I implemented SSL successfully just a couple of weeks ago on 5.1.30, and
I too found some aspects confusing. Here are my answers from my own
experience, so please forgive me if they're inaccurate.
1) On the server side, I believe ssl-ca, ssl-cert and ssl-key are all
required to establish the server's identity. On the client side, I
believe a user can still log in without encryption/SSL unless REQUIRE SSL
is set on their account. From what I can tell, a client can also log in
using SSL with just ssl-ca (the server's certification authority
certificate). To verify that the client is who they say they are, you
set REQUIRE X509 on their account, and the client has to connect
using ssl-ca, ssl-cert and ssl-key with a valid certificate and private key.
2) I also don't understand all concepts of SSL - I'm used to just
providing a certificate request to a trusted partner (e.g. Verisign) and
for them to send me back my certificate. However I presume that the
trusted CA certificates (e.g. Verisign, Thawte etc) are present on all
browsers/e-mail clients and that's why we don't need to worry about it
for these types of applications. I believe that MySQL is allowing you
to effectively issue your own certificates, and as such the client needs
the CA certificate to verify the server's issuing authority (yourself.)
The first step the MySQL manual takes you through is creating a private
key and a certificate which will become your CA certificate (and is the
file needed for ssl-ca/ssl-capath). This is a different private key and
certificate from both the server's and the client's (unless your
server/client is the same box, in which case they can share the same
certificate/key, but it will still be different from the CA cert/key).
3) I followed the instructions in the manual to the letter and I had no
issues whatsoever. In my client (Navicat) I do get an "SSL connection
error - invalid parameter" if one of the certificates is missing, but
that may be coming from Navicat, not the MySQL library. It'll be
interesting to see what happens in some situations, for example, what
happens when the client certificate or the CA certificate expires?
Interestingly, I can also still connect using SSL when the CA certificate
is invalid (i.e. non-existent or a private key file instead of a
Hope this helps some! I do agree it wasn't the clearest of things to
get my head around.
Seth Willits wrote:
> I've read through all of the MySQL docs on SSL and I just need a brief
> overview of a few things to understand some things that aren't crystal
> clear to me since I'm not very familiar with SSL.
> 1) Which SSL options are *required*?
> It seems that only ssl-key is _always_ required for the client to
> connect to the server. If REQUIRE X509 is set, then ssl-cert is
> required as well in order to authenticate who the actual client is,
> 2) The options I don't understand are ssl-ca/ssl-capath. Why would the
> client specify a certificate authority? Is this the authority (or
> authorities) that's used to authenticate the server's certificate? Is
> there a platform default for this value? I'm not used to having to
> specify a list of authorities for other programs to validate
> certificates (such as with email).
> 3) How do I know if the server/client authentication (validating the
> certificate against given authorities) failed? Do I just get a vague
> "SSL connection error" back from MySQL and that's it?
> I think that's mostly it.
> Seth Willits
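The following is an added example, not code from either message above or from the MySQL manual. It walks through point 2 of the reply with the openssl command line: it creates the CA key pair, then a server and a client certificate signed by that CA, prints the my.cnf stanzas and GRANT ... REQUIRE statements those files plug into, and uses openssl verify to show which ssl-ca file validates which certificate. It assumes the openssl CLI is installed; the output directory, the common names and the 'app' account in the GRANT lines are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): build the three key/cert
# pairs the MySQL manual's SSL walkthrough uses, then check with
# "openssl verify" which CA file actually validates which certificate.
# Assumes the openssl CLI is on PATH; all file names and CNs are constructed.
set -e

# Create a private CA plus CA-signed server and client certificates in $1.
# The CA's CN must differ from the server/client CNs, or OpenSSL treats the
# leaf certificate as self-signed and chain verification fails.
make_mysql_ssl_certs() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA key + self-signed CA certificate. ca-cert.pem is what both
    #    [mysqld] and the client point ssl-ca at; ca-key.pem stays offline.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example-MySQL-CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null

    # 2. Server key + request, signed by the CA -> ssl-cert/ssl-key for [mysqld]
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mysql-server.example" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -set_serial 01 \
        -in "$dir/server-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -out "$dir/server-cert.pem" 2>/dev/null

    # 3. Client key + request, signed by the same CA -> what an account with
    #    REQUIRE X509 must present via ssl-cert/ssl-key
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mysql-client.example" \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -set_serial 02 \
        -in "$dir/client-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
        -out "$dir/client-cert.pem" 2>/dev/null
}

# Return 0 if certificate $2 chains to the CA file $1, non-zero otherwise.
# This is the check a client performs on the server certificate (and the
# server on a REQUIRE X509 client) using whatever ssl-ca it was given.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the my.cnf stanzas and GRANT statements the generated files plug into.
# 'app'@'%' is a constructed account name.
mysql_ssl_snippets() {
    dir="$1"
    cat <<EOF
[mysqld]
ssl-ca=$dir/ca-cert.pem
ssl-cert=$dir/server-cert.pem
ssl-key=$dir/server-key.pem

[client]
ssl-ca=$dir/ca-cert.pem
ssl-cert=$dir/client-cert.pem
ssl-key=$dir/client-key.pem

-- encryption only:
GRANT USAGE ON *.* TO 'app'@'%' REQUIRE SSL;
-- encryption plus a certificate signed by our CA:
GRANT USAGE ON *.* TO 'app'@'%' REQUIRE X509;
EOF
}

# Demo run: leaf certificates validate against the CA that issued them, but
# not against an unrelated CA or against a private key passed as ssl-ca.
OUT="${MYSQL_SSL_OUT:-$(mktemp -d)}"
make_mysql_ssl_certs "$OUT"
make_mysql_ssl_certs "$OUT/other-ca"
for leaf in server-cert.pem client-cert.pem; do
    verify_against_ca "$OUT/ca-cert.pem" "$OUT/$leaf" \
        && echo "$leaf: OK against the issuing CA"
    verify_against_ca "$OUT/other-ca/ca-cert.pem" "$OUT/$leaf" \
        || echo "$leaf: rejected by an unrelated CA"
    verify_against_ca "$OUT/ca-key.pem" "$OUT/$leaf" \
        || echo "$leaf: rejected when a private key is used as the CA file"
done
mysql_ssl_snippets "$OUT"
```

Run it as `sh make-mysql-ssl.sh`; set MYSQL_SSL_OUT to choose where the PEM files land. The second CA generated under other-ca has the same subject name as the first but a different key, so the verify failures show that it is the signature, not the name, that ties a certificate to the ssl-ca file.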