6.3.6.2 Configuring MySQL for SSL

To use SSL connections between the MySQL server and client programs, your system must support either OpenSSL or yaSSL, and your version of MySQL must be built with SSL support. To make it easier to use secure connections, MySQL is bundled with yaSSL, which uses the same licensing model as MySQL. (OpenSSL uses an Apache-style license.) yaSSL support is available on all MySQL platforms supported by Oracle Corporation.

To get secure connections to work with MySQL and SSL, you must do the following:

  1. If you are not using a binary (precompiled) version of MySQL that has been built with SSL support, and you are going to use OpenSSL rather than the bundled yaSSL library, install OpenSSL if it has not already been installed. We have tested MySQL with OpenSSL 0.9.6. To obtain OpenSSL, visit http://www.openssl.org.

    Building MySQL using OpenSSL requires a shared OpenSSL library, otherwise linker errors occur. Alternatively, build MySQL using yaSSL.

  2. If you are not using a binary (precompiled) version of MySQL that has been built with SSL support, configure a MySQL source distribution to use SSL. When you configure MySQL, invoke the configure script like this:

    shell> ./configure --with-ssl
    

    That command configures the distribution to use the bundled yaSSL library. To use OpenSSL instead, specify the --with-ssl option with the path to the directory where the OpenSSL header files and libraries are located:

    shell> ./configure --with-ssl=path
    
    Note

    On some platforms you may also need to explicitly add the SSL library and header directories. You can do this by setting LDFLAGS, CFLAGS, CPPFLAGS and CXXFLAGS to the full directory paths. For example:

    shell> LDFLAGS="-L/usr/local/ssl/lib" CFLAGS="-I/usr/local/ssl/include" \
    CPPFLAGS="-I/usr/local/ssl/include" CXXFLAGS="-I/usr/local/ssl/include" \
    configure --with-ssl=/usr/local/ssl
    

    Before MySQL 5.1.11, you must use the appropriate option to select the SSL library that you want to use.

    For yaSSL:

    shell> ./configure --with-yassl
    

    For OpenSSL:

    shell> ./configure --with-openssl
    

    Then compile and install the distribution.

    On Unix platforms, yaSSL retrieves true random numbers from either /dev/urandom or /dev/random. Bug#13164 lists workarounds for some very old platforms which do not support these devices.

  3. To check whether a mysqld server supports SSL, examine the value of the have_ssl system variable:

    mysql> SHOW VARIABLES LIKE 'have_ssl';
    +---------------+-------+
    | Variable_name | Value |
    +---------------+-------+
    | have_ssl      | YES   |
    +---------------+-------+
    

    If the value is YES, the server supports SSL connections. If the value is DISABLED, the server is capable of supporting SSL connections but was not started with the appropriate --ssl-xxx options to enable them to be used; see Section 6.3.6.3, “Using SSL Connections”.
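    The have_ssl check above is usually scripted rather than read off an interactive prompt. The following shell functions, an added example that is not part of the MySQL manual, parse the tab-separated output that the mysql client prints in --batch --skip-column-names mode for SHOW VARIABLES LIKE 'have_ssl' and map the three documented values (YES, DISABLED, NO) to a status string and an exit code, so the check can sit in a deployment or monitoring script. The sample lines fed to the functions are constructed; the mysql client invocation shown in the comment is the assumed source of real input.

```shell
#!/bin/sh
# Added example (not from the MySQL manual): interpret the have_ssl value
# reported by a mysqld server. Real input would come from:
#   mysql --batch --skip-column-names -e "SHOW VARIABLES LIKE 'have_ssl'"

# classify_have_ssl VALUE
# Maps the documented have_ssl values to a short status string.
classify_have_ssl() {
    case "$1" in
        YES)      echo "ssl-enabled" ;;             # server accepts SSL connections
        DISABLED) echo "ssl-built-not-enabled" ;;   # built with SSL, started without --ssl-xxx
        NO)       echo "ssl-not-built" ;;           # binary was built without SSL support
        *)        echo "unknown" ;;                 # empty or unexpected output
    esac
}

# have_ssl_from_batch_output
# Reads batch-mode mysql output (tab-separated "Variable_name<TAB>Value" lines)
# from stdin and prints the Value column of the have_ssl row, or an empty
# string if the row is missing.
have_ssl_from_batch_output() {
    awk -F'\t' '$1 == "have_ssl" { print $2; found = 1 } END { if (!found) print "" }'
}

# check_have_ssl_output
# Combines the two helpers: prints the status and succeeds (exit 0) only when
# the server actually has SSL enabled, so it can gate a deployment step.
check_have_ssl_output() {
    value=$(have_ssl_from_batch_output)
    status=$(classify_have_ssl "$value")
    echo "$status"
    [ "$status" = "ssl-enabled" ]
}

# Demonstration on constructed sample lines (not captured from a real server):
printf 'have_ssl\tYES\n' | check_have_ssl_output            # prints ssl-enabled
printf 'have_ssl\tDISABLED\n' | check_have_ssl_output || :  # prints ssl-built-not-enabled
```

    A DISABLED result is the case worth alerting on in practice: the binary is capable of SSL, but the server is running without the --ssl-xxx options described in Section 6.3.6.3, so every client connection is in the clear.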