MySQL Connector/J 8.0 Developer Guide


6.3.5 Security

  • paranoid

    Take measures to prevent exposure of sensitive information in error messages and clear data structures holding sensitive data when possible? (defaults to 'false')

    Default Value false
    Since Version 3.0.1
  • serverRSAPublicKeyFile

    File path to the server RSA public key file for sha256_password authentication. If not specified, the public key will be retrieved from the server.

    Since Version 5.1.31
  • allowPublicKeyRetrieval

    Allows special handshake round-trip to get an RSA public key directly from server.

    Default Value false
    Since Version 5.1.31
  • sslMode

    By default, network connections are SSL encrypted; this property permits secure connections to be turned off, or different levels of security to be chosen. The following values are allowed: "DISABLED" - Establish unencrypted connections; "PREFERRED" - (default) Establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections; "REQUIRED" - Establish secure connections if the server enabled them, fail otherwise; "VERIFY_CA" - Like "REQUIRED" but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates; "VERIFY_IDENTITY" - Like "VERIFY_CA", but additionally verify that the server certificate matches the host to which the connection is attempted.

    This property replaced the deprecated legacy properties "useSSL", "requireSSL", and "verifyServerCertificate", which are still accepted but translated into a value for "sslMode" if "sslMode" is not explicitly set: "useSSL=false" is translated to "sslMode=DISABLED"; {"useSSL=true", "requireSSL=false", "verifyServerCertificate=false"} is translated to "sslMode=PREFERRED"; {"useSSL=true", "requireSSL=true", "verifyServerCertificate=false"} is translated to "sslMode=REQUIRED"; {"useSSL=true" AND "verifyServerCertificate=true"} is translated to "sslMode=VERIFY_CA". There are no equivalent legacy settings for "sslMode=VERIFY_IDENTITY". Note that, for ALL server versions, the default setting of "sslMode" is "PREFERRED", and it is equivalent to the legacy settings of "useSSL=true", "requireSSL=false", and "verifyServerCertificate=false", which are different from their default settings for Connector/J 8.0.12 and earlier in some situations. Applications that continue to use the legacy properties and rely on their old default settings should be reviewed.

    The legacy properties are ignored if "sslMode" is set explicitly. If neither "sslMode" nor "useSSL" is set explicitly, the default setting of "sslMode=PREFERRED" applies.

    Default Value PREFERRED
    Since Version 8.0.13
  • trustCertificateKeyStoreUrl

    URL for the trusted root certificates key store.

    If not specified, the property 'fallbackToSystemTrustStore' determines whether the system-wide trust store is used.

    Since Version 5.1.0
  • trustCertificateKeyStoreType

    Key store type for trusted root certificates.

    NULL or empty means use the default, which is "JKS". Standard key store types supported by the JVM are "JKS" and "PKCS12"; your environment may have more available depending on what security products are installed and available to the JVM.

    Default Value JKS
    Since Version 5.1.0
  • trustCertificateKeyStorePassword

    Password for the trusted root certificates key store.

    Since Version 5.1.0
  • fallbackToSystemTrustStore

    Whether, when no value is set for 'trustCertificateKeyStoreUrl', the driver falls back to using the system-wide default trust store or one defined through the system properties 'javax.net.ssl.trustStore*'.

    Default Value true
    Since Version 8.0.22
  • clientCertificateKeyStoreUrl

    URL for the client certificate key store.

    If not specified, the property 'fallbackToSystemKeyStore' determines whether the system-wide key store is used.

    Since Version 5.1.0
  • clientCertificateKeyStoreType

    Key store type for client certificates.

    NULL or empty means use the default, which is "JKS". Standard key store types supported by the JVM are "JKS" and "PKCS12"; your environment may have more available depending on what security products are installed and available to the JVM.

    Default Value JKS
    Since Version 5.1.0
  • clientCertificateKeyStorePassword

    Password for the client certificates key store.

    Since Version 5.1.0
  • fallbackToSystemKeyStore

    Whether, when no value is set for 'clientCertificateKeyStoreUrl', the driver falls back to using the system-wide key store defined through the system properties 'javax.net.ssl.keyStore*'.

    Default Value true
    Since Version 8.0.22
  • enabledSSLCipherSuites

    If "useSSL" is set to "true", overrides the cipher suites enabled for use on the underlying SSL sockets. This may be required when using external JSSE providers or to specify cipher suites compatible with both the MySQL server and the JVM in use.

    Since Version 5.1.35
  • enabledTLSProtocols

    If "useSSL" is set to "true", overrides the TLS protocols enabled for use on the underlying SSL sockets. This may be used to restrict connections to specific TLS versions.

    Since Version 8.0.8
  • allowLoadLocalInfile

    Should the driver allow use of "LOAD DATA LOCAL INFILE ..."?

    Setting to "true" overrides whatever path is set in 'allowLoadLocalInfileInPath', allowing uploading files from any location.

    Default Value false
    Since Version 3.0.3
  • allowLoadLocalInfileInPath

    Enables "LOAD DATA LOCAL INFILE ..." statements, but only allows loading files from the specified path. Files within sub-directories are also allowed, but relative paths or symlinks that fall outside this path are forbidden.

    Since Version 8.0.22
  • allowMultiQueries

    Allow the use of ';' to delimit multiple queries during one statement (true/false). Default is 'false', and it does not affect the addBatch() and executeBatch() methods, which rely on rewriteBatchStatements instead.

    Default Value false
    Since Version 3.1.1
  • allowUrlInLocalInfile

    Should the driver allow URLs in "LOAD DATA LOCAL INFILE ..." statements?

    Default Value false
    Since Version 3.1.4
  • requireSSL

    For 8.0.12 and earlier: Require server support of SSL connection if useSSL=true? (defaults to 'false').

    For 8.0.13 and later: DEPRECATED. See sslMode property description for details.

    Default Value false
    Since Version 3.1.0
  • useSSL

    For 8.0.12 and earlier: Use SSL when communicating with the server (true/false), default is 'true' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+, otherwise default is 'false'.

    For 8.0.13 and later: Default is 'true'. DEPRECATED. See sslMode property description for details.

    Default Value true
    Since Version 3.0.2
  • verifyServerCertificate

    For 8.0.12 and earlier: If "useSSL" is set to "true", should the driver verify the server's certificate? When using this feature, the key store parameters should be specified by the "clientCertificateKeyStore*" properties, rather than system properties. Default is 'false' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+ and "useSSL" was not explicitly set to "true". Otherwise default is 'true'.

    For 8.0.13 and later: Default is 'false'. DEPRECATED. See sslMode property description for details.

    Default Value false
    Since Version 5.1.6
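
The translation rules in the sslMode entry can be applied mechanically when reviewing connection strings. The following is an added example, not part of the Connector/J documentation or driver code: it resolves the effective sslMode of a JDBC URL from those rules and flags properties switched away from their documented default of false. The function names, the sample URLs and the VERIFY_CA minimum are assumptions of this example.

```python
from urllib.parse import parse_qsl

# Weakest to strongest, in the order the sslMode entry lists them.
SSL_MODES = ["DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"]
# Properties documented on this page with "Default Value false".
DEFAULT_FALSE = ["allowPublicKeyRetrieval", "allowLoadLocalInfile",
                 "allowMultiQueries", "allowUrlInLocalInfile"]

def parse_props(jdbc_url):
    """Return the key=value connection properties that follow '?' in the URL."""
    query = jdbc_url.partition("?")[2]
    return dict(parse_qsl(query, keep_blank_values=True))

def is_true(props, name, default=False):
    return props.get(name, str(default)).strip().lower() == "true"

def effective_ssl_mode(props):
    """Apply the legacy-property translation quoted in the sslMode entry."""
    if "sslMode" in props:  # explicit sslMode: legacy properties are ignored
        return props["sslMode"].strip().upper()
    if "useSSL" not in props:  # neither set: the PREFERRED default applies
        return "PREFERRED"
    if not is_true(props, "useSSL", True):
        return "DISABLED"
    if is_true(props, "verifyServerCertificate"):
        return "VERIFY_CA"
    return "REQUIRED" if is_true(props, "requireSSL") else "PREFERRED"

def audit(jdbc_url, minimum="VERIFY_CA"):
    """Return (effective sslMode, findings); the minimum is this example's choice."""
    props = parse_props(jdbc_url)
    mode = effective_ssl_mode(props)
    findings = []
    if mode not in SSL_MODES:  # e.g. a misspelled value
        findings.append(f"unknown sslMode {mode!r}")
    elif SSL_MODES.index(mode) < SSL_MODES.index(minimum):
        findings.append(f"sslMode {mode} is below {minimum}")
    findings += [f"{p}=true (documented default is false)"
                 for p in DEFAULT_FALSE if is_true(props, p)]
    return mode, findings

# Constructed sample URLs with a hypothetical host; not taken from the page.
SAMPLES = [
    "jdbc:mysql://db.example.internal:3306/app?useSSL=true&requireSSL=true",
    "jdbc:mysql://db.example.internal/app?sslMode=VERIFY_IDENTITY&useSSL=false",
    "jdbc:mysql://db.example.internal/app?useSSL=false&allowPublicKeyRetrieval=true",
]
for url in SAMPLES:
    print(audit(url), url)
```

A URL that sets only "requireSSL=true" resolves to PREFERRED here, following the page's statement that the default applies when neither "sslMode" nor "useSSL" is set explicitly.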