SQL MASTER_SSL_VERIFY_SERVER_CERT

MASTER_SSL_VERIFY_SERVER_CERT is an option of the CHANGE MASTER TO statement used in MySQL replication. When set to 1 (ON), the replica validates the server certificate presented by the master against the certificate authority (CA) file defined in MASTER_SSL_CA. A value of 0 (OFF) disables that verification, allowing the connection even if the certificate is self-signed or untrusted. Enabling verification hardens security by preventing man-in-the-middle attacks. The option was introduced in MySQL 5.1 and deprecated in MySQL 5.7.11 when MASTER_SSL_MODE replaced it. It was removed in MySQL 8.0; use MASTER_SSL_MODE='VERIFY_IDENTITY' instead. The setting is stored in the replication metadata repositories (mysql.slave_master_info and relay log index) and persists across restarts until explicitly changed.Important caveats:- Requires SSL to be enabled (MASTER_SSL=1 or MASTER_SSL_MODE not equal to DISABLED).- The replica must have access to a valid CA certificate file.- If verification fails, START SLAVE (START REPLICA) aborts with an SSL error.

• MASTER_SSL_VERIFY_SERVER_CERT - integer (0 or 1)
• 0 - Do not verify the master’s SSL certificate.
• 1 - Verify the master’s SSL certificate.

• CHANGE MASTER TO updates the replica’s connection metadata
• START SLAVE then attempts to connect
• If verification succeeds, replication starts; otherwise, it stops with an SSL verification error

• Enforcing strict SSL security between geographically separated master and replica.
• Meeting compliance requirements (PCI-DSS, HIPAA) that mandate certificate validation.
• Protecting replication traffic over untrusted networks such as the public internet.

• Forgetting to supply MASTER_SSL_CA, causing the connection to fail.
• Enabling verification while using a self-signed master certificate not present in the CA file.
• Assuming the option still exists in MySQL 8.0 (use MASTER_SSL_MODE instead).