Documentation Home
MySQL 9.3 Reference Manual
Related Documentation Download this Manual
PDF (US Ltr) - 40.8Mb
PDF (A4) - 40.9Mb
Man Pages (TGZ) - 261.1Kb
Man Pages (Zip) - 368.3Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb


MySQL 9.3 Reference Manual  / ...  / MySQL Programs  / Using MySQL Programs  /  Command Options for Connecting to the Server

6.2.3 Command Options for Connecting to the Server

This section describes options supported by most MySQL client programs that control how client programs establish connections to the server, whether connections are encrypted, and whether connections are compressed. These options can be given on the command line or in an option file.

Command Options for Connection Establishment

This section describes options that control how client programs establish connections to the server. For additional information and examples showing how to use them, seeSection 6.2.4, “Connecting to the MySQL Server Using Command Options”.

Table 6.4 Connection-Establishment Option Summary

Option NameDescription
--default-authAuthentication plugin to use
--hostHost on which MySQL server is located
--passwordPassword to use when connecting to server
--password1First multifactor authentication password to use when connecting to server
--password2Second multifactor authentication password to use when connecting to server
--password3Third multifactor authentication password to use when connecting to server
--pipeConnect to server using named pipe (Windows only)
--plugin-dirDirectory where plugins are installed
--portTCP/IP port number for connection
--protocolTransport protocol to use
--shared-memory-base-nameShared-memory name for shared-memory connections (Windows only)
--socketUnix socket file or Windows named pipe to use
--userMySQL user name to use when connecting to server

  • --default-auth=plugin

    Command-Line Format--default-auth=plugin
    TypeString

    A hint about which client-side authentication plugin to use. SeeSection 8.2.17, “Pluggable Authentication”.

  • --host=host_name,-hhost_name

    Command-Line Format--host=host_name
    TypeString
    Default Valuelocalhost

    The host on which the MySQL server is running. The value can be a host name, IPv4 address, or IPv6 address. The default value islocalhost.

  • --password[=pass_val],-p[pass_val]

    Command-Line Format--password[=password]
    TypeString
    Default Value[none]

    The password of the MySQL account used for connecting to the server. The password value is optional. If not given, the client program prompts for one. If given, there must beno space between--password= or-p and the password following it. If no password option is specified, the default is to send no password.

    Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. SeeSection 8.1.2.1, “End-User Guidelines for Password Security”.

    To explicitly specify that there is no password and that the client program should not prompt for one, use the--skip-password option.

  • --password1[=pass_val]

    Command-Line Format--password1[=password]
    TypeString

    The password for multifactor authentication factor 1 of the MySQL account used for connecting to the server. The password value is optional. If not given, the client program prompts for one. If given, there must beno space between--password1= and the password following it. If no password option is specified, the default is to send no password.

    Specifying a password on the command line should be considered insecure. To avoid giving the password on the command line, use an option file. SeeSection 8.1.2.1, “End-User Guidelines for Password Security”.

    To explicitly specify that there is no password and that the client program should not prompt for one, use the--skip-password1 option.

    --password1 and--password are synonymous, as are--skip-password1 and--skip-password.

  • --password2[=pass_val]

    Command-Line Format--password2[=password]
    TypeString

    The password for multifactor authentication factor 2 of the MySQL account used for connecting to the server. The semantics of this option are similar to the semantics for--password1; see the description of that option for details.

  • --password3[=pass_val]

    Command-Line Format--password3[=password]
    TypeString

    The password for multifactor authentication factor 3 of the MySQL account used for connecting to the server. The semantics of this option are similar to the semantics for--password1; see the description of that option for details.

  • --pipe,-W

    Command-Line Format--pipe
    TypeString

    On Windows, connect to the server using a named pipe. This option applies only if the server was started with thenamed_pipe system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by thenamed_pipe_full_access_group system variable.

  • --plugin-dir=dir_name

    Command-Line Format--plugin-dir=dir_name
    TypeDirectory name

    The directory in which to look for plugins. Specify this option if the--default-auth option is used to specify an authentication plugin but the client program does not find it. SeeSection 8.2.17, “Pluggable Authentication”.

  • --port=port_num,-Pport_num

    Command-Line Format--port=port_num
    TypeNumeric
    Default Value3306

    For TCP/IP connections, the port number to use. The default port number is 3306.

