MySQL 5.7 Reference Manual Including MySQL NDB Cluster 7.5 and NDB Cluster 7.6

4.2.3 Command Options for Connecting to the Server

This section describes options supported by most MySQL client programs that control how client programs establish connections to the server and whether connections are encrypted. These options can be given on the command line or in an option file.

Command Options for Connection Establishment

This section describes options that control how client programs establish connections to the server. For additional information and examples showing how to use them, see Section 4.2.4, “Connecting to the MySQL Server Using Command Options”.

Table 4.3 Connection-Establishment Option Summary

Option Name Description Deprecated
--default-auth Authentication plugin to use
--host Host on which MySQL server is located
--password Password to use when connecting to server
--pipe Connect to server using named pipe (Windows only)
--plugin-dir Directory where plugins are installed
--port TCP/IP port number for connection
--protocol Connection protocol to use
--secure-auth Do not send passwords to server in old (pre-4.1) format 5.7.5
--shared-memory-base-name Name of shared memory to use for shared-memory connections
--socket Unix socket file or Windows named pipe to use
--user MySQL user name to use when connecting to server

  • --default-auth=plugin

    A hint about which client-side authentication plugin to use. See Section 6.2.13, “Pluggable Authentication”.

  • --host=host_name, -h host_name

    The host on which the MySQL server is running. The value can be a host name, IPv4 address, or IPv6 address. The default value is localhost.

  • --password[=pass_val], -p[pass_val]

    The password of the MySQL account used for connecting to the server. The password value is optional. If not given, the program prompts for one. If given, there must be no space between --password= or -p and the password following it. If no password option is specified, the default is to send no password.

    Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. See Section 6.1.2.1, “End-User Guidelines for Password Security”.

    To explicitly specify that there is no password and that the client program should not prompt for one, use the --skip-password option.

  • --pipe, -W

    On Windows, connect to the server using a named pipe. This option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by the named_pipe_full_access_group system variable.

  • --plugin-dir=dir_name

    The directory in which to look for plugins. Specify this option if the --default-auth option is used to specify an authentication plugin but the client program does not find it. See Section 6.2.13, “Pluggable Authentication”.

  • --port=port_num, -P port_num

    For TCP/IP connections, the port number to use. The default port number is 3306.

  • --protocol={TCP|SOCKET|PIPE|MEMORY}

    This option explicitly specifies which protocol to use for connecting to the server. It is useful when other connection parameters normally result in use of a protocol other than the one you want. For example, connections on Unix to localhost are made using a Unix socket file by default:

    mysql --host=localhost
    

    To force a TCP/IP connection to be used instead, specify a --protocol option:

    mysql --host=localhost --protocol=TCP
    

    The following table shows the permissible --protocol option values and indicates the platforms on which each value may be used. The values are not case-sensitive.

    --protocol Value Connection Protocol Permissible Operating Systems
    TCP TCP/IP connection to local or remote server All
    SOCKET Unix socket file connection to local server Unix only
    PIPE Named-pipe connection to local or remote server Windows only
    MEMORY Shared-memory connection to local server Windows only
  • --secure-auth

    Do not send passwords to the server in old (pre-4.1) format. This prevents connections except for servers that use the newer password format.

    As of MySQL 5.7.5, this option is deprecated and will be removed in a future MySQL release. It is always enabled and attempting to disable it (--skip-secure-auth, --secure-auth=0) produces an error. Before MySQL 5.7.5, this option is enabled by default but can be disabled.

    Note

    Passwords that use the pre-4.1 hashing method are less secure than passwords that use the native password hashing method and should be avoided. Pre-4.1 passwords are deprecated and support for them was removed in MySQL 5.7.5. For account upgrade instructions, see Section 6.4.1.3, “Migrating Away from Pre-4.1 Password Hashing and the mysql_old_password Plugin”.

  • --shared-memory-base-name=name

    On Windows, the shared-memory name to use for connections made using shared memory to a local server. The default value is MYSQL. The shared-memory name is case-sensitive.

    This option applies only if the server was started with the shared_memory system variable enabled to support shared-memory connections.

  • --socket=path, -S path

    On Unix, the name of the Unix socket file to use for connections made using a named pipe to a local server. The default Unix socket file name is /tmp/mysql.sock.

    On Windows, the name of the named pipe to use for connections to a local server. The default Windows pipe name is MySQL. The pipe name is not case-sensitive.

    On Windows, this option applies only if the server was started with the named_pipe system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by the named_pipe_full_access_group system variable.

