Table of Contents
Advertisement
To establish a secure connection to a MySQL server with SSL support, the options that a client must
specify depend on the SSL requirements of the MySQL account used by the client. (See the discussion
of the
REQUIRE
Suppose that you want to connect using an account that has no special SSL requirements or was
created using a
SSL options, start the server with at least
the client with
shell>
mysql --ssl-ca=ca-cert.pem
To require that a client certificate also be specified, create the account using the
option. Then the client must also specify the proper client key and certificate files or the server will
reject the connection:
shell>
mysql --ssl-ca=ca-cert.pem \
--ssl-cert=client-cert.pem \
--ssl-key=client-key.pem
A client can determine whether the current connection with the server uses SSL by checking the value
of the
Ssl_cipher
and empty otherwise. For example:
mysql>
SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value
+---------------+--------------------+
| Ssl_cipher
+---------------+--------------------+
For the
mysql
mysql>
\s
...
SSL:
...
Or:
mysql>
\s
...
SSL:
...
The C API enables application programs to use SSL:
• To establish a secure connection, program, use the
appropriate certificate options before calling mysql_real_connect(). See
"mysql_ssl_set()".
• To determine whether SSL is in use after the connection is established, use
mysql_get_ssl_cipher(). A
the SSL cipher used for encryption. A
Section 20.6.6.33,
Replication uses the C API, so secure connections can be used between master and slave servers.
See
Section 16.3.7, "Setting Up Replication Using
6.3.6.4. SSL Command Options
This section describes options that are used to specify whether to use SSL and the names of SSL
certificate and key files. These options can be given on the command line or in an option file. They are
not available unless MySQL has been built with SSL support. See
for
SSL". (There are also
Using SSL for Secure Connections
clause in
Section 13.7.1.3,
statement that includes the
GRANT
[608]. A client can connect securely like this:
--ssl-ca
[532]
status variable. The value of
| DHE-RSA-AES256-SHA |
client, an alternative is to use the
Not in use
Cipher in use is DHE-RSA-AES256-SHA
non-NULL
"mysql_get_ssl_cipher()".
--master-ssl*
"GRANT
Syntax".)
REQUIRE SSL
[608]
and
--ssl-cert
Ssl_cipher
|
or
STATUS
\s
mysql_ssl_set()
return value indicates a secure connection and names
return value indicates that SSL is not being used. See
NULL
SSL".
options that can be used for setting up a secure connection
606
option. As a recommended set of
[608], and invoke
--ssl-key
REQUIRE X509
[532]
is nonempty if SSL is used,
command and check the
C API function to set the
Section 20.6.6.67,
Section 6.3.6.2, "Configuring MySQL
line:
SSL
Advertisement
Chapters
Table of Contents
Troubleshooting
