Securing MySQL 5.7 with SSL: Setup Guide and Performance Impact
This article explains how to enable SSL encryption for MySQL 5.7, details the necessary configuration steps, demonstrates security testing versus unencrypted connections, and measures the resulting performance penalty, helping DBAs decide when to use SSL in production.
Background
MySQL versions prior to 5.7 often suffered from weak default security, such as empty root passwords and open test databases, leaving databases vulnerable. MySQL 5.7 addresses these issues and introduces built‑in SSL support, which encrypts client‑server communication by default.
SSL Overview
SSL (Secure Sockets Layer) provides confidentiality, authentication, and message integrity for TCP‑based applications. Without SSL, data travels in clear text and can be intercepted, so enabling SSL for database connections is essential for protecting sensitive information.
MySQL 5.7 SSL Configuration
During the installation of MySQL 5.7, an additional step appears to initialize SSL. After completing the installation, several .pem files are generated in the data_dir directory, which are required for SSL operation.
Enable SSL during installation – the installer creates the necessary certificates automatically.
If mysql_ssl_rsa_setup was not executed during installation, run it manually:
Stop the MySQL service.
Execute mysql_ssl_rsa_setup.
Adjust ownership of the .pem files in data_dir: chown -R mysql.mysql *.pem
Restart the MySQL service.
Force a user to use SSL – set the user’s REQUIRE SSL option; connections from that user without SSL will be rejected with an error message.
Security Test: SSL vs. No SSL
Using tshark on the server, the author captured traffic while inserting data from a client. When SSL was disabled (--ssl-mode=DISABLED), the plaintext query was visible in the capture, confirming the security risk. With SSL enabled (--ssl-mode=REQUIRED), the query was encrypted and did not appear in the capture, demonstrating the protection SSL provides.
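The same check can be automated when auditing which clients still connect without SSL. The following is an added example, not code from the original article: it reads the client-to-server bytes of one MySQL connection and reports whether the client sent the protocol's SSLRequest packet or left its queries readable. It assumes a reassembled TCP stream and the uncompressed classic protocol; the function names and sample byte strings are constructed for illustration.

```python
import struct

CLIENT_SSL = 0x0800  # capability flag: client wants to switch to TLS
COM_QUERY = 0x03     # command byte that precedes a text query

def split_packets(stream: bytes):
    """Yield (sequence_id, payload) for each MySQL packet in the stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop instead of misparsing
        yield seq, payload
        pos += 4 + length

def classify_client_stream(stream: bytes) -> dict:
    """Report whether TLS was requested and which queries are readable."""
    result = {"tls_requested": False, "plaintext_queries": []}
    for seq, payload in split_packets(stream):
        # SSLRequest: a 32-byte sequence-1 packet with CLIENT_SSL set,
        # sent just before the TLS handshake starts.
        if seq == 1 and len(payload) == 32:
            caps = struct.unpack_from("<I", payload)[0]
            if caps & CLIENT_SSL:
                result["tls_requested"] = True
                break  # the remaining bytes are TLS records, not MySQL packets
        elif seq == 0 and payload[:1] == bytes([COM_QUERY]):
            result["plaintext_queries"].append(payload[1:].decode("utf-8", "replace"))
    return result

def make_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload with the 3-byte length and 1-byte sequence header."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

# Constructed sample streams (not real captures).
# Header layout: capability flags, max packet size, charset, 23 filler bytes.
PLAIN_HEAD = struct.pack("<IIB23x", 0xA205, 1 << 24, 33)  # CLIENT_SSL clear
TLS_HEAD = struct.pack("<IIB23x", 0xAA05, 1 << 24, 33)    # CLIENT_SSL set
PLAIN_STREAM = (make_packet(1, PLAIN_HEAD + b"app\x00\x00")
                + make_packet(0, b"\x03INSERT INTO t VALUES ('secret')"))
TLS_STREAM = make_packet(1, TLS_HEAD) + b"\x16\x03\x03\x00\x10" + bytes(16)

if __name__ == "__main__":
    for name, data in (("DISABLED", PLAIN_STREAM), ("REQUIRED", TLS_STREAM)):
        print(name, classify_client_stream(data))
```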
Performance Test (QPS)
Test environment: 32‑core CPU, 128 GB RAM, SSD storage. Queries were executed entirely in memory to isolate connection overhead. Concurrency levels of 1, 4, 8, 16, 24, 32, and 64 threads were measured.
The results show an average QPS reduction of about 23 % when SSL is enabled. The overhead mainly stems from the TLS handshake, encryption, and decryption performed during connection establishment, which impacts short‑lived connections more severely.
Conclusion & Recommendations
MySQL 5.7 enables SSL by default; if you force users to require SSL, application code must specify the appropriate SSL parameters, otherwise connections will fail.
SSL greatly improves security but incurs a noticeable performance penalty (≈23 % QPS drop). Use SSL for highly sensitive data or workloads with low traffic. For latency‑critical, short‑connection workloads, consider disabling SSL or using connection pooling/long‑lived connections.
dbaplus Community
