Configuring MySQL for SSL

To use SSL connections between the MySQL server and client programs, your system must support either OpenSSL or yaSSL, and your version of MySQL must be built with SSL support. To make it easier to use secure connections, MySQL is bundled with yaSSL, which uses the same licensing model as MySQL. (OpenSSL uses an Apache-style license.) yaSSL support is available on all MySQL platforms supported by Oracle Corporation.

To get secure connections to work with MySQL and SSL, you must do the following:

  1. If you are not using a binary (precompiled) version of MySQL that has been built with SSL support, and you are going to use OpenSSL rather than the bundled yaSSL library, install OpenSSL if it has not already been installed. We have tested MySQL with OpenSSL 0.9.6. To obtain OpenSSL, visit http://www.openssl.org.

    Building MySQL using OpenSSL requires a shared OpenSSL library, otherwise linker errors occur. Alternatively, build MySQL using yaSSL.

  2. If you are not using a binary (precompiled) version of MySQL that has been built with SSL support, configure a MySQL source distribution to use SSL. When you configure MySQL, invoke CMake like this:

    shell> cmake . -DWITH_SSL=bundled

    That command configures the distribution to use the bundled yaSSL library. To use the system SSL library instead, specify the option like this instead:

    shell> cmake . -DWITH_SSL=system

    See Section 2.9.4, “MySQL Source-Configuration Options”.

    Then compile and install the distribution.

    On Unix platforms, yaSSL retrieves true random numbers from either /dev/urandom or /dev/random. Bug#13164 lists workarounds for some very old platforms which do not support these devices.

  3. To check whether a mysqld server supports SSL, examine the value of the have_ssl system variable:

    mysql> SHOW VARIABLES LIKE 'have_ssl';
    | Variable_name | Value |
    | have_ssl      | YES   |

    If the value is YES, the server supports SSL connections. If the value is DISABLED, the server is capable of supporting SSL connections but was not started with the appropriate --ssl-xxx options to enable them to be used; see Section, “Using SSL Connections”.