Rechercher dans le manuel MySQL
4.2.3 Command Options for Connecting to the Server
This section describes options supported by most MySQL client programs that control how client programs establish connections to the server, whether connections are encrypted, and whether connections are compressed. These options can be given on the command line or in an option file.
Command Options for Connection Establishment
This section describes options that control how client programs establish connections to the server. For additional information and examples showing how to use them, see Section 4.2.4, “Connecting to the MySQL Server Using Command Options”.
Table 4.3 Connection-Establishment Option Summary
Option Name | Description | Removed |
---|---|---|
--default-auth | Authentication plugin to use | |
--host | Host on which MySQL server is located | |
--password | Password to use when connecting to server | |
--pipe | Connect to server using named pipe (Windows only) | |
--plugin-dir | Directory where plugins are installed | |
--port | TCP/IP port number for connection | |
--protocol | Connection protocol to use | |
--secure-auth | Do not send passwords to server in old (pre-4.1) format | 8.0.3 |
--shared-memory-base-name | Name of shared memory to use for shared-memory connections | |
--socket | Unix socket file or Windows named pipe to use | |
--user | MySQL user name to use when connecting to server |
A hint about which client-side authentication plugin to use. See Section 6.2.17, “Pluggable Authentication”.
--host=
,host_name
-h
host_name
The host on which the MySQL server is running. The value can be a host name, IPv4 address, or IPv6 address. The default value is
localhost
.--password[=
,pass_val
]-p[
pass_val
]The password of the MySQL account used for connecting to the server. The password value is optional. If not given, the program prompts for one. If given, there must be no space between
--password=
or-p
and the password following it. If no password option is specified, the default is to send no password.Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. See Section 6.1.2.1, “End-User Guidelines for Password Security”.
To explicitly specify that there is no password and that the client program should not prompt for one, use the
--skip-password
option.--pipe
,-W
On Windows, connect to the server using a named pipe. This option applies only if the server was started with the
named_pipe
system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by thenamed_pipe_full_access_group
system variable.The directory in which to look for plugins. Specify this option if the
--default-auth
option is used to specify an authentication plugin but the client program does not find it. See Section 6.2.17, “Pluggable Authentication”.--port=
,port_num
-P
port_num
For TCP/IP connections, the port number to use. The default port number is 3306.
--protocol={TCP|SOCKET|PIPE|MEMORY}
This option explicitly specifies which protocol to use for connecting to the server. It is useful when other connection parameters normally result in use of a protocol other than the one you want. For example, connections on Unix to
localhost
are made using a Unix socket file by default:mysql --host=localhost
To force a TCP/IP connection to be used instead, specify a
--protocol
option:mysql --host=localhost --protocol=TCP
The following table shows the permissible
--protocol
option values and indicates the platforms on which each value may be used. The values are not case-sensitive.--protocol
ValueConnection Protocol Permissible Operating Systems TCP
TCP/IP connection to local or remote server All SOCKET
Unix socket file connection to local server Unix only PIPE
Named-pipe connection to local or remote server Windows only MEMORY
Shared-memory connection to local server Windows only This option was removed in MySQL 8.0.3.
--shared-memory-base-name=
name
On Windows, the shared-memory name to use for connections made using shared memory to a local server. The default value is
MYSQL
. The shared-memory name is case-sensitive.This option applies only if the server was started with the
shared_memory
system variable enabled to support shared-memory connections.--socket=
,path
-S
path
On Unix, the name of the Unix socket file to use for connections made using a named pipe to a local server. The default Unix socket file name is
/tmp/mysql.sock
.On Windows, the name of the named pipe to use for connections to a local server. The default Windows pipe name is
MySQL
. The pipe name is not case-sensitive.On Windows, this option applies only if the server was started with the
named_pipe
system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by thenamed_pipe_full_access_group
system variable.--user=
,user_name
-u
user_name
The user name of the MySQL account to use for connecting to the server. The default user name is
ODBC
on Windows or your Unix login name on Unix.
