Changes in MySQL 5.6.30 (2016-04-11, General Availability)
Security Notes
-
The linked OpenSSL library for the MySQL Commercial Server has been updated to version 1.0.1s. For a description of issues fixed in this version, see http://www.openssl.org/news/vulnerabilities.html.
This change does not affect the Oracle-produced MySQL Community build of MySQL Server, which uses the yaSSL library instead. (Bug #22685885, Bug #22923458)
-
MySQL client programs now support an
--ssl-mode
option that enables you to specify the security state of the connection to the server. If the option is not specified, the default value isDISABLED
(establish an unencrypted connection).--ssl-mode=REQUIRED
can be specified to require an encrypted connection, or fail if an encrypted connection cannot be obtained.These clients support
--ssl-mode
: mysql, mysqladmin, mysqlcheck, mysqldump, mysqlimport, mysqlshow, mysqlpump, mysqlslap, mysqltest, mysql_upgrade.For more information, see Command Options for Encrypted Connections.
NoteIn MySQL 5.7 and higher, the C client library provides native support for requiring encrypted connections: call the
mysql_options()
C API function, passing theMYSQL_OPT_SSL_MODE
option with a value ofSSL_MODE_REQUIRED
. In MySQL 5.6, the client library provides no such support because doing so would break binary compatibility with previous library versions within the series. Clients that require encrypted connections must implement the logic themselves.To require encrypted connections in MySQL 5.6, the standard MySQL client programs use this technique: If
--ssl-mode=REQUIRED
was specified, the client program turns on SSL, connects to the server, and checks whether the resulting connection is encrypted. If not, the client exits with an error. Third-party applications that must be able to require encrypted connections can use the same technique. For details, see mysql_ssl_set().