SSL Command Options
The following list describes options that are used for specifying the use of SSL, certificate files, and key files. They can be given on the command line or in an option file. These options are not available unless MariaDB has been built with SSL support. See "Using SSL Connections".
Table 5.17. SSL Option/Variable Summary

| Name | Cmd-Line | Option file | System Var | Status Var | Var Scope | Dynamic |
|---|---|---|---|---|---|---|
| have_openssl | | | Yes | | Global | No |
| have_ssl | | | Yes | | Global | No |
| skip-ssl | Yes | Yes | | | | |
| ssl | Yes | Yes | | | | |
| ssl-ca | Yes | Yes | | | Global | No |
| - Variable: ssl_ca | | | Yes | | Global | No |
| ssl-capath | Yes | Yes | | | Global | No |
| - Variable: ssl_capath | | | Yes | | Global | No |
| ssl-cert | Yes | Yes | | | Global | No |
| - Variable: ssl_cert | | | Yes | | Global | No |
| ssl-cipher | Yes | Yes | | | Global | No |
| - Variable: ssl_cipher | | | Yes | | Global | No |
| ssl-crl | Yes | Yes | | | Global | No |
| - Variable: ssl_crl | | | Yes | | Global | No |
| ssl-crlpath | Yes | Yes | | | Global | No |
| - Variable: ssl_crlpath | | | Yes | | Global | No |
| ssl-key | Yes | Yes | | | Global | No |
| - Variable: ssl_key | | | Yes | | Global | No |
| ssl-verify-server-cert | Yes | Yes | | | | |
--ssl

For the server, this option specifies that the server permits SSL connections. For a client program, it permits the client to connect to the server using SSL. This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca option, and possibly the --ssl-cert and --ssl-key options.

This option is more often used in its opposite form to override any other SSL options and indicate that SSL should not be used. To do this, specify the option as --skip-ssl or --ssl=0. Either form wins over any other SSL option given elsewhere on the command line or in an option file.

Note that use of --ssl does not require an SSL connection. For example, if the server or client is compiled without SSL support, a normal unencrypted connection is used and no error is reported. The secure way to require use of an SSL connection is to create an account on the server that includes a REQUIRE SSL clause in the GRANT statement. Then use that account to connect to the server, where both the server and the client have SSL support enabled.

The REQUIRE clause permits other SSL-related restrictions as well. The description of REQUIRE in "GRANT Syntax" provides additional detail about which SSL command options may or must be specified by clients that connect using accounts that are created using the various REQUIRE options.

--ssl-ca=file_name

The path to a file that contains a list of trusted SSL CAs.

--ssl-capath=dir_name

The path to a directory that contains trusted SSL CA certificates in PEM format.

--ssl-cert=file_name

The name of the SSL certificate file to use for establishing a secure connection.
--ssl-cipher=cipher_list

A list of permissible ciphers to use for SSL encryption. For greatest portability, cipher_list should be a list of one or more cipher names, separated by colons. Examples:

--ssl-cipher=AES128-SHA
--ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA

This format is understood both by OpenSSL and yaSSL. OpenSSL supports a more flexible syntax for specifying ciphers, as described in the OpenSSL documentation at http://www.openssl.org/docs/apps/ciphers.html. However, this extended syntax will fail if used with a MariaDB installation compiled against yaSSL. The names above illustrate the syntax only; they are not a recommendation of which ciphers to allow.

If no cipher in the list is supported by both ends of the connection, SSL connections will not work.
--ssl-crl=file_name

The path to a file containing certificate revocation lists in PEM format. Revocation lists work for MariaDB distributions compiled against OpenSSL (but not yaSSL).

If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists; a revoked certificate that still chains to a trusted CA is then accepted. This option was added in MariaDB 5.6.3.

--ssl-crlpath=dir_name

The path to a directory that contains files containing certificate revocation lists in PEM format. Revocation lists work for MariaDB distributions compiled against OpenSSL (but not yaSSL).

If neither --ssl-crl nor --ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists. This option was added in MariaDB 5.6.3.
--ssl-key=file_name

The name of the SSL key file to use for establishing a secure connection.

If the key file is protected by a passphrase, and the MariaDB distribution was built using OpenSSL or (as of MariaDB 5.6.3) yaSSL, the program will prompt the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key. Before MariaDB 5.6.3, an error occurs if the key file is protected by a passphrase for distributions built using yaSSL.
--ssl-verify-server-cert

This option is available for client programs only, not the server. It causes the server's Common Name value in the certificate that the server sends to the client to be verified against the host name that the client uses for connecting to the server, and the connection is rejected if there is a mismatch. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default: a client that gives only --ssl-ca checks that the server certificate chains to a trusted CA, but accepts any certificate issued by that CA regardless of the host it was issued for.

If you use SSL when establishing a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. Such a connection is encrypted but not authenticated, so an active attacker on the path can present a certificate of their own and the client will accept it. The server still verifies the client according to any applicable requirements established using GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to the server at startup time.
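The following script is an added example for this section, not code from the manual or from MariaDB itself. It turns the rules stated above for --ssl, --skip-ssl/--ssl=0, --ssl-ca/--ssl-capath, --ssl-cipher and --ssl-verify-server-cert into an audit of a client's effective SSL options, so that a connection that is merely encrypted can be told apart from one whose server is actually authenticated. The option-file syntax it handles (a [group] header, one option per line, bare flags, '_' and '-' interchangeable, a skip- prefix), the rule that the command line overrides the option file, the treatment of any ssl-* option as a request for SSL, the cipher-name character check, and the sample my.cnf with its paths are all assumptions made for the example.

```python
"""Audit the effective SSL posture of a MariaDB/MySQL client option set.

Added example, not manual or server code. Rules taken from this section:
--skip-ssl / --ssl=0 override all other SSL options; --ssl alone does not
require SSL; without --ssl-ca/--ssl-capath the server certificate is not
verified; without --ssl-verify-server-cert the CN is not checked against the
host name. Option-file syntax and command-line precedence are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample option file for this example (not a real installation).
SAMPLE_MY_CNF = """\
[client]
ssl
ssl-ca = /etc/mysql/ca.pem          # trust anchor, but no host name check
ssl_cipher = DHE-RSA-AES256-SHA:AES128-SHA

[mysqld]
ssl-ca=/etc/mysql/ca.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
"""


def _store(opts: Dict[str, str], key: str, value: str) -> None:
    """Normalise one option: '_' == '-', skip-X means X=0, bare flag means 1."""
    key = key.strip().replace("_", "-")
    if key.startswith("skip-"):
        opts[key[len("skip-"):]] = "0"
    else:
        opts[key] = value.strip() or "1"


def parse_option_file(text: str, group: str) -> Dict[str, str]:
    """Return the options of one [group] of an option file as a dict."""
    opts: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            continue
        if current == group:
            key, _, value = line.partition("=")
            _store(opts, key, value)
    return opts


def parse_cmdline(argv: List[str]) -> Dict[str, str]:
    """Parse --opt, --opt=value and --skip-opt into the same dict shape."""
    opts: Dict[str, str] = {}
    for arg in argv:
        if arg.startswith("--"):
            key, _, value = arg[2:].partition("=")
            _store(opts, key, value)
    return opts


def client_posture(opts: Dict[str, str]) -> str:
    """Classify a client option set using the rules from this section."""
    if opts.get("ssl") == "0":
        return "plaintext: --skip-ssl/--ssl=0 overrides every other SSL option"
    # Assumption: any ssl-* option counts as a request for SSL.
    if opts.get("ssl") != "1" and not any(k.startswith("ssl-") for k in opts):
        return "plaintext: no SSL options given"
    if not (opts.get("ssl-ca") or opts.get("ssl-capath")):
        return ("unauthenticated: SSL requested but no --ssl-ca/--ssl-capath, so "
                "the server certificate is not verified and an unencrypted fallback "
                "is possible; require SSL with REQUIRE SSL on the account")
    if opts.get("ssl-verify-server-cert") != "1":
        return ("ca-verified: certificate chains to a trusted CA, but its CN is not "
                "checked against the host name; add --ssl-verify-server-cert")
    return "ca-verified+hostname: chain and CN verified"


def non_portable_cipher_entries(cipher_list: str) -> List[str]:
    """Entries that are not plain cipher names (OpenSSL extended syntax such as
    '!aNULL' or '@STRENGTH' fails on yaSSL builds). Charset check is an assumption."""
    return [c for c in cipher_list.split(":") if not re.fullmatch(r"[A-Za-z0-9-]+", c)]


def audit(argv: List[str], option_file: str = SAMPLE_MY_CNF) -> str:
    """Effective client posture: [client] group first, command line overrides it."""
    effective = {**parse_option_file(option_file, "client"), **parse_cmdline(argv)}
    return client_posture(effective)


if __name__ == "__main__":
    for argv in ([], ["--ssl-verify-server-cert"], ["--skip-ssl"]):
        print(f"mysql {' '.join(argv):<26} -> {audit(argv)}")
    print(non_portable_cipher_entries("ALL:!aNULL:@STRENGTH"))
```

Run against a real option file by passing its contents to audit() together with the client's argv; the sample file deliberately shows the common weak state (CA configured, host name unchecked) that only --ssl-verify-server-cert closes.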