Oracle 5.0 Reference Manual page 1178


Limits not specified retain their current values.

For more information on restricting access to server resources, see Section 6.3.4, "Setting Account Resource Limits".

MySQL can check X509 certificate attributes in addition to the usual authentication that is based on the user name and password. To specify SSL-related options for a MySQL account, use the REQUIRE clause of the GRANT statement. (For background information on the use of SSL with MySQL, see Section 6.3.6, "Using SSL for Secure Connections".)

There are a number of different possibilities for limiting connection types for a given account:

• REQUIRE NONE indicates that the account has no SSL or X509 requirements. This is the default if no SSL-related REQUIRE options are specified. Unencrypted connections are permitted if the user name and password are valid. However, encrypted connections can also be used, at the client's option, if the client has the proper certificate and key files. That is, the client need not specify any SSL command options, in which case the connection will be unencrypted. To use an encrypted connection, the client must specify either the --ssl-ca option, or all three of the --ssl-ca, --ssl-key, and --ssl-cert options.

• The REQUIRE SSL option tells the server to permit only SSL-encrypted connections for the account.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
IDENTIFIED BY 'goodsecret' REQUIRE SSL;

To connect, the client must specify the --ssl-ca option to authenticate the server certificate, and may additionally specify the --ssl-key and --ssl-cert options. If neither --ssl-ca option nor --ssl-capath option is specified, the client does not authenticate the server certificate.

• REQUIRE X509 means that the client must have a valid certificate but that the exact certificate, issuer, and subject do not matter. The only requirement is that it should be possible to verify its signature with one of the CA certificates.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
IDENTIFIED BY 'goodsecret' REQUIRE X509;

To connect, the client must specify the --ssl-ca, --ssl-key, and --ssl-cert options. This is also true for ISSUER and SUBJECT because those REQUIRE options imply X509.

• REQUIRE ISSUER 'issuer' places the restriction on connection attempts that the client must present a valid X509 certificate issued by CA 'issuer'. If the client presents a certificate that is valid but has a different issuer, the server rejects the connection. Use of X509 certificates always implies encryption, so the SSL option is unnecessary in this case.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
IDENTIFIED BY 'goodsecret'
REQUIRE ISSUER '/C=FI/ST=Some-State/L=Helsinki/
O=MySQL Finland AB/CN=Tonu Samuel/emailAddress=tonu@example.com';

The 'issuer' value should be entered as a single string.

Note
If MySQL is linked against a version of OpenSSL older than 0.9.6h, use Email rather than emailAddress in the 'issuer' value.

• REQUIRE SUBJECT 'subject' places the restriction on connection attempts that the client must present a valid X509 certificate containing the subject subject. If the client presents a certificate that is valid but has a different subject, the server rejects the connection.

GRANT ALL PRIVILEGES ON test.* TO 'root'@'localhost'
IDENTIFIED BY 'goodsecret'
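
An added example, not part of the manual: a query that audits which of the REQUIRE levels described above each account actually carries. It assumes the standard grant table mysql.user, whose ssl_type, x509_issuer and x509_subject columns store the REQUIRE settings, and a session with SELECT privilege on that table; the account 'app'@'%' in the last statement is a placeholder.

```sql
-- Added example: list every account with the REQUIRE level it enforces.
-- ssl_type values in mysql.user:
--   ''          -> REQUIRE NONE (unencrypted logins accepted)
--   'ANY'       -> REQUIRE SSL
--   'X509'      -> REQUIRE X509
--   'SPECIFIED' -> REQUIRE ISSUER and/or SUBJECT (also used for options
--                  that this page does not cover)
SELECT
    User,
    Host,
    CASE ssl_type
        WHEN ''          THEN 'NONE'
        WHEN 'ANY'       THEN 'SSL'
        WHEN 'X509'      THEN 'X509'
        WHEN 'SPECIFIED' THEN 'ISSUER/SUBJECT'
    END AS require_level,
    CAST(x509_issuer  AS CHAR) AS required_issuer,
    CAST(x509_subject AS CHAR) AS required_subject,
    CASE
        -- No REQUIRE clause on an account reachable over the network.
        WHEN ssl_type = '' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
            THEN 'remote login permitted without encryption'
        -- Encrypted, but the client is never asked for a certificate.
        WHEN ssl_type = 'ANY'
            THEN 'no client certificate required'
        -- Any certificate that verifies against a configured CA is accepted.
        WHEN ssl_type = 'X509'
            THEN 'certificate required, issuer and subject not pinned'
        -- Issuer pinned, but any certificate from that CA is accepted.
        WHEN ssl_type = 'SPECIFIED' AND x509_issuer <> '' AND x509_subject = ''
            THEN 'issuer pinned, subject not pinned'
        ELSE ''
    END AS finding
FROM mysql.user
ORDER BY FIELD(ssl_type, '', 'ANY', 'X509', 'SPECIFIED'), User, Host;

-- Raising the requirement on an existing account without touching its
-- privileges or password ('app'@'%' is a placeholder account name):
GRANT USAGE ON *.* TO 'app'@'%' REQUIRE SSL;
```

Rows sorted to the top are the accounts with no REQUIRE clause, which accept a valid user name and password over an unencrypted connection.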
