This section describes options supported by most MySQL client programs that control how client programs establish connections to the server and whether connections are encrypted. These options can be given on the command line or in an option file.
This section describes options that control how client programs establish connections to the server. For additional information and examples showing how to use them, see Section 4.2.4, “Connecting to the MySQL Server Using Command Options”.
Table 4.3 Connection-Establishment Option Summary
Option Name | Description |
---|---|
--default-auth | Authentication plugin to use |
--host | Host on which MySQL server is located |
--password | Password to use when connecting to server |
--pipe | Connect to server using named pipe (Windows only) |
--plugin-dir | Directory where plugins are installed |
--port | TCP/IP port number for connection |
--protocol | Transport protocol to use |
--secure-auth | Do not send passwords to server in old (pre-4.1) format |
--shared-memory-base-name | Shared-memory name for shared-memory connections (Windows only) |
--socket | Unix socket file or Windows named pipe to use |
--user | MySQL user name to use when connecting to server |
A hint about which client-side authentication plugin to use. See Section 6.2.11, “Pluggable Authentication”.
--host=
,host_name
-h
host_name
The host on which the MySQL server is running. The value can be a host name, IPv4 address, or IPv6 address. The default value is
localhost
.--password[=
,pass_val
]-p[
pass_val
]The password of the MySQL account used for connecting to the server. The password value is optional. If not given, the client program prompts for one. If given, there must be no space between
--password=
or-p
and the password following it. If no password option is specified, the default is to send no password.Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. See Section 6.1.2.1, “End-User Guidelines for Password Security”.
To explicitly specify that there is no password and that the client program should not prompt for one, use the
--skip-password
option.--pipe
,-W
On Windows, connect to the server using a named pipe. This option applies only if the server was started with the
named_pipe
system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by thenamed_pipe_full_access_group
system variable.The directory in which to look for plugins. Specify this option if the
--default-auth
option is used to specify an authentication plugin but the client program does not find it. See Section 6.2.11, “Pluggable Authentication”.--port=
,port_num
-P
port_num
For TCP/IP connections, the port number to use. The default port number is 3306.
--protocol={TCP|SOCKET|PIPE|MEMORY}
This option explicitly specifies which transport protocol to use for connecting to the server. It is useful when other connection parameters normally result in use of a protocol other than the one you want. For example, connections on Unix to
localhost
are made using a Unix socket file by default:mysql --host=localhost
To force TCP/IP transport to be used instead, specify a
--protocol
option:mysql --host=localhost --protocol=TCP
The following table shows the permissible
--protocol
option values and indicates the applicable platforms for each value. The values are not case-sensitive.--protocol
ValueTransport Protocol Used Applicable Platforms TCP
TCP/IP transport to local or remote server All SOCKET
Unix socket-file transport to local server Unix and Unix-like systems PIPE
Named-pipe transport to local server Windows MEMORY
Shared-memory transport to local server Windows Do not send passwords to the server in old (pre-4.1) format. This prevents connections except for servers that use the newer password format. This option is enabled by default; use
--skip-secure-auth
to disable it.NotePasswords that use the pre-4.1 hashing method are less secure than passwords that use the native password hashing method and should be avoided. Pre-4.1 passwords are deprecated; expect support for them to be removed in a future MySQL release. For account upgrade instructions, see Section 6.4.1.3, “Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin”.
NoteThis option is deprecated; expect it to be removed in a future release. As of MySQL 5.7.5, it is always enabled and attempting to disable it produces an error.
--shared-memory-base-name=
name
On Windows, the shared-memory name to use for connections made using shared memory to a local server. The default value is
MYSQL
. The shared-memory name is case-sensitive.This option applies only if the server was started with the
shared_memory
system variable enabled to support shared-memory connections.--socket=
,path
-S
path
On Unix, the name of the Unix socket file to use for connections made using a named pipe to a local server. The default Unix socket file name is
/tmp/mysql.sock
.On Windows, the name of the named pipe to use for connections to a local server. The default Windows pipe name is
MySQL
. The pipe name is not case-sensitive.On Windows, this option applies only if the server was started with the
named_pipe
system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by thenamed_pipe_full_access_group
system variable.--user=
,user_name
-u
user_name
The user name of the MySQL account to use for connecting to the server. The default user name is
ODBC
on Windows or your Unix login name on Unix.
This section describes options for client programs that specify whether to use encrypted connections to the server, the names of certificate and key files, and other parameters related to encrypted-connection support. For examples of suggested use and how to check whether a connection is encrypted, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
These options have an effect only for connections that use a transport protocol subject to encryption; that is, TCP/IP and Unix socket-file connections. See Section 4.2.5, “Connection Transport Protocols”
For information about using encrypted connections from the MySQL C API, see Support for Encrypted Connections.
Table 4.4 Connection-Encryption Option Summary
Option Name | Description | Introduced |
---|---|---|
--server-public-key-path | Path name to file containing RSA public key | |
--skip-ssl | Disable connection encryption | |
--ssl | Enable connection encryption | |
--ssl-ca | File that contains list of trusted SSL Certificate Authorities | |
--ssl-capath | Directory that contains trusted SSL Certificate Authority certificate files | |
--ssl-cert | File that contains X.509 certificate | |
--ssl-cipher | Permissible ciphers for connection encryption | |
--ssl-crl | File that contains certificate revocation lists | |
--ssl-crlpath | Directory that contains certificate revocation-list files | |
--ssl-key | File that contains X.509 key | |
--ssl-mode | Desired security state of connection to server | 5.6.30 |
--ssl-verify-server-cert | Verify host name against server certificate Common Name identity |
--server-public-key-path=
file_name
The path name to a file in PEM format containing a client-side copy of the public key required by the server for RSA key pair-based password exchange. This option applies to clients that connect to the server with the
sha256_password
authentication plugin. This option is ignored for accounts that do not authenticate with that plugin. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.This option is available only if MySQL was built using OpenSSL.
