6.3.6.3 Using SSL Connections

To enable SSL connections, your MySQL distribution must be built with SSL support, as described in Section 6.3.6.2, “Configuring MySQL for SSL”. In addition, the proper SSL-related options must be used to specify the appropriate certificate and key files. For a complete list of SSL options, see Section 6.3.6.4, “SSL Command Options”.

To start the MySQL server so that it permits clients to connect using SSL, use the options that identify the certificate and key files the server uses when establishing a secure connection:

For example, start the server like this:

shell> mysqld --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem

Each option names a file in PEM format. For instructions on generating the required SSL certificate and key files, see Section 6.3.6.5, “Setting Up SSL Certificates and Keys for MySQL”. If you have a MySQL source distribution, you can also test your setup using the demonstration certificate and key files in the mysql-test/std_data directory of the distribution.

Similar options are used on the client side, but --ssl-cert and --ssl-key identify the client public and private key. The Certificate Authority certificate, if specified, must be the same as used by the server.

To establish a secure connection to a MySQL server with SSL support, the options that a client must specify depend on the SSL requirements of the MySQL account used by the client. (See the discussion of the REQUIRE clause in Section 13.7.1.3, “GRANT Syntax”.)

Suppose that you want to connect using an account that has no special SSL requirements or was created using a GRANT statement that includes the REQUIRE SSL option. As a recommended set of SSL options, start the server with at least --ssl-cert and --ssl-key, and invoke the client with --ssl-ca. A client can connect securely like this:

shell> mysql --ssl-ca=ca-cert.pem

To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:

shell> mysql --ssl-ca=ca-cert.pem \
       --ssl-cert=client-cert.pem \
       --ssl-key=client-key.pem

To prevent use of SSL and override other SSL options, invoke the client program with --ssl=0 or a synonym (--skip-ssl, --disable-ssl):

shell> mysql --ssl=0

A client can determine whether the current connection with the server uses SSL by checking the value of the Ssl_cipher status variable. The value is nonempty if SSL is used, and empty otherwise. For example:

mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

For the mysql client, an alternative is to use the STATUS or \s command and check the SSL line:

mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...

Or:

mysql> \s
...
SSL: Not in use
...

The C API enables application programs to use SSL:

Replication uses the C API, so secure connections can be used between master and slave servers. See Section 16.3.7, “Setting Up Replication Using SSL”.