--ssl

For the server, this option specifies that the server permits SSL connections. For a client program, it permits the client to connect to the server using SSL, but this option is not sufficient in itself to cause an SSL connection to be used. As a recommended set of options to enable SSL connections, use at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side.

--ssl is implied by other --ssl-xxx options as indicated in the descriptions for those options. For this reason, --ssl is not usually specified explicitly. It is more often used explicitly in its opposite form to override other SSL options and indicate that SSL should not be used. To do this, specify the option as --skip-ssl or --ssl=0. For example, you might have SSL options specified in the [client] group of your option file to use SSL connections by default when you invoke MySQL client programs. To use an unencrypted connection instead, invoke the client program with --skip-ssl on the command line to override the options in the option file.

Use of --ssl does not require an SSL connection to be used, it only permits it. For example, if you specify this option for a client program but the server has not been configured to permit SSL connections, an unencrypted connection is used.

The secure way to require use of an SSL connection is to create a MySQL account that includes at least a REQUIRE SSL clause in the GRANT statement. In this case, connections for that account will be rejected unless MySQL supports SSL connections and the server and client have been started with the proper SSL options.

The REQUIRE clause permits other SSL-related restrictions as well. These can be used for stricter requirements than REQUIRE SSL. The description of REQUIRE in Section 13.7.1.3, “GRANT Syntax”, provides additional detail about which SSL command options may or must be specified by clients that connect using accounts that are created using the various REQUIRE options.

--ssl-ca=file_name

The path to a file in PEM format that contains a list of trusted SSL certificate authorities. This option implies --ssl.

As of MySQL 5.1.18, if you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established using GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to server at startup.

--ssl-capath=directory_name

The path to a directory that contains trusted SSL certificate authority certificates in PEM format. This option implies --ssl.

As of MySQL 5.1.18, if you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established using GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to server at startup.

MySQL distributions built with OpenSSL support the --ssl-capath option. Distributions built with yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file. Then specify the new file as the value of the --ssl-capath option.

--ssl-cert=file_name

The name of the SSL certificate file in PEM format to use for establishing a secure connection. This option implies --ssl.

--ssl-cipher=cipher_list

A list of permissible ciphers to use for SSL encryption. If no cipher in the list is supported, SSL connections will not work. This option implies --ssl.

For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:

--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, yaSSL does not, so attempts to use that extended syntax fails for a MySQL distribution built with yaSSL.

--ssl-key=file_name

The name of the SSL key file in PEM format to use for establishing a secure connection.

If the MySQL distribution was built using OpenSSL and the key file is protected by a passphrase, the program will prompt the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. If the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.

--ssl-verify-server-cert

This option is available for client programs only, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default. This option was added in MySQL 5.1.11.