The following list describes options that are used for
specifying the use of SSL, certificate files, and key files.
They can be given on the command line or in an option file.
These options are not available unless MySQL has been built with
SSL support. See Section 220.127.116.11, “Using SSL Connections”. (There are
--master-ssl* options that can be used for
setting up a secure connection from a slave replication server
to a master server; see Section 16.1.3, “Replication and Binary Logging Options and Variables”.)
Table 5.7. SSL Option/Variable Summary
|Name||Cmd-Line||Option file||System Var||Status Var||Var Scope||Dynamic|
|- Variable: ssl_ca||Yes||Global||No|
|- Variable: ssl_capath||Yes||Global||No|
|- Variable: ssl_cert||Yes||Global||No|
|- Variable: ssl_cipher||Yes||Global||No|
|- Variable: ssl_key||Yes||Global||No|
For the server, this option specifies that the server allows
SSL connections. For a client program, it allows the client
to connect to the server using SSL. This option is not
sufficient in itself to cause an SSL connection to be used.
You must also specify the
--ssl-ca option, and
Note that use of
not require an SSL connection. For
example, if the server or client is compiled without SSL
support, a normal unencrypted connection is used.
The secure way to require use of an SSL connection is to
create an account on the server that includes a
REQUIRE SSL clause in the
GRANT statement. Then use
that account to connect to the server, where both the server
and the client have SSL support enabled.
REQUIRE clause allows other
SSL-related restrictions as well. The description of
REQUIRE in Section 18.104.22.168, “
provides additional detail about which SSL command options
may or must be specified by clients that connect using
accounts that are created using the various
The path to a file that contains a list of trusted SSL CAs.
The path to a directory that contains trusted SSL CA certificates in PEM format.
The name of the SSL certificate file to use for establishing a secure connection.
A list of allowable ciphers to use for SSL encryption. For
should be a list of one or more cipher names, separated by
This format is understood both by OpenSSL and yaSSL. OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, this extended syntax will fail if used with a MySQL installation compiled against yaSSL.
If no cipher in the list is supported, SSL connections will not work.
The name of the SSL key file to use for establishing a secure connection.
This option is available for client programs only, not the server. It causes the server's Common Name value in the certificate that the server sends to the client to be verified against the host name that the client uses for connecting to the server, and the connection is rejected if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default.
If you use SSL when establishing a client connection, you can
tell the client not to authenticate the server certificate by
--ssl-capath. The server still
verifies the client according to any applicable requirements
for the client, and it still uses any
values that were passed to server at startup time.