6.4.2 Command Options for Encrypted Connections
This section describes options that specify whether to use encrypted connections, the names of certificate and key files, and other parameters related to encrypted-connection support. These options can be given on the command line or in an option file. For examples of suggested use and how to check whether a connection is encrypted, see Section 6.4.1, “Configuring MySQL to Use Encrypted Connections”.
For information about using encrypted connections from the MySQL C API, see Section 28.7.18, “C API Encrypted Connection Support”.
Table 6.11 Encrypted-Connection Option Summary

Format | Description | Introduced |
---|---|---|
--skip-ssl | Do not use encrypted connection | |
--ssl | Enable encrypted connection | |
--ssl-ca | File that contains list of trusted SSL Certificate Authorities | |
--ssl-capath | Directory that contains trusted SSL Certificate Authority certificate files | |
--ssl-cert | File that contains X.509 certificate | |
--ssl-cipher | List of permitted ciphers for connection encryption | |
--ssl-crl | File that contains certificate revocation lists | |
--ssl-crlpath | Directory that contains certificate revocation list files | |
--ssl-fips-mode | Whether to enable FIPS mode on the client side | 8.0.11 |
--ssl-key | File that contains X.509 key | |
--ssl-mode | Security state of connection to server | |
--tls-version | Protocols permitted for encrypted connections | |
--ssl

Note

The client-side --ssl option is removed in MySQL 8.0. For client programs, use --ssl-mode instead.

On the server side, the --ssl option specifies that the server permits but does not require encrypted connections. The option is enabled on the server side by default. --ssl is implied by other --ssl-xxx options, as indicated in the descriptions for those options.

The --ssl option in negated form indicates that encryption should not be used and overrides other --ssl-xxx options. Specify the option as --ssl=0 or a synonym (--skip-ssl, --disable-ssl).

To specify additional parameters for encrypted connections, use at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side. See Section 6.4.1, “Configuring MySQL to Use Encrypted Connections”. That section also describes server capabilities for certificate and key file autogeneration and autodiscovery.

--ssl-ca=file_name

The path name of the Certificate Authority (CA) certificate file in PEM format. On the server side, this option implies --ssl.

To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

--ssl-capath=dir_name

The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format. On the server side, this option implies --ssl.

To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses any --ssl-ca or --ssl-capath option values specified on the server side.

MySQL distributions compiled using OpenSSL support the --ssl-capath option (see Section 6.4.4, “OpenSSL Versus wolfSSL”). Distributions compiled using wolfSSL do not, because wolfSSL does not look in any directory and does not follow a chained certificate tree. wolfSSL requires that all components of the CA certificate tree be contained within a single CA certificate file and that each certificate in the file has a unique SubjectName value. To work around this wolfSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option.

--ssl-cert=file_name

The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate. On the server side, this option implies --ssl.

--ssl-cipher=cipher_list

The list of permitted ciphers for connection encryption. If no cipher in the list is supported, encrypted connections will not work. On the server side, this option implies --ssl.

For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. Examples:

--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES128-GCM-SHA256:AES128-SHA

OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at https://www.openssl.org/docs/manmaster/man1/ciphers.html. wolfSSL does not, so attempts to use that extended syntax fail for a MySQL distribution compiled using wolfSSL.

For information about which encryption ciphers MySQL supports, see Section 6.4.6, “Encrypted Connection Protocols and Ciphers”.
--ssl-crl=file_name

The path name of the file containing certificate revocation lists in PEM format. On the server side, this option implies --ssl.

If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

MySQL distributions compiled using OpenSSL support the --ssl-crl option (see Section 6.4.4, “OpenSSL Versus wolfSSL”). Distributions compiled using wolfSSL do not, because revocation lists do not work with wolfSSL.

--ssl-crlpath=dir_name

The path name of the directory that contains certificate revocation list files in PEM format. On the server side, this option implies --ssl.

If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

MySQL distributions compiled using OpenSSL support the --ssl-crlpath option (see Section 6.4.4, “OpenSSL Versus wolfSSL”). Distributions compiled using wolfSSL do not, because revocation lists do not work with wolfSSL.

--ssl-fips-mode={OFF|ON|STRICT}

Controls whether to enable FIPS mode on the client side. The --ssl-fips-mode option differs from other --ssl-xxx options in that it is not used to establish encrypted connections, but rather to affect which cryptographic operations are permitted. See Section 6.6, “FIPS Support”.

These --ssl-fips-mode values are permitted:

OFF: Disable FIPS mode.
ON: Enable FIPS mode.
STRICT: Enable “strict” FIPS mode.

Note

If the OpenSSL FIPS Object Module is not available, the only permitted value for --ssl-fips-mode is OFF. In this case, setting --ssl-fips-mode to ON or STRICT causes the client to produce a warning at startup and to operate in non-FIPS mode.

--ssl-key=file_name

The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key. On the server side, this option implies --ssl.

If the key file is protected by a passphrase, the program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.

For better security, use a certificate with an RSA key size of at least 2048 bits.
--ssl-mode=mode

This option is available only for client programs, not the server. It specifies the security state of the connection to the server. These option values are permitted:

PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.

Encrypted connections over Unix sockets are disabled by default, so PREFERRED does not establish an encrypted connection. To enforce encryption for Unix socket connections, use REQUIRED or above.

REQUIRED: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.

VERIFY_CA: Like REQUIRED, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.

VERIFY_IDENTITY: Like VERIFY_CA, but additionally perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client:

As of MySQL 8.0.12, if the client uses OpenSSL 1.0.2 or higher, the client checks whether the host name that it uses for connecting matches either the Subject Alternative Name value or the Common Name value in the server certificate.

Otherwise, the client checks whether the host name that it uses for connecting matches the Common Name value in the server certificate.

The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks.

Note

Host name identity verification with VERIFY_IDENTITY does not work with self-signed certificates created automatically by the server, or manually using mysql_ssl_rsa_setup (see Section 6.4.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.

Host name identity verification also does not work with certificates that specify the Common Name using wildcards, because that name is compared verbatim to the server name.

DISABLED: Establish an unencrypted connection.
The --ssl-mode option interacts with CA certificate options as follows:

If --ssl-mode is not explicitly set otherwise, use of --ssl-ca or --ssl-capath implies --ssl-mode=VERIFY_CA.

For --ssl-mode values of VERIFY_CA or VERIFY_IDENTITY, --ssl-ca or --ssl-capath is also required, to supply a CA certificate that matches the one used by the server.

An explicit --ssl-mode option with a value other than VERIFY_CA or VERIFY_IDENTITY, together with an explicit --ssl-ca or --ssl-capath option, produces a warning that no verification of the server certificate will be done, despite a CA certificate option being specified.
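The interaction rules above, together with the earlier statements about PREFERRED over Unix sockets, CRL checking, the options wolfSSL builds lack, and the portable colon-separated form of --ssl-cipher, as an added pre-flight check (not code from the MySQL manual or the MySQL project) that a deployment script can run over a client's option set before it is rolled out. The function names, the Plan dataclass, and the ssl_library and unix_socket parameters are this example's own; the sample option set in the main block is constructed.

```python
"""Pre-flight check for MySQL 8.0 client encrypted-connection options.

Added example; not code from the MySQL manual or the MySQL project. It
encodes the rules stated in the text above: the --ssl-mode / CA-option
interaction (implied VERIFY_CA, CA option required for VERIFY_*, warning
when a CA option is given without a verifying mode), PREFERRED over Unix
sockets, CRL checking only with --ssl-crl/--ssl-crlpath, the options the
manual says wolfSSL builds lack, and the portable colon-separated form
of --ssl-cipher. Function names and the ssl_library/unix_socket
parameters are this example's own inventions.
"""
import re
from dataclasses import dataclass, field

VERIFY_MODES = {"VERIFY_CA", "VERIFY_IDENTITY"}
ALL_MODES = {"DISABLED", "PREFERRED", "REQUIRED"} | VERIFY_MODES
# Options the manual text states are unsupported in wolfSSL-built distributions.
WOLFSSL_UNSUPPORTED = {"ssl-capath", "ssl-crl", "ssl-crlpath"}
# Heuristic for a plain cipher suite name: words joined by '-' or '_'
# (AES128-SHA, TLS_AES_256_GCM_SHA384). Keywords (HIGH, aNULL) and the
# OpenSSL operators '!', '+', '-', '@' do not match.
PLAIN_CIPHER_NAME = re.compile(r"^[A-Za-z0-9]+(?:[-_][A-Za-z0-9]+)+$")


@dataclass
class Plan:
    effective_mode: str
    warnings: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    argv: list = field(default_factory=list)


def is_portable_cipher_list(cipher_list):
    """True when every colon-separated element is a plain cipher name."""
    return all(PLAIN_CIPHER_NAME.match(tok) for tok in cipher_list.split(":"))


def plan_client_options(opts, ssl_library="openssl", unix_socket=False):
    """opts maps option names without the leading '--' to their values,
    e.g. {"ssl-mode": "VERIFY_IDENTITY", "ssl-ca": "/etc/mysql/ca.pem"}."""
    explicit_mode = opts.get("ssl-mode")
    has_ca = "ssl-ca" in opts or "ssl-capath" in opts
    has_crl = "ssl-crl" in opts or "ssl-crlpath" in opts
    plan = Plan(effective_mode="PREFERRED")

    if explicit_mode is not None and explicit_mode not in ALL_MODES:
        plan.errors.append(f"unknown --ssl-mode value {explicit_mode!r}")
        return plan

    # Without an explicit --ssl-mode, a CA option implies VERIFY_CA;
    # otherwise the default is PREFERRED.
    if explicit_mode is None:
        plan.effective_mode = "VERIFY_CA" if has_ca else "PREFERRED"
    else:
        plan.effective_mode = explicit_mode

    # VERIFY_CA and VERIFY_IDENTITY need a CA certificate to verify against.
    if plan.effective_mode in VERIFY_MODES and not has_ca:
        plan.errors.append(
            f"--ssl-mode={plan.effective_mode} requires --ssl-ca or --ssl-capath")

    # A CA option with an explicit non-verifying mode: the client warns that
    # the server certificate will not be verified.
    if explicit_mode is not None and explicit_mode not in VERIFY_MODES and has_ca:
        plan.warnings.append(
            f"--ssl-mode={explicit_mode}: server certificate will not be verified "
            "although a CA option is present")

    # Encryption over Unix sockets is off by default, so PREFERRED stays plain.
    if unix_socket and plan.effective_mode == "PREFERRED":
        plan.warnings.append(
            "PREFERRED over a Unix socket does not encrypt; use REQUIRED or above")

    # CRLs are consulted only when --ssl-crl or --ssl-crlpath is given.
    if plan.effective_mode in VERIFY_MODES and not has_crl:
        plan.warnings.append(
            "no --ssl-crl/--ssl-crlpath given: revocation is not checked")

    if ssl_library == "wolfssl":
        for name in sorted(WOLFSSL_UNSUPPORTED & set(opts)):
            plan.errors.append(f"--{name} is not supported in wolfSSL builds")
        cipher_list = opts.get("ssl-cipher", "")
        if cipher_list and not is_portable_cipher_list(cipher_list):
            plan.errors.append(
                "--ssl-cipher uses OpenSSL extended syntax, which wolfSSL rejects")

    plan.argv = ["mysql"] + [f"--{k}={v}" for k, v in sorted(opts.items())]
    return plan


if __name__ == "__main__":
    # Constructed sample: a client that asks for identity verification
    # against a CA file but gives no CRL.
    sample = {"ssl-mode": "VERIFY_IDENTITY", "ssl-ca": "/etc/mysql/ca.pem"}
    p = plan_client_options(sample)
    print(" ".join(p.argv))
    for msg in p.errors:
        print("error:", msg)
    for msg in p.warnings:
        print("warning:", msg)
```

Errors are conditions the manual says cause a failed or impossible connection; warnings are the cases where the connection succeeds but gives less protection than the option set suggests, which is the situation a reviewer of a deployment script most wants flagged.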
To require use of encrypted connections by a MySQL account, use CREATE USER to create the account with a REQUIRE SSL clause, or use ALTER USER for an existing account to add a REQUIRE SSL clause. Connection attempts by clients that use the account will be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

The REQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter than REQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the various REQUIRE options, see the description of REQUIRE in Section 13.7.1.3, “CREATE USER Syntax”.

--tls-version=protocol_list

For client programs, the protocols permitted by the client for encrypted connections. The value is a comma-separated list containing one or more protocol names. For example:

mysql --tls-version="TLSv1.1,TLSv1.2"

The protocols that can be named for this option depend on the SSL library used to compile MySQL. For details, see Section 6.4.6, “Encrypted Connection Protocols and Ciphers”.

On the server side, use the tls_version system variable instead.
Document created on 26/06/2006, last modified on 26/10/2018
Source of the printed document: https://www.gaudry.be/mysql-rf-encrypted-connection-options.html
L'infobrol is a personal site whose content is the responsibility of its author alone. The text is made available under the CreativeCommons (BY-NC-SA) licence. More information on the terms of use and on the author is available on the site.