Today I embarked into the adventure of setting up SSL connections for MySQL replication and got side-tracked by some pretty bad (or possibly just outdated) documentation out there. I won't actually detail how to do things here, but rather just point out that you should use steps documented in the official documentation, especially if you're creating your own self-signed CA cert and a pair of client/server certs signed by that CA.

Documentation for CA + pair of self-signed certificates:

Documentation for replication setup:

Some tricks are actually really handy to test your setup:

  • To verify whether your current connection is encrypted or not:

    mysql> \s

    mysql Ver 14.14 Distrib 5.5.35, for debian-linux-gnu (i686) using readline 6.2

    Connection id: 29220 Current database:
    Current user: SSL: Cipher in use is DHE-RSA-AES256-SHA [...]

  • To connect to a server via ssl (supposing the certificate files exist -- the client certificate/key pair must be signed by the same CA as the server's):

    mysql --ssl-ca=/etc/ssl/local/ --ssl-cert=/etc/ssl/local/mysql-client.crt --ssl-key=/etc/ssl/local/mysql-client.key -h -u test -p

  • To verify whether SSL configuration was successful in mysql:

    mysql> show variables like '%ssl%'; +---------------+---------------------------------+ | Variable_name | Value | +---------------+---------------------------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | /etc/ssl/local/ | | ssl_capath | | | ssl_cert | /etc/ssl/local/mysql-server.crt | | ssl_cipher | | | ssl_key | /etc/ssl/local/mysql-server.key | +---------------+---------------------------------+ 7 rows in set (0.02 sec)