This section describes options that specify whether to use encrypted connections, the names of certificate and key files, and other parameters related to encrypted-connection support. For examples of suggested use and how to check whether a connection is encrypted, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
For information about using encrypted connections from the MySQL C API, see Section 28.7.22, “C API Encrypted Connection Support”.
Table 4.4 Connection-Encryption Option Summary
Option Name | Description | Introduced |
---|---|---|
--get-server-public-key | Request RSA public key from server | 8.0.3 |
--server-public-key-path | Path name to file containing RSA public key | |
--skip-ssl | Disable connection encryption | |
--ssl | Enable connection encryption | |
--ssl-ca | File that contains list of trusted SSL Certificate Authorities | |
--ssl-capath | Directory that contains trusted SSL Certificate Authority certificate files | |
--ssl-cert | File that contains X.509 certificate | |
--ssl-cipher | Permissible ciphers for connection encryption | |
--ssl-crl | File that contains certificate revocation lists | |
--ssl-crlpath | Directory that contains certificate revocation-list files | |
--ssl-fips-mode | Whether to enable FIPS mode on client side | 8.0.11 |
--ssl-key | File that contains X.509 key | |
--ssl-mode | Desired security state of connection to server | |
--tls-ciphersuites | Permissible TLSv1.3 ciphersuites for encrypted connections | 8.0.16 |
--tls-version | Permissible TLS protocols for encrypted connections |
Request from the server the public key required for RSA key pair-based password exchange. This option applies to clients that authenticate with the
caching_sha2_password
authentication plugin. For that plugin, the server does not send the public key unless requested. This option is ignored for accounts that do not authenticate with that plugin. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.If
--server-public-key-path=
is given and specifies a valid public key file, it takes precedence overfile_name
--get-server-public-key
.For information about the
caching_sha2_password
plugin, see Section 6.4.1.3, “Caching SHA-2 Pluggable Authentication”.--server-public-key-path=
file_name
The path name to a file containing a client-side copy of the public key required by the server for RSA key pair-based password exchange. The file must be in PEM format. This option applies to clients that authenticate with the
sha256_password
orcaching_sha2_password
authentication plugin. This option is ignored for accounts that do not authenticate with one of those plugins. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.If
--server-public-key-path=
is given and specifies a valid public key file, it takes precedence overfile_name
--get-server-public-key
.This option is available only if MySQL was built using OpenSSL.
For information about the
sha256_password
andcaching_sha2_password
plugins, see Section 6.4.1.2, “SHA-256 Pluggable Authentication”, and Section 6.4.1.3, “Caching SHA-2 Pluggable Authentication”.-
Note
The client-side
--ssl
option is removed in MySQL 8.0. For client programs, use--ssl-mode
instead.On the server side, the
--ssl
option specifies that the server permits but does not require encrypted connections. The option is enabled on the server side by default.--ssl
is implied by other--ssl-
options, as indicated in the descriptions for those options.xxx
The
--ssl
option can be specified in negated form as--skip-ssl
or a synonym (--ssl=0
,--disable-ssl
). In this case, the option specifies that the server does not permit encrypted connections and overrides other--ssl-
options.xxx
To specify additional parameters for encrypted connections, consider using at least
--ssl-cert
and--ssl-key
on the server side and--ssl-ca
on the client side. See Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”, which also describes server capabilities for certificate and key file autogeneration and autodiscovery. The path name of the Certificate Authority (CA) certificate file in PEM format. On the server side, this option implies
--ssl
.To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither
--ssl-ca
nor--ssl-capath
. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any--ssl-ca
or--ssl-capath
option values specified on the server side.The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format. On the server side, this option implies
--ssl
.To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither
--ssl-ca
nor--ssl-capath
. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any--ssl-ca
or--ssl-capath
option values specified on the server side.The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate. On the server side, this option implies
--ssl
.If the server is started with an
--ssl-cert
option specifying a certificate that uses any of the preceding restricted ciphers or cipher categories, the server starts with support for encrypted connections disabled.The list of permissible ciphers for connection encryption. If no cipher in the list is supported, encrypted connections will not work. On the server side, this option implies
--ssl
.For greatest portability,
cipher_list
should be a list of one or more cipher names, separated by colons. Examples:--ssl-cipher=AES128-SHA --ssl-cipher=DHE-RSA-AES128-GCM-SHA256:AES128-SHA
OpenSSL supports the syntax for specifying ciphers described in the OpenSSL documentation at https://www.openssl.org/docs/manmaster/man1/ciphers.html.
