

3.5.3.5 Security

  • paranoid

    Take measures to prevent exposure of sensitive information in error messages and clear data structures holding sensitive data when possible?

    Default Value false
    Since Version 3.0.1
  • serverRSAPublicKeyFile

    File path to the server RSA public key file for 'sha256_password' authentication. If not specified, the public key will be retrieved from the server.

    Since Version 5.1.31
  • allowPublicKeyRetrieval

    Allows special handshake round-trip to get an RSA public key directly from server.

    Default Value false
    Since Version 5.1.31
  • sslMode

    By default, network connections are SSL encrypted; this property permits secure connections to be turned off, or different levels of security to be chosen. The following values are allowed: "DISABLED" - Establish unencrypted connections; "PREFERRED" - Establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections; "REQUIRED" - Establish secure connections if the server enabled them, fail otherwise; "VERIFY_CA" - Like "REQUIRED" but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates; "VERIFY_IDENTITY" - Like "VERIFY_CA", but additionally verify that the server certificate matches the host to which the connection is attempted.

    This property replaced the deprecated legacy properties 'useSSL', 'requireSSL', and 'verifyServerCertificate', which are still accepted but translated into a value for 'sslMode' if 'sslMode' is not explicitly set: "useSSL=false" is translated to "sslMode=DISABLED"; {"useSSL=true", "requireSSL=false", "verifyServerCertificate=false"} is translated to "sslMode=PREFERRED"; {"useSSL=true", "requireSSL=true", "verifyServerCertificate=false"} is translated to "sslMode=REQUIRED"; {"useSSL=true", "verifyServerCertificate=true"} is translated to "sslMode=VERIFY_CA". There are no equivalent legacy settings for "sslMode=VERIFY_IDENTITY". Note that, for all server versions, the default setting of 'sslMode' is "PREFERRED", and it is equivalent to the legacy settings of "useSSL=true", "requireSSL=false", and "verifyServerCertificate=false", which are different from their default settings for Connector/J 8.0.12 and earlier in some situations. Applications that continue to use the legacy properties and rely on their old default settings should be reviewed.

    The legacy properties are ignored if 'sslMode' is set explicitly. If none of 'sslMode' or 'useSSL' is set explicitly, the default setting of "sslMode=PREFERRED" applies.

    Default Value PREFERRED
    Since Version 8.0.13
  • trustCertificateKeyStoreUrl

    URL for the trusted root certificates key store.

    If not specified, the property 'fallbackToSystemTrustStore' determines whether the system-wide trust store is used.

    Since Version 5.1.0
  • trustCertificateKeyStoreType

    Key store type for trusted root certificates.

    Null or empty means use the default, which is "JKS". Standard key store types supported by the JVM are "JKS" and "PKCS12"; your environment may have more available depending on what security providers are installed and available to the JVM.

    Default Value JKS
    Since Version 5.1.0
  • trustCertificateKeyStorePassword

    Password for the trusted root certificates key store.

    Since Version 5.1.0
  • fallbackToSystemTrustStore

    Whether the absence of setting a value for 'trustCertificateKeyStoreUrl' falls back to using the system-wide default trust store or one defined through the system properties 'javax.net.ssl.trustStore*'.

    Default Value true
    Since Version 8.0.22
  • clientCertificateKeyStoreUrl

    URL for the client certificate KeyStore.

    If not specified, the property 'fallbackToSystemKeyStore' determines whether the system-wide key store is used.

    Since Version 5.1.0
  • clientCertificateKeyStoreType

    Key store type for client certificates.

    Null or empty means use the default, which is "JKS". Standard key store types supported by the JVM are "JKS" and "PKCS12"; your environment may have more available depending on what security providers are installed and available to the JVM.

    Default Value JKS
    Since Version 5.1.0
  • clientCertificateKeyStorePassword

    Password for the client certificates key store.

    Since Version 5.1.0
  • fallbackToSystemKeyStore

    Whether the absence of setting a value for 'clientCertificateKeyStoreUrl' falls back to using the system-wide key store defined through the system properties 'javax.net.ssl.keyStore*'.

    Default Value true
    Since Version 8.0.22
  • tlsCiphersuites

    When establishing secure connections, overrides the cipher suites enabled for use on the underlying SSL sockets. This may be required when using external JSSE providers or to specify cipher suites compatible with both the MySQL server and the JVM in use. Prior to version 8.0.28, this property was named 'enabledSSLCipherSuites', which remains as an alias.

    Since Version 5.1.35
  • tlsVersions

    List of TLS protocols to allow when establishing secure connections. Overrides the TLS protocols enabled in the underlying SSL sockets. This can be used to restrict connections to specific TLS versions and, by doing that, avoid TLS negotiation fallback. Allowed and default values are "TLSv1.2" and "TLSv1.3". Prior to version 8.0.28, this property was named 'enabledTLSProtocols', which remains as an alias.

    Since Version 8.0.8
  • fipsCompliantJsse

    Enables Connector/J to be compatible with JSSE operating in FIPS mode. Should be set to "true" if the JSSE is configured to operate in FIPS mode and Connector/J receives the error "FIPS mode: only SunJSSE TrustManagers may be used" when creating secure connections. If set to "true" then, when establishing secure connections, the driver operates as if 'sslMode' was set to "VERIFY_CA" or "VERIFY_IDENTITY", i.e., all secure connections require at least server certificate validation, for which a trust store must be configured or fallback to the system-wide trust store must be enabled.

    Default Value false
    Since Version 8.1.0
  • KeyManagerFactoryProvider

    The name of a Java Security Provider that provides a 'javax.net.ssl.KeyManagerFactory' implementation. If none is specified then the default one is used.

    Since Version 8.1.0
  • trustManagerFactoryProvider

    The name of a Java Security Provider that provides a 'javax.net.ssl.TrustManagerFactory' implementation. If none is specified then the default one is used.

    Since Version 8.1.0
  • keyStoreProvider

    The name of a Java Security Provider that provides a 'java.security.KeyStore' implementation that supports the key store types specified with 'clientCertificateKeyStoreType' and 'trustCertificateKeyStoreType'. If none is specified then the default one is used.

    Since Version 8.1.0
  • sslContextProvider

    The name of a Java Security Provider that provides a 'javax.net.ssl.SSLContext' implementation. If none is specified then the default one is used.

    Since Version 8.1.0
  • allowLoadLocalInfile

    Should the driver allow use of "LOAD DATA LOCAL INFILE ..."?

    Setting to "true" overrides whatever path is set in 'allowLoadLocalInfileInPath', allowing uploading files from any location.

    Default Value false
    Since Version 3.0.3
  • allowLoadLocalInfileInPath

    Enables "LOAD DATA LOCAL INFILE ..." statements, but only allows loading files from the specified path. Files within sub-directories are also allowed, but relative paths or symlinks that fall outside this path are forbidden.

    Since Version 8.0.22
  • allowMultiQueries

    Allow the use of ";" to delimit multiple queries during one statement. This option does not affect the 'addBatch()' and 'executeBatch()' methods, which rely on 'rewriteBatchStatements' instead.

    Default Value false
    Since Version 3.1.1
  • allowUrlInLocalInfile

    Should the driver allow URLs in "LOAD DATA LOCAL INFILE ..." statements?

    Default Value false
    Since Version 3.1.4
  • requireSSL

    DEPRECATED: See 'sslMode' property description for details.

    For 8.0.12 and earlier: Require server support of SSL connection if "useSSL=true".

    Default Value false
    Since Version 3.1.0
  • useSSL

    DEPRECATED: See 'sslMode' property description for details.

    For 8.0.12 and earlier: Use SSL when communicating with the server, default is "true" when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+, otherwise default is "false".

    For 8.0.13 and later: Default is "true".

    Default Value true
    Since Version 3.0.2
  • verifyServerCertificate

    DEPRECATED: See 'sslMode' property description for details.

    For 8.0.12 and earlier: If 'useSSL' is set to "true", should the driver verify the server's certificate? When using this feature, the key store parameters should be specified by the 'clientCertificateKeyStore*' properties, rather than system properties. Default is "false" when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+ and 'useSSL' was not explicitly set to "true". Otherwise default is "true".

    For 8.0.13 and later: Default is "false".

    Default Value false
    Since Version 5.1.6
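
Added example, not part of the manual or of Connector/J: a small review aid that resolves the effective 'sslMode' of a JDBC URL using the precedence and legacy-translation rules stated under 'sslMode' above (8.0.13 and later defaults), and reports properties on this page whose "false" default has been overridden. The class name, the findings text and the sample URLs are constructed for illustration; property names are matched exactly as written and values are not URL-decoded.

```java
import java.util.*;

public class ConnectorJUrlAudit {

    // Split the query string ("k=v&k2=v2") of a JDBC URL into properties.
    static Map<String, String> params(String url) {
        Map<String, String> p = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0) return p;
        for (String kv : url.substring(q + 1).split("&")) {
            int eq = kv.indexOf('=');
            if (eq > 0) p.put(kv.substring(0, eq), kv.substring(eq + 1));
        }
        return p;
    }

    // An absent property counts as false, the documented 8.0.13+ default
    // for every property this helper is called with except 'useSSL'.
    static boolean isTrue(Map<String, String> p, String key) {
        return "true".equalsIgnoreCase(p.get(key));
    }

    // An explicit sslMode wins and the legacy properties are ignored;
    // otherwise the legacy properties apply only when useSSL is explicit.
    static String effectiveSslMode(Map<String, String> p) {
        if (p.containsKey("sslMode")) return p.get("sslMode").toUpperCase(Locale.ROOT);
        if (!p.containsKey("useSSL")) return "PREFERRED";
        if (!isTrue(p, "useSSL")) return "DISABLED";
        if (isTrue(p, "verifyServerCertificate")) return "VERIFY_CA";
        return isTrue(p, "requireSSL") ? "REQUIRED" : "PREFERRED";
    }

    static List<String> audit(String url) {
        Map<String, String> p = params(url);
        List<String> findings = new ArrayList<>();
        String mode = effectiveSslMode(p);
        if (!mode.equals("VERIFY_CA") && !mode.equals("VERIFY_IDENTITY"))
            findings.add("effective sslMode=" + mode + ": server certificate is not verified");
        for (String key : List.of("allowPublicKeyRetrieval", "allowLoadLocalInfile",
                                  "allowUrlInLocalInfile", "allowMultiQueries"))
            if (isTrue(p, key)) findings.add(key + "=true overrides the default of false");
        return findings;
    }

    public static void main(String[] args) {
        for (String url : List.of(   // constructed sample URLs
                "jdbc:mysql://db.example.test:3306/app?useSSL=true&requireSSL=true",
                "jdbc:mysql://db.example.test:3306/app?sslMode=VERIFY_IDENTITY&useSSL=false",
                "jdbc:mysql://db.example.test:3306/app?allowPublicKeyRetrieval=true"))
            System.out.println(url + "\n  -> " + audit(url));
    }
}
```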