MySQL 5.5 Reference Manual

4.2.3 Command Options for Connecting to the Server

This section describes options supported by most MySQL client programs that control how client programs establish connections to the server and whether connections are encrypted. These options can be given on the command line or in an option file.

Command Options for Connection Establishment

This section describes options that control how client programs establish connections to the server. For additional information and examples showing how to use them, see Section 4.2.4, “Connecting to the MySQL Server Using Command Options”.

Table 4.3 Connection-Establishment Option Summary

| Option Name | Description | Introduced |
|---|---|---|
| --default-auth | Authentication plugin to use | 5.5.7 |
| --host | Host on which MySQL server is located | |
| --password | Password to use when connecting to server | |
| --pipe | Connect to server using named pipe (Windows only) | |
| --plugin-dir | Directory where plugins are installed | 5.5.7 |
| --port | TCP/IP port number for connection | |
| --protocol | Connection protocol to use | |
| --secure-auth | Do not send passwords to server in old (pre-4.1) format | |
| --shared-memory-base-name | Name of shared memory to use for shared-memory connections | |
| --socket | Unix socket file or Windows named pipe to use | |
| --user | MySQL user name to use when connecting to server | |

  • --default-auth=plugin

    A hint about which client-side authentication plugin to use. See Section 6.2.10, “Pluggable Authentication”.

  • --host=host_name, -h host_name

    The host on which the MySQL server is running. The value can be a host name, IPv4 address, or IPv6 address. The default value is localhost.

  • --password[=pass_val], -p[pass_val]

    The password of the MySQL account used for connecting to the server. The password value is optional. If not given, the program prompts for one. If given, there must be no space between --password= or -p and the password following it. If no password option is specified, the default is to send no password.

    Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. See Section 6.1.2.1, “End-User Guidelines for Password Security”.

    To explicitly specify that there is no password and that the client program should not prompt for one, use the --skip-password option.

  • --pipe, -W

    On Windows, connect to the server using a named pipe. This option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections.

  • --plugin-dir=dir_name

    The directory in which to look for plugins. Specify this option if the --default-auth option is used to specify an authentication plugin but the client program does not find it. See Section 6.2.10, “Pluggable Authentication”.

  • --port=port_num, -P port_num

    For TCP/IP connections, the port number to use. The default port number is 3306.

  • --protocol={TCP|SOCKET|PIPE|MEMORY}

    This option explicitly specifies which protocol to use for connecting to the server. It is useful when other connection parameters normally result in use of a protocol other than the one you want. For example, connections on Unix to localhost are made using a Unix socket file by default:

    mysql --host=localhost

    To force a TCP/IP connection to be used instead, specify a --protocol option:

    mysql --host=localhost --protocol=TCP

    The following table shows the permissible --protocol option values and indicates the platforms on which each value may be used. The values are not case-sensitive.

    | --protocol Value | Connection Protocol | Permissible Operating Systems |
    |---|---|---|
    | TCP | TCP/IP connection to local or remote server | All |
    | SOCKET | Unix socket file connection to local server | Unix only |
    | PIPE | Named-pipe connection to local or remote server | Windows only |
    | MEMORY | Shared-memory connection to local server | Windows only |

  • --secure-auth

    Do not send passwords to the server in old (pre-4.1) format. This prevents connections except for servers that use the newer password format.

    Note

    Passwords that use the pre-4.1 hashing method are less secure than passwords that use the native password hashing method and should be avoided.

  • --shared-memory-base-name=name

    On Windows, the shared-memory name to use for connections made using shared memory to a local server. The default value is MYSQL. The shared-memory name is case-sensitive.

    This option applies only if the server was started with the shared_memory system variable enabled to support shared-memory connections.

  • --socket=path, -S path

    On Unix, the name of the Unix socket file to use for connections made through a Unix socket file to a local server. The default Unix socket file name is /tmp/mysql.sock.

    On Windows, the name of the named pipe to use for connections to a local server. The default Windows pipe name is MySQL. The pipe name is not case-sensitive.

    On Windows, this option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections.

  • --user=user_name, -u user_name

    The user name of the MySQL account to use for connecting to the server. The default user name is ODBC on Windows or your Unix login name on Unix.
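
The --password description above says a value given on the command line should be considered insecure. The following added example (not part of the MySQL manual) scans recorded client invocations for that pattern, using the syntax rules stated above: no space between -p or --password= and the value, and -P meaning the port. The function name and the sample command lines are constructed for illustration.

```python
import os
import shlex

# Standard MySQL client programs to inspect.
CLIENTS = {"mysql", "mysqladmin", "mysqlcheck", "mysqldump", "mysqlimport", "mysqlshow"}

def password_exposures(command_lines):
    """Return (line_number, option) pairs for invocations that carry a password value.

    The value itself is never returned, so findings are safe to log.
    (password_exposures is a hypothetical helper, not a MySQL tool.)
    """
    findings = []
    for number, line in enumerate(command_lines, 1):
        argv = shlex.split(line)
        if not argv or os.path.basename(argv[0]) not in CLIENTS:
            continue
        for arg in argv[1:]:
            if arg.startswith("--password=") and arg != "--password=":
                findings.append((number, "--password"))
            elif arg.startswith("-p") and len(arg) > 2:
                # "-pVALUE": no space is allowed, so a bare "-p" means "prompt".
                # Case matters: "-P" is the port option.
                findings.append((number, "-p"))
    return findings

# Constructed sample: command lines as they might appear in shell history.
SAMPLE = [
    "mysql --host=db1.example.test --user=app --password=Constructed1 inventory",
    "/usr/bin/mysqldump -h db1.example.test -u backup -pConstructed2 inventory",
    "mysql -u app -p inventory",             # prompts; "inventory" is the database
    "mysqladmin -P 3307 --password status",  # -P is the port; --password prompts
    "mysql --defaults-extra-file=/home/app/.my.cnf inventory",
]

if __name__ == "__main__":
    for number, option in password_exposures(SAMPLE):
        print(f"line {number}: password value passed with {option}")
```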

Command Options for Encrypted Connections

This section describes options that specify whether to use encrypted connections, the names of certificate and key files, and other parameters related to encrypted-connection support. They are not available unless MySQL has been built with SSL support. See Section 6.3.4, “Building MySQL with Support for Encrypted Connections”. For examples of suggested use and how to check whether a connection is encrypted, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.

For information about using encrypted connections from the MySQL C API, see Section 23.8.15, “C API Encrypted Connection Support”.

Table 4.4 Connection-Encryption Option Summary

| Option Name | Description | Introduced |
|---|---|---|
| --skip-ssl | Disable connection encryption | |
| --ssl | Enable connection encryption | |
| --ssl-ca | File that contains list of trusted SSL Certificate Authorities | |
| --ssl-capath | Directory that contains trusted SSL Certificate Authority certificate files | |
| --ssl-cert | File that contains X.509 certificate | |
| --ssl-cipher | Permissible ciphers for connection encryption | |
| --ssl-key | File that contains X.509 key | |
| --ssl-mode | Desired security state of connection to server | 5.5.49 |
| --ssl-verify-server-cert | Verify host name against server certificate Common Name identity | |

  • --ssl, --skip-ssl

    For the MySQL server, this option specifies that the server permits but does not require encrypted connections.

    For MySQL client programs, this option permits but does not require the client to connect to the server using encryption. Therefore, this option is not sufficient in itself to cause an encrypted connection to be used. For example, if you specify this option for a client program but the server has not been configured to support encrypted connections, the client falls back to an unencrypted connection.

    As a recommended set of options to enable encrypted connections, consider using at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side. See Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.

    --ssl may be implied by other --ssl-xxx options, as indicated in the descriptions for those options.

    The --ssl option in negated form indicates that encryption should not be used and overrides other --ssl-xxx options. Specify the option as --skip-ssl or a synonym (--ssl=0, --disable-ssl). For example, you might have options specified in the [client] group of your option file to use encrypted connections by default when you invoke MySQL client programs. To use an unencrypted connection instead, invoke the client program with --ssl=0 on the command line to override the options in the option file.

    To require use of encrypted connections by a MySQL account, use a GRANT statement for the account that includes a REQUIRE SSL clause. This causes connection attempts by clients that use the account to be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

    The REQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see the description of REQUIRE in Section 13.7.1.3, “GRANT Syntax”.

  • --ssl-ca=file_name

    The path name of the Certificate Authority (CA) certificate file in PEM format. This option implies --ssl.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

  • --ssl-capath=dir_name

    The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format. This option implies --ssl.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

    Support for this option depends on the SSL library used to compile MySQL. See Section 6.3.3, “SSL Library-Dependent Capabilities”.

  • --ssl-cert=file_name

    The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate. This option implies --ssl.

  • --ssl-cipher=cipher_list

    The list of permissible ciphers for connection encryption. If no cipher in the list is supported, encrypted connections will not work. This option implies --ssl.

    For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:

    --ssl-cipher=AES128-SHA
    --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

    OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at https://www.openssl.org/docs/manmaster/man1/ciphers.html. yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.

    For information about which encryption ciphers MySQL supports, see Section 6.3.5, “Encrypted Connection Protocols and Ciphers”.

  • --ssl-key=file_name

    The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key. This option implies --ssl.

    If the MySQL distribution was compiled using OpenSSL and the key file is protected by a passphrase, the program prompts the user for the passphrase. The passphrase must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. If the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.

  • --ssl-mode=mode

    This option is available only for client programs, not the server. It specifies the desired security state of the connection to the server:

    • If this option is not specified, the default is to establish an unencrypted connection. This is like the --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

    • If this option is specified, the only permissible value is REQUIRED (establish an encrypted connection if the server supports encrypted connections). The connection attempt fails if an encrypted connection cannot be established.

    The --ssl-mode option was added in MySQL 5.5.49.

    Note

    To require encrypted connections in MySQL 5.5, the standard MySQL client programs check whether the connection is encrypted if --ssl-mode=REQUIRED was specified. If not, the client exits with an error. Third-party applications that must be able to require encrypted connections can use the same technique. For details, see Section 23.8.7.67, “mysql_ssl_set()”.

  • --ssl-verify-server-cert

    This option is available only for client programs, not the server. It causes the client to perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client. The client checks whether the host name that it uses for connecting matches the Common Name value in the server certificate. The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. Host name identity verification is disabled by default.
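
The rules in this section combine in ways that are easy to misread: --ssl alone only permits encryption, the negated form overrides other --ssl-xxx options, the server certificate is authenticated only when --ssl-ca or --ssl-capath is given, and host name verification is off by default. The following added example (not part of the MySQL manual) applies those rules to the [client] group of an option file; the function name, sample files and the /etc/mysql/ca.pem path are constructed for illustration.

```python
import configparser

# Options that this section says imply --ssl.
IMPLIES_SSL = {"ssl-ca", "ssl-capath", "ssl-cert", "ssl-cipher", "ssl-key"}

def audit_client_tls(option_file_text):
    """Classify the [client] group of a MySQL 5.5 option file (hypothetical helper)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(option_file_text)
    opts = {}
    if cp.has_section("client"):
        # Dashes and underscores are interchangeable in MySQL option names.
        opts = {k.replace("_", "-"): v for k, v in cp.items("client")}

    # Negated --ssl overrides other --ssl-xxx options; letting it override
    # ssl-mode as well is an assumption of this example.
    disabled = "skip-ssl" in opts or "disable-ssl" in opts or opts.get("ssl") == "0"
    # Case-insensitive match on REQUIRED is an assumption of this example.
    required = (opts.get("ssl-mode") or "").upper() == "REQUIRED"
    enabled = "ssl" in opts or bool(IMPLIES_SSL & opts.keys())

    if disabled or not (required or enabled):
        encryption = "unencrypted"
    elif required:
        encryption = "required"        # connection attempt fails without encryption
    else:
        encryption = "opportunistic"   # permitted, but falls back to unencrypted

    encrypted = encryption != "unencrypted"
    return {
        "encryption": encryption,
        "server_cert_authenticated": encrypted and ("ssl-ca" in opts or "ssl-capath" in opts),
        "host_name_verified": encrypted and "ssl-verify-server-cert" in opts,
    }

# Constructed sample option files.
WEAK = "[client]\nssl\nssl-cipher=AES128-SHA\n"
HARDENED = "[client]\nssl-mode=REQUIRED\nssl-ca=/etc/mysql/ca.pem\nssl-verify-server-cert\n"
OVERRIDDEN = "[client]\nssl-ca=/etc/mysql/ca.pem\nskip-ssl\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("overridden", OVERRIDDEN)):
        print(name, audit_client_tls(text))
```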