diff --git a/lib/DBD/mysql.pm b/lib/DBD/mysql.pm index ec107a6..dc5eb06 100644 --- a/lib/DBD/mysql.pm +++ b/lib/DBD/mysql.pm @@ -1162,7 +1162,10 @@ location for the socket than that built into the client. A true value turns on the CLIENT_SSL flag when connecting to the MySQL database: - mysql_ssl=1 +When enabling SSL encryption you should set also other SSL options, +at least mysql_ssl_ca_file or mysql_ssl_ca_path. + + mysql_ssl=1 mysql_ssl_verify_server_cert=1 mysql_ssl_ca_file=/path/to/ca_cert.pem This means that your communication with the server will be encrypted. 
@@ -1170,21 +1173,54 @@ Please note that this can only work if you enabled SSL when compiling DBD::mysql; this is the default starting version 4.034. See L<DBD::mysql::INSTALL> for more details. -If you turn mysql_ssl on, you might also wish to use the following -flags: +=item mysql_ssl_ca_file + +The path to a file in PEM format that contains a list of trusted SSL +certificate authorities. + +When set MySQL server certificate is checked that it is signed by some +CA certificate in the list. Common Name value is not verified unless +C<mysql_ssl_verify_server_cert> is enabled. + +=item mysql_ssl_ca_path + +The path to a directory that contains trusted SSL certificate authority +certificates in PEM format. + +When set MySQL server certificate is checked that it is signed by some +CA certificate in the list. Common Name value is not verified unless +C<mysql_ssl_verify_server_cert> is enabled. + +Please note that this option is supported only if your MySQL client was +compiled with OpenSSL library, and not with default yaSSL library. + +=item mysql_ssl_verify_server_cert + +Checks the server's Common Name value in the certificate that the server +sends to the client. The client verifies that name against the host name +the client uses for connecting to the server, and the connection fails if +there is a mismatch. For encrypted connections, this option helps prevent +man-in-the-middle attacks. + +Verification of the host name is disabled by default. =item mysql_ssl_client_key -=item mysql_ssl_client_cert +The name of the SSL key file in PEM format to use for establishing +a secure connection. -=item mysql_ssl_ca_file +=item mysql_ssl_client_cert -=item mysql_ssl_ca_path +The name of the SSL certificate file in PEM format to use for +establishing a secure connection. =item mysql_ssl_cipher -These are used to specify the respective parameters of a call -to mysql_ssl_set, if mysql_ssl is turned on. +A list of permissible ciphers to use for connection encryption. 
If no +cipher in the list is supported, encrypted connections will not work. + + mysql_ssl_cipher=AES128-SHA + mysql_ssl_cipher=DHE-RSA-AES256-SHA:AES128-SHA =item mysql_local_infile
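Review bot: In the first hunk, the new sentence "When enabling SSL encryption you should set also other SSL options, at least mysql_ssl_ca_file or mysql_ssl_ca_path." has the adverb misplaced and under-recommends relative to the example that follows it: the example enables mysql_ssl_verify_server_cert=1 as well, and the second hunk states that the Common Name is not verified unless that option is enabled, so a CA file alone still leaves the host name unchecked. Suggest "When enabling SSL encryption you should also set the other SSL options, at least mysql_ssl_ca_file or mysql_ssl_ca_path, and mysql_ssl_verify_server_cert to have the server's host name checked." so the prose and the example recommend the same thing.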
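Review bot: In the second hunk, the sentence "When set MySQL server certificate is checked that it is signed by some CA certificate in the list." is repeated verbatim under both mysql_ssl_ca_file and mysql_ssl_ca_path, but for mysql_ssl_ca_path the trusted certificates live in a directory, not a list, and the sentence is ungrammatical in both places. Suggest "When set, the MySQL server certificate is checked to be signed by one of the CA certificates in the file." for mysql_ssl_ca_file and "... in the directory." for mysql_ssl_ca_path. It would also help the reader if the "Verification of the host name is disabled by default." line under mysql_ssl_verify_server_cert were stated together with the consequence the hunk already describes, i.e. that without it a CA file only checks the signature and the connection is still open to the man-in-the-middle case the paragraph mentions.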