I have successfully set up my MySQL server to support SSL connections. I'm just wondering if I need to copy client certs to each other server I want to connect to it from, OR if I can get away with just specifying:

[client]

ssl-cipher = DHE-RSA-AES256-SHA:AES128-SHA

All I need to do is encrypt the traffic between servers (sitting in EC2) and the MySQL server elsewhere, so I don't think I need to send certs out left, right and centre... Or am I wrong?

If I can get away with doing this, what are the implications of not going the whole hog and specifying the client certs too? Is there any reasonable real-world risk to NOT specifying a full set of client certs to the mysql client program?

+1  A: 

It appears that specification of JUST the ssl-cipher option is enough to secure the connection between a client and an SSL-enabled MySQL server (if anyone else out there knows any different, please let me know).

Tests using tcpdump to monitor traffic show clear-text commands being sent, as expected, when a user not requiring SSL connects to the server. But once the server is set up to accept SSL connections, if you connect with a user that requires SSL, specifying only ssl-cipher, these plain-text commands are encrypted within the packets, i.e. they can't be seen.

coderchris
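
For comparison, an added example (not part of the original question or answer) showing three alternative [client] sections for my.cnf: the cipher-only setup discussed above, one that also authenticates the server, and one that adds client certificates. The file paths are placeholders chosen for illustration; use only one of the three sections.

```ini
# Added example. All file paths are placeholders, not values from the post.
# The three [client] sections are alternatives: keep exactly one.

# (1) Cipher only, as proposed in the question.
#     The session is encrypted, but the client never checks the server's
#     certificate, so it cannot tell the real server from another host
#     answering on the network path.
[client]
ssl-cipher = DHE-RSA-AES256-SHA:AES128-SHA

# (2) Encrypted, and the server is authenticated.
#     Only the CA certificate (public, no private key) is copied to each
#     client host. The client then rejects a server whose certificate was
#     not signed by that CA or whose name does not match the host.
[client]
ssl-ca     = /etc/mysql/certs/ca.pem
ssl-cipher = DHE-RSA-AES256-SHA:AES128-SHA
# Clients older than MySQL 5.7.11:
ssl-verify-server-cert
# Clients from MySQL 5.7.11 on (use instead of the line above):
# ssl-mode = VERIFY_IDENTITY

# (3) Mutual TLS: the client also presents its own certificate.
#     Needed only when the account is defined with REQUIRE X509 (or
#     REQUIRE SUBJECT / ISSUER) rather than plain REQUIRE SSL.
[client]
ssl-ca     = /etc/mysql/certs/ca.pem
ssl-cert   = /etc/mysql/certs/client-cert.pem
ssl-key    = /etc/mysql/certs/client-key.pem
ssl-cipher = DHE-RSA-AES256-SHA:AES128-SHA
ssl-verify-server-cert
```

With any of the three, running `SHOW SESSION STATUS LIKE 'Ssl_cipher';` after connecting returns a non-empty cipher name when the session is encrypted, which confirms the tcpdump observation from inside the client.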