  • --user=user_name, -u user_name

    The user name of the MySQL account to use for connecting to the server. The default user name is ODBC on Windows or your Unix login name on Unix.

Command Options for Encrypted Connections

This section describes options that specify whether to use encrypted connections, the names of certificate and key files, and other parameters related to encrypted-connection support. For examples of suggested use and how to check whether a connection is encrypted, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.

For information about using encrypted connections from the MySQL C API, see Section 27.8.15, “C API Encrypted Connection Support”.

Table 4.4 Connection-Encryption Option Summary

Option Name Description Introduced
--get-server-public-key Request RSA public key from server 5.7.23
--server-public-key-path Path name to file containing RSA public key
--skip-ssl Disable connection encryption
--ssl Enable connection encryption
--ssl-ca File that contains list of trusted SSL Certificate Authorities
--ssl-capath Directory that contains trusted SSL Certificate Authority certificate files
--ssl-cert File that contains X.509 certificate
--ssl-cipher Permissible ciphers for connection encryption
--ssl-crl File that contains certificate revocation lists
--ssl-crlpath Directory that contains certificate revocation-list files
--ssl-key File that contains X.509 key
--ssl-mode Desired security state of connection to server 5.7.11
--ssl-verify-server-cert Verify host name against server certificate Common Name identity
--tls-version Permissible TLS protocols for encrypted connections 5.7.10

  • --get-server-public-key

    Request from the server the public key required for RSA key pair-based password exchange. This option applies to clients that authenticate with the caching_sha2_password authentication plugin. For that plugin, the server does not send the public key unless requested. This option is ignored for accounts that do not authenticate with that plugin. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.

    If --server-public-key-path=file_name is given and specifies a valid public key file, it takes precedence over --get-server-public-key.

    For information about the caching_sha2_password plugin, see Section 6.4.1.5, “Caching SHA-2 Pluggable Authentication”.

    The --get-server-public-key option was added in MySQL 5.7.23.

  • --server-public-key-path=file_name

    The path name to a file containing a client-side copy of the public key required by the server for RSA key pair-based password exchange. The file must be in PEM format. This option applies to clients that authenticate with the sha256_password or caching_sha2_password authentication plugin. This option is ignored for accounts that do not authenticate with one of those plugins. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.

    This option is available only if MySQL was built using OpenSSL.

    For information about the sha256_password and caching_sha2_password plugins, see Section 6.4.1.4, “SHA-256 Pluggable Authentication”, and Section 6.4.1.5, “Caching SHA-2 Pluggable Authentication”.

  • --ssl, --skip-ssl

    This option has different effects on the client and server sides.

    Note

    The client-side --ssl option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. For client programs, use --ssl-mode instead:

    The server-side --ssl option is not deprecated.

    By default, MySQL client programs attempt to establish an encrypted connection if the server supports encrypted connections, with further control available through the --ssl option: The client-side --ssl option works as follows:

    • In the absence of an --ssl option, clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established.

    • The presence of an explicit --ssl option or a synonym (--ssl=1, --enable-ssl) is prescriptive: Clients require an encrypted connection and fail if one cannot be established.

    • With an --ssl=0 option or a synonym (--skip-ssl, --disable-ssl), clients use an unencrypted connection.

    To require use of encrypted connections by a MySQL account, use CREATE USER to create the account with a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE SSL clause. This causes connection attempts by clients that use the account to be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

    The REQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see CREATE USER SSL/TLS Options.

    On the server side, the --ssl option specifies that the server permits but does not require encrypted connections. The option is enabled on the server side by default. --ssl is implied by other --ssl-xxx options, as indicated in the descriptions for those options.

    The --ssl option in negated form indicates that encryption should not be used and overrides other --ssl-xxx options. Specify the option as --skip-ssl or a synonym (--ssl=0, --disable-ssl).

    To specify additional parameters for encrypted connections, consider using at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side. See Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”, which also describes server capabilities for certificate and key file autogeneration and autodiscovery.

  • --ssl-ca=file_name

    The path name of the Certificate Authority (CA) certificate file in PEM format. On the server side, this option implies --ssl.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

  • --ssl-capath=dir_name

    The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format. On the server side, this option implies --ssl.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

    Support for this option depends on the SSL library used to compile MySQL. See Section 6.3.4, “SSL Library-Dependent Capabilities”.

  • --ssl-cert=file_name

    The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate. On the server side, this option implies --ssl.

