
Last updated: 2026-02-11

MySQL TLS/SSL Configuration Guide

This guide provides recommended TLS settings for MySQL to encrypt connections between clients and the database server. Encryption alone stops passive eavesdropping; it only defeats an active man-in-the-middle when the client also verifies the server's certificate (ssl_mode=VERIFY_CA or VERIFY_IDENTITY, covered below), so the server and client halves of this guide belong together.

Prerequisites

MySQL 8.0 and later is built with TLS support and, unless ssl_ca, ssl_cert and ssl_key are configured, generates self-signed certificates in the data directory on first startup (auto_generate_certs). These are adequate for a lab but not for production: they are self-signed, their subject names are generic (so ssl_mode=VERIFY_IDENTITY can never match a host name), and nothing outside the server trusts them. Replace them with properly issued certificates.

Generating Certificates

If you don't already have certificates, mysql_ssl_rsa_setup creates a self-signed CA plus server and client certificates for testing. It writes ca.pem, server-cert.pem, server-key.pem, client-cert.pem and client-key.pem (plus an RSA key pair) into the directory given by --datadir, which defaults to the server data directory, so point it at a dedicated directory as shown:

mysql_ssl_rsa_setup --datadir=/etc/mysql/ssl

MySQL 8.4 LTS and later: mysql_ssl_rsa_setup was deprecated during the 8.0 series and removed in 8.4. The server still auto-generates self-signed certificates on first startup, as 8.0 already did, but for certificates that clients can actually verify, generate the files with openssl commands or use your CA.

For production, use certificates from a CA such as Let's Encrypt, or your organization's internal CA.
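The same set of files produced by hand with openssl, as an added example rather than anything from the MySQL documentation: a private CA, a server certificate whose SAN carries the host name clients will verify, and a client certificate for REQUIRE X509 accounts and replicas. The output directory, the host name db.example.test and the subject names are assumptions; substitute your own, and keep the CA private key off the database host.

```sh
#!/bin/sh
# Added example, not part of the MySQL documentation: issue a private CA
# plus server and client certificates with plain openssl, producing the
# file names the ssl_ca/ssl_cert/ssl_key options expect. Output directory,
# host name and subject names are assumptions for illustration.
set -eu

# make_mysql_certs OUTDIR SERVER_DNS_NAME [DAYS]
# The body runs in a subshell so the umask change does not leak to the caller.
make_mysql_certs() (
    out="$1"; host="$2"; days="${3:-825}"
    mkdir -p "$out"
    umask 077                     # private keys are created mode 0600

    # 1. Self-signed CA. Its CN must differ from the server/client CNs:
    #    with identical CNs OpenSSL treats the leaf as self-signed and
    #    MySQL fails to load the chain.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Example MySQL CA" \
        -keyout "$out/ca-key.pem" -out "$out/ca.pem" 2>/dev/null

    # 2. Server certificate with a SAN matching the name clients connect to;
    #    ssl_mode=VERIFY_IDENTITY and SOURCE_SSL_VERIFY_SERVER_CERT check
    #    exactly this name.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$out/server.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$out/server-key.pem" -out "$out/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$days" -in "$out/server.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server-cert.pem" 2>/dev/null

    # 3. Client certificate for accounts with REQUIRE X509 and for replicas.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$out/client.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=mysql-client" \
        -keyout "$out/client-key.pem" -out "$out/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$days" -in "$out/client.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/client.ext" -out "$out/client-cert.pem" 2>/dev/null

    rm -f "$out"/*.csr "$out"/*.ext "$out/ca.srl"
    # Certificates are public; keys stay 0600. mysqld only needs ca.pem,
    # server-cert.pem and server-key.pem, owned by the mysql user.
    chmod 644 "$out/ca.pem" "$out/server-cert.pem" "$out/client-cert.pem"
)

# verify_mysql_certs OUTDIR SERVER_DNS_NAME
# Exit 0 when both leaves chain to the CA and the server certificate
# carries the expected SAN, i.e. what a VERIFY_IDENTITY client will check.
verify_mysql_certs() {
    out="$1"; host="$2"
    openssl verify -CAfile "$out/ca.pem" "$out/server-cert.pem" >/dev/null &&
    openssl verify -CAfile "$out/ca.pem" "$out/client-cert.pem" >/dev/null &&
    openssl x509 -in "$out/server-cert.pem" -noout -text | grep -q "DNS:$host"
}

# Usage with the assumed paths:
#   make_mysql_certs /etc/mysql/ssl db.example.test && verify_mysql_certs /etc/mysql/ssl db.example.test
```

After copying the three server files into place, make sure server-key.pem is readable by the account mysqld runs as and by nobody else; MySQL refuses to start TLS if it cannot read the key, and a world-readable key lets any local user impersonate the server.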

Server Configuration

Add the following settings to your MySQL configuration file under the [mysqld] section. These variables govern the classic protocol listener (port 3306); the X Plugin listener (port 33060) has its own mysqlx_ssl_* and mysqlx_tls_version variables, and the mysqlx_ssl_* ones fall back to the ssl_* values below when they are not set.

Path note: Debian/Ubuntu: /etc/mysql/mysql.conf.d/mysqld.cnf. RHEL/CentOS: /etc/my.cnf.d/mysql-server.cnf (MySQL Community) or /etc/my.cnf. The main config (/etc/mysql/my.cnf or /etc/my.cnf) includes drop-in directories.

Protocol Versions

Restrict connections to TLS 1.2 and TLS 1.3 only. On MySQL 8.0.28 and later TLSv1 and TLSv1.1 are no longer available and this is already the default; on earlier 8.0 releases the setting is what removes them:

[mysqld]
tls_version=TLSv1.2,TLSv1.3

Cipher Suites

Configure strong cipher suites for TLS 1.2. Only AEAD suites with ephemeral key exchange (forward secrecy) are listed; MySQL 8.0.16 and later additionally restricts ssl_cipher to its own allowlist, so legacy names are rejected even if configured:

[mysqld]
ssl_cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

For TLS 1.3 cipher suites (MySQL 8.0.16+):

[mysqld]
tls_ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

Certificate Files

Point the server at the CA certificate, its own certificate and its private key. The key file must be readable by the user mysqld runs as (typically mysql) and by nobody else; the CA's private key does not belong on the database host at all.

[mysqld]
ssl_ca=/etc/mysql/ssl/ca.pem
ssl_cert=/etc/mysql/ssl/server-cert.pem
ssl_key=/etc/mysql/ssl/server-key.pem

Require Encrypted Connections

Force all TCP client connections to use TLS. Without this, a client left at the default ssl_mode=PREFERRED silently falls back to plaintext whenever the handshake fails. Connections over a Unix socket file or Windows shared memory count as secure transports and remain allowed. Note what this setting cannot do: it makes clients encrypt, but it cannot make them verify the server certificate, which remains a client-side setting.

[mysqld]
require_secure_transport=ON

Complete Server Configuration

[mysqld]
# TLS protocol versions
tls_version=TLSv1.2,TLSv1.3

# TLS 1.2 cipher suites
ssl_cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# TLS 1.3 cipher suites
tls_ciphersuites=TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# Certificate files
ssl_ca=/etc/mysql/ssl/ca.pem
ssl_cert=/etc/mysql/ssl/server-cert.pem
ssl_key=/etc/mysql/ssl/server-key.pem

# Require encrypted connections
require_secure_transport=ON
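An added example, not part of the MySQL documentation, that checks an option file against the settings above before it is deployed: it reads the [mysqld] section, normalises the dash and underscore spellings MySQL accepts for option names, and prints a FAIL line for each setting weaker than the hardened configuration, returning non-zero so it can gate a rollout. The file path is whatever the path note above gives for your distribution; the legacy-cipher pattern and the message wording are assumptions made here.

```sh
#!/bin/sh
# Added example, not part of the MySQL documentation: audit the [mysqld]
# section of an option file against the hardened TLS settings.

# audit_mysqld_tls FILE  -> exit 0 if the [mysqld] section is hardened,
#                           1 if any FAIL line was printed
audit_mysqld_tls() {
    awk '
        # Section headers: strip brackets and whitespace to get the name.
        /^[ \t]*\[/ { sec = $0; gsub(/[\[\] \t]/, "", sec); next }
        # Option lines inside [mysqld]. MySQL treats "-" and "_" in option
        # names as equivalent, so normalise to "_" before comparing.
        sec == "mysqld" && /^[ \t]*[A-Za-z]/ {
            line = $0; sub(/[ \t]*#.*$/, "", line)
            n = index(line, "=")
            if (n == 0) { key = line; val = "ON" }          # bare boolean option
            else        { key = substr(line, 1, n - 1); val = substr(line, n + 1) }
            gsub(/[ \t]/, "", key); gsub(/-/, "_", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            opt[key] = val
        }
        END {
            bad = 0
            if (toupper(opt["require_secure_transport"]) != "ON") {
                print "FAIL require_secure_transport is not ON: plaintext TCP clients are accepted"; bad++
            }
            if (!("tls_version" in opt)) {
                print "WARN tls_version unset: server default applies (TLSv1.2,TLSv1.3 on 8.0.28+)"
            } else if (opt["tls_version"] ~ /TLSv1(\.1)?(,|$)/) {
                print "FAIL tls_version permits TLSv1.0/1.1: " opt["tls_version"]; bad++
            }
            if (!("ssl_ca" in opt) || !("ssl_cert" in opt) || !("ssl_key" in opt)) {
                print "FAIL ssl_ca/ssl_cert/ssl_key not all set: auto-generated self-signed certificates would be used"; bad++
            }
            # Illustrative denylist; MySQL 8.0.16+ rejects these itself, but a
            # config that names them is still a sign of copy-pasted legacy settings.
            if (("ssl_cipher" in opt) && opt["ssl_cipher"] ~ /(^|:)(RC4|DES|NULL|EXP|MD5|aNULL)/) {
                print "FAIL ssl_cipher lists a legacy cipher: " opt["ssl_cipher"]; bad++
            }
            exit (bad > 0 ? 1 : 0)
        }
    ' "$1"
}

# Usage (path is an assumption): audit_mysqld_tls /etc/mysql/mysql.conf.d/mysqld.cnf
```

The audit only sees the file it is given. Because the main my.cnf includes drop-in directories, a later drop-in can override a hardened value, so run it against every file in the include chain or, better, against the live values from SHOW VARIABLES after the server has started.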

Client Configuration

Configure MySQL clients to use TLS by adding settings to the [client] section of the client-side option file. That section is read by mysql, mysqldump, mysqladmin and the other standard client programs, and option names may be written with dashes or underscores:

[client]
ssl_mode=REQUIRED
ssl_ca=/etc/mysql/ssl/ca.pem

Available ssl_mode values:

  DISABLED         never use TLS
  PREFERRED        use TLS if the server offers it, otherwise fall back to plaintext (the client default)
  REQUIRED         TLS or fail, but the server certificate is not checked, so an active man-in-the-middle presenting its own certificate is still accepted
  VERIFY_CA        as REQUIRED, plus the server certificate must chain to a CA in ssl_ca
  VERIFY_IDENTITY  as VERIFY_CA, plus the host name used to connect must match the certificate's subject or SAN

Note that with REQUIRED the ssl_ca setting above is not used to reject anything; it only becomes meaningful at VERIFY_CA and above. For maximum security, use VERIFY_IDENTITY and connect by the DNS name the certificate was issued for; with the server's auto-generated certificates, or when connecting to 127.0.0.1, this check fails by design:

[client]
ssl_mode=VERIFY_IDENTITY
ssl_ca=/etc/mysql/ssl/ca.pem

Per-User TLS Requirements

You can require specific users to connect with TLS. With require_secure_transport=ON this is redundant for TCP connections, but it records the requirement on the account itself and still holds if the server setting is ever switched off:

ALTER USER 'appuser'@'%' REQUIRE SSL;

For stricter requirements, require a client certificate. REQUIRE X509 accepts any client certificate that chains to the CA in the server's ssl_ca; the certificate's subject is not checked, so every holder of a certificate from that CA qualifies. To pin an account to one certificate, use REQUIRE SUBJECT and ISSUER with that certificate's exact distinguished-name strings instead:

ALTER USER 'appuser'@'%' REQUIRE X509;

Replication TLS

To encrypt replication traffic between source and replica servers, configure the replica to use TLS. SOURCE_SSL_CERT and SOURCE_SSL_KEY are only needed when the replication account on the source carries REQUIRE X509. SOURCE_SSL_VERIFY_SERVER_CERT = 1 makes the replica check that the source's certificate chains to SOURCE_SSL_CA and that its name matches SOURCE_HOST, so connect by the host name in the certificate rather than an IP address. Stop replication before the change and start it again afterwards, and give the replication account on the source REQUIRE SSL or REQUIRE X509 so a plaintext fallback is refused on that side too.

On MySQL 8.0.23+:

CHANGE REPLICATION SOURCE TO
    SOURCE_SSL = 1,
    SOURCE_SSL_CA = '/etc/mysql/ssl/ca.pem',
    SOURCE_SSL_CERT = '/etc/mysql/ssl/client-cert.pem',
    SOURCE_SSL_KEY = '/etc/mysql/ssl/client-key.pem',
    SOURCE_SSL_VERIFY_SERVER_CERT = 1;

On MySQL 8.0.0 to 8.0.22 (CHANGE MASTER TO was deprecated in 8.0.23):

CHANGE MASTER TO
    MASTER_SSL = 1,
    MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
    MASTER_SSL_CERT = '/etc/mysql/ssl/client-cert.pem',
    MASTER_SSL_KEY = '/etc/mysql/ssl/client-key.pem',
    MASTER_SSL_VERIFY_SERVER_CERT = 1;

MySQL 8.4 LTS: CHANGE MASTER TO is fully removed. Use CHANGE REPLICATION SOURCE TO exclusively.

Verification

After restarting MySQL (on 8.0.16 and later the ssl_* and tls_* settings can instead be reloaded without a restart using ALTER INSTANCE RELOAD TLS), verify TLS is active:

mysql -u root -p -e "SHOW VARIABLES LIKE '%ssl%';"
mysql -u root -p -e "SHOW VARIABLES LIKE 'tls_version';"

Check the current connection's encryption status. Connect over TCP for this test: a local connection as root normally goes over the Unix socket, which is a secure transport but not TLS, so Ssl_cipher comes back empty there even on a correctly configured server. Use 127.0.0.1 as shown, or the host name on the certificate if your client option file uses VERIFY_IDENTITY:

mysql -u root -p -h 127.0.0.1 -e "SHOW SESSION STATUS LIKE 'Ssl_cipher';"

This should return a cipher name like TLS_AES_256_GCM_SHA384 (TLS 1.3) or ECDHE-RSA-AES256-GCM-SHA384 (TLS 1.2), confirming the connection is encrypted; SHOW SESSION STATUS LIKE 'Ssl_version' shows the negotiated protocol version. Finally test the negative case. A client that refuses TLS must be turned away with ERROR 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON:

mysql -u root -p -h 127.0.0.1 --ssl-mode=DISABLED -e "SELECT 1;"
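A check from outside the mysql client, added here as an example rather than taken from the MySQL documentation: openssl s_client understands the MySQL protocol's in-band TLS upgrade (-starttls mysql, OpenSSL 1.1.1 and later), so it can report the negotiated protocol and cipher, verify the chain and host name the way ssl_mode=VERIFY_IDENTITY would, and confirm that a TLS 1.1 handshake is refused, all without trusting the client's own option file. Host name, port and CA path are assumptions.

```sh
#!/bin/sh
# Added example, not from the MySQL documentation: probe a MySQL server's
# TLS posture with `openssl s_client -starttls mysql`. Host, port and CA
# file are assumptions for illustration.

# summarize_s_client: read s_client output on stdin and print one line,
# "<protocol> <cipher> <verify return code>", e.g. "TLSv1.3 TLS_AES_256_GCM_SHA384 0".
summarize_s_client() {
    awk '
        /^[ \t]*Protocol[ \t]*:/     { proto = $3 }
        /^[ \t]*Cipher[ \t]*:/       { cipher = $3 }
        /^[ \t]*Verify return code:/ { code = $4 }
        END {
            print (proto != "" ? proto : "none"), (cipher != "" ? cipher : "none"),
                  (code != "" ? code : "unknown")
        }
    '
}

# tls_posture_ok "<protocol> <cipher> <code>": exit 0 only when the handshake
# used TLS 1.2 or 1.3 with an AEAD cipher and the certificate verified (code 0).
tls_posture_ok() {
    set -- $1
    case "$1" in TLSv1.2|TLSv1.3) ;; *) return 1 ;; esac
    case "$2" in *GCM*|*CHACHA20*) ;; *) return 1 ;; esac
    [ "$3" = "0" ]
}

# probe_mysql_tls HOST [PORT] [CAFILE]: full handshake including host-name
# verification, which is exactly what ssl_mode=VERIFY_IDENTITY asks of a client.
probe_mysql_tls() {
    host="$1"; port="${2:-3306}"; cafile="${3:-/etc/mysql/ssl/ca.pem}"
    summary=$(printf 'Q\n' | openssl s_client -starttls mysql -connect "$host:$port" \
        -CAfile "$cafile" -verify_hostname "$host" 2>&1 | summarize_s_client)
    echo "$summary"
    tls_posture_ok "$summary"
}

# refuses_tls11 HOST [PORT]: negative test, exit 0 only if a TLS 1.1 handshake
# fails. OpenSSL 3 may decline to offer TLS 1.1 at its default security level,
# which also yields 0; check the server's tls_version variable as well.
refuses_tls11() {
    host="$1"; port="${2:-3306}"
    ! printf 'Q\n' | openssl s_client -starttls mysql -connect "$host:$port" -tls1_1 >/dev/null 2>&1
}

# Usage (host name is an assumption):
#   probe_mysql_tls db.example.test 3306 /etc/mysql/ssl/ca.pem && refuses_tls11 db.example.test
```

A non-zero verify return code with a correct CA file usually means the server is still serving its auto-generated certificate or the SAN does not match the name you connected to; either way a VERIFY_IDENTITY client would fail in the same place.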