For information about the
sha256_password
plugin, see Section 6.4.1.4, “SHA-256 Pluggable Authentication”.This option permits but does not require the client to connect to the server using encryption. Therefore, this option is not sufficient in itself to cause an encrypted connection to be used. For example, if you specify this option for a client program but the server has not been configured to support encrypted connections, the client falls back to an unencrypted connection.
--ssl
may be implied by other--ssl-
options, as indicated in the descriptions for those options.xxx
To specify additional parameters for encrypted connections, consider setting at least the
ssl_cert
andssl_key
system variables on the server side and the--ssl-ca
option on the client side. See Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.The
--ssl
option in negated form indicates that encryption should not be used and overrides other--ssl-
options. Specify the option asxxx
--skip-ssl
or a synonym (--ssl=0
,--disable-ssl
). For example, you might have options specified in the[client]
group of your option file to use encrypted connections by default when you invoke MySQL client programs. To use an unencrypted connection instead, invoke the client program with--ssl=0
on the command line to override the options in the option file.To require use of encrypted connections by a MySQL account, use a
GRANT
statement for the account that includes aREQUIRE SSL
clause. This causes connection attempts by clients that use the account to be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.The
REQUIRE
clause permits other encryption-related options, which can be used to enforce security requirements stricter thanREQUIRE SSL
. For additional details about which command options may or must be specified by clients that connect using accounts configured using the variousREQUIRE
options, see the description ofREQUIRE
in Section 13.7.1.4, “GRANT Statement”.The path name of the Certificate Authority (CA) certificate file in PEM format. The file contains a list of trusted SSL Certificate Authorities. This option implies
--ssl
.To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither
--ssl-ca
nor--ssl-capath
. The server still verifies the client according to any applicable requirements established for the client account, and it still uses anyssl_ca
orssl_capath
system variable values specified on the server side.To specify the CA file for the server, set the
ssl_ca
system variable.The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format. Support for this capability depends on the SSL library used to compile MySQL; see Section 6.3.4, “SSL Library-Dependent Capabilities”. This option implies
--ssl
.To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither
--ssl-ca
nor--ssl-capath
. The server still verifies the client according to any applicable requirements established for the client account, and it still uses anyssl_ca
orssl_capath
system variable values specified on the server side.To specify the CA directory for the server, set the
ssl_capath
system variable.The path name of the client SSL public key certificate file in PEM format. This option implies
--ssl
.To specify the server SSL public key certificate file, set the
ssl_cert
system variable.The list of permissible ciphers for connection encryption. If no cipher in the list is supported, encrypted connections do not work. This option implies
--ssl
.For greatest portability,
cipher_list
should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:--ssl-cipher=AES128-SHA --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA
OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at https://www.openssl.org/docs/manmaster/man1/ciphers.html. yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.
For information about which encryption ciphers MySQL supports, see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.
To specify the encryption ciphers for the server, set the
ssl_cipher
system variable.The path name of the file containing certificate revocation lists in PEM format. Support for revocation-list capability depends on the SSL library used to compile MySQL. See Section 6.3.4, “SSL Library-Dependent Capabilities”. This option implies
--ssl
.If neither
--ssl-crl
nor--ssl-crlpath
is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.To specify the revocation-list file for the server, set the
ssl_crl
system variable.The path name of the directory that contains certificate revocation-list files in PEM format. Support for revocation-list capability depends on the SSL library used to compile MySQL. See Section 6.3.4, “SSL Library-Dependent Capabilities”. This option implies
--ssl
.If neither
--ssl-crl
nor--ssl-crlpath
is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.To specify the revocation-list directory for the server, set the
ssl_crlpath
system variable.The path name of the client SSL private key file in PEM format. For better security, use a certificate with an RSA key size of at least 2048 bits. This option implies
--ssl
.If the key file is protected by a passphrase, the client program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.
To specify the server SSL private key file, set the
ssl_key
system variable.This option specifies the desired security state of the connection to the server:
If this option is not specified, the default is to establish an unencrypted connection. This is like the
--ssl=0
option or its synonyms (--skip-ssl
,--disable-ssl
).If this option is specified, the only permissible mode value is
REQUIRED
(establish an encrypted connection if the server supports encrypted connections). The connection attempt fails if an encrypted connection cannot be established.
The
--ssl-mode
option was added in MySQL 5.6.30.NoteTo require encrypted connections in MySQL 5.6, the standard MySQL client programs check whether the connection is encrypted if
--ssl-mode=REQUIRED
was specified. If not, the client exits with an error. Third-party applications that must be able to require encrypted connections can use the same technique. For details, see mysql_ssl_set().Important--ssl-mode=REQUIRED
produces an encrypted connection. However, to help prevent sophisticated man-in-the-middle attacks, it is also important for the client to verify the server’s identity. Adding the--ssl-verify-server-cert
option achieves this. To implement that additional option, you must first ensure that the CA certificate for the server is reliably available to all the clients that use it in your environment, otherwise availability issues will result.This option causes the client to perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client:
As of MySQL 5.6.41, if the client uses OpenSSL 1.0.2 or higher, the client checks whether the host name that it uses for connecting matches either the Subject Alternative Name value or the Common Name value in the server certificate. Host name identity verification also works with certificates that specify the Common Name using wildcards.
Otherwise, the client checks whether the host name that it uses for connecting matches the Common Name value in the server certificate.
The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. Host name identity verification is disabled by default.