Skip navigation links

Additional languages
5.5.7.4 Setting Up SSL Certificates for MySQL »
Section Navigation      [Toggle]

5.5.7.3. SSL Command Options

The following list describes options that are used for specifying the use of SSL, certificate files, and key files. They can be given on the command line or in an option file. These options are not available unless MySQL has been built with SSL support. See Section 5.5.7.2, “Using SSL Connections”. (There are also --master-ssl* options that can be used for setting up a secure connection from a slave replication server to a master server; see Section 19.1.3, “Replication Options and Variables”.)

Name Cmd-Line Option file System Var Status Var Var Scope Dynamic
have_openssl     Yes   Global No
have_ssl     Yes   Global No
skip-ssl Yes Yes        
ssl Yes Yes        
ssl-ca Yes Yes     Global No
- Variable: ssl_ca     Yes   Global No
ssl-capath Yes Yes     Global No
- Variable: ssl_capath     Yes   Global No
ssl-cert Yes Yes     Global No
- Variable: ssl_cert     Yes   Global No
ssl-cipher Yes Yes     Global No
- Variable: ssl_cipher     Yes   Global No
ssl-key Yes Yes     Global No
- Variable: ssl_key     Yes   Global No
ssl-verify-server-cert Yes Yes        

  • --ssl

    For the server, this option specifies that the server allows SSL connections. For a client program, it allows the client to connect to the server using SSL. This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca option, and possibly the --ssl-cert and --ssl-key options.

    This option is more often used in its opposite form to override any other SSL options and indicate that SSL should not be used. To do this, specify the option as --skip-ssl or --ssl=0.

    Note that use of --ssl does not require an SSL connection. For example, if the server or client is compiled without SSL support, a normal unencrypted connection is used.

    The secure way to require use of an SSL connection is to create an account on the server that includes a REQUIRE SSL clause in the GRANT statement. Then use that account to connect to the server, where both the server and the client have SSL support enabled.

    The REQUIRE clause allows other SSL-related restrictions as well. The description of REQUIRE in Section 12.5.1.3, “GRANT Syntax”, provides additional detail about which SSL command options may or must be specified by clients that connect using accounts that are created using the various REQUIRE options.

  • --ssl-ca=file_name

    The path to a file that contains a list of trusted SSL CAs.

  • --ssl-capath=directory_name

    The path to a directory that contains trusted SSL CA certificates in PEM format.

  • --ssl-cert=file_name

    The name of the SSL certificate file to use for establishing a secure connection.

  • --ssl-cipher=cipher_list

    A list of allowable ciphers to use for SSL encryption. For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. Examples: 

    --ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

    This format is understood both by OpenSSL and yaSSL. OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, this extended syntax will fail if used with a MySQL installation compiled against yaSSL.

    If no cipher in the list is supported, SSL connections will not work.

  • --ssl-key=file_name

    The name of the SSL key file to use for establishing a secure connection.

  • --ssl-verify-server-cert

    This option is available for client programs. It causes the server's Common Name value in the certificate that the server sends to the client to be verified against the hostname that the client uses for connecting to the server, and the connection is rejected if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default. This option was added in MySQL 5.1.11.

As of MySQL 5.1.18, if you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established via GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to server at startup time.


User Comments

Posted by Andreas Ley on December 15 2004 1:46pm[Delete] [Edit]

It's not obvious from the documentation how to use an encrypted connection, but authenticate using passwords. Specifying --ssl (beside REQUIRE SSL) won't work, you have to use --ssl-ca, but you can omit --ssl-key and --ssl-cert from the client options. You can use anything as CA, even --ssl-ca=/dev/null - at least MySQL 4.1.7 won't check the certificate, so beware, it's encrypted, but not secured!

Posted by Christopher Weldon on May 20 2007 3:23am[Delete] [Edit]

The comment posted right below this one also serves for the server as well. Using all the appropriate options (--ssl, --ssl-ca,--ssl-key,--ssl-cert,--ssl-cipher) will still leave ssl disabled (have_openssl DISABLED). DO NOT USE --ssl when trying to start a server (at least with 5.0.40).

Posted by Jan Mönnich on July 17 2008 9:20am[Delete] [Edit]

It seems that neither --ssl-ca nor --ssl-cert allows the server to send the complete CA chain during handshake. Unfortunately the server seems to handle just one CA which isn't sufficient for most scenarios (just have a look on https://www.sun.com for example, a certification hierarchy with more than 1 CA certificate is odinary today).

Add your own comment.