6.3 Using Encrypted Connections

6.3.1 Configuring MySQL to Use Encrypted Connections
6.3.2 Encrypted Connection TLS Protocols and Ciphers
6.3.3 Creating SSL and RSA Certificates and Keys
6.3.4 Connecting to MySQL Remotely from Windows with SSH

With an unencrypted connection between the MySQL client and the server, anyone with access to the network path can watch all of your traffic and inspect the data being sent or received between client and server, including credentials exchanged by authentication plugins that do not themselves encrypt the password.

When you must move information over a network in a secure fashion, an unencrypted connection is unacceptable. To make the data unreadable to an observer, use encryption. Confidentiality alone is not enough, however: the protocol must also include mechanisms that resist known attacks on the encrypted stream, such as reordering encrypted messages, tampering with them, or replaying captured data.

MySQL supports encrypted connections between clients and the server using the TLS (Transport Layer Security) protocol. TLS is sometimes referred to as SSL (Secure Sockets Layer), but MySQL does not actually use the SSL protocol for encrypted connections because its encryption is weak (see Section 6.3.2, "Encrypted Connection TLS Protocols and Ciphers").

TLS uses encryption algorithms to ensure that data received over a public network can be trusted: it provides confidentiality and has mechanisms to detect modification, loss, or replay of data. TLS also incorporates algorithms that provide identity verification using the X.509 standard.

X.509 makes it possible to identify a party on the Internet. In basic terms, there is an entity called a Certificate Authority (CA) that issues electronic certificates to anyone who needs them. Certificates rely on asymmetric (public-key) cryptography, which uses a key pair: a public key and a private (secret) key. A certificate binds its owner's identity to the owner's public key and carries the CA's signature over that binding. A certificate owner can present the certificate to another party as proof of identity, and that party can check the CA's signature against a CA certificate it already trusts. Data encrypted with the public key can be decrypted only with the corresponding private key, and a signature produced with the private key can be verified by anyone holding the public key; the private key is held only by the certificate owner. In a TLS handshake the server proves possession of its private key in this way, so a certificate is only as trustworthy as the CA that issued it and the client's decision to verify it.

Support for encrypted connections in MySQL is provided using OpenSSL. For information about the encryption protocols and ciphers that OpenSSL supports, see Section 6.3.2, "Encrypted Connection TLS Protocols and Ciphers".

Note

From MySQL 8.0.11 to 8.0.17, it was possible to compile MySQL using wolfSSL as an alternative to OpenSSL. As of MySQL 8.0.18, support for wolfSSL is removed and all MySQL builds use OpenSSL.

By default, MySQL client programs attempt to connect using encryption if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established (this is the behavior of the default --ssl-mode=PREFERRED). Be aware that PREFERRED neither fails when encryption is unavailable nor verifies the server's certificate, so by itself it protects only against passive eavesdropping; a client that must reach a genuine server over an untrusted network should use --ssl-mode=VERIFY_CA or --ssl-mode=VERIFY_IDENTITY together with --ssl-ca, and a server that must never accept plaintext should enable require_secure_transport. For information about options that affect use of encrypted connections, see Section 6.3.1, "Configuring MySQL to Use Encrypted Connections" and Command Options for Encrypted Connections.

MySQL performs encryption on a per-connection basis, and use of encryption for a given user can be optional or mandatory. This enables you to choose an encrypted or unencrypted connection according to the requirements of individual applications. For information on how to require users to use encrypted connections, see the discussion of the REQUIRE clause of the CREATE USER statement in Section 13.7.1.3, "CREATE USER Statement". See also the description of the require_secure_transport system variable in Section 5.1.8, "Server System Variables".
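The following is an added example, not part of the MySQL manual, that ties the previous two paragraphs together: it checks from inside a session whether the connection is actually encrypted, turns on server-wide enforcement with require_secure_transport, and then creates accounts with progressively stricter REQUIRE clauses. The account names, host pattern, password, certificate Subject/Issuer strings and file paths are constructed placeholders; the statements themselves are standard MySQL 8.0 syntax.

```sql
-- 1. From an existing session: is THIS connection encrypted?
--    Ssl_cipher and Ssl_version are empty strings on a plaintext connection,
--    so an application can refuse to proceed if they are blank.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- 2. What the server is currently using (Current_tls_* status variables,
--    MySQL 8.0.16+, reflect the certificate/key files actually loaded).
SHOW GLOBAL STATUS LIKE 'Current_tls_%';

-- 3. Server-wide enforcement: refuse any TCP/IP connection that is not
--    TLS-encrypted. Local Unix socket, shared-memory and named-pipe
--    connections count as secure transports and are still allowed.
--    SET PERSIST writes the setting to mysqld-auto.cnf so it survives restarts.
SET PERSIST require_secure_transport = ON;

-- 4. Per-account enforcement. Each REQUIRE form below is stricter than the
--    one before it. 'ChangeMe-Example-Only' and '10.0.0.%' are placeholders.

-- REQUIRE SSL: the connection must be encrypted, but the client presents
-- no certificate; the server is authenticated only if the client verifies it.
CREATE USER 'app_ro'@'10.0.0.%' IDENTIFIED BY 'ChangeMe-Example-Only'
  REQUIRE SSL;

-- REQUIRE X509: the client must present a certificate that chains to a CA
-- in the server's ssl_ca file. Any such certificate is accepted.
CREATE USER 'app_rw'@'10.0.0.%' IDENTIFIED BY 'ChangeMe-Example-Only'
  REQUIRE X509;

-- REQUIRE SUBJECT ... AND ISSUER ...: pin the exact client identity.
-- The DN strings must match what OpenSSL prints for the certificate.
CREATE USER 'replicator'@'10.0.0.%' IDENTIFIED BY 'ChangeMe-Example-Only'
  REQUIRE SUBJECT '/C=US/ST=CA/L=Example/O=Example Corp/CN=replicator'
      AND ISSUER  '/C=US/ST=CA/L=Example/O=Example Corp/CN=Example Internal CA';

-- Tighten an existing account without dropping and recreating it.
ALTER USER 'app_ro'@'10.0.0.%' REQUIRE X509;

-- 5. Audit: which accounts still carry no transport requirement?
--    ssl_type is '' for none, 'ANY' for REQUIRE SSL, 'X509' for REQUIRE X509,
--    and 'SPECIFIED' when SUBJECT/ISSUER/CIPHER are given.
SELECT user, host, ssl_type, x509_issuer, x509_subject
FROM mysql.user
WHERE ssl_type = ''
  AND user NOT IN ('mysql.sys', 'mysql.session', 'mysql.infoschema')
ORDER BY user, host;

SHOW CREATE USER 'replicator'@'10.0.0.%';
```

On the client side, the matching command is mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=ca.pem (plus --ssl-cert and --ssl-key for the X509 accounts): REQUIRE SSL on the server only guarantees that the link is encrypted, while the --ssl-mode on the client decides whether the server's certificate is checked at all. The audit query is worth running after any account import, because accounts created with plain CREATE USER default to ssl_type '' and are only protected by require_secure_transport.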

Encrypted connections can be used between source and replica servers. See Section 17.3.1, "Setting Up Replication to Use Encrypted Connections".
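As an added example (not from the manual), the statements below configure a replica so that its replication connection to the source is TLS-encrypted, the source's certificate is verified, and the replica authenticates with a client certificate. They use the CHANGE REPLICATION SOURCE TO syntax introduced in MySQL 8.0.23 (older 8.0 releases use CHANGE MASTER TO with MASTER_SSL_* option names). Host name, account, password and certificate paths are placeholders.

```sql
-- On the source: an account that may only replicate over TLS with a
-- client certificate signed by the source's trusted CA (ssl_ca).
CREATE USER 'replicator'@'10.0.0.%' IDENTIFIED BY 'ChangeMe-Example-Only'
  REQUIRE X509;
GRANT REPLICATION SLAVE ON *.* TO 'replicator'@'10.0.0.%';

-- On the replica: point the channel at the source and enable TLS.
-- SOURCE_SSL_VERIFY_SERVER_CERT = 1 makes the replica check the source's
-- certificate against SOURCE_SSL_CA, which is what stops an on-path host
-- from impersonating the source; SOURCE_SSL = 1 alone would only encrypt.
STOP REPLICA;

CHANGE REPLICATION SOURCE TO
  SOURCE_HOST = 'source.db.example.internal',
  SOURCE_PORT = 3306,
  SOURCE_USER = 'replicator',
  SOURCE_PASSWORD = 'ChangeMe-Example-Only',
  SOURCE_SSL = 1,
  SOURCE_SSL_CA   = '/etc/mysql/tls/ca.pem',
  SOURCE_SSL_CERT = '/etc/mysql/tls/replica-cert.pem',
  SOURCE_SSL_KEY  = '/etc/mysql/tls/replica-key.pem',
  SOURCE_SSL_VERIFY_SERVER_CERT = 1;

START REPLICA;

-- Confirm the channel configuration that is actually in effect.
SELECT CHANNEL_NAME, HOST, SSL_ALLOWED, SSL_CA_FILE,
       SSL_CERTIFICATE, SSL_VERIFY_SERVER_CERT
FROM performance_schema.replication_connection_configuration;
```

If the source also has require_secure_transport enabled, a replica that omits SOURCE_SSL = 1 fails to connect rather than silently replicating in the clear, which is the safer failure mode for a production pair.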

For information about using encrypted connections from the MySQL C API, see Support for Encrypted Connections.

It is also possible to connect using encryption from within an SSH connection to the MySQL server host. For an example, see Section 6.3.4, "Connecting to MySQL Remotely from Windows with SSH".
