First check if SSL is enabled by running SHOW VARIABLES LIKE '%ssl%'; ensure have_ssl is YES and ssl_ca, ssl_cert, ssl_key point to valid files, then use STATUS to confirm SSL is in use. 2. Generate SSL certificates either using MySQL’s built-in auto-generation for testing (enable ssl in my.cnf and restart) or create your own with OpenSSL for production, including a CA, server certificate, and optionally client certificates. 3. Configure the MySQL server by specifying ssl-ca, ssl-cert, and ssl-key paths in my.cnf under [mysqld], ensure MySQL has read access to the files, then restart the service and verify SSL is active with SHOW VARIABLES LIKE 'have_ssl';. 4. Set up users to require SSL with CREATE USER 'secure_user'@'%' IDENTIFIED BY 'password' REQUIRE SSL; or enforce client certificate authentication using REQUIRE X509, SUBJECT, or ISSUER clauses. 5. Connect clients using SSL by adding --ssl-mode=REQUIRED or providing certificate files via --ssl-ca, --ssl-cert, --ssl-key; in applications, configure SSL attributes in connection strings for PDO or mysql-connector-python. 6. Verify the SSL connection using \status or SHOW STATUS LIKE 'Ssl_cipher'; to confirm a cipher is in use, and if empty, SSL is not active. Security best practices include protecting private keys with chmod 600, using strong ciphers, rotating certificates, using CA-signed certificates in production, and monitoring logs for errors.
Configuring MySQL for SSL/TLS connections ensures that data transmitted between clients and the MySQL server is encrypted, protecting it from eavesdropping and man-in-the-middle attacks. Here’s how to set it up properly.
1. Check if SSL is Already Enabled
Before making changes, check your current SSL status:
SHOW VARIABLES LIKE '%ssl%';
Look for:
have_ssl: Should beYESssl_ca,ssl_cert,ssl_key: Should point to valid certificate files
Also check the connection type:
STATUS;
Look for "SSL" under the "SSL:" line. If it says "Not in use", SSL isn’t active for your session.
2. Generate SSL Certificates (Self-Signed or CA-Signed)
MySQL can use either self-signed certificates (for internal use) or CA-signed ones (for production).
Option A: Use MySQL’s Built-in Auto-Generate (MySQL 5.7 )
MySQL can auto-generate SSL certificates on startup if none are provided and SSL is enabled.
Enable it in your MySQL config file (my.cnf or my.ini):
[mysqld] ssl
On first startup, MySQL creates:
ca.pem(Certificate Authority)server-cert.pem,server-key.pemclient-cert.pem,client-key.pem
These are typically in the data directory.
?? Note: These are self-signed and suitable for testing or internal networks only.
Option B: Generate Your Own Certificates with OpenSSL
For more control or production use:
- Create a Certificate Authority (CA):
openssl genrsa 2048 > ca-key.pem openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca.pem
- Generate server certificate request and sign it:
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem openssl rsa -in server-key.pem -out server-key.pem openssl x509 -req -in server-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
- Generate client certificate (optional, for mutual TLS):
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-req.pem openssl rsa -in client-key.pem -out client-key.pem openssl x509 -req -in client-req.pem -days 3650 -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
- Verify certificates:
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
3. Configure MySQL Server for SSL
Edit your MySQL configuration file (/etc/mysql/my.cnf or /etc/my.cnf):
[mysqld] ssl-ca = /path/to/ca.pem ssl-cert = /path/to/server-cert.pem ssl-key = /path/to/server-key.pem # Optional: Require SSL for all connections # require_secure_transport = ON
Make sure the MySQL user has read access to these files.
