. To require the use of SSL,
To determine whether SSL is in use after the connection is
NULL return value indicates a secure
connection and names the SSL cipher used for encryption. A
NULL return value indicates that SSL is
not being used. See Section 220.127.116.11, “mysql_get_ssl_cipher()”.
Replication uses the C API, so secure connections can be used between master and slave servers. See Section 17.3.7, “Setting Up Replication Using SSL”.