2

When using SequelPro, I have to check "Connect using SSL" option to connect to a remote mysql database server, but without providing "Key File", "Certificate" or "CA Cert", which is shown as the screenshot below:

SequelPro connect with SSL

Is there an equivalent way to do it in mycli? Or just plain mysql command?

Bruce Sun
  • 631
  • 1
  • 10
  • 26

1 Answers1

0

It's the --ssl option, which means "Enable encrypted connection".

mysql --ssl

A full list of command-line flags for MySQL CLI (mysql) can be found here:

https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-options.html

I don't believe that that checkbox does anything as fancy as verifying certificates (i.e. it does not pass in the --ssl-verify-server-cert option).

Birchlabs
  • 7,437
  • 5
  • 35
  • 54
  • 1
    Thank you for your answer, but do you know if [mycli](https://github.com/dbcli/mycli) has an equivalent option of `--ssl`? – Bruce Sun Sep 01 '17 at 07:37
  • has [these flags](https://github.com/dbcli/mycli/blob/27cbf6b87b1cfb3d20ddc2d9d6e0323ef99b047e/mycli/main.py#L901-L912). invokes `pymysql.connect()`. [passes those in](https://github.com/PyMySQL/PyMySQL/blob/4b7e9c98c0441449352d732f6a2453e4c868505c/pymysql/connections.py#L554-L556) to [`mysql-ssl-set()`](https://dev.mysql.com/doc/refman/5.7/en/mysql-ssl-set.html). no explicit "encryption" flag. _by default, MySQL programs attempt to connect using encryption if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established_ – Birchlabs Sep 01 '17 at 10:40
  • 1
    If you wanted to force encryption, maybe you could explicitly specify an `--ssl-cipher`? But actually what you really need is --ssl-mode (i.e. `MYSQL_OPT_SSL_MODE`). That's not configurable via the `mysql-ssl-set()` convenience function; it's exposed instead via `mysql-options()`. you'd need to check whether pymysql exposes access to `mysql-options()` anywhere (and then whether `mycli` exposes access to that). – Birchlabs Sep 01 '17 at 10:41
  • Thanks for your detailed explanation. Unfortunately company IT doesn't provide any SSL cipher, so looks like no other option but to dig into mycli code. – Bruce Sun Sep 04 '17 at 02:25
  • Given that _MySQL programs attempt to connect using encryption if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established_: maybe you don't need to do anything? if you wanted to be super sure that SSL was in use, you could force your user to require it: `GRANT USAGE ON *.* TO 'user-here'@'%' REQUIRE SSL;` – Birchlabs Sep 04 '17 at 11:04