Restart MySQL:
sudo systemctl restart mysql
Verify SSL is active:
SHOW VARIABLES LIKE 'have_ssl'; -- Should return YES
4. Configure MySQL Users for SSL
You can require specific users to connect via SSL:
CREATE USER 'secure_user'@'%' IDENTIFIED BY 'strong_password' REQUIRE SSL; -- Or require a client certificate (stronger security) GRANT ALL ON db.* TO 'secure_user'@'%' REQUIRE SUBJECT '/CN=client.example.com';
Common REQUIRE options:
SSL: Encrypt connectionX509: Any valid client certificateISSUER '...': Must be issued by specific CASUBJECT '...': Must have specific subject
5. Connect Using SSL
From MySQL Client:
mysql -u secure_user -p --ssl-mode=REQUIRED
Or with explicit certificates:
mysql -u secure_user -p \ --ssl-ca=ca.pem \ --ssl-cert=client-cert.pem \ --ssl-key=client-key.pem
From Application (e.g., PHP, Python):
In PHP with PDO:
$pdo = new PDO(
'mysql:host=localhost;dbname=test',
'secure_user',
'password',
[PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca.pem']
);In Python with mysql-connector-python:
import mysql.connector
conn = mysql.connector.connect(
host='localhost',
user='secure_user',
password='password',
database='test',
ssl_ca='/path/to/ca.pem',
ssl_verify_cert=True
)6. Test and Verify SSL Connection
After connecting:
\status -- Look for "SSL:" line. Should say "Cipher in use: XXX"
Or query:
SHOW STATUS LIKE 'Ssl_cipher'; -- Should return a cipher name if SSL is used
If it’s empty, SSL is not active.
Security Tips
- Keep private keys (
*.key) secure and restrict file permissions (chmod 600). - Use strong ciphers (MySQL uses secure defaults).
- Rotate certificates before expiration.
- In production, use CA-signed certificates.
- Monitor logs for SSL-related errors.
Basically, enabling SSL in MySQL involves generating proper certificates, configuring the server to use them, and ensuring clients connect securely. It’s not complex, but attention to file paths and permissions is crucial.
The above is the detailed content of How to configure MySQL for SSL/TLS connections?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
How to use PHP to develop a Q&A community platform Detailed explanation of PHP interactive community monetization model
Jul 23, 2025 pm 07:21 PM
1. The first choice for the Laravel MySQL Vue/React combination in the PHP development question and answer community is the first choice for Laravel MySQL Vue/React combination, due to its maturity in the ecosystem and high development efficiency; 2. High performance requires dependence on cache (Redis), database optimization, CDN and asynchronous queues; 3. Security must be done with input filtering, CSRF protection, HTTPS, password encryption and permission control; 4. Money optional advertising, member subscription, rewards, commissions, knowledge payment and other models, the core is to match community tone and user needs.
Automating MySQL Deployments with Infrastructure as Code
Jul 20, 2025 am 01:49 AM
To achieve MySQL deployment automation, the key is to use Terraform to define resources, Ansible management configuration, Git for version control, and strengthen security and permission management. 1. Use Terraform to define MySQL instances, such as the version, type, access control and other resource attributes of AWSRDS; 2. Use AnsiblePlaybook to realize detailed configurations such as database user creation, permission settings, etc.; 3. All configuration files are included in Git management, support change tracking and collaborative development; 4. Avoid hard-coded sensitive information, use Vault or AnsibleVault to manage passwords, and set access control and minimum permission principles.