For information about which encryption ciphers MySQL supports, see Section 6.3.2, “Encrypted Connection Protocols and Ciphers”.
The path name of the file containing certificate revocation lists in PEM format. On the server side, this option implies
--ssl
.If neither
--ssl-crl
nor--ssl-crlpath
is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.The path name of the directory that contains certificate revocation-list files in PEM format. On the server side, this option implies
--ssl
.If neither
--ssl-crl
nor--ssl-crlpath
is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.--ssl-fips-mode={OFF|ON|STRICT}
Controls whether to enable FIPS mode on the client side. The
--ssl-fips-mode
option differs from other--ssl-
options in that it is not used to establish encrypted connections, but rather to affect which cryptographic operations are permitted. See Section 6.5, “FIPS Support”.xxx
These
--ssl-fips-mode
values are permissible:OFF
: Disable FIPS mode.ON
: Enable FIPS mode.STRICT
: Enable “strict” FIPS mode.
NoteIf the OpenSSL FIPS Object Module is not available, the only permissible value for
--ssl-fips-mode
isOFF
. In this case, setting--ssl-fips-mode
toON
orSTRICT
causes the client to produce a warning at startup and to operate in non-FIPS mode.To specify the FIPS mode for the server, use the
ssl_fips_mode
system variable.The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key. On the server side, this option implies
--ssl
.If the key file is protected by a passphrase, the program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.
For better security, use a certificate with an RSA key size of at least 2048 bits.
This option is available only for client programs, not the server. It specifies the desired security state of the connection to the server. These mode values are permissible, in order of increasing strictness:
DISABLED
: Establish an unencrypted connection.PREFERRED
: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if--ssl-mode
is not specified.Encrypted connections over Unix sockets are disabled by default, so
PREFERRED
does not establish an encrypted connection. To enforce encryption for Unix socket connections, use a mode ofREQUIRED
or stricter.REQUIRED
: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.VERIFY_CA
: LikeREQUIRED
, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.VERIFY_IDENTITY
: LikeVERIFY_CA
, but additionally perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client:As of MySQL 8.0.12, if the client uses OpenSSL 1.0.2 or higher, the client checks whether the host name that it uses for connecting matches either the Subject Alternative Name value or the Common Name value in the server certificate.
Otherwise, the client checks whether the host name that it uses for connecting matches the Common Name value in the server certificate.
The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks.
NoteHost name identity verification with
VERIFY_IDENTITY
does not work with self-signed certificates that are created automatically by the server or manually using mysql_ssl_rsa_setup (see Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.Host name identity verification also does not work with certificates that specify the Common Name using wildcards because that name is compared verbatim to the server name.
The
--ssl-mode
option interacts with CA certificate options as follows:If
--ssl-mode
is not explicitly set otherwise, use of--ssl-ca
or--ssl-capath
implies--ssl-mode=VERIFY_CA
.For
--ssl-mode
values ofVERIFY_CA
orVERIFY_IDENTITY
,--ssl-ca
or--ssl-capath
is also required, to supply a CA certificate that matches the one used by the server.An explicit
--ssl-mode
option with a value other thanVERIFY_CA
orVERIFY_IDENTITY
, together with an explicit--ssl-ca
or--ssl-capath
option, produces a warning that no verification of the server certificate will be done, despite a CA certificate option being specified.
