--default-auth=plugin

A hint about which client-side authentication plugin to use. See Section 8.2.17, “Pluggable Authentication”.

--host=host_name, -h host_name

The host on which the MySQL server is running. The value can be a host name, IPv4 address, or IPv6 address. The default value is localhost.

--password[=pass_val], -p[pass_val]

The password of the MySQL account used for connecting to the server. The password value is optional. If not given, the client program prompts for one. If given, there must be no space between --password= or -p and the password following it. If no password option is specified, the default is to send no password.

Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. See Section 8.1.2.1, “End-User Guidelines for Password Security”.

To explicitly specify that there is no password and that the client program should not prompt for one, use the --skip-password option.

--password1[=pass_val]

The password for multifactor authentication factor 1 of the MySQL account used for connecting to the server. The password value is optional. If not given, the client program prompts for one. If given, there must be no space between --password1= and the password following it. If no password option is specified, the default is to send no password.

Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. See Section 8.1.2.1, “End-User Guidelines for Password Security”.

To explicitly specify that there is no password and that the client program should not prompt for one, use the --skip-password1 option.

--password1 and --password are synonymous, as are --skip-password1 and --skip-password.

--password2[=pass_val]

The password for multifactor authentication factor 2 of the MySQL account used for connecting to the server. The semantics of this option are similar to the semantics for --password1; see the description of that option for details.

--password3[=pass_val]

The password for multifactor authentication factor 3 of the MySQL account used for connecting to the server. The semantics of this option are similar to the semantics for --password1; see the description of that option for details.

--pipe, -W

On Windows, connect to the server using a named pipe. This option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by the named_pipe_full_access_group system variable.

--plugin-dir=dir_name

The directory in which to look for plugins. Specify this option if the --default-auth option is used to specify an authentication plugin but the client program does not find it. See Section 8.2.17, “Pluggable Authentication”.

--port=port_num, -P port_num

For TCP/IP connections, the port number to use. The default port number is 3306.

--protocol={TCP|SOCKET|PIPE|MEMORY}

This option explicitly specifies which transport protocol to use for connecting to the server. It is useful when other connection parameters normally result in use of a protocol other than the one you want. For example, connections on Unix to localhost are made using a Unix socket file by default:

mysql --host=localhost

To force TCP/IP transport to be used instead, specify a --protocol option:

mysql --host=localhost --protocol=TCP

The following table shows the permissible --protocol option values and indicates the applicable platforms for each value. The values are not case-sensitive.

See also Section 6.2.7, “Connection Transport Protocols”

--shared-memory-base-name=name

On Windows, the shared-memory name to use for connections made using shared memory to a local server. The default value is MYSQL. The shared-memory name is case-sensitive.

This option applies only if the server was started with the shared_memory system variable enabled to support shared-memory connections.

--socket=path, -S path

On Unix, the name of the Unix socket file to use for connections made using a named pipe to a local server. The default Unix socket file name is /tmp/mysql.sock.

On Windows, the name of the named pipe to use for connections to a local server. The default Windows pipe name is MySQL. The pipe name is not case-sensitive.

On Windows, this option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by the named_pipe_full_access_group system variable.

--user=user_name, -u user_name

The user name of the MySQL account to use for connecting to the server. The default user name is ODBC on Windows or your Unix login name on Unix.

--get-server-public-key

Request from the server the public key required for RSA key pair-based password exchange. This option applies to clients that authenticate with the caching_sha2_password authentication plugin. For that plugin, the server does not send the public key unless requested. This option is ignored for accounts that do not authenticate with that plugin. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.

If --server-public-key-path=file_name is given and specifies a valid public key file, it takes precedence over --get-server-public-key.

For information about the caching_sha2_password plugin, see Section 8.4.1.1, “Caching SHA-2 Pluggable Authentication”.

--server-public-key-path=file_name

The path name to a file in PEM format containing a client-side copy of the public key required by the server for RSA key pair-based password exchange. This option applies to clients that authenticate with the sha256_password (deprecated) or caching_sha2_password authentication plugin. This option is ignored for accounts that do not authenticate with one of those plugins. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.

If --server-public-key-path=file_name is given and specifies a valid public key file, it takes precedence over --get-server-public-key.

This option is available only if MySQL was built using OpenSSL.

For information about the sha256_password (deprecated) and caching_sha2_password plugins, see Section 8.4.1.2, “SHA-256 Pluggable Authentication”, and Section 8.4.1.1, “Caching SHA-2 Pluggable Authentication”.

--ssl-ca=file_name

The path name of the Certificate Authority (CA) certificate file in PEM format. The file contains a list of trusted SSL Certificate Authorities.

To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any ssl_ca or ssl_capath system variable values specified on the server side.

To specify the CA file for the server, set the ssl_ca system variable.

--ssl-capath=dir_name

The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format.

To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any ssl_ca or ssl_capath system variable values specified on the server side.

To specify the CA directory for the server, set the ssl_capath system variable.

--ssl-cert=file_name

The path name of the client SSL public key certificate file in PEM format. Chained SSL certificates are supported.