How to set environment variables in PHP environment Description of adding PHP running environment variables
Jul 25, 2025 pm 08:33 PM
There are three main ways to set environment variables in PHP: 1. Global configuration through php.ini; 2. Passed through a web server (such as SetEnv of Apache or fastcgi_param of Nginx); 3. Use putenv() function in PHP scripts. Among them, php.ini is suitable for global and infrequently changing configurations, web server configuration is suitable for scenarios that need to be isolated, and putenv() is suitable for temporary variables. Persistence policies include configuration files (such as php.ini or web server configuration), .env files are loaded with dotenv library, and dynamic injection of variables in CI/CD processes. Security management sensitive information should be avoided hard-coded, and it is recommended to use.en
How to use PHP to develop product recommendation module PHP recommendation algorithm and user behavior analysis
Jul 23, 2025 pm 07:00 PM
To collect user behavior data, you need to record browsing, search, purchase and other information into the database through PHP, and clean and analyze it to explore interest preferences; 2. The selection of recommendation algorithms should be determined based on data characteristics: based on content, collaborative filtering, rules or mixed recommendations; 3. Collaborative filtering can be implemented in PHP to calculate user cosine similarity, select K nearest neighbors, weighted prediction scores and recommend high-scoring products; 4. Performance evaluation uses accuracy, recall, F1 value and CTR, conversion rate and verify the effect through A/B tests; 5. Cold start problems can be alleviated through product attributes, user registration information, popular recommendations and expert evaluations; 6. Performance optimization methods include cached recommendation results, asynchronous processing, distributed computing and SQL query optimization, thereby improving recommendation efficiency and user experience.
Securing MySQL Connections with SSL/TLS Encryption
Jul 21, 2025 am 02:08 AM
Why do I need SSL/TLS encryption MySQL connection? Because unencrypted connections may cause sensitive data to be intercepted, enabling SSL/TLS can prevent man-in-the-middle attacks and meet compliance requirements; 2. How to configure SSL/TLS for MySQL? You need to generate a certificate and a private key, modify the configuration file to specify the ssl-ca, ssl-cert and ssl-key paths and restart the service; 3. How to force SSL when the client connects? Implemented by specifying REQUIRESSL or REQUIREX509 when creating a user; 4. Details that are easily overlooked in SSL configuration include certificate path permissions, certificate expiration issues, and client configuration requirements.
How to develop AI intelligent form system with PHP PHP intelligent form design and analysis
Jul 25, 2025 pm 05:54 PM
When choosing a suitable PHP framework, you need to consider comprehensively according to project needs: Laravel is suitable for rapid development and provides EloquentORM and Blade template engines, which are convenient for database operation and dynamic form rendering; Symfony is more flexible and suitable for complex systems; CodeIgniter is lightweight and suitable for simple applications with high performance requirements. 2. To ensure the accuracy of AI models, we need to start with high-quality data training, reasonable selection of evaluation indicators (such as accuracy, recall, F1 value), regular performance evaluation and model tuning, and ensure code quality through unit testing and integration testing, while continuously monitoring the input data to prevent data drift. 3. Many measures are required to protect user privacy: encrypt and store sensitive data (such as AES
How to build an online customer service robot with PHP. PHP intelligent customer service implementation technology
Jul 25, 2025 pm 06:57 PM
PHP plays the role of connector and brain center in intelligent customer service, responsible for connecting front-end input, database storage and external AI services; 2. When implementing it, it is necessary to build a multi-layer architecture: the front-end receives user messages, the PHP back-end preprocesses and routes requests, first matches the local knowledge base, and misses, call external AI services such as OpenAI or Dialogflow to obtain intelligent reply; 3. Session management is written to MySQL and other databases by PHP to ensure context continuity; 4. Integrated AI services need to use Guzzle to send HTTP requests, safely store APIKeys, and do a good job of error handling and response analysis; 5. Database design must include sessions, messages, knowledge bases, and user tables, reasonably build indexes, ensure security and performance, and support robot memory
How to make PHP container support automatic construction? Continuously integrated CI configuration method of PHP environment
Jul 25, 2025 pm 08:54 PM
To enable PHP containers to support automatic construction, the core lies in configuring the continuous integration (CI) process. 1. Use Dockerfile to define the PHP environment, including basic image, extension installation, dependency management and permission settings; 2. Configure CI/CD tools such as GitLabCI, and define the build, test and deployment stages through the .gitlab-ci.yml file to achieve automatic construction, testing and deployment; 3. Integrate test frameworks such as PHPUnit to ensure that tests are automatically run after code changes; 4. Use automated deployment strategies such as Kubernetes to define deployment configuration through the deployment.yaml file; 5. Optimize Dockerfile and adopt multi-stage construction
