Oracle 5.0 Reference Manual page 628


Using SSL for Secure Connections

provides additional detail about which SSL command options may or must be specified by clients that connect using accounts that are created using the various REQUIRE options.

--ssl-ca=file_name
The path to a file in PEM format that contains a list of trusted SSL certificate authorities. This option implies --ssl.

As of MySQL 5.0.40, if you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established using GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to the server at startup.

--ssl-capath=directory_name
The path to a directory that contains trusted SSL certificate authority certificates in PEM format. This option implies --ssl.

As of MySQL 5.0.40, if you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established using GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to the server at startup.

MySQL distributions built with OpenSSL support the --ssl-capath option. Distributions built with yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file. Then specify the new file as the value of the --ssl-ca option.

--ssl-cert=file_name
The name of the SSL certificate file in PEM format to use for establishing a secure connection. This option implies --ssl.

--ssl-cipher=cipher_list
A list of permissible ciphers to use for SSL encryption. If no cipher in the list is supported, SSL connections will not work. This option implies --ssl.

For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:

--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution built with yaSSL.

--ssl-key=file_name
The name of the SSL key file in PEM format to use for establishing a secure connection.

If the MySQL distribution was built using OpenSSL and the key file is protected by a passphrase, the program will prompt the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. If the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.
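The following Python check is an added example, not part of the MySQL manual: it applies the rules described above to a client command line and reports when the server certificate would go unauthenticated, or when an option would not work on a yaSSL build. The function names, the tls_library parameter and the sample host and file names are assumptions made for illustration, and the cipher-syntax test is a heuristic that looks only for OpenSSL operator and separator characters.

```python
import re

# Options that this manual page says imply --ssl.
IMPLIES_SSL = ("ssl-ca", "ssl-capath", "ssl-cert", "ssl-cipher")
# Heuristic: characters used only by OpenSSL's extended cipher syntax
# (operators !, +, @, a leading -, and comma/space separators).
EXTENDED_SYNTAX = re.compile(r"[!+@, ]|(?:^|:)-")


def parse_ssl_options(argv):
    """Collect --ssl* arguments as {name: value}; bare --ssl maps to ''."""
    opts = {}
    for arg in argv:
        if arg.startswith("--ssl"):
            name, _, value = arg[2:].partition("=")
            opts[name] = value
    return opts


def audit(argv, tls_library="openssl"):
    """Return findings for one client command line.

    tls_library: 'openssl' or 'yassl', i.e. how the distribution was built.
    """
    opts = parse_ssl_options(argv)
    if "ssl" not in opts and not any(o in opts for o in IMPLIES_SSL):
        return ["no --ssl and no option that implies it"]
    findings = []
    # Neither CA option: the client does not authenticate the server.
    if "ssl-ca" not in opts and "ssl-capath" not in opts:
        findings.append("server certificate is not authenticated")
    if tls_library == "yassl":
        if "ssl-capath" in opts:
            findings.append("--ssl-capath is not supported by yaSSL")
        if EXTENDED_SYNTAX.search(opts.get("ssl-cipher", "")):
            findings.append("cipher list uses OpenSSL-only syntax")
    return findings


# Constructed sample command lines (host and file names are placeholders).
SAMPLES = {
    "encrypted, server unverified": ["mysql", "-h", "db.example", "--ssl"],
    "verified, portable ciphers": ["mysql", "--ssl-ca=ca-bundle.pem",
                                   "--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA"],
    "capath and extended ciphers": ["mysql", "--ssl-capath=/etc/mysql/ca",
                                    "--ssl-cipher=ALL:!ADH"],
}

if __name__ == "__main__":
    for label, argv in SAMPLES.items():
        print(label, "->", audit(argv, tls_library="yassl") or "ok")
```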
