Documentation Home
MySQL 5.7 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 38.0Mb
PDF (A4) - 38.1Mb
PDF (RPM) - 37.3Mb
HTML Download (TGZ) - 10.2Mb
HTML Download (Zip) - 10.3Mb
HTML Download (RPM) - 8.9Mb
Man Pages (TGZ) - 217.0Kb
Man Pages (Zip) - 329.9Kb
Info (Gzip) - 3.5Mb
Info (Zip) - 3.5Mb
Excerpts from this Manual

MySQL 5.7 Reference Manual  /  ...  /  Command Options for Encrypted Connections

6.4.2 Command Options for Encrypted Connections

This section describes options that specify whether to use encrypted connections, the names of certificate and key files, and other parameters related to encrypted-connection support. These options can be given on the command line or in an option file. For examples of suggested use and how to check whether a connection is encrypted, see Section 6.4.1, “Configuring MySQL to Use Encrypted Connections”.

For information about using encrypted connections from the MySQL C API, see Section 27.8.15, “C API Encrypted Connection Support”.

Table 6.8 Encrypted-Connection Option Summary

FormatDescriptionIntroduced
--skip-sslDo not use encrypted connection 
--sslEnable encrypted connection 
--ssl-caFile that contains list of trusted SSL Certificate Authorities 
--ssl-capathDirectory that contains trusted SSL Certificate Authority certificate files 
--ssl-certFile that contains X509 certificate 
--ssl-cipherList of permitted ciphers for connection encryption 
--ssl-crlFile that contains certificate revocation lists 
--ssl-crlpathDirectory that contains certificate revocation list files 
--ssl-keyFile that contains X509 key 
--ssl-modeSecurity state of connection to server5.7.11
--ssl-verify-server-certVerify host name against server certificate Common Name identity 
--tls-versionProtocols permitted for encrypted connections5.7.10

  • --ssl

    This option has different effects on the client and server sides.

    Note

    The client-side --ssl option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. For client programs, use --ssl-mode instead:

    The server-side --ssl option is not deprecated.

    By default, MySQL client programs attempt to establish an encrypted connection if the server supports encrypted connections, with further control available through the --ssl option: The client-side --ssl option works as follows:

    • In the absence of an --ssl option, clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established.

    • The presence of an explicit --ssl option or a synonym (--ssl=1, --enable-ssl) is prescriptive: Clients require an encrypted connection and fail if one cannot be established.

    • With an --ssl=0 option or a synonym (--skip-ssl, --disable-ssl), clients use an unencrypted connection.

    To require use of encrypted connections by a MySQL account, use CREATE USER to create the account with a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE SSL clause. Connection attempts by clients that use the account will be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

    The REQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see the description of REQUIRE in Section 13.7.1.2, “CREATE USER Syntax”.

    On the server side, the --ssl option specifies that the server permits but does not require encrypted connections. The option is enabled on the server side by default. --ssl is implied by other --ssl-xxx options, as indicated in the descriptions for those options.

    The --ssl option in negated form indicates that encryption should not be used and overrides other --ssl-xxx options. Specify the option as --ssl=0 or a synonym (--skip-ssl, --disable-ssl).

    To specify additional parameters for encrypted connections, use at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side. See Section 6.4.1, “Configuring MySQL to Use Encrypted Connections”. That section also describes server capabilities for certificate and key file autogeneration and autodiscovery.

  • --ssl-ca=file_name

    The path name of the Certificate Authority (CA) certificate file in PEM format. On the server side, this option implies --ssl.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

  • --ssl-capath=dir_name

    The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format. On the server side, this option implies --ssl.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

    MySQL distributions compiled using OpenSSL support the --ssl-capath option (see Section 6.4.4, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option.

  • --ssl-cert=file_name

    The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate. On the server side, this option implies --ssl.

  • --ssl-cipher=cipher_list

    The list of permitted ciphers for connection encryption. If no cipher in the list is supported, encrypted connections will not work. On the server side, this option implies --ssl.

    For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:

    --ssl-cipher=AES128-SHA
    --ssl-cipher=DHE-RSA-AES128-GCM-SHA256:AES128-SHA

    OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at https://www.openssl.org/docs/manmaster/man1/ciphers.html. yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.

    For information about which encryption ciphers MySQL supports, see Section 6.4.6, “Encrypted Connection Protocols and Ciphers”.

  • --ssl-crl=file_name

    The path name of the file containing certificate revocation lists in PEM format. On the server side, this option implies --ssl.

    If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    MySQL distributions compiled using OpenSSL support the --ssl-crl option (see Section 6.4.4, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not because revocation lists do not work with yaSSL.

  • --ssl-crlpath=dir_name

    The path name of the directory that contains certificate revocation list files in PEM format. On the server side, this option implies --ssl.

    If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    MySQL distributions compiled using OpenSSL support the --ssl-crlpath option (see Section 6.4.4, “OpenSSL Versus yaSSL”). Distributions compiled using yaSSL do not because revocation lists do not work with yaSSL.

  • --ssl-key=file_name

    The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key. On the server side, this option implies --ssl.

    If the key file is protected by a passphrase, the program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.

    For better security, use a certificate with an RSA key size of at least 2048 bits.

  • --ssl-mode=mode

    This option is available only for client programs, not the server. It specifies the security state of the connection to the server. These option values are permitted:

    • PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.

    • REQUIRED: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.

    • VERIFY_CA: Like REQUIRED, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.

    • VERIFY_IDENTITY: Like VERIFY_CA, but additionally perform host name identify verification by checking the server's Common Name identity in the certificate that the server sends to the client. The client verifies the Common Name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. This is like the legacy --ssl-verify-server-cert option.

      Note

      Host name identity verification does not work with self-signed certificates created automatically by the server, or manually using mysql_ssl_rsa_setup (see Section 6.4.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.

    • DISABLED: Establish an unencrypted connection. This is like the legacy --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

    The --ssl-mode option interacts with CA certificate options as follows:

    The --ssl-mode option was added in MySQL 5.7.11.

    To require use of encrypted connections by a MySQL account, use CREATE USER to create the account with a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE SSL clause. Connection attempts by clients that use the account will be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

    The REQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see the description of REQUIRE in Section 13.7.1.2, “CREATE USER Syntax”.

  • --ssl-verify-server-cert

    Note

    The --ssl-verify-server-cert option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. Use --ssl-mode=VERIFY_IDENTITY instead.

    This option is available only for client programs, not the server. It causes the client to perform host name identify verification by checking the server's Common Name identity in the certificate that the server sends to the client. The client verifies the Common Name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. Host name identity verification is disabled by default.

    Note

    Host name identity verification does not work with self-signed certificates created automatically by the server, or manually using mysql_ssl_rsa_setup (see Section 6.4.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.

  • --tls-version=protocol_list

    For client programs, the protocols permitted by the client for encrypted connections. The value is a comma-separated list containing one or more protocol names. For example:

    mysql --tls-version="TLSv1.1,TLSv1.2"

    The protocols that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.4.6, “Encrypted Connection Protocols and Ciphers”.

    This option was added in MySQL 5.7.10.

    On the server side, use the tls_version system variable instead.


User Comments
Sign Up Login You must be logged in to post a comment.