Today I embarked on the adventure of setting up SSL connections for MySQL replication and got side-tracked by some pretty bad (or possibly just outdated) documentation out there. I won't actually detail how to do things here, but rather just point out that you should use the steps documented in the official documentation, especially if you're creating your own self-signed CA cert and a pair of client/server certs signed by that CA.

Documentation for CA + pair of self-signed certificates:

https://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

Documentation for replication setup:

https://dev.mysql.com/doc/refman/5.5/en/replication-solutions-ssl.html

A few tricks that are really handy for testing your setup:

  • To verify whether your current connection is encrypted or not:

    mysql> \s
    mysql  Ver 14.14 Distrib 5.5.35, for debian-linux-gnu (i686) using readline 6.2

    Connection id:          29220
    Current database:
    Current user:           test@your.server.com
    SSL:                    Cipher in use is DHE-RSA-AES256-SHA
    [...]

  • To connect to a server over SSL (assuming the certificate files exist; the client certificate/key pair must be signed by the same CA as the server's certificate):

    mysql --ssl-ca=/etc/ssl/local/mysql.ca.crt --ssl-cert=/etc/ssl/local/mysql-client.crt --ssl-key=/etc/ssl/local/mysql-client.key -h your.server.com -u test -p

  • To verify on the server side whether the SSL configuration was actually picked up by mysqld:

    mysql> show variables like '%ssl%';
    +---------------+---------------------------------+
    | Variable_name | Value                           |
    +---------------+---------------------------------+
    | have_openssl  | YES                             |
    | have_ssl      | YES                             |
    | ssl_ca        | /etc/ssl/local/mysql.ca.crt     |
    | ssl_capath    |                                 |
    | ssl_cert      | /etc/ssl/local/mysql-server.crt |
    | ssl_cipher    |                                 |
    | ssl_key       | /etc/ssl/local/mysql-server.key |
    +---------------+---------------------------------+
    7 rows in set (0.02 sec)
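As an added example (not part of the original post), here is a small Python checker that turns the two outputs above into a pass/fail verdict: it parses the bordered table (as printed interactively, or by `mysql -t -e "show variables like '%ssl%'"`), pulls the cipher out of the `\s` status line, and flags the usual failure modes (`have_ssl` reading `DISABLED`, meaning mysqld has SSL compiled in but was not started with usable `--ssl-*` options, or an empty `ssl_ca`/`ssl_cert`/`ssl_key`). The sample inputs are constructed copies of the outputs shown in this post.

```python
import re

# Constructed sample input: the outputs of `\s` and `show variables like '%ssl%'` shown above.
STATUS_OUTPUT = """\
Connection id:          29220
Current user:           test@your.server.com
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
"""
VARIABLES_OUTPUT = """\
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
| ssl_ca        | /etc/ssl/local/mysql.ca.crt     |
| ssl_capath    |                                 |
| ssl_cert      | /etc/ssl/local/mysql-server.crt |
| ssl_cipher    |                                 |
| ssl_key       | /etc/ssl/local/mysql-server.key |
+---------------+---------------------------------+
"""

def parse_table(text):
    """Turn mysql's bordered two-column table (interactive, or `mysql -t -e`) into a dict."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip +---+ borders, "N rows in set" and anything else
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Variable_name":
            rows[cells[0]] = cells[1]
    return rows

def connection_cipher(status_text):
    """Cipher named on the SSL: line of `\\s` output, or None when the connection is plaintext."""
    m = re.search(r"^SSL:\s+Cipher in use is (\S+)", status_text, re.MULTILINE)
    return m.group(1) if m else None

def audit_server_ssl(variables):
    """List what is wrong with the server-side SSL variables; an empty list means all good."""
    problems = []
    if variables.get("have_ssl") == "DISABLED":
        problems.append("have_ssl is DISABLED: SSL is compiled in but mysqld was not started with usable --ssl-* options")
    elif variables.get("have_ssl") != "YES":
        problems.append("have_ssl is %s: this server build has no SSL support" % variables.get("have_ssl", "missing"))
    for name in ("ssl_ca", "ssl_cert", "ssl_key"):
        if not variables.get(name):
            problems.append("%s is empty" % name)
    return problems
```

A plaintext session prints `SSL: Not in use` on the status line, which `connection_cipher` reports as `None`.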