To enable SSL connections, the proper SSL-related options must be used to specify the appropriate certificate and key files. For a complete list of SSL options, see Section 184.108.40.206, “SSL Command Options”.
If you need to create the required SSL files, see Section 6.3.13, “Creating SSL and RSA Certificates and Keys”.
To start the MySQL server so that it permits clients to connect using SSL, use options that identify the certificate and key files the server uses when establishing a secure connection:
For example, start the server with these lines in the my.cnf file, changing the file names as
[mysqld]
ssl-ca=ca.pem
ssl-cert=server-cert.pem
ssl-key=server-key.pem
Each option names a file in PEM format. If you have a MySQL source distribution, you can also test your setup using the demonstration certificate and key files in its
As of MySQL 5.7.5, the server-side --ssl option value is enabled by default. Also as of MySQL 5.7.5, MySQL servers compiled using OpenSSL can generate missing SSL files automatically at startup. See Section 220.127.116.11, “Creating SSL and RSA Certificates and Keys using MySQL”.
SSL file autodiscovery is enabled as of MySQL 5.7.5 (for servers compiled using OpenSSL) or 5.7.6 (for servers compiled using
If --ssl is enabled (possibly along with --ssl-cipher) and other SSL options are not given to configure SSL explicitly, the server attempts to enable SSL automatically at startup:
If the server discovers valid SSL files named server-key.pem in the data directory, it enables SSL to permit SSL connections by clients. (These files need not have been autogenerated; what matters is that they have the indicated names and are valid.)
If the server does not find valid SSL files in the data directory, it continues executing but does not enable SSL.
If the server automatically enables SSL, it writes a message to the error log. As of MySQL 5.7.6, if the server discovers that the CA certificate is self-signed, it writes a warning to the error log. (The certificate will be self-signed if created automatically by the server or manually using mysql_ssl_rsa_setup.)
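As an added pre-flight check written for this page (not code from the MySQL manual or server), the following Python mirrors the explicit-option and autodiscovery rules just described: it reads the [mysqld] section of a my.cnf text, looks for the named files, and reports whether a 5.7 server would start with explicitly configured SSL, with autodiscovered files, or, because a default-named file is missing, silently without SSL. Assumptions: relative file names are resolved against the data directory, and the PEM check is only a header sniff, not certificate validation.

```python
import configparser
import tempfile
from pathlib import Path

# Default file names the server looks for in its data directory (from the text above).
AUTODISCOVERY_FILES = {
    "ssl-ca": "ca.pem",
    "ssl-cert": "server-cert.pem",
    "ssl-key": "server-key.pem",
}

def looks_like_pem(path):
    """Cheap sanity check only: the file exists and starts with a PEM header line."""
    try:
        with open(path, "rb") as f:
            return f.read(32).startswith(b"-----BEGIN ")
    except OSError:
        return False

def resolve_server_ssl(my_cnf_text, datadir):
    """Return (outcome, problem_options); outcomes are 'explicit', 'explicit-broken',
    'autodiscovered' or 'disabled'. Relative names resolve against datadir (assumption)."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(my_cnf_text)
    section = cfg["mysqld"] if cfg.has_section("mysqld") else {}
    explicit = {k: Path(datadir, section[k])
                for k in AUTODISCOVERY_FILES if k in section}
    if explicit:  # SSL options were given: every named file must be usable
        bad = sorted(k for k, p in explicit.items() if not looks_like_pem(p))
        return ("explicit-broken" if bad else "explicit", bad)
    # No SSL options: look for the default names; any gap means SSL stays off
    missing = sorted(k for k, name in AUTODISCOVERY_FILES.items()
                     if not looks_like_pem(Path(datadir, name)))
    return ("disabled" if missing else "autodiscovered", missing)

def demo():
    # Constructed scenario: a temporary data directory holding stub PEM files.
    explicit = "[mysqld]\nssl-ca=ca.pem\nssl-cert=server-cert.pem\nssl-key=server-key.pem\n"
    typo = explicit.replace("ssl-key=server-key.pem", "ssl-key=srv-key.pem")
    results = {}
    with tempfile.TemporaryDirectory() as datadir:
        for name in AUTODISCOVERY_FILES.values():
            Path(datadir, name).write_bytes(b"-----BEGIN CERTIFICATE-----\nstub\n-----END CERTIFICATE-----\n")
        results["explicit"] = resolve_server_ssl(explicit, datadir)
        results["typo"] = resolve_server_ssl(typo, datadir)
        results["autodiscovered"] = resolve_server_ssl("[mysqld]\nport=3306\n", datadir)
        Path(datadir, "server-key.pem").unlink()  # key file gone: server keeps running, no SSL
        results["disabled"] = resolve_server_ssl("[mysqld]\nport=3306\n", datadir)
    return results
```

The "disabled" outcome is the one worth alerting on: the server does not fail to start, so only the error log message (or a later check of Ssl_cipher) reveals that connections are unencrypted.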
To establish a secure connection to a MySQL server with SSL support, the options that a client must specify depend on the SSL requirements of the MySQL account used by the client. (See the discussion of the REQUIRE clause in Section 18.104.22.168, “CREATE USER Syntax”.)
Suppose that you want to connect using an account that has no special SSL requirements or was created using a CREATE USER statement that includes the REQUIRE SSL option. As a recommended set of SSL options, start the server with at least --ssl-key, and invoke the client with --ssl-ca. A client can connect securely like this:
To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:
mysql --ssl-ca=ca.pem \
As of MySQL 5.7.7, MySQL client programs attempt to establish an SSL connection by default whenever the server is enabled to support SSL:
In the absence of an --ssl option, the client falls back to an unencrypted connection if SSL is not available.
To require an SSL connection and fail if SSL is unavailable, invoke the client with an explicit
To suppress the attempt at using SSL for the connection, specify the
A client can determine whether the current connection with the server uses SSL by checking the value of the Ssl_cipher status variable. The value is nonempty if SSL is used, and empty otherwise. For example:
SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
For the mysql client, an alternative is to use the \s command and check the SSL line of its output:
\s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
If the connection is unencrypted, the same line reads:
\s
...
SSL: Not in use
...
The C API enables application programs to use SSL:
To establish a secure connection, use the mysql_ssl_set() C API function to set the appropriate certificate options before calling mysql_real_connect(). See Section 22.214.171.124, “mysql_ssl_set()”. To require the use of SSL, call
To determine whether SSL is in use after the connection is established, use mysql_get_ssl_cipher(). A non-NULL return value indicates a secure connection and names the SSL cipher used for encryption. A NULL return value indicates that SSL is not being used. See Section 126.96.36.199, “mysql_get_ssl_cipher()”.
Replication uses the C API, so secure connections can be used between master and slave servers. See Section 17.3.7, “Setting Up Replication Using SSL”.