The MySQL service connector processes connection requests to a MySQL database.

To secure connections, we support common MySQL SSL options. For details, see sslmode.


Unlike other clients, the default sslmode for Secretless is require since most use cases require TLS. If your environment does not use TLS, turn it off if you can do so safely.

Configure the service connector

Configure the Secretless Broker to specify where to find your database connection details in the credentials section of the yaml file. This includes where to find the host, port, username, and password of your database, as well as the sslmode details, such as the location of any relevant certificates and revocation lists, if applicable.

The options are as follows:





The host name of the MySQL server.



The port of the MySQL server.


(Default setting is 3306)


The username of the MySQL account.



The password of the MySQL account.



This option determines if the connection between Secretless Broker and your database is protected by SSL.

For details on the supported values of this parameter, see SSL Modes.


(Default setting is require)


The content of this parameter specifies the client SSL certificate in PEM format. This parameter is ignored if an SSL connection is not made. Corresponds to ssl-cert.



The content of this parameter specifies the SSL certificate authority (CA) certificate(s) in PEM format. If present, the server’s certificate will be verified to be signed by one of these authorities. Corresponds to ssl-ca.



The content of this parameter specifies the secret key used for the client certificate. This parameter is ignored if an SSL connection is not made. Corresponds to ssl-key.



You must supply a valid value for port in the MySQL service connector configuration. A missing or invalid port causes the Secretless Broker to error. For details, see Troubleshoot Secretless Service Connectors.

The MySQL documentation website provides detail on the levels of protection provided by different values for the sslmode parameter.

Secretless supports the following SSL modes:




Corresponds to DISABLED. Try only a non-SSL connection.



Corresponds to REQUIRED. Try only an SSL connection. As is the MySQL standard, if a root CA file is present in this mode, no verification of the server certificate is done, despite a CA certificate option being specified.


Corresponds to VERIFY_CA. Try only an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA).


Corresponds to VERIFY_IDENTITY. Try only an SSL connection, and verify the server certificate against the configured CA certificates (provided in the Secretless configuration via sslrootcert). In addition, the verify-full SSL mode option helps prevent man-in-the-middle attacks by performing a host name identity verification.

Secretless checks the host name the client uses for connecting to the server against the identity provided in the certificate the server sends to the client. The connection fails if the host name does not match the certificate Common Name.

Secretless uses the value of the host parameter in the Secretless configuration to perform the host name identity verification. If desired, you can override this value for the purpose of the certificate check by providing a value for the sslhost configuration parameter.


Secretless does not currently support the MySQL PREFERRED or VERIFY_IDENTITY modes, and does not yet support providing an SSL certificate revocation list (eg ssl-crl). Please see our GitHub issues for more information on our plans to add support for these modes.

When sslmode is set to require or verify-ca, the optional SSL configuration parameters sslcert, sslkey, and sslrootcert may be necessary. The particular values needed depend on your use case; more information on these parameters can be found in the MySQL documentation.


See also

Troubleshoot Secretless Service Connectors