Configuring SSL Connections

If you are connecting to a MySQL server that has Secure Sockets Layer (SSL) enabled, then you can configure the connector to connect to an SSL-enabled socket and encrypt the connection. (The connector and MySQL both call this SSL; the protocol actually negotiated is TLS, which is why the minimum-version property below is named Min_TLS.) When connecting to a server over SSL, the connector can also verify the identity of the server, and optionally the identity of the client.

You can set the connection properties described below in a connection string or in a DSN (in the odbc.ini file). Settings in the connection string take precedence over settings in the DSN.

Configuring an SSL Connection without Identity Verification

You can configure a connection that is encrypted by SSL but does not verify the identity of the client or the server. This protects the session against passive eavesdropping only: because the connector accepts whatever certificate the server presents, an attacker who can intercept the connection can present their own certificate and read or modify the traffic. Use identity verification (below) wherever the network path is not trusted.

To configure an SSL connection without verification:

  1. Enable SSL encryption by doing one of the following:
    • To use SSL encryption only if the server supports it, set the SSLMode property to 1. If the server does not offer SSL, the connector falls back to an unencrypted connection, so this mode does not guarantee encryption.
    • Or, to require SSL encryption for the connection, set the SSLMode property to 2. If the server does not support SSL, the connection fails.
  2. Optionally, set the SSLCipher property to a comma-separated list of permitted ciphers for encrypting the connection.
  3. To specify the minimum TLS version to use, set the Min_TLS property. Supported options include 1.0 for TLS 1.0, 1.1 for TLS 1.1, and 1.2 for TLS 1.2. TLS 1.0 and 1.1 are deprecated; set Min_TLS to 1.2 unless you must connect to a server that cannot negotiate it.

Configuring SSL Identity Verification

You can configure one-way verification so that the client verifies the identity of the MySQL server, or you can configure two-way verification so that the client and the server both verify each other.

In both cases, you must provide a root certificate from a trusted certificate authority (CA) that the connector can use to check the server's certificate. If you are using two-way verification, then you must also provide a certificate that proves the identity of the client and the private key that corresponds to that certificate. The key is not used to encrypt the certificate; the connector uses it during the handshake to prove that the client possesses the key matching the public key in the certificate, so the key file must be readable by the connector and should be readable by nobody else.

To configure SSL identity verification:

  1. Enable SSL encryption by doing one of the following:
    • To use SSL encryption and identity verification only if the server supports it, set the SSLMode property to 3. If the server does not offer SSL, the connector falls back to an unencrypted, unverified connection.
    • Or, to require SSL encryption and identity verification for the connection, set the SSLMode property to 4. If the server does not support SSL or if identity verification fails, the connection fails. This is the only mode that guarantees both encryption and server identity verification.
  2. To specify one or more root certificates from trusted CAs that you want to use to verify the server certificate, do one of the following:
    • To use a specific root certificate, set the SSLCA property to the full path and name of the .pem file containing the certificate.
    • Or, to provide multiple root certificates, set the SSLCAPath property to the full path of the directory that contains the certificates. The connector uses the first valid certificate that it finds in the directory.
  3. If two-way identity verification is necessary, do the following:
    1. Set the SSLCert property to the full path and name of the .pem file containing the certificate used for proving the identity of the client.
    2. Set the SSLKey property to the full path and name of the file that contains the private key corresponding to the client certificate.
  4. Optionally, set the SSLCipher property to a comma-separated list of permitted ciphers for encrypting the connection.
  5. To specify the minimum TLS version to use, set the Min_TLS property. Supported options include 1.0 for TLS 1.0, 1.1 for TLS 1.1, and 1.2 for TLS 1.2. Prefer 1.2; TLS 1.0 and 1.1 are deprecated.
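The following is an added example, not code from the connector or its documentation. It covers both procedures above (encryption without verification, and one-way or two-way identity verification): it merges DSN settings with connection-string settings using the precedence rule stated earlier (connection string wins), renders the result as an ODBC connection string and as an odbc.ini DSN section, and audits the SSL properties so that a weak configuration (SSLMode=1, Min_TLS=1.0, no CA) is flagged while a hardened one (SSLMode=4 with SSLCA, SSLCert, SSLKey and Min_TLS=1.2) passes. The property names are the ones documented above; the helper function names, the DSN name, the driver name, the host and the certificate paths are assumptions made for the example.

```python
"""Merge, render and audit SSL settings for a MySQL ODBC connection.

Added example; property names follow the connector documentation, everything
else (function names, paths, driver/DSN names) is assumed for illustration.
"""
import os

# ODBC keys are case-insensitive; map them to the spelling used in the docs.
_CANONICAL = {n.lower(): n for n in (
    "Driver", "Server", "Port", "Database", "UID", "PWD",
    "SSLMode", "SSLCA", "SSLCAPath", "SSLCert", "SSLKey", "SSLCipher", "Min_TLS",
)}


def normalize(settings):
    """Return a copy with canonical key spelling and string values."""
    return {_CANONICAL.get(k.lower(), k): str(v) for k, v in settings.items()}


def merge_settings(dsn_settings, connstr_settings):
    """Apply the documented precedence: connection-string values override DSN values."""
    merged = normalize(dsn_settings)
    merged.update(normalize(connstr_settings))
    return merged


def build_connection_string(settings):
    """Render Key=Value;... ; values containing ';' '{' '}' or edge spaces are braced,
    with '}' doubled inside braces (the common ODBC escaping convention)."""
    parts = []
    for key, value in normalize(settings).items():
        if any(c in value for c in ";{}") or value != value.strip():
            value = "{" + value.replace("}", "}}") + "}"
        parts.append(f"{key}={value}")
    return ";".join(parts)


def render_dsn(name, settings):
    """Render an odbc.ini section for the same settings."""
    lines = [f"[{name}]"] + [f"{k}={v}" for k, v in normalize(settings).items()]
    return "\n".join(lines) + "\n"


def audit_ssl(settings, check_files=False):
    """Return a list of problems with the SSL properties; an empty list means OK."""
    s = normalize(settings)
    problems = []
    mode = s.get("SSLMode")
    if mode not in {"1", "2", "3", "4"}:
        return ["SSLMode is missing or not one of 1-4: the connection is not encrypted"]
    if mode in ("1", "3"):
        problems.append(f"SSLMode={mode} uses SSL only if the server offers it; "
                        "a server (or interceptor) that does not will get a plaintext session")
    if mode in ("1", "2"):
        problems.append(f"SSLMode={mode} encrypts but never checks the server certificate; "
                        "an on-path attacker can present its own certificate")
    elif not (s.get("SSLCA") or s.get("SSLCAPath")):
        problems.append("SSLMode 3/4 needs SSLCA or SSLCAPath to verify the server certificate")
    if bool(s.get("SSLCert")) != bool(s.get("SSLKey")):
        problems.append("SSLCert and SSLKey must be set together for two-way verification")
    min_tls = s.get("Min_TLS")
    if min_tls is None:
        problems.append("Min_TLS is not set; set it to 1.2 so TLS 1.0/1.1 cannot be negotiated")
    elif min_tls in ("1.0", "1.1"):
        problems.append(f"Min_TLS={min_tls} allows a deprecated protocol version; use 1.2")
    elif min_tls != "1.2":
        problems.append(f"Min_TLS={min_tls} is not a documented value (1.0, 1.1, 1.2)")
    if check_files:  # only meaningful on the host that will run the connector
        for key in ("SSLCA", "SSLCert", "SSLKey"):
            if s.get(key) and not os.path.isfile(s[key]):
                problems.append(f"{key} does not point to an existing file: {s[key]}")
        if s.get("SSLCAPath") and not os.path.isdir(s["SSLCAPath"]):
            problems.append(f"SSLCAPath is not a directory: {s['SSLCAPath']}")
    return problems


# Assumed DSN as it might appear in odbc.ini: encrypted if possible, nothing verified.
WEAK_DSN = {"Driver": "MySQL ODBC Driver", "Server": "db.example.internal", "Port": "3306",
            "Database": "app", "SSLMode": "1", "Min_TLS": "1.0"}

# Connection-string overrides that harden it: require SSL, verify both sides, TLS 1.2 floor.
HARDENED_OVERRIDES = {"sslmode": "4", "SSLCA": "/etc/ssl/mysql/ca.pem",
                      "SSLCert": "/etc/ssl/mysql/client-cert.pem",
                      "SSLKey": "/etc/ssl/mysql/client-key.pem", "Min_TLS": "1.2"}


def hardened_settings():
    """Effective settings after the connection string overrides the DSN."""
    return merge_settings(WEAK_DSN, HARDENED_OVERRIDES)


if __name__ == "__main__":
    print("weak DSN problems:", *audit_ssl(WEAK_DSN), sep="\n  ")
    print("hardened problems:", audit_ssl(hardened_settings()))
    print(build_connection_string(hardened_settings()))
    print(render_dsn("MySQLHardened", hardened_settings()))
```

Run audit_ssl with check_files=True on the machine that will open the connection, after the certificate files are in place, so that a mistyped SSLCA path is caught before the connector reports a less specific handshake failure.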