To enable encrypted connections, your MySQL distribution must be built with SSL support, as described in Section 6.4.5, “Building MySQL with Support for Encrypted Connections”. In addition, several options are available to indicate whether to use encrypted connections, and to specify the appropriate certificate and key files. This section provides general guidance about configuring the server and clients for encrypted connections:
For a complete list of options related to establishment of encrypted connections, see Section 6.4.2, “Command Options for Encrypted Connections”. If you need to create the required certificate and key files, see Section 6.4.3, “Creating SSL Certificates and Keys Using openssl”.
Encrypted connections can be used between master and slave replication servers. See Section 17.3.7, “Setting Up Replication to Use Encrypted Connections”.
Encrypted connections are available through the MySQL C API. See Section 23.8.15, “C API Encrypted Connection Support”.
These options on the server side identify the certificate and key files the server uses when permitting clients to establish encrypted connections:
For example, to enable the server for encrypted connections, start it with these lines in its option file, changing the file names as necessary:

[mysqld]
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
Each option names a file in PEM format. If you have a MySQL
source distribution, you can test your setup using the
demonstration certificate and key files in its
These options on the client side identify the certificate and key files clients use when establishing encrypted connections to the server. They are similar to the options used on the server side, but --ssl-cert and --ssl-key identify the client public and private key:
Depending on the encryption requirements of the MySQL account used by a client, the client may be required to specify certain options to connect using encryption to a MySQL server that supports encrypted connections.
Suppose that you want to connect using an account that has no special encryption requirements or was created using a GRANT statement that includes the REQUIRE SSL option. As a recommended set of encrypted-connection options, start the server with at least --ssl-cert and --ssl-key, and invoke the client with --ssl-ca. A client can connect using encryption like this:
To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:

mysql --ssl-ca=ca.pem \
      --ssl-cert=client-cert.pem \
      --ssl-key=client-key.pem
For additional information about the REQUIRE clause, see the discussion in Section 22.214.171.124, “GRANT Syntax”.
To determine whether the current connection with the server uses encryption, check the value of the Ssl_cipher status variable. If the value is empty, the connection is not encrypted. Otherwise, the connection is encrypted and the value indicates the encryption cipher. For example:

mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
For the mysql client, an alternative is to use the \s command and check the SSL line of its output:

mysql> \s
...
SSL: Not in use
...

mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
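As an added illustration (not part of the MySQL manual), the following Python helpers encode the rules above: which client options an account's REQUIRE clause calls for, and how to read the Ssl_cipher value and the \s output to tell whether a session is encrypted. The function names and the sample strings are assumptions constructed for the example.

```python
from typing import List, Optional, Sequence, Tuple


def client_ssl_args(requirement: str, ca: str, cert: Optional[str] = None,
                    key: Optional[str] = None) -> List[str]:
    """Build the mysql client options an account's REQUIRE clause calls for.

    requirement: "NONE" (no encryption requirement), "SSL" (REQUIRE SSL)
    or "X509" (REQUIRE X509). Following the manual's recommendation, the
    client always passes --ssl-ca so it can verify the server certificate.
    """
    req = requirement.upper()
    if req not in ("NONE", "SSL", "X509"):
        raise ValueError(f"unknown REQUIRE clause: {requirement}")
    args = [f"--ssl-ca={ca}"]
    if req == "X509" and not (cert and key):
        # REQUIRE X509: the server rejects a connection without a client cert/key
        raise ValueError("REQUIRE X509 needs --ssl-cert and --ssl-key")
    if cert and key:
        args += [f"--ssl-cert={cert}", f"--ssl-key={key}"]
    return args


def cipher_from_status_rows(rows: Sequence[Tuple[str, str]]) -> Optional[str]:
    """Interpret SHOW SESSION STATUS LIKE 'Ssl_cipher' rows (name, value).

    An empty Ssl_cipher value means the connection is NOT encrypted.
    """
    for name, value in rows:
        if name == "Ssl_cipher":
            return value or None
    raise ValueError("no Ssl_cipher row in status output")


def cipher_from_status_command(output: str) -> Optional[str]:
    """Interpret the SSL: line of the mysql client's STATUS (\\s) output."""
    for line in output.splitlines():
        if line.lstrip().startswith("SSL:"):
            rest = line.split(":", 1)[1].strip()
            if rest == "Not in use":
                return None
            prefix = "Cipher in use is "
            if rest.startswith(prefix):
                return rest[len(prefix):]
            raise ValueError(f"unrecognized SSL status line: {line!r}")
    raise ValueError("no SSL: line in STATUS output")


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the manual's examples above.
    print(client_ssl_args("X509", "ca.pem", "client-cert.pem", "client-key.pem"))
    print(cipher_from_status_rows([("Ssl_cipher", "")]))  # None: plaintext session
    print(cipher_from_status_command("SSL:\t\tCipher in use is DHE-RSA-AES256-SHA"))
```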