# mysql sslMode

By default, network connections are SSL encrypted; this property permits secure connections to be turned off, or different levels of security to be chosen.

The following values are allowed:

  • 'DISABLED' - Establish unencrypted connections;
  • 'PREFERRED' - (default) Establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections;
  • 'REQUIRED' - Establish secure connections if the server enabled them, fail otherwise;
  • 'VERIFY_CA' - Like 'REQUIRED' but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates;
  • 'VERIFY_IDENTITY' - Like 'VERIFY_CA', but additionally verify that the server certificate matches the host to which the connection is attempted.

This property replaced the deprecated legacy properties 'useSSL', 'requireSSL', and 'verifyServerCertificate', which are still accepted but translated into a value for 'sslMode' if 'sslMode' is not explicitly set:

  • 'useSSL=false' is translated to 'sslMode=DISABLED';
  • {'useSSL=true', 'requireSSL=false', 'verifyServerCertificate=false'} is translated to 'sslMode=PREFERRED';
  • {'useSSL=true', 'requireSSL=true', 'verifyServerCertificate=false'} is translated to 'sslMode=REQUIRED';
  • {'useSSL=true' AND 'verifyServerCertificate=true'} is translated to 'sslMode=VERIFY_CA';
  • There are no equivalent legacy settings for 'sslMode=VERIFY_IDENTITY'.

Note that, for ALL server versions, the default setting of 'sslMode' is 'PREFERRED', and it is equivalent to the legacy settings of 'useSSL=true', 'requireSSL=false', and 'verifyServerCertificate=false', which are different from their default settings for Connector/J 8.0.12 and earlier in some situations.

Applications that continue to use the legacy properties and rely on their old default settings should be reviewed. The legacy properties are ignored if 'sslMode' is set explicitly. If neither 'sslMode' nor 'useSSL' is set explicitly, the default setting of 'sslMode=PREFERRED' applies.
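
For reviewing existing connection strings, the following audit helper applies the translation rules above to a JDBC URL and reports the effective 'sslMode' along with what that mode leaves unprotected. It is an added example, not Connector/J code. Assumptions: an unset 'requireSSL' or 'verifyServerCertificate' counts as false, 'true'/'yes' enable a flag, mode values are compared case-insensitively, and the host and schema names are constructed.

```python
from urllib.parse import parse_qsl

MODES = ("DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY")
LEGACY = ("useSSL", "requireSSL", "verifyServerCertificate")
GAPS = {  # what each mode below VERIFY_IDENTITY leaves unprotected
    "DISABLED": "traffic is unencrypted",
    "PREFERRED": "can fall back to an unencrypted connection",
    "REQUIRED": "server certificate is not verified",
    "VERIFY_CA": "certificate is not matched against the host name",
}


def _true(props, name):
    # Assumption: an unset legacy flag counts as false; "true"/"yes" enable it.
    return props.get(name, "false").lower() in ("true", "yes")


def effective_ssl_mode(jdbc_url):
    """Return (mode, notes) for one JDBC URL using the translation rules."""
    props = dict(parse_qsl(jdbc_url.partition("?")[2], keep_blank_values=True))
    notes = []
    if "sslMode" in props:
        mode = props["sslMode"].upper()  # assumption: value is case-insensitive
        if mode not in MODES:
            raise ValueError(f"unknown sslMode value: {props['sslMode']!r}")
        # An explicit sslMode wins; legacy properties next to it do nothing.
        notes += [f"ignored legacy property: {p}" for p in LEGACY if p in props]
    elif "useSSL" not in props:  # neither sslMode nor useSSL set explicitly
        mode = "PREFERRED"
        notes.append("implicit default")
    elif not _true(props, "useSSL"):
        mode = "DISABLED"
    elif _true(props, "verifyServerCertificate"):
        mode = "VERIFY_CA"
    elif _true(props, "requireSSL"):
        mode = "REQUIRED"
    else:
        mode = "PREFERRED"
    if mode in GAPS:
        notes.append(GAPS[mode])
    return mode, notes


if __name__ == "__main__":
    for url in (  # constructed sample URLs
        "jdbc:mysql://db.example.internal:3306/app",
        "jdbc:mysql://db.example.internal:3306/app?useSSL=true&requireSSL=true",
        "jdbc:mysql://db.example.internal:3306/app?sslMode=VERIFY_CA&useSSL=false",
    ):
        print(url, "->", *effective_ssl_mode(url))
```

Any result other than 'VERIFY_CA' or 'VERIFY_IDENTITY' means the client does not authenticate the server, and an "implicit default" note marks URLs that depend on the driver default rather than a pinned setting.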