To use SSL connections between the MySQL server and client programs, your system must support either OpenSSL or yaSSL and your version of MySQL must be built with SSL support.
To make it easier to use secure connections, MySQL is bundled with yaSSL. (MySQL and yaSSL employ the same licensing model, whereas OpenSSL uses an Apache-style license.) yaSSL support initially was available only for a few platforms, but now it is available on all MySQL platforms supported by Sun Microsystems, Inc.
To get secure connections to work with MySQL and SSL, you must do the following:
If you are not using a binary (precompiled) version of MySQL that has been built with SSL support, and you are going to use OpenSSL rather than the bundled yaSSL library, install OpenSSL if it has not already been installed. We have tested MySQL with OpenSSL 0.9.6. To obtain OpenSSL, visit http://www.openssl.org.
Building MySQL using OpenSSL requires a shared OpenSSL library, otherwise linker errors occur. Alternatively, build MySQL using yaSSL.
If you are not using a binary (precompiled) version of MySQL that has been built with SSL support, configure a MySQL source distribution to use SSL. When you configure MySQL, invoke the configure script like this:
shell> ./configure --with-ssl
That configures the distribution to use the bundled yaSSL
library. To use OpenSSL instead, specify the
--with-ssl
option with the path to the
directory where the OpenSSL header files and libraries are
located:
shell> ./configure --with-ssl=path
Before MySQL 5.1.11, you must use the appropriate option to select the SSL library that you want to use.
For yaSSL:
shell> ./configure --with-yassl
For OpenSSL:
shell> ./configure --with-openssl
Note that yaSSL support on Unix platforms requires that
either /dev/urandom
or
/dev/random
be available to retrieve
true random numbers. For additional information (especially
regarding yaSSL on Solaris versions prior to 2.8 and HP-UX),
see Bug#13164.
Make sure that the user
in the
mysql
database includes the SSL-related
columns (beginning with ssl_
and
x509_
). If your user
table does not have these columns, it must be upgraded; see
Section 4.4.8, “mysql_upgrade — Check Tables for MySQL Upgrade”.
To check whether a server binary is compiled with SSL
support, invoke it with the
--ssl
option. An error will
occur if the server does not support SSL:
shell> mysqld --ssl --help
060525 14:18:52 [ERROR] mysqld: unknown option '--ssl'
To check whether a running mysqld server
supports SSL, examine the value of the
have_ssl
system variable
(if you have no have_ssl
variable, check for
have_openssl
):
mysql> SHOW VARIABLES LIKE 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl | YES |
+---------------+-------+
If the value is YES
, the server supports
SSL connections. If the value is
DISABLED
, the server supports SSL
connections but was not started with the appropriate
--ssl-
options (described later in this section).
xxx
To enable SSL connections, the proper SSL-related options must be used (see Section 5.5.7.3, “SSL Command Options”).
To start the MySQL server so that it allows clients to connect via SSL, use the options that identify the key and certificate files the server needs when establishing a secure connection:
shell>mysqld --ssl-ca=
cacert.pem
\--ssl-cert=
server-cert.pem
\--ssl-key=
server-key.pem
--ssl-ca
identifies the
Certificate Authority (CA) certificate.
--ssl-cert
identifies the
server public key. This can be sent to the client and
authenticated against the CA certificate that it has.
--ssl-key
identifies the
server private key.
To establish a secure connection to a MySQL server with SSL
support, the options that a client must specify depend on the
SSL requirements of the user account that the client uses. (See
the discussion of the REQUIRE
clause in
Section 12.5.1.3, “GRANT
Syntax”.)
If the account has no special SSL requirements or was created
using a GRANT
statement that
includes the REQUIRE SSL
option, a client can
connect securely by using just the
--ssl-ca
option:
shell> mysql --ssl-ca=cacert.pem
To require that a client certificate also be specified, create
the account using the REQUIRE X509
option.
Then the client must also specify the proper client key and
certificate files or the server will reject the connection:
shell>mysql --ssl-ca=
cacert.pem
\--ssl-cert=
client-cert.pem
\--ssl-key=
client-key.pem
In other words, the options are similar to those used for the server. Note that the Certificate Authority certificate has to be the same.
A client can determine whether the current connection with the
server uses SSL by checking the value of the
Ssl_cipher
status variable.
The value of Ssl_cipher
is
nonempty if SSL is used, and empty otherwise. For example:
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value |
+---------------+--------------------+
| Ssl_cipher | DHE-RSA-AES256-SHA |
+---------------+--------------------+
For the mysql client, you can use the
STATUS
or \s
command and
check the SSL
line:
mysql> \s
...
SSL: Not in use
...
Or:
mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
To establish a secure connection from within an application
program, use the mysql_ssl_set()
C API function to set the appropriate certificate options before
calling mysql_real_connect()
.
See Section 20.10.3.67, “mysql_ssl_set()
”. After the connection is
established, you can use
mysql_get_ssl_cipher()
to
determine whether SSL is in use. A non-NULL
return value indicates a secure connection and names the SSL
cipher used for encryption. A NULL
return
value indicates that SSL is not being used. See
Section 20.10.3.33, “mysql_get_ssl_cipher()
”.
User Comments
Add your own comment.