I'm seeking to clear some information up for myself involving remote SSL connections to MYSQL. Particularly, once I have MYSQL setup to enable SSL and have a remote user that requires SSL.

This is how I connect (commandline), remotely, to MYSQL with a user that requires SSL:

mysql -uMyUserName -p -h192.168.5.5 --ssl-ca /path/to/ca.pem

My question is: Why do I have to provide the ca.pem file as the client?

These are the steps I took to install mysql on the server and setup remote access (Ubuntu):

Steps to Enable SSL for MYSQL

1) Obtain my Certificate Authority cert, Database cert, Database key

• ca.pem (Certificate Authority cert)
• dbcert.pem (Database cert)
• dbkey.pem (Databse key)

2) Add the following lines to /etc/mysql/my.cnf under [mysqld]

ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/dbcert.pem
ssl-key=/path/to/dbkey.pem

3) Restart mysql and confirm ssl enabled by logging in and typing following:

show variables like '%ssl%';

Configure Remote Connection Requiring SSL

1) Comment out the following lines in /etc/mysql/my.cnf

#bind-address
#skip-networking

2) Login to mysql and grant a user access to, in this case, every database

GRANT ALL PRIVILEGES ON . to 'USERNAME'@'%' IDENTIFIED BY 'PASSWORD' REQUIRE SSL

At this point, I have MYSQL setup to enable SSL && I have a remote user that will require SSL to login. I am able to login on a remote commandline, but i need to specify the --ssl-ca.

Why do I have to provide the ssl-ca from client? Is there a way to do this so that I don't have to?

I would really appreciate some insight here.

Thanks in advance.

Unlike your typical web browser, a commandline tool like mysql doesn't have a built-in list of certificate authorities. Browsers come with a built in list of certification authorities, and you implicitly trust them (whether you know it or not).

When you use mysql to log in to a MySQL server supporting encryption, that server will present you the public part of a certificate. To complete the secure handshake, your client needs to verify the server certificate is signed by a trusted certificate authority. Otherwise, it will have to say "hey, this looks like a well-formed certificate, but I never heard of the ca signing it."

For Hibernate / JDBC / TLS, a little bit of search-engine work turns up some useful suggestions. It's all about setting the right properties in your config.

http://razorsql.com/articles/mysql_ssl_jdbc.html

How can I configure Hibernate to use SSL to talk to the DB server?