Connecting using SSL Encryption

What Is SSL?

The acronym SSL stands for "Secure Socket Layer". If enabled on both sides when two programs communicate, it encrypts and decrypts every piece of information that is transmitted. The SSL client code compiled into SQLyog ensures that it can communicate with a MySQL server using SSL, if the server also supports SSL.

Not every MySQL server does. When the server is compiled, there is an option to compile it with or without SSL. Some of the binaries distributed by MySQL have SSL and others do not, depending on the version and the platform for which they are compiled. Also, on some Linux/Unix 'flavours' it is common for the System Administrator to compile the server on the computer where it will run, and he may or may not compile it with SSL support.

Note that SSL-connections are not TUNNELING. No other program than SQLyog, no other server than the MySQL server and no other port, than what MySQL is configured to use, is needed for the connection.

To find out if you can connect to your server with SSL, check the server system variable 'have_openssl'. If it is "YES", you can use SSL connections; if it is "DISABLED", SSL is available but not enabled in the server configuration; and if it is "NO", the server binary that you use does not support SSL.

If the 'have_openssl' system variable is "YES", you will still need to create a user for the SSL connection. The same user must use SSL connections only or not at all - he cannot use both, simply because the login information is also encrypted by the SSL layer before it is sent to the server. To create such a user, use the "GRANT .... REQUIRE SSL" syntax. For instance,

GRANT ALL ON *.* TO 'root'@'%' REQUIRE SSL WITH GRANT OPTION

... will create a remote root user that can only connect with SSL and has privileges similar to 'root'@'localhost'.

In the Connections Manager's SSL tab, a valid path and file for the ca-certificate is required; all other values are optional. 'Cipher' must be either "DHE", "RSA", "AES256" or "SHA". If omitted, the system will 'pick one'. The 'Client key' and 'Client Certificate' must match the corresponding server certificates (on the server itself). You should ask your System Administrator for those files. If you are administering your own Linux/Unix server, there is most likely a program available for generating all the files. Also note that SSL certificates expire and need to be renewed from time to time.
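
The checks described above, written out as statements you can run from a query tab. This is an added example, not part of the original SQLyog documentation: the account 'app_ssl', the schema 'appdb' and the password are constructed placeholders, and it assumes a server version that exposes 'have_openssl' and lets GRANT create the account, as the statement shown earlier does.

```sql
-- 1. Does the server binary support SSL, and is it enabled?
--    Value column: YES      -> SSL connections can be used
--                  DISABLED -> compiled in, but not enabled in the configuration
--                  NO       -> this binary has no SSL support
SHOW VARIABLES LIKE 'have_openssl';

-- 2. Create an account that may only log in over SSL.
--    'app_ssl', 'appdb' and the password are placeholders (constructed).
--    Limited privileges on one schema are used here instead of ALL ON *.*.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON appdb.*
    TO 'app_ssl'@'%'
    IDENTIFIED BY '<replace-with-a-strong-password>'
    REQUIRE SSL;

-- 3. Confirm the requirement was recorded for that account.
--    ssl_type is 'ANY' for REQUIRE SSL and empty when nothing is required.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE user = 'app_ssl';

SHOW GRANTS FOR 'app_ssl'@'%';

-- 4. Audit: accounts reachable from other hosts that do NOT require SSL.
--    Any row returned can still authenticate over an unencrypted connection.
SELECT user, host
  FROM mysql.user
 WHERE ssl_type = ''
   AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 5. After connecting as 'app_ssl' with the SSL tab filled in, verify that
--    the current session is encrypted. A non-empty Value is the negotiated
--    cipher; an empty Value means the session is not using SSL.
SHOW STATUS LIKE 'Ssl_cipher';
```

Run steps 1 to 4 from an administrative connection and step 5 from the new SSL connection itself, since 'Ssl_cipher' reports on the session that issues the statement.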


Note: This feature is available in SQLyog Professional, Enterprise and Ultimate.