6.3.6 Using SSL for Secure Connections

6.3.6.1 OpenSSL Versus yaSSL
6.3.6.2 Building MySQL with SSL Support
6.3.6.3 Configuring MySQL to Use SSL Connections
6.3.6.4 SSL Command Options

With an unencrypted connection between the MySQL client and the server, someone with access to the network could watch all your traffic and look at the data being sent or received, or even change the data while it is in transit between client and server.

When you must move information over a network in a secure fashion, an unencrypted connection is unacceptable. Encryption is the way to make any kind of data unreadable. Encryption algorithms must include security elements to resist many kinds of known attacks such as changing the order of encrypted messages or replaying data twice.

MySQL supports secure (encrypted) connections between clients and the server using the Secure Sockets Layer (SSL) protocol. SSL uses encryption algorithms to ensure that data received over a public network can be trusted. It has mechanisms to detect any data change, loss, or replay. SSL also incorporates algorithms that provide identity verification using the X509 standard.

X509 makes it possible to identify someone on the Internet. It is most commonly used in e-commerce applications. In basic terms, there should be some entity called a Certificate Authority (or CA) that assigns electronic certificates to anyone who needs them. Certificates rely on asymmetric encryption algorithms that have two encryption keys (a public key and a secret key). A certificate owner can show the certificate to another party as proof of identity. A certificate consists of its owner's public key. Any data encrypted with this public key can be decrypted only using the corresponding secret key, which is held by the owner of the certificate.

For more information about SSL, X509, encryption, or public-key cryptography, perform an Internet search for the keywords in which you are interested.

MySQL supports SSL using the TLSv1.0 protocol. To see which protocol version an SSL connection uses, check the value of the Ssl_version status variable using this query:

mysql> SHOW SESSION STATUS LIKE 'Ssl_version';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| Ssl_version   | TLSv1 |
+---------------+-------+

MySQL enables SSL encryption on a per-connection basis, and use of SSL can be optional or mandatory. You can choose an unencrypted connection or a secure SSL connection according to the requirements of individual applications. For information on how to require users to use SSL connections, see the discussion of the REQUIRE clause of the GRANT statement in Section 13.7.1.3, “GRANT Syntax”.

Encrypted connections are not used by default. For applications that require the security provided by encrypted connections, the extra computation to encrypt the data is worthwhile.

Secure connections are are available through the MySQL C API using the mysql_ssl_set() function. See Section 21.8.7.67, “mysql_ssl_set()”.

Replication uses the C API, so secure connections can be used between master and slave servers. See Section 16.3.7, “Setting Up Replication Using SSL”.

Secure connections are based on the OpenSSL API. MySQL can be compiled using either OpenSSL or yaSSL; see Section 6.3.6.2, “Building MySQL with SSL Support”. OpenSSL and yaSSL offer the same basic functionality, but some features not supported by yaSSL are available in MySQL distributions compiled using OpenSSL. OpenSSL supports a wider range of encryption ciphers values to choose from for the --ssl-cipher option, and supports the --ssl-capath. See Section 6.3.6.4, “SSL Command Options”.

Another way to connect securely is from within an SSH connection to the MySQL server host. For an example, see Section 6.3.8, “Connecting to MySQL Remotely from Windows with SSH”.