To use SSL connections between the MySQL server and client programs, your system must support OpenSSL and your version of MySQL must be 4.0.0 or newer and built with SSL support.
To get secure connections to work with MySQL and SSL, you must do the following:
Install the OpenSSL library if it has not already been installed. We have tested MySQL with OpenSSL 0.9.6. To obtain OpenSSL, visit http://www.openssl.org.
Building MySQL using OpenSSL requires a shared OpenSSL library, otherwise linker errors occur.
If you are not using a binary (precompiled) version of MySQL that has been built with SSL support, configure a MySQL source distribution to use SSL. When you configure MySQL, invoke the configure script with the --with-vio and --with-openssl options:
shell> ./configure --with-vio --with-openssl
Make sure that the user table in the mysql database includes the SSL-related columns (those whose names begin with ssl_ and x509_). If your user table does not have these columns, it must be upgraded; see Section 4.4.5, “mysql_fix_privilege_tables — Upgrade MySQL System Tables”.
To check whether a server binary is compiled with SSL support, invoke it with the --ssl option. An error occurs if the server does not support SSL:
shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'
To check whether a running mysqld server supports SSL, examine the value of the have_openssl system variable:
mysql> SHOW VARIABLES LIKE 'have_openssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
If the value is YES, the server supports OpenSSL connections.
To enable SSL connections, the proper SSL-related options must be used (see Section 5.6.6.3, “SSL Command Options”).
To start the MySQL server so that it allows clients to connect via SSL, use the options that identify the key and certificate files the server needs when establishing a secure connection:
shell> mysqld --ssl-ca=ca-cert.pem \
         --ssl-cert=server-cert.pem \
         --ssl-key=server-key.pem
--ssl-ca identifies the Certificate Authority (CA) certificate.
--ssl-cert identifies the server public key certificate. It is sent to the client, which verifies it against its own copy of the CA certificate.
--ssl-key identifies the server private key.
To establish a secure connection to a MySQL server with SSL support, the options that a client must specify depend on the SSL requirements of the user account that the client uses. (See the discussion of the REQUIRE clause in Section 12.4.1.2, “GRANT Syntax”.)
If the account has no special SSL requirements or was created using a GRANT statement that includes the REQUIRE SSL option, a client can connect securely by using just the --ssl-ca option:
shell> mysql --ssl-ca=ca-cert.pem
To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:
shell> mysql --ssl-ca=ca-cert.pem \
        --ssl-cert=client-cert.pem \
        --ssl-key=client-key.pem
In other words, the options are similar to those used for the server. Note that the Certificate Authority certificate has to be the same.
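The following statements, added here as an example and not taken from the manual, show how the account-side requirements described above are expressed in GRANT, and how to confirm that they took effect. The account names, the database name appdb, and the password are placeholders chosen for this example.

```sql
-- Added example, not from the manual. Account names, appdb and the
-- password are placeholders.

-- Weak: no REQUIRE clause, so the server also accepts this account
-- over an unencrypted connection.
GRANT SELECT ON appdb.* TO 'app_plain'@'%' IDENTIFIED BY 'CHANGE_ME';

-- The connection must be SSL-encrypted; the client needs only --ssl-ca.
GRANT SELECT ON appdb.* TO 'app_ssl'@'%' IDENTIFIED BY 'CHANGE_ME'
  REQUIRE SSL;

-- The client must additionally present a certificate that the server
-- verifies against the same CA (--ssl-cert and --ssl-key on the client).
GRANT SELECT ON appdb.* TO 'app_x509'@'%' IDENTIFIED BY 'CHANGE_ME'
  REQUIRE X509;

-- Confirm the requirement was recorded: the output of SHOW GRANTS ends
-- with REQUIRE SSL or REQUIRE X509 for the two protected accounts.
SHOW GRANTS FOR 'app_ssl'@'%';
SHOW GRANTS FOR 'app_x509'@'%';

-- The same information lives in the ssl_type column of the user table
-- mentioned earlier: '' for no requirement, 'ANY' for REQUIRE SSL,
-- 'X509' for REQUIRE X509.
SELECT User, Host, ssl_type
  FROM mysql.user
 WHERE User IN ('app_plain', 'app_ssl', 'app_x509');

-- From a session opened as one of these accounts, a nonempty Ssl_cipher
-- confirms that the connection really is encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
```

The 'app_plain' account is included only as the contrast case: because nothing forces it onto SSL, a client that omits the --ssl-* options still gets in over plaintext, so an account that is meant to be reachable only over an encrypted channel should carry at least REQUIRE SSL.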
A client can determine whether the current connection with the server uses SSL by checking the value of the Ssl_cipher status variable. The value of Ssl_cipher is nonempty if SSL is used, and empty otherwise. For example:
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
For the mysql client, you can use the STATUS or \s command and check the SSL line:
mysql> \s
...
SSL:                    Not in use
...
Or:
mysql> \s
...
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
...
To establish a secure connection from within an application program, use the mysql_ssl_set() C API function to set the appropriate certificate options before calling mysql_real_connect(). See Section 17.6.3.65, “mysql_ssl_set()”.