This section describes options that are used to specify whether to use SSL and the names of SSL certificate and key files. These options can be given on the command line or in an option file. They are not available unless MySQL has been built with SSL support. See Section 6.3.9.2, "Configuring MySQL for SSL".
Table 6.16. SSL Option/Variable Summary

Name | Cmd-Line | Option file | System Var | Status Var | Var Scope | Dynamic
---|---|---|---|---|---|---
have_openssl | | | Yes | | Global | No
have_ssl | | | Yes | | Global | No
skip-ssl | Yes | Yes | | | |
ssl | Yes | Yes | | | |
ssl-ca | Yes | Yes | | | Global | No
- Variable: ssl_ca | | | Yes | | Global | No
ssl-capath | Yes | Yes | | | Global | No
- Variable: ssl_capath | | | Yes | | Global | No
ssl-cert | Yes | Yes | | | Global | No
- Variable: ssl_cert | | | Yes | | Global | No
ssl-cipher | Yes | Yes | | | Global | No
- Variable: ssl_cipher | | | Yes | | Global | No
ssl-crl | Yes | Yes | | | Global | No
- Variable: ssl_crl | | | Yes | | Global | No
ssl-crlpath | Yes | Yes | | | Global | No
- Variable: ssl_crlpath | | | Yes | | Global | No
ssl-key | Yes | Yes | | | Global | No
- Variable: ssl_key | | | Yes | | Global | No
ssl-verify-server-cert | Yes | Yes | | | |
--ssl

For the server, this option specifies that the server permits SSL connections. For a client program, it permits the client to connect to the server using SSL, but this option is not sufficient in itself to cause an SSL connection to be used. As a recommended set of options to enable SSL connections, use at least --ssl-cert and --ssl-key on the server side and --ssl-ca on the client side.

--ssl is implied by the other --ssl-xxx options, as indicated in the descriptions for those options. For this reason, --ssl is not usually specified explicitly. It is more often used explicitly in its opposite form to override other SSL options and indicate that SSL should not be used. To do this, specify the option as --skip-ssl or --ssl=0.

For example, you might have SSL options specified in the [client] group of your option file to use SSL connections by default when you invoke MySQL client programs. To use an unencrypted connection instead, invoke the client program with --skip-ssl on the command line to override the options in the option file.

Use of --ssl does not require an SSL connection to be used; it only permits it. For example, if you specify this option for a client program but the server has not been configured to permit SSL connections, an unencrypted connection is used.

The secure way to require use of an SSL connection is to create a MySQL account that includes at least a REQUIRE SSL clause in the GRANT statement. In this case, connections for that account will be rejected unless MySQL supports SSL connections and the server and client have been started with the proper SSL options.

The REQUIRE clause permits other SSL-related restrictions as well. These can be used for stricter requirements than REQUIRE SSL. The description of REQUIRE in Section 13.7.1.4, "GRANT Syntax", provides additional detail about which SSL command options may or must be specified by clients that connect using accounts that are created using the various REQUIRE options.
--ssl-ca

The path to a file in PEM format that contains a list of trusted SSL certificate authorities. This option implies --ssl.

If you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established using GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to the server at startup.
--ssl-capath

The path to a directory that contains trusted SSL certificate authority certificates in PEM format. This option implies --ssl.

If you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established using GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to the server at startup.

MySQL distributions built with OpenSSL support the --ssl-capath option. Distributions built with yaSSL do not, because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate file and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file. Then specify the new file as the value of the --ssl-ca option.
--ssl-cert

The name of the SSL certificate file in PEM format to use for establishing a secure connection. This option implies --ssl.
--ssl-cipher=cipher_list

A list of permissible ciphers to use for SSL encryption. If no cipher in the list is supported, SSL connections will not work. This option implies --ssl.

For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. This format is understood both by OpenSSL and yaSSL. Examples:

--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at
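As an added example (not part of the MySQL manual), a small Python check that asks the local OpenSSL, through the standard ssl module, whether each name in a colon-separated cipher_list resolves to a cipher; a list in which nothing is supported is exactly the case the text says will not connect. It consults OpenSSL only, not yaSSL, and a name accepted here may still be rejected by a server configured with a different cipher list.

```python
import ssl


def parse_cipher_list(cipher_list):
    """Split the portable form, e.g. DHE-RSA-AES256-SHA:AES128-SHA, into names."""
    return [name for name in cipher_list.split(":") if name]


def check_cipher_list(cipher_list):
    """Return {cipher_name: supported} for each name in cipher_list.

    Each name is handed to a throwaway SSLContext; OpenSSL's set_ciphers()
    raises ssl.SSLError when the string selects no cipher at all, which is
    how an unknown or disabled cipher name is detected here.
    """
    results = {}
    for name in parse_cipher_list(cipher_list):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
            results[name] = True
        except ssl.SSLError:
            results[name] = False
    return results


def usable(cipher_list):
    """The connection can only work if at least one listed cipher is supported."""
    return any(check_cipher_list(cipher_list).values())


if __name__ == "__main__":
    # The two examples from the text, plus a constructed bogus name.
    for candidate in ("AES128-SHA", "DHE-RSA-AES256-SHA:AES128-SHA", "NOT-A-CIPHER"):
        print(candidate, check_cipher_list(candidate), "usable" if usable(candidate) else "NOT usable")
```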
--ssl-crl

The path to a file containing certificate revocation lists in PEM format. This option implies --ssl. If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

MySQL distributions built with OpenSSL support the --ssl-crl option. Distributions built with yaSSL do not, because revocation lists do not work with yaSSL.

This option was added in MySQL 5.6.3.
--ssl-crlpath

The path to a directory that contains files containing certificate revocation lists in PEM format. This option implies --ssl.

If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

MySQL distributions built with OpenSSL support the --ssl-crlpath option. Distributions built with yaSSL do not, because revocation lists do not work with yaSSL.

This option was added in MySQL 5.6.3.
--ssl-key

The name of the SSL key file in PEM format to use for establishing a secure connection.

If the MySQL distribution was built using OpenSSL or (as of MySQL 5.6.3) yaSSL and the key file is protected by a passphrase, the program prompts the user for the passphrase. The passphrase must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. Before MySQL 5.6.3, if the MySQL distribution was built using yaSSL and the key file is protected by a passphrase, an error occurs.
--ssl-verify-server-cert

This option is available for client programs only, not the server. It causes the client to check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default.
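As an added example (not from the MySQL manual), a Python audit of an option file against the rules given for --ssl, --ssl-ca, --ssl-crl/--ssl-crlpath and --ssl-verify-server-cert above: ssl-cert plus ssl-key in [mysqld], ssl-ca or ssl-capath in [client], CRL checking only when ssl-crl or ssl-crlpath is set, host name checking only when ssl-verify-server-cert is set, and skip-ssl or ssl=0 overriding everything else. The option file text and its paths are constructed, and Python's configparser is used as a stand-in parser for the my.cnf format (bare options are allowed, and '_' and '-' are treated as interchangeable as MySQL does).

```python
import configparser

# Constructed sample option file; the paths are placeholders, not real files.
SAMPLE_MY_CNF = """
[mysqld]
ssl-ca=/etc/mysql/ca.pem
ssl_cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

[client]
ssl-ca=/etc/mysql/ca.pem
"""


def parse_option_file(text):
    """Parse a MySQL-style option file into {group: {option: value}}.
    Bare options such as ssl or skip-ssl carry no value; '_' and '-' are
    interchangeable in MySQL option names, so both are normalised to '-'."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    return {g: {k.replace("_", "-"): v for k, v in cp.items(g)} for g in cp.sections()}


def audit(groups):
    """Return findings based on the semantics of the SSL options described above."""
    findings = []
    srv = groups.get("mysqld", {})
    cli = groups.get("client", {})
    # Server side: the recommended minimum is ssl-cert plus ssl-key.
    if "ssl-cert" not in srv or "ssl-key" not in srv:
        findings.append("mysqld: ssl-cert and ssl-key are both needed to permit SSL connections")
    # Without ssl-crl or ssl-crlpath no CRL checks happen, even if the CA path holds CRLs.
    if "ssl-crl" not in srv and "ssl-crlpath" not in srv:
        findings.append("mysqld: no ssl-crl or ssl-crlpath, so no CRL checks are performed")
    # Client side: with neither ssl-ca nor ssl-capath the server certificate is not authenticated.
    if "ssl-ca" not in cli and "ssl-capath" not in cli:
        findings.append("client: neither ssl-ca nor ssl-capath, so the server certificate is not checked")
    # ssl-verify-server-cert is off by default; without it the certificate CN is not matched.
    if "ssl-verify-server-cert" not in cli:
        findings.append("client: ssl-verify-server-cert not set, so the certificate CN is not matched against the host name")
    # skip-ssl or ssl=0 overrides the other --ssl-xxx options for that program.
    for group, opts in groups.items():
        if "skip-ssl" in opts or opts.get("ssl") == "0":
            findings.append(f"{group}: skip-ssl / ssl=0 overrides the other SSL options, so SSL is not used")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_option_file(SAMPLE_MY_CNF)):
        print(finding)
```

A REQUIRE SSL clause on the account is still what actually enforces SSL; this audit only reports which of the option-level safeguards the file leaves off.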