MySQL can check X509 certificate attributes in addition to the usual authentication that is based on the username and password. To specify SSL-related options for a MySQL account, use the REQUIRE clause of the GRANT statement, as described in the MySQL Language Reference.

4.5.7.5 SSL Command-Line Options

The following list describes options that are used for specifying the use of SSL, certificate files, and key files. These options are available beginning with MySQL 4.0. They may be given on the command line or in an option file.

--ssl

For the server, this option specifies that the server allows SSL connections. For a client program, it allows the client to connect to the server using SSL. This option is not sufficient in itself to cause an SSL connection to be used. You must also specify the --ssl-ca, --ssl-cert, and --ssl-key options.

This option is more often used in its opposite form to indicate that SSL should not be used. To do this, specify the option as --skip-ssl or --ssl=0.

Note that use of --ssl doesn't require an SSL connection. For example, if the server or client is compiled without SSL support, a normal unencrypted connection will be used.

The secure way to ensure that an SSL connection will be used is to create an account on the server that includes a REQUIRE SSL clause in the GRANT statement. Then use this account to connect to the server, with both a server and client that have SSL support enabled.

--ssl-ca=file_name

The path to a file with a list of trusted SSL CAs.

--ssl-capath=directory_name

The path to a directory that contains trusted SSL CA certificates in PEM format.

--ssl-cert=file_name

The name of the SSL certificate file to use for establishing a secure connection.

--ssl-cipher=cipher_list

A list of allowable ciphers to use for SSL encryption. cipher_list has the same format as the openssl ciphers command.

Example: --ssl-cipher=ALL:-AES:-EXP

--ssl-key=file_name

The name of the SSL key file to use for establishing a secure connection.
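The account-level enforcement described above, shown as an added example that is not part of the MySQL manual text. The database name, account names, host pattern, passwords and certificate DN strings are constructed placeholders, and the GRANT ... IDENTIFIED BY form is the syntax of the MySQL 4.0-era servers this page covers.

```sql
-- Added example. All names, passwords and DN values are placeholders.

-- 1. Check that the server has SSL support available before relying on it.
SHOW VARIABLES LIKE 'have_openssl';

-- 2. Any SSL-encrypted connection is accepted; unencrypted logins for
--    this account are refused regardless of client-side --ssl options.
GRANT SELECT ON appdb.* TO 'report'@'%.example.com'
  IDENTIFIED BY 'placeholder-password-1'
  REQUIRE SSL;

-- 3. The client must also present a certificate that validates against
--    a CA the server trusts (server started with --ssl-ca or --ssl-capath).
GRANT SELECT, INSERT ON appdb.* TO 'loader'@'%.example.com'
  IDENTIFIED BY 'placeholder-password-2'
  REQUIRE X509;

-- 4. Check specific X509 attributes: only a certificate with this
--    subject, issued by this CA, is accepted for the account.
GRANT ALL PRIVILEGES ON appdb.* TO 'dba'@'%.example.com'
  IDENTIFIED BY 'placeholder-password-3'
  REQUIRE SUBJECT '/C=US/O=Example Corp/CN=dba'
      AND ISSUER  '/C=US/O=Example Corp/CN=Example CA';

-- 5. From a connected client session: an empty Value means the session
--    is NOT encrypted, whatever options the client was started with.
SHOW STATUS LIKE 'Ssl_cipher';

-- 6. Audit: accounts with no REQUIRE clause, which can still
--    authenticate over an unencrypted connection.
SELECT user, host
FROM mysql.user
WHERE ssl_type = '';
```

Run steps 2 to 4 as an administrative user, then connect as each account with and without the --ssl-ca, --ssl-cert and --ssl-key options to confirm that the unencrypted attempt is rejected.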
4.5.7.6 Connecting to MySQL Remotely from Windows with SSH

Here is a note about how to get a secure connection to a remote MySQL server with SSH (by David Carlson dcarlson@mplcomm.com):

1. Install an SSH client on your Windows machine. As a user, the best non-free one I've found is SecureCRT from http://www.vandyke.com/. Another option is F-Secure from http://www.f-secure.com/. You can also find some free ones on Google at http://directory.google.com/Top/
2. Start your Windows SSH client. Set Host_Name = yourmysqlserver_URL_or_IP. Set userid=your_userid to log in to your server. This userid value may not be the same as the username of your MySQL account.
3. Set up port forwarding. Either do a remote forward (Set local_port: 3306, remote_host: yourmysqlservername_or_ip, remote_port: 3306) or a local forward (Set port: 3306, host: localhost, remote port: 3306).
4. Save everything, otherwise you'll have to redo it the next time.
5. Log in to your server with the SSH session you just created.
6. On your Windows machine, start some ODBC application (such as Access).
7. Create a new file in Windows and link to MySQL using the ODBC driver the same way you normally do, except type in localhost for the MySQL host server, not yourmysqlservername.

You should now have an ODBC connection to MySQL, encrypted using SSH.

Please check back next week for the continuation of this article.