MySQL Shell 8.0 (part of MySQL 8.0)
Using encrypted connections is possible when connecting to a TLS (sometimes referred to as SSL) enabled MySQL server. Much of the configuration of MySQL Shell is based on the options used by MySQL server; see Using Encrypted Connections for more information.
To configure an encrypted connection at startup of MySQL Shell, use the following command options:
--ssl: Deprecated, to be removed in a future version. Use --ssl-mode. This option enables or disables encrypted connections.
--ssl-mode: This option specifies the desired security state of the connection to the server.
--ssl-ca=file_name: The path to a file in PEM format that contains a list of trusted SSL Certificate Authorities.
--ssl-capath=dir_name: The path to a directory that contains trusted SSL Certificate Authority certificates in PEM format.
--ssl-cert=file_name: The name of the SSL certificate file in PEM format to use for establishing an encrypted connection.
--ssl-cipher=name: The name of the SSL cipher to use for establishing an encrypted connection.
--ssl-key=file_name: The name of the SSL key file in PEM format to use for establishing an encrypted connection.
--ssl-crl=name: The path to a file containing certificate revocation lists in PEM format.
--ssl-crlpath=dir_name: The path to a directory that contains files containing certificate revocation lists in PEM format.
--tls-version=version: The TLS protocols permitted for encrypted connections, specified as a comma separated list. For example --tls-version=TLSv1.1,TLSv1.2.
--tls-ciphersuites=suites: The TLS cipher suites permitted for encrypted connections, specified as a colon separated list of TLS cipher suite names. For example --tls-ciphersuites=TLS_DHE_PSK_WITH_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256. Added in version 8.0.18.
Alternatively, the SSL options can be encoded in the query element of a URI-like connection string. The available SSL options are the same as those listed above, but written without the preceding hyphens. For example, ssl-ca is the equivalent of --ssl-ca.
Paths specified in a URI-like string must be percent encoded, for example:
ssluser@127.0.0.1?ssl-ca%3D%2Froot%2Fclientcert%2Fca-cert.pem%26ssl-cert%3D%2Froot%2Fclientcert%2Fclient-cert.pem%26ssl-key%3D%2Froot%2Fclientcert%2Fclient-key.pem
See Connecting to the Server Using URI-Like Strings or Key-Value Pairs for more information.
To establish an encrypted connection for a scripting session in JavaScript or Python mode, set the SSL information in the connectionData dictionary. For example:
mysql-js> var session=mysqlx.getSession({host: 'localhost',
                                         user: 'root',
                                         password: 'password',
                                         ssl_ca: "path_to_ca_file",
                                         ssl_cert: "path_to_cert_file",
                                         ssl_key: "path_to_key_file"});
Sessions created using mysqlx.getSession(), mysql.getSession(), or mysql.getClassicSession() use ssl-mode=REQUIRED as the default if no ssl-mode is provided, and neither ssl-ca nor ssl-capath is provided. If no ssl-mode is provided and either ssl-ca or ssl-capath is provided, created sessions default to ssl-mode=VERIFY_CA.
See Connecting Using Key-Value Pairs for more information.
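The default rule above decides whether a session verifies the server certificate at all, so it is worth checking a connectionData dictionary before it reaches getSession(). The following is an added example, not code from the MySQL documentation: plain JavaScript that calls no MySQL Shell API, where the helpers opt, effectiveSslMode and auditConnectionData are hypothetical names, accepting both the hyphenated and underscored key spellings and a tls-version dictionary key are assumptions, and the per-mode properties follow the MySQL client ssl-mode definitions.

```javascript
// Added example: plain JavaScript, no MySQL Shell APIs are called.
// Per-mode guarantees, following the MySQL client ssl-mode definitions.
const MODES = {
  DISABLED:        { guaranteesEncryption: false, verifiesCa: false, verifiesHost: false },
  PREFERRED:       { guaranteesEncryption: false, verifiesCa: false, verifiesHost: false }, // may fall back to plaintext
  REQUIRED:        { guaranteesEncryption: true,  verifiesCa: false, verifiesHost: false },
  VERIFY_CA:       { guaranteesEncryption: true,  verifiesCa: true,  verifiesHost: false },
  VERIFY_IDENTITY: { guaranteesEncryption: true,  verifiesCa: true,  verifiesHost: true  },
};

// Hypothetical helper: read an option under either spelling (ssl-ca / ssl_ca).
function opt(connectionData, name) {
  const v = connectionData[name] ?? connectionData[name.replace(/-/g, '_')];
  return v === undefined || v === '' ? undefined : String(v);
}

// Default rule from the text above: an explicit ssl-mode wins; otherwise
// VERIFY_CA when ssl-ca or ssl-capath is given, else REQUIRED.
function effectiveSslMode(connectionData) {
  const explicit = opt(connectionData, 'ssl-mode');
  if (explicit !== undefined) return explicit.toUpperCase();
  const hasCa = opt(connectionData, 'ssl-ca') !== undefined ||
                opt(connectionData, 'ssl-capath') !== undefined;
  return hasCa ? 'VERIFY_CA' : 'REQUIRED';
}

// Hypothetical audit: effective mode plus the findings a reviewer would raise.
function auditConnectionData(connectionData) {
  const mode = effectiveSslMode(connectionData);
  const props = MODES[mode];
  if (!props) return { mode, findings: [`unknown ssl-mode "${mode}"`] };
  const findings = [];
  if (!props.guaranteesEncryption) {
    findings.push(`${mode}: traffic can be sent unencrypted`);
  } else if (!props.verifiesCa) {
    findings.push(`${mode}: encrypted, but the server certificate is not verified`);
  } else if (!props.verifiesHost) {
    findings.push(`${mode}: CA is verified, the server host name is not`);
  }
  // TLS 1.0 and 1.1 are deprecated by RFC 8996.
  const versions = (opt(connectionData, 'tls-version') || '').split(',').map(s => s.trim());
  for (const v of versions) {
    if (v === 'TLSv1' || v === 'TLSv1.1') findings.push(`${v} is deprecated (RFC 8996)`);
  }
  return { mode, findings };
}
```

A dictionary with no SSL keys audits as REQUIRED with one finding (no certificate verification); adding ssl_ca moves it to VERIFY_CA, and only an explicit VERIFY_IDENTITY with no deprecated TLS version returns an empty findings list.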