To specify the server SSL public key certificate file, set the ssl_cert system variable.

--ssl-cipher=cipher_list

The list of permissible encryption ciphers for connections that use TLSv1.2. If no cipher in the list is supported, encrypted connections that use these TLS protocols do not work.

For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. Examples:

--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES128-GCM-SHA256:AES128-SHA

OpenSSL supports the syntax for specifying ciphers described in the OpenSSL documentation at https://www.openssl.org/docs/manmaster/man1/ciphers.html.

For information about which encryption ciphers MySQL supports, see Section 8.3.2, “Encrypted Connection TLS Protocols and Ciphers”.

To specify the encryption ciphers for the server, set the ssl_cipher system variable.

--ssl-crl=file_name

The path name of the file containing certificate revocation lists in PEM format.

If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

To specify the revocation-list file for the server, set the ssl_crl system variable.

--ssl-crlpath=dir_name

The path name of the directory that contains certificate revocation-list files in PEM format.

If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

To specify the revocation-list directory for the server, set the ssl_crlpath system variable.

--ssl-fips-mode={OFF|ON|STRICT}

Controls whether to enable FIPS mode on the client side. The --ssl-fips-mode option differs from other --ssl-xxx options in that it is not used to establish encrypted connections, but rather to affect which cryptographic operations to permit. See Section 8.8, “FIPS Support”.

These --ssl-fips-mode values are permissible:

To specify the FIPS mode for the server, set the ssl_fips_mode system variable.

--ssl-key=file_name

The path name of the client SSL private key file in PEM format. For better security, use a certificate with an RSA key size of at least 2048 bits.

If the key file is protected by a passphrase, the client program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.

To specify the server SSL private key file, set the ssl_key system variable.

--ssl-mode=mode

This option specifies the desired security state of the connection to the server. These mode values are permissible, in order of increasing strictness:

The --ssl-mode option interacts with CA certificate options as follows:

To require use of encrypted connections by a MySQL account, use CREATE USER to create the account with a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE SSL clause. This causes connection attempts by clients that use the account to be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

The REQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see CREATE USER SSL/TLS Options.

--ssl-session-data=file_name

The path name of the client SSL session data file in PEM format for session reuse.

When you invoke a MySQL client program with the --ssl-session-data option, the client attempts to deserialize session data from the file, if provided, and then use it to establish a new connection. If you supply a file, but the session is not reused, then the connection fails unless you also specified the --ssl-session-data-continue-on-failed-reuse option on the command line when you invoked the client program.

The mysql command, ssl_session_data_print, generates the session data file (see Section 6.5.1.2, “mysql Client Commands”).

ssl-session-data-continue-on-failed-reuse

Controls whether a new connection is started to replace an attempted connection that tried but failed to reuse session data specified with the --ssl-session-data command-line option. By default, the --ssl-session-data-continue-on-failed-reuse command-line option is off, which causes a client program to return a connect failure when session data are supplied and not reused.

To ensure that a new, unrelated connection opens after session reuse fails silently, invoke MySQL client programs with both the --ssl-session-data and --ssl-session-data-continue-on-failed-reuse command-line options.

--tls-ciphersuites=ciphersuite_list

This option specifies which ciphersuites the client permits for encrypted connections that use TLSv1.3. The value is a list of zero or more colon-separated ciphersuite names. For example:

mysql --tls-ciphersuites="suite1:suite2:suite3"

The ciphersuites that can be named for this option depend on the SSL library used to compile MySQL. If this option is not set, the client permits the default set of ciphersuites. If the option is set to the empty string, no ciphersuites are enabled and encrypted connections cannot be established. For more information, see Section 8.3.2, “Encrypted Connection TLS Protocols and Ciphers”.

To specify which ciphersuites the server permits, set the tls_ciphersuites system variable.

--tls-version=protocol_list

This option specifies the TLS protocols the client permits for encrypted connections. The value is a list of one or more comma-separated protocol versions. For example:

mysql --tls-version="TLSv1.2,TLSv1.3"

The protocols that can be named for this option depend on the SSL library used to compile MySQL, and on the MySQL Server release.

Permitted protocols should be chosen such as not to leave “holes” in the list. For example, these values do not have holes:

--tls-version="TLSv1.2,TLSv1.3"
--tls-version="TLSv1.3"

For details, see Section 8.3.2, “Encrypted Connection TLS Protocols and Ciphers”.

To specify which TLS protocols the server permits, set the tls_version system variable.

--compress, -C

Compress all information sent between the client and the server if possible.

This option is deprecated. Expect it to be removed in a future version of MySQL. See Configuring Legacy Connection Compression.

--compression-algorithms=value

The permitted compression algorithms for connections to the server. The available algorithms are the same as for the protocol_compression_algorithms system variable. The default value is uncompressed.

--zstd-compression-level=level

The compression level to use for connections to the server that use the zstd compression algorithm. The permitted levels are from 1 to 22, with larger values indicating increasing levels of compression. The default zstd compression level is 3. The compression level setting has no effect on connections that do not use zstd compression.