I copied the ca.pem from the server (Percona default 5.7 Ubuntu deb) and was able to make a secure connection with

mysql  --ssl-ca=/var/lib/mysql/ca.pem -u root

I find that the options --ssl-cert and --ssl-key are actually not needed.

What are the drawbacks in doing so?

Ryan

There is a discussion of this in this blog post, as things changed with 5.7.3: https://www.percona.com/blog/2017/06/27/ssl-connections-in-mysql-5-7/

The link in that post, though, has changed as I think the documentation may have been updated. This is a better page from the core manual to view (referenced from the CREATE USER syntax page): https://dev.mysql.com/doc/refman/5.7/en/encrypted-connections.html. From the manual:

As of MySQL 5.7.3, a client need specify only the --ssl option to obtain an encrypted connection. The connection attempt fails if an encrypted connection cannot be established. Before MySQL 5.7.3, the client must specify either the --ssl-ca option, or all three of the --ssl-ca, --ssl-key, and --ssl-cert options.

As you can see, before 5.7.3 the client must specify either --ssl-ca OR all three. There is a full discussion in the MySQL documentation.

Disclosure: I work for Percona

greenweeds
  • So, after 5.7.3, I don't need to have any ca/cert/key files and I was able to make a connection using SSL? (if I don't care about the client identity) – Ryan Jan 03 '18 at 04:19
  • There is more explanation of the --ssl option here, as it depends on whether the connection is client or server side (and --ssl is deprecated client side from MySQL 8 in favour of --ssl-mode), but implies that yes. https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-options.html#option_general_ssl info on --ssl-mode https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-options.html#option_general_ssl – greenweeds Jan 04 '18 at 15:47
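The question asks what is lost by dropping --ssl-cert and --ssl-key, and the answer and its comments turn on --ssl versus --ssl-mode. The script below is an added example, not code from either poster nor from Percona or MySQL: it builds the client options for three TLS postures and then checks, from the session's own Ssl_cipher status variable, that TLS is really in use rather than trusting the flags. It assumes a 5.7.11 or later client (where --ssl-mode exists), the CA path from the question, and constructed sample status rows that stand in for a live server so the checks run offline.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumes a MySQL 5.7.11+ client (--ssl-mode) and a CA file copied from the
# server, e.g. /var/lib/mysql/ca.pem as in the question.

# ssl_args LEVEL CA_FILE
# Prints the client options for a given TLS posture:
#   encrypt  - encrypted only; the server's certificate is NOT verified
#   verify   - encrypted, and the server cert must chain to CA_FILE
#   identity - as verify, plus the server host name must match the cert
# No --ssl-cert/--ssl-key here: those are the *client's* certificate and key,
# needed only when the account was created with REQUIRE X509/SUBJECT/ISSUER.
ssl_args() {
  level=$1
  ca=$2
  case "$level" in
    encrypt)  printf '%s\n' '--ssl-mode=REQUIRED' ;;
    verify)   printf '%s\n' "--ssl-mode=VERIFY_CA --ssl-ca=$ca" ;;
    identity) printf '%s\n' "--ssl-mode=VERIFY_IDENTITY --ssl-ca=$ca" ;;
    *) echo "unknown level: $level" >&2; return 2 ;;
  esac
}

# session_is_encrypted STATUS_ROW
# STATUS_ROW is the single tab-separated row printed by
#   mysql -N -B -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
# Returns 0 when a cipher is set (TLS in use), 1 when the value is empty.
session_is_encrypted() {
  cipher=$(printf '%s\n' "$1" | awk -F '\t' '{ print $2 }')
  [ -n "$cipher" ]
}

# check_connection LEVEL CA_FILE [extra mysql options, e.g. -u root -h host]
# Runs the real client with the chosen posture and reports whether the
# resulting session actually negotiated TLS.
check_connection() {
  level=$1
  ca=$2
  shift 2
  # ssl_args output is intentionally word-split into separate options
  row=$(mysql $(ssl_args "$level" "$ca") -N -B "$@" \
          -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'") || return 1
  if session_is_encrypted "$row"; then
    echo "TLS on ($level): $row"
  else
    echo "TLS OFF despite $level" >&2
    return 1
  fi
}

# Constructed sample rows: what the status query prints with and without TLS.
SAMPLE_TLS=$(printf 'Ssl_cipher\tDHE-RSA-AES128-GCM-SHA256')
SAMPLE_PLAIN=$(printf 'Ssl_cipher\t')

# Offline demo: ./check_tls.sh demo
if [ "${1:-}" = "demo" ]; then
  session_is_encrypted "$SAMPLE_TLS"   && echo "sample 1: encrypted"
  session_is_encrypted "$SAMPLE_PLAIN" || echo "sample 2: plaintext"
  ssl_args verify /var/lib/mysql/ca.pem
fi
```

Against a real server, `check_connection verify /var/lib/mysql/ca.pem -u root` reproduces the question's setup with verification made explicit. The split between `encrypt` and `verify` is the point of the example: `--ssl` on 5.7.3+ (and `--ssl-mode=REQUIRED` on 5.7.11+) only guarantees encryption, while checking that the server presenting the certificate is the one that owns ca.pem needs VERIFY_CA or VERIFY_IDENTITY together with `--ssl-ca`; the client certificate options that the question drops matter only when the server account demands a client certificate.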