SQL Keywords

SQL SSL

What is SQL SSL?

SQL SSL obligates a client to establish an encrypted TLS-protected session before it can authenticate to the MySQL server.

Compatible dialects for SQL SSL:

SQL SSL Full Explanation

SSL (nowadays implemented as TLS) is not part of the ANSI SQL standard, but MySQL (and MariaDB) expose the SSL keyword inside GRANT, CREATE USER, and ALTER USER statements. When an account definition contains REQUIRE SSL, the server will refuse any connection attempt that does not negotiate TLS during the handshake.

The keyword changes only authentication rules; it does not create certificates or start encryption on its own. The server must already be compiled and started with SSL support and valid certificates (ca.pem, server-cert.pem, server-key.pem). On the client side, SSL parameters (for example --ssl-mode=REQUIRED or --ssl-cert) must be supplied, or the client library auto-negotiation must succeed. If either side cannot negotiate TLS, the connection fails with ER_SECURE_TRANSPORT_REQUIRED.

MySQL treats SSL, TLSv1.2, TLSv1.3, and future protocol versions identically for the purpose of the REQUIRE SSL clause. To enforce stronger validation, administrators can use REQUIRE X509 or add CIPHER, ISSUER, and SUBJECT sub-clauses. Removing the requirement is done with ALTER USER ... REQUIRE NONE.

Because SSL requirements are stored in mysql.user, backups of that table or full logical dumps will carry the rule forward to restores. Administrators should test REQUIRE SSL in staging first because legacy scripts or drivers may lack TLS support.

SQL SSL Syntax

-- Create a new account that must use SSL
CREATE USER 'app_user'@'%' IDENTIFIED BY 'S3cure!' REQUIRE SSL;

-- Change an existing account to enforce SSL
ALTER USER 'bi_reader'@'10.%' REQUIRE SSL;

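-- Grant privileges and require SSL in one step
-- (accepted by MySQL 5.7 and earlier and by MariaDB; MySQL 8.0 no longer
--  accepts REQUIRE in GRANT, so use CREATE USER or ALTER USER there)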
GRANT SELECT ON reports.* TO 'report_bot'@'%' REQUIRE SSL;

SQL SSL Parameters

Example Queries Using SQL SSL

-- Example 1: create and enforce SSL
CREATE USER 'analyst'@'%' IDENTIFIED BY 'SecureP@ss1' REQUIRE SSL;

-- Example 2: retrofit SSL on an existing account
ALTER USER 'legacy_app'@'%' REQUIRE SSL;

-- Example 3 (run from the OS shell, not the mysql prompt): verify enforcement by attempting a non-SSL login (will fail)
mysql --user=analyst --password=SecureP@ss1 --ssl-mode=DISABLED

Expected Output Using SQL SSL

  • The CREATE or ALTER statement returns OK and sets mysql.user.ssl_type to 'ANY'
  • Subsequent non-encrypted connection attempts by the specified account fail with error: "ERROR 1045 (28000): Client with insecure transport disabled"

Use Cases with SQL SSL

  • Enforce encryption in transit to meet compliance standards such as HIPAA, PCI-DSS, GDPR
  • Protect credentials and result sets from network sniffing inside untrusted or multi-tenant networks
  • Gradually phase out legacy plain-text connections by applying REQUIRE SSL per account
  • Simplify security audits by proving every privileged account uses TLS
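
An added example, not part of the original page: Python that supports the audit use case above by replaying the CREATE USER, ALTER USER and GRANT statements of a logical dump in order and reporting the ssl_type each account ends up with, so accounts left at REQUIRE NONE stand out. It assumes one single-account statement per line in the plain forms shown on this page; the dump text, passwords and function names are constructed for illustration.

```python
import re

# REQUIRE clause keyword -> value stored in mysql.user.ssl_type
SSL_TYPE = {"NONE": "", "SSL": "ANY", "X509": "X509",
            "CIPHER": "SPECIFIED", "ISSUER": "SPECIFIED", "SUBJECT": "SPECIFIED"}
STMT = re.compile(
    r"^\s*(CREATE\s+USER|ALTER\s+USER|GRANT\s.+?\sTO)\s+"
    r"['`]([^'`]*)['`]@['`]([^'`]*)['`](.*)$", re.IGNORECASE)
REQUIRE = re.compile(r"\bREQUIRE\s+(NONE|SSL|X509|CIPHER|ISSUER|SUBJECT)\b", re.IGNORECASE)
LITERAL = re.compile(r"'(?:[^'\\]|\\.|'')*'")  # quoted strings such as passwords


def effective_ssl_types(sql_text):
    """Replay account statements in order; return {(user, host): ssl_type}."""
    state = {}
    for line in sql_text.splitlines():
        m = STMT.match(line)
        if not m:
            continue
        verb, user, host, tail = m.groups()
        key = (user, host)
        if verb.upper().startswith("CREATE"):
            state[key] = ""            # CREATE USER defaults to REQUIRE NONE
        else:
            state.setdefault(key, "")  # ALTER USER / GRANT keep the earlier rule
        req = REQUIRE.search(LITERAL.sub("''", tail))  # skip keywords inside strings
        if req:
            state[key] = SSL_TYPE[req.group(1).upper()]
    return state


def accounts_without_tls(sql_text):
    """Accounts whose final definition still permits unencrypted sessions."""
    return sorted(k for k, v in effective_ssl_types(sql_text).items() if v == "")

# Constructed sample dump: account names reuse this page's examples.
SAMPLE_DUMP = """\
CREATE USER 'app_user'@'%' IDENTIFIED BY 'placeholder' REQUIRE SSL;
CREATE USER 'bi_reader'@'10.%' IDENTIFIED BY 'placeholder';
ALTER USER 'bi_reader'@'10.%' REQUIRE SSL;
GRANT SELECT ON reports.* TO 'report_bot'@'%' REQUIRE SSL;
CREATE USER 'legacy_app'@'%' IDENTIFIED BY 'REQUIRE SSL';
CREATE USER 'analyst'@'%' IDENTIFIED BY 'placeholder' REQUIRE SSL;
ALTER USER 'analyst'@'%' REQUIRE NONE;
CREATE USER 'etl'@'%' REQUIRE X509;
CREATE USER 'partner'@'%' REQUIRE ISSUER '/CN=Example CA';
"""
if __name__ == "__main__":
    print("no TLS requirement:", accounts_without_tls(SAMPLE_DUMP))
```

In the sample, legacy_app is reported because the words REQUIRE SSL appear only inside its password string, and analyst because a later ALTER USER ... REQUIRE NONE removed the rule.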

Common Mistakes with SQL SSL

  • Assuming REQUIRE SSL also validates client certificates (use REQUIRE X509 for that)
  • Forgetting to configure server certificates before adding REQUIRE SSL, which locks out all affected users
  • Using old client libraries that silently ignore TLS options and fail to connect after enforcement
  • Confusing REQUIRE SSL with --require_secure_transport server option (the latter is global, not per account)

Related Topics

First Introduced In

MySQL 4.1

Frequently Asked Questions

What does REQUIRE SSL do in MySQL?

It forces the client to establish a TLS-encrypted channel before authentication. Plain connections are refused.

How do I verify that my session is using SSL?

Execute SHOW STATUS LIKE 'Ssl_cipher'; A non-empty Value for Ssl_cipher confirms encryption is active.

Can I weaken enforcement later?

Yes. Run ALTER USER 'name'@'host' REQUIRE NONE; to permit both encrypted and unencrypted sessions.

Is SSL the same as TLS in this context?

MySQL uses the keyword SSL historically, but the implementation negotiates modern TLS protocols under the hood.
