Oct 22, 2018

How to connect securely to a MySQL server that supports secure connections

The options that a client must specify depend on the encryption requirements of the MySQL account used by the client

Suppose that you want to connect using an account that has no special encryption requirements or was created using a GRANT statement that includes the REQUIRE SSL option. As a recommended set of secure-connection options, start the server with at least --ssl-cert and --ssl-key, and invoke the client with --ssl-ca. A client can connect securely like this:
shell> mysql --ssl-ca=ca.pem  
To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:
shell> mysql --ssl-ca=ca.pem \         --ssl-cert=client-cert.pem \         --ssl-key=client-key.pem  
To prevent use of encryption and override other --ssl-xxx options, invoke the client program with --ssl=0 or a synonym (--skip-ssl, --disable-ssl):
shell> mysql --ssl=0