How secure is authentication in the MySQL protocol?

Updated: 2023-11-30 22:58:40

What is it that you want to be "safe to eavesdropping or even man-in-the-middle attacks"? Your password, or your data?

The title of your question refers specifically to authentication. MySQL does a reasonable job of protecting your password from eavesdroppers (it is not sent plaintext, and the use of a nonce defeats replay attacks). Citing MySQL protocol internals:

