README.md: 13 additions & 5 deletions
@@ -444,16 +444,17 @@ The `tls` parameter selects which CA certificates to use:
444
444
-`tls=skip-verify`: Accept any certificate (insecure)
445
445
-`tls=preferred`: Attempt TLS, fall back to plaintext (insecure)
446
446
447
-
The `tls-verify` parameter controls how certificates are verified (works with both `tls=true` and custom configs):
447
+
The `tls-verify` parameter controls how certificates are verified:
448
448
-`tls-verify=identity` (default): Verifies CA and hostname - Most secure, equivalent to MySQL's VERIFY_IDENTITY
449
449
-`tls-verify=ca`: Verifies CA only, skips hostname check - Equivalent to MySQL's VERIFY_CA mode
450
450
451
+
**IMPORTANT:** The `tls-verify=ca` parameter **only works with custom TLS configs**, not with `tls=true` (system CAs). The combination `tls=true&tls-verify=ca` is explicitly rejected because it provides minimal security benefit - attackers can obtain valid certificates from any public CA, making CA-only verification ineffective. This matches MySQL CLI behavior, which requires `--ssl-ca` or `--ssl-capath` when using VERIFY_CA mode.
452
+
451
453
**Examples:**
452
454
```text
453
455
?tls=true - System CA with full verification (default behavior)
454
-
?tls=true&tls-verify=ca - System CA with CA-only verification
455
456
?tls=custom - Custom CA with full verification (default behavior)
456
-
?tls=custom&tls-verify=ca - Custom CA with CA-only verification
457
+
?tls=custom&tls-verify=ca - Custom CA with CA-only verification (VERIFY_CA mode)
457
458
```
458
459
459
460
##### `tls-verify`
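Review bot: the new **IMPORTANT** paragraph says `tls=true&tls-verify=ca` is "explicitly rejected" but not how or when, so a reader whose DSN stops working after this change cannot tell from the docs whether the DSN parser returns an error or the connection fails at dial time, nor what message to look for. Suggest naming the error the driver returns and stating the migration path for DSNs that used this combination: either register a custom TLS config and use `tls=<custom-config>&tls-verify=ca`, or drop `tls-verify=ca` and keep the default full verification with `tls=true`. The rationale sentence is sound as written; the missing piece is the operational effect.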
@@ -464,11 +465,18 @@ Valid Values: identity, ca
464
465
Default: identity
465
466
```
466
467
467
-
Controls the TLS certificate verification level. This parameter works with the `tls` parameter:
468
+
Controls the TLS certificate verification level:
468
469
-`identity`: Full verification including hostname (default, most secure)
469
470
-`ca`: CA verification only, without hostname checking (MySQL VERIFY_CA equivalent)
470
471
471
-
This parameter only applies when `tls=true` or `tls=<custom-config>`. It has no effect with `tls=skip-verify` or `tls=preferred`.
472
+
**IMPORTANT:** The `tls-verify=ca` option **only works with custom TLS configs** (e.g., `tls=<custom-config>`), not with `tls=true`.
473
+
474
+
Use `tls-verify=ca` when:
475
+
- You have a private CA with specific trusted certificates
476
+
- Connecting to servers via IP addresses or dynamic hostnames
477
+
- Working in environments where certificates don't include matching hostname/IP SANs
478
+
479
+
This parameter has no effect with `tls=skip-verify` or `tls=preferred`.
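Review bot: the second bullet under "Use `tls-verify=ca` when:" ("Connecting to servers via IP addresses or dynamic hostnames") is broader than the third and could lead readers to drop hostname verification when it is not needed: a certificate that carries the server's IP address as a SAN verifies under the default `identity` mode, and the third bullet already covers the case where no matching hostname/IP SAN exists. Suggest folding the second bullet into the third, and adding one sentence spelling out what `ca` gives up, since the text above only says "without hostname checking": with hostname checking off, any certificate issued by the configured private CA is accepted for any host, so the guarantee is only as strong as that CA's issuance scope. Also, "(e.g., `tls=<custom-config>`)" reads oddly because a custom config is the only form that works with `ca`; "(i.e., ...)" or dropping the parenthetical would be clearer.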