    If the server is started with an --ssl-cert option specifying a certificate that uses any of the preceding restricted ciphers or cipher categories, the server starts with support for encrypted connections disabled.

  • --ssl-cipher=cipher_list

    The list of permissible ciphers for connection encryption. If no cipher in the list is supported, encrypted connections will not work. On the server side, this option implies --ssl.

    For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:

    --ssl-cipher=AES128-SHA
    --ssl-cipher=DHE-RSA-AES128-GCM-SHA256:AES128-SHA
    

    OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at https://www.openssl.org/docs/manmaster/man1/ciphers.html. yaSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using yaSSL.

    For information about which encryption ciphers MySQL supports, see Section 6.3.2, “Encrypted Connection Protocols and Ciphers”.

  • --ssl-crl=file_name

    The path name of the file containing certificate revocation lists in PEM format. On the server side, this option implies --ssl.

    If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    Support for this option depends on the SSL library used to compile MySQL. See Section 6.3.4, “SSL Library-Dependent Capabilities”.

  • --ssl-crlpath=dir_name

    The path name of the directory that contains certificate revocation-list files in PEM format. On the server side, this option implies --ssl.

    If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    Support for this option depends on the SSL library used to compile MySQL. See Section 6.3.4, “SSL Library-Dependent Capabilities”.

  • --ssl-key=file_name

    The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key. On the server side, this option implies --ssl.

    If the key file is protected by a passphrase, the program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.

    For better security, use a certificate with an RSA key size of at least 2048 bits.

  • --ssl-mode=mode

    This option is available only for client programs, not the server. It specifies the desired security state of the connection to the server. These mode values are permissible, in order of increasing strictness:

    • DISABLED: Establish an unencrypted connection. This is like the legacy --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

    • PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.

      Encrypted connections over Unix sockets are disabled by default, so PREFERRED does not establish an encrypted connection. To enforce encryption for Unix socket connections, use a mode of REQUIRED or stricter.

    • REQUIRED: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.

    • VERIFY_CA: Like REQUIRED, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.

    • VERIFY_IDENTITY: Like VERIFY_CA, but additionally perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client:

      • As of MySQL 5.7.23, if the client uses OpenSSL 1.0.2 or higher, the client checks whether the host name that it uses for connecting matches either the Subject Alternative Name value or the Common Name value in the server certificate.

      • Otherwise, the client checks whether the host name that it uses for connecting matches the Common Name value in the server certificate.

      The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. This is like the legacy --ssl-verify-server-cert option.

      Note

      Host name identity verification with VERIFY_IDENTITY does not work with self-signed certificates that are created automatically by the server or manually using mysql_ssl_rsa_setup (see Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.

      Host name identity verification also does not work with certificates that specify the Common Name using wildcards because that name is compared verbatim to the server name.

    The --ssl-mode option interacts with CA certificate options as follows:

    The --ssl-mode option was added in MySQL 5.7.11.

    To require use of encrypted connections by a MySQL account, use CREATE USER to create the account with a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE SSL clause. This causes connection attempts by clients that use the account to be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

    The REQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see CREATE USER SSL/TLS Options.

  • --ssl-verify-server-cert

    Note

    The --ssl-verify-server-cert option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. Use --ssl-mode=VERIFY_IDENTITY instead.

    This option is available only for client programs, not the server. It causes the client to perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client:

    • As of MySQL 5.7.23, if the client uses OpenSSL 1.0.2 or higher, the client checks whether the host name that it uses for connecting matches either the Subject Alternative Name value or the Common Name value in the server certificate.

    • Otherwise, the client checks whether the host name that it uses for connecting matches the Common Name value in the server certificate.

    The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. Host name identity verification is disabled by default.

    Note

    Host name identity verification does not work with self-signed certificates created automatically by the server, or manually using mysql_ssl_rsa_setup (see Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.

    Host name identity verification also does not work with certificates that specify the Common Name using wildcards because that name is compared verbatim to the server name.

    To specify the FIPS mode for the server, use the ssl_fips_mode system variable.

  • --tls-version=protocol_list

    For client programs, the TLS protocols the client permits for encrypted connections. The value is a list of one or more comma-separated protocol names. For example:

    mysql --tls-version="TLSv1.1,TLSv1.2"
    

    The protocols that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.3.2, “Encrypted Connection Protocols and Ciphers”.

    This option was added in MySQL 5.7.10.

    To specify which TLS protocols the server permits, use the tls_version system variable.