|
| 1 | +# SSL |
| 2 | + |
| 3 | +As part of the connection options, you can specify the `ssl` object property or a string containing the SSL profile content (**deprecated**). |
| 4 | + |
| 5 | +```ts |
| 6 | +ssl?: string | SslOptions; |
| 7 | +``` |
| 8 | + |
| 9 | +See full list of [SslOptions](https://github.com/sidorares/node-mysql2/blob/master/typings/mysql/lib/Connection.d.ts#L24-L80), which are in the same format as [tls.createSecureContext](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options). |
| 10 | + |
| 11 | +## SSL Options |
| 12 | + |
| 13 | +To enable SSL without manually providing certificates and assuming they are already trusted by the host machine, you can specify an empty object, for example: |
| 14 | + |
| 15 | +```ts |
| 16 | +const connection = await mysql.createConnection({ |
| 17 | + host: 'localhost', |
| 18 | + ssl: {}, |
| 19 | +}); |
| 20 | +``` |
| 21 | + |
| 22 | +You can also specify custom certificate(s) as an individual string or array of strings. Please note the arguments expect a string of the certificate, not a file name to the certificate: |
| 23 | + |
| 24 | +```ts |
| 25 | +import fs from 'node:fs'; |
| 26 | + |
| 27 | +const connection = await mysql.createConnection({ |
| 28 | + host: 'localhost', |
| 29 | + ssl: { |
| 30 | + ca: fs.readFileSync(__dirname + '/mysql-ca.crt'), |
| 31 | + }, |
| 32 | +}); |
| 33 | +``` |
| 34 | + |
| 35 | +When a certificate is read from an environment variable, it's recommended to replace escaped `\n` characters with proper new line characters, for example: |
| 36 | + |
| 37 | +```ts |
| 38 | +const connection = await mysql.createConnection({ |
| 39 | + host: 'localhost', |
| 40 | + ssl: { |
| 41 | + ca: process.env.DB_SSL_CA?.replace(/\\n/gm, '\n'), |
| 42 | + }, |
| 43 | +}); |
| 44 | +``` |
| 45 | + |
| 46 | +## SSL Certificate Bundle |
| 47 | + |
| 48 | +Alternatively, you can use a bundle with CA certificates. For example for Amazon RDS you could use: |
| 49 | + |
| 50 | +```ts |
| 51 | +import awsCaBundle from 'aws-ssl-profiles'; |
| 52 | + |
| 53 | +const connection = await mysql.createConnection({ |
| 54 | + host: 'db.id.ap-southeast-2.rds.amazonaws.com', |
| 55 | + ssl: awsCaBundle, |
| 56 | +}); |
| 57 | +``` |
| 58 | + |
| 59 | +For detailed instructions, please follow [aws-ssl-profiles](https://github.com/mysqljs/aws-ssl-profiles) documentation. |
| 60 | + |
| 61 | +## SSL Profile (deprecated) |
| 62 | + |
| 63 | +There is also a **deprecated option** allowing to specify a string containing name of SSL profile: |
| 64 | + |
| 65 | +```ts |
| 66 | +const connection = await mysql.createConnection({ |
| 67 | + host: 'localhost', |
| 68 | + ssl: 'Amazon RDS', |
| 69 | +}); |
| 70 | +``` |
| 71 | + |
| 72 | +Following profiles are included in the package: |
| 73 | + |
| 74 | +- `Amazon RDS` - in this case https://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem CA cert is used |
| 75 | + |
| 76 | +## Ignoring Unauthorized SSL Errors |
| 77 | + |
| 78 | +You can also connect to a MySQL server without providing an appropriate CA to trust. **This is highly discouraged** as being insecure. |
| 79 | + |
| 80 | +```ts |
| 81 | +const connection = await mysql.createConnection({ |
| 82 | + host: 'localhost', |
| 83 | + ssl: { |
| 84 | + // Beware, set `rejectUnauthorized` as `false` is strongly discouraged for security reasons: |
| 85 | + rejectUnauthorized: false, |
| 86 | + }, |
| 87 | +}); |
| 88 | +``` |
0 commit comments