  • --protocol={TCP|SOCKET|PIPE|MEMORY}

    Command-Line Format--protocol=type
    TypeString
    Default Value[see text]
    Valid Values

    TCP

    SOCKET

    PIPE

    MEMORY

    This option explicitly specifies which transport protocol to use for connecting to the server. It is useful when other connection parameters normally result in use of a protocol other than the one you want. For example, connections on Unix tolocalhost are made using a Unix socket file by default:

    mysql --host=localhost

    To force TCP/IP transport to be used instead, specify a--protocol option:

    mysql --host=localhost --protocol=TCP

    The following table shows the permissible--protocol option values and indicates the applicable platforms for each value. The values are not case-sensitive.

    --protocol ValueTransport Protocol UsedApplicable Platforms
    TCPTCP/IP transport to local or remote serverAll
    SOCKETUnix socket-file transport to local serverUnix and Unix-like systems
    PIPENamed-pipe transport to local serverWindows
    MEMORYShared-memory transport to local serverWindows

    See alsoSection 6.2.7, “Connection Transport Protocols”

  • --shared-memory-base-name=name

    Command-Line Format--shared-memory-base-name=name
    Platform SpecificWindows

    On Windows, the shared-memory name to use for connections made using shared memory to a local server. The default value isMYSQL. The shared-memory name is case-sensitive.

    This option applies only if the server was started with theshared_memory system variable enabled to support shared-memory connections.

  • --socket=path,-Spath

    Command-Line Format--socket={file_name|pipe_name}
    TypeString

    On Unix, the name of the Unix socket file to use for connections made using a named pipe to a local server. The default Unix socket file name is/tmp/mysql.sock.

    On Windows, the name of the named pipe to use for connections to a local server. The default Windows pipe name isMySQL. The pipe name is not case-sensitive.

    On Windows, this option applies only if the server was started with thenamed_pipe system variable enabled to support named-pipe connections. In addition, the user making the connection must be a member of the Windows group specified by thenamed_pipe_full_access_group system variable.

  • --user=user_name,-uuser_name

    Command-Line Format--user=user_name
    TypeString

    The user name of the MySQL account to use for connecting to the server. The default user name isODBC on Windows or your Unix login name on Unix.

Command Options for Encrypted Connections

This section describes options for client programs that specify whether to use encrypted connections to the server, the names of certificate and key files, and other parameters related to encrypted-connection support. For examples of suggested use and how to check whether a connection is encrypted, seeSection 8.3.1, “Configuring MySQL to Use Encrypted Connections”.

Note

These options have an effect only for connections that use a transport protocol subject to encryption; that is, TCP/IP and Unix socket-file connections. SeeSection 6.2.7, “Connection Transport Protocols”

For information about using encrypted connections from the MySQL C API, seeSupport for Encrypted Connections.

Table 6.5 Connection-Encryption Option Summary

Option NameDescription
--get-server-public-keyRequest RSA public key from server
--server-public-key-pathPath name to file containing RSA public key
--ssl-caFile that contains list of trusted SSL Certificate Authorities
--ssl-capathDirectory that contains trusted SSL Certificate Authority certificate files
--ssl-certFile that contains X.509 certificate
--ssl-cipherPermissible ciphers for connection encryption
--ssl-crlFile that contains certificate revocation lists
--ssl-crlpathDirectory that contains certificate revocation-list files
--ssl-fips-modeWhether to enable FIPS mode on client side
--ssl-keyFile that contains X.509 key
--ssl-modeDesired security state of connection to server
--ssl-session-dataFile that contains SSL session data
--ssl-session-data-continue-on-failed-reuseWhether to establish connections if session reuse fails
--tls-ciphersuitesPermissible TLSv1.3 ciphersuites for encrypted connections
--tls-versionPermissible TLS protocols for encrypted connections

  • --get-server-public-key

    Command-Line Format--get-server-public-key
    TypeBoolean

    Request from the server the public key required for RSA key pair-based password exchange. This option applies to clients that authenticate with thecaching_sha2_password authentication plugin. For that plugin, the server does not send the public key unless requested. This option is ignored for accounts that do not authenticate with that plugin. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.

    If--server-public-key-path=file_name is given and specifies a valid public key file, it takes precedence over--get-server-public-key.