To require use of encrypted connections by a MySQL account, use
CREATE USER
to create the account with aREQUIRE SSL
clause, or useALTER USER
for an existing account to add aREQUIRE SSL
clause. This causes connection attempts by clients that use the account to be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.The
REQUIRE
clause permits other encryption-related options, which can be used to enforce security requirements stricter thanREQUIRE SSL
. For additional details about which command options may or must be specified by clients that connect using accounts configured using the variousREQUIRE
options, see CREATE USER SSL/TLS Options.--tls-ciphersuites=
ciphersuite_list
For client programs, the permissible TLSv1.3 ciphersuites for encrypted connections. The value is a list of one or more colon-separated ciphersuite names. For example:
mysql --tls-ciphersuites="suite1:suite2:suite3"
The ciphersuites that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.3.2, “Encrypted Connection Protocols and Ciphers”.
This option was added in MySQL 8.0.16.
To specify which ciphersuites the server permits, use the
tls_ciphersuites
system variable.For client programs, the TLS protocols the client permits for encrypted connections. The value is a list of one or more comma-separated protocol names. For example:
mysql --tls-version="TLSv1.1,TLSv1.2"
The protocols that can be named for this option depend on the SSL library used to compile MySQL. Permitted protocols should be chosen such as not to leave “holes” in the list. For example, these values do not have holes:
--tls-version="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3" --tls-version="TLSv1.1,TLSv1.2,TLSv1.3" --tls-version="TLSv1.2,TLSv1.3" --tls-version="TLSv1.3"
These values do have holes and should not be used:
--tls-version="TLSv1,TLSv1.2" --tls-version="TLSv1.1,TLSv1.3"
For details, see Section 6.3.2, “Encrypted Connection Protocols and Ciphers”.
To specify which TLS protocols the server permits, use the
tls_version
system variable.
This section describes options that enable client programs to control use of compression for connections to the server. For additional information and examples showing how to use them, see Section 4.2.6, “Connection Compression Control”.
Table 4.5 Connection-Compression Option Summary
Option Name | Description | Introduced | Deprecated |
---|---|---|---|
--compress | Compress all information sent between client and server | 8.0.18 | |
--compression-algorithms | Permitted compression algorithms for connections to server | 8.0.18 | |
--zstd-compression-level | Compression level for connections to server that use zstd compression | 8.0.18 |
--compress
,-C
Compress all information sent between the client and the server if possible.
As of MySQL 8.0.18, this option is deprecated. It will be removed in a future MySQL version. See Legacy Connection Compression Configuration.
--compression-algorithms=
value
The permitted compression algorithms for connections to the server. The available algorithms are the same as for the
protocol_compression_algorithms
system variable. The default value isuncompressed
.This option was added in MySQL 8.0.18.
--zstd-compression-level=
level
The compression level to use for connections to the server that use the
zstd
compression algorithm. The permitted levels are from 1 to 22, with larger values indicating increasing levels of compression. The defaultzstd
compression level is 3. The compression level setting has no effect on connections that do not usezstd
compression.This option was added in MySQL 8.0.18.
Document created the 26/06/2006, last modified the 26/10/2018
Source of the printed document:https://www.gaudry.be/en/mysql-rf-connection-options.html
The infobrol is a personal site whose content is my sole responsibility. The text is available under CreativeCommons license (BY-NC-SA). More info on the terms of use and the author.
References
These references and links indicate documents consulted during the writing of this page, or which may provide additional information, but the authors of these sources can not be held responsible for the content of this page.
The author This site is solely responsible for the way in which the various concepts, and the freedoms that are taken with the reference works, are presented here. Remember that you must cross multiple source information to reduce the risk of errors.