    For information about thecaching_sha2_password plugin, seeSection 8.4.1.1, “Caching SHA-2 Pluggable Authentication”.

  • --server-public-key-path=file_name

    Command-Line Format--server-public-key-path=file_name
    TypeFile name

    The path name to a file in PEM format containing a client-side copy of the public key required by the server for RSA key pair-based password exchange. This option applies to clients that authenticate with thesha256_password (deprecated) orcaching_sha2_password authentication plugin. This option is ignored for accounts that do not authenticate with one of those plugins. It is also ignored if RSA-based password exchange is not used, as is the case when the client connects to the server using a secure connection.

    If--server-public-key-path=file_name is given and specifies a valid public key file, it takes precedence over--get-server-public-key.

    This option is available only if MySQL was built using OpenSSL.

    For information about thesha256_password (deprecated) andcaching_sha2_password plugins, seeSection 8.4.1.2, “SHA-256 Pluggable Authentication”, andSection 8.4.1.1, “Caching SHA-2 Pluggable Authentication”.

  • --ssl-ca=file_name

    Command-Line Format--ssl-ca=file_name
    TypeFile name

    The path name of the Certificate Authority (CA) certificate file in PEM format. The file contains a list of trusted SSL Certificate Authorities.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither--ssl-ca nor--ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses anyssl_ca orssl_capath system variable values specified on the server side.

    To specify the CA file for the server, set thessl_ca system variable.

  • --ssl-capath=dir_name

    Command-Line Format--ssl-capath=dir_name
    TypeDirectory name

    The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format.

    To tell the client not to authenticate the server certificate when establishing an encrypted connection to the server, specify neither--ssl-ca nor--ssl-capath. The server still verifies the client according to any applicable requirements established for the client account, and it still uses anyssl_ca orssl_capath system variable values specified on the server side.

    To specify the CA directory for the server, set thessl_capath system variable.

  • --ssl-cert=file_name

    Command-Line Format--ssl-cert=file_name
    TypeFile name

    The path name of the client SSL public key certificate file in PEM format. Chained SSL certificates are supported.

    To specify the server SSL public key certificate file, set thessl_cert system variable.

  • --ssl-cipher=cipher_list

    Command-Line Format--ssl-cipher=name
    TypeString

    The list of permissible encryption ciphers for connections that use TLSv1.2. If no cipher in the list is supported, encrypted connections that use these TLS protocols do not work.

    For greatest portability,cipher_list should be a list of one or more cipher names, separated by colons. Examples:

    --ssl-cipher=AES128-SHA--ssl-cipher=DHE-RSA-AES128-GCM-SHA256:AES128-SHA

    OpenSSL supports the syntax for specifying ciphers described in the OpenSSL documentation athttps://www.openssl.org/docs/manmaster/man1/ciphers.html.

    For information about which encryption ciphers MySQL supports, seeSection 8.3.2, “Encrypted Connection TLS Protocols and Ciphers”.

    To specify the encryption ciphers for the server, set thessl_cipher system variable.

  • --ssl-crl=file_name

    Command-Line Format--ssl-crl=file_name
    TypeFile name

    The path name of the file containing certificate revocation lists in PEM format.

    If neither--ssl-crl nor--ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    To specify the revocation-list file for the server, set thessl_crl system variable.

  • --ssl-crlpath=dir_name

    Command-Line Format--ssl-crlpath=dir_name
    TypeDirectory name

    The path name of the directory that contains certificate revocation-list files in PEM format.

    If neither--ssl-crl nor--ssl-crlpath is given, no CRL checks are performed, even if the CA path contains certificate revocation lists.

    To specify the revocation-list directory for the server, set thessl_crlpath system variable.

  • --ssl-fips-mode={OFF|ON|STRICT}

    Command-Line Format--ssl-fips-mode={OFF|ON|STRICT}
    DeprecatedYes
    TypeEnumeration
    Default ValueOFF
    Valid Values

    OFF

    ON

    STRICT

    Controls whether to enable FIPS mode on the client side. The--ssl-fips-mode option differs from other--ssl-xxx options in that it is not used to establish encrypted connections, but rather to affect which cryptographic operations to permit. SeeSection 8.8, “FIPS Support”.

    These--ssl-fips-mode values are permissible:

    • OFF: Disable FIPS mode.

    • ON: Enable FIPS mode.

    • STRICT: Enablestrict FIPS mode.

    Note

    If the OpenSSL FIPS Object Module is not available, the only permissible value for--ssl-fips-mode isOFF. In this case, setting--ssl-fips-mode toON orSTRICT causes the client to produce a warning at startup and to operate in non-FIPS mode.

    To specify the FIPS mode for the server, set thessl_fips_mode system variable.

  • --ssl-key=file_name

    Command-Line Format--ssl-key=file_name
    TypeFile name

    The path name of the client SSL private key file in PEM format. For better security, use a certificate with an RSA key size of at least 2048 bits.

    If the key file is protected by a passphrase, the client program prompts the user for the passphrase. The password must be given interactively; it cannot be stored in a file. If the passphrase is incorrect, the program continues as if it could not read the key.

    To specify the server SSL private key file, set thessl_key system variable.

  • --ssl-mode=mode

    Command-Line Format--ssl-mode=mode
    TypeEnumeration
    Default ValuePREFERRED
    Valid Values

    DISABLED

    PREFERRED

    REQUIRED

    VERIFY_CA

    VERIFY_IDENTITY

    This option specifies the desired security state of the connection to the server. These mode values are permissible, in order of increasing strictness:

    • DISABLED: Establish an unencrypted connection.

    • PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if--ssl-mode is not specified.

      Connections over Unix socket files are not encrypted with a mode ofPREFERRED. To enforce encryption for Unix socket-file connections, use a mode ofREQUIRED or stricter. (However, socket-file transport is secure by default, so encrypting a socket-file connection makes it no more secure and increases CPU load.)

    • REQUIRED: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.

    • VERIFY_CA: LikeREQUIRED, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.

    • VERIFY_IDENTITY: LikeVERIFY_CA, but additionally perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client:

      • If the client uses OpenSSL 1.0.2 or higher, the client checks whether the host name that it uses for connecting matches either the Subject Alternative Name value or the Common Name value in the server certificate. Host name identity verification also works with certificates that specify the Common Name using wildcards.

      • Otherwise, the client checks whether the host name that it uses for connecting matches the Common Name value in the server certificate.

      The connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks.

      Note

      Host name identity verification withVERIFY_IDENTITY does not work with self-signed certificates that are created automatically by the server (seeSection 8.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”). Such self-signed certificates do not contain the server name as the Common Name value.

    Important

    The default setting,--ssl-mode=PREFERRED, produces an encrypted connection if the other default settings are unchanged. However, to help prevent sophisticated man-in-the-middle attacks, it is important for the client to verify the server’s identity. The settings--ssl-mode=VERIFY_CA and--ssl-mode=VERIFY_IDENTITY are a better choice than the default setting to help prevent this type of attack. To implement one of these settings, you must first ensure that the CA certificate for the server is reliably available to all the clients that use it in your environment, otherwise availability issues will result. For this reason, they are not the default setting.

    The--ssl-mode option interacts with CA certificate options as follows:

    To require use of encrypted connections by a MySQL account, useCREATE USER to create the account with aREQUIRE SSL clause, or useALTER USER for an existing account to add aREQUIRE SSL clause. This causes connection attempts by clients that use the account to be rejected unless MySQL supports encrypted connections and an encrypted connection can be established.

    TheREQUIRE clause permits other encryption-related options, which can be used to enforce security requirements stricter thanREQUIRE SSL. For additional details about which command options may or must be specified by clients that connect using accounts configured using the variousREQUIRE options, seeCREATE USER SSL/TLS Options.

  • --ssl-session-data=file_name

    Command-Line Format--ssl-session-data=file_name
    TypeFile name

    The path name of the client SSL session data file in PEM format for session reuse.

    When you invoke a MySQL client program with the--ssl-session-data option, the client attempts to deserialize session data from the file, if provided, and then use it to establish a new connection. If you supply a file, but the session is not reused, then the connection fails unless you also specified the--ssl-session-data-continue-on-failed-reuse option on the command line when you invoked the client program.

    Themysql command,ssl_session_data_print, generates the session data file (seeSection 6.5.1.2, “mysql Client Commands”).

  • ssl-session-data-continue-on-failed-reuse

    Command-Line Format--ssl-session-data-continue-on-failed-reuse
    TypeBoolean
    Default ValueOFF

    Controls whether a new connection is started to replace an attempted connection that tried but failed to reuse session data specified with the--ssl-session-data command-line option. By default, the--ssl-session-data-continue-on-failed-reuse command-line option is off, which causes a client program to return a connect failure when session data are supplied and not reused.

    To ensure that a new, unrelated connection opens after session reuse fails silently, invoke MySQL client programs with both the--ssl-session-data and--ssl-session-data-continue-on-failed-reuse command-line options.

  • --tls-ciphersuites=ciphersuite_list

    Command-Line Format--tls-ciphersuites=ciphersuite_list
    TypeString
    Default Valueempty string

    This option specifies which ciphersuites the client permits for encrypted connections that use TLSv1.3. The value is a list of zero or more colon-separated ciphersuite names. For example:

    mysql --tls-ciphersuites="suite1:suite2:suite3"

    The ciphersuites that can be named for this option depend on the SSL library used to compile MySQL. If this option is not set, the client permits the default set of ciphersuites. If the option is set to the empty string, no ciphersuites are enabled and encrypted connections cannot be established. For more information, seeSection 8.3.2, “Encrypted Connection TLS Protocols and Ciphers”.

    To specify which ciphersuites the server permits, set thetls_ciphersuites system variable.

  • --tls-version=protocol_list

    Command-Line Format--tls-version=protocol_list
    TypeString
    Default Value

    TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 (OpenSSL 1.1.1 or higher)

    TLSv1,TLSv1.1,TLSv1.2 (otherwise)

    This option specifies the TLS protocols the client permits for encrypted connections. The value is a list of one or more comma-separated protocol versions. For example:

    mysql --tls-version="TLSv1.2,TLSv1.3"

    The protocols that can be named for this option depend on the SSL library used to compile MySQL, and on the MySQL Server release.

    Important

    • Clients, including MySQL Shell, that support the--tls-version option cannot make a TLS/SSL connection with the protocol set to TLSv1 or TLSv1.1. If a client attempts to connect using these protocols, for TCP connections, the connection fails, and an error is returned to the client. For socket connections, if--ssl-mode is set toREQUIRED, the connection fails, otherwise the connection is made but with TLS/SSL disabled. SeeRemoval of Support for the TLSv1 and TLSv1.1 Protocols for more information.

    • Support for the TLSv1.3 protocol is available in MySQL Server, provided that MySQL Server was compiled using OpenSSL 1.1.1 or higher. The server checks the version of OpenSSL at startup, and if it is lower than 1.1.1, TLSv1.3 is removed from the default value for the server system variables relating to the TLS version (such as thetls_version system variable).

    Permitted protocols should be chosen such as not to leaveholes in the list. For example, these values do not have holes:

    --tls-version="TLSv1.2,TLSv1.3"--tls-version="TLSv1.3"

    For details, seeSection 8.3.2, “Encrypted Connection TLS Protocols and Ciphers”.

    To specify which TLS protocols the server permits, set thetls_version system variable.

Command Options for Connection Compression

This section describes options that enable client programs to control use of compression for connections to the server. For additional information and examples showing how to use them, seeSection 6.2.8, “Connection Compression Control”.

Table 6.6 Connection-Compression Option Summary

Option NameDescription
--compressCompress all information sent between client and server
--compression-algorithmsPermitted compression algorithms for connections to server
--zstd-compression-levelCompression level for connections to server that use zstd compression

  • --compress,-C

    Command-Line Format--compress[={OFF|ON}]
    DeprecatedYes
    TypeBoolean
    Default ValueOFF

    Compress all information sent between the client and the server if possible.

    This option is deprecated. Expect it to be removed in a future version of MySQL. SeeConfiguring Legacy Connection Compression.

  • --compression-algorithms=value

    Command-Line Format--compression-algorithms=value
    TypeSet
    Default Valueuncompressed
    Valid Values

    zlib

    zstd

    uncompressed

    The permitted compression algorithms for connections to the server. The available algorithms are the same as for theprotocol_compression_algorithms system variable. The default value isuncompressed.

  • --zstd-compression-level=level

    Command-Line Format--zstd-compression-level=#
    TypeInteger

    The compression level to use for connections to the server that use thezstd compression algorithm. The permitted levels are from 1 to 22, with larger values indicating increasing levels of compression. The defaultzstd compression level is 3. The compression level setting has no effect on connections that do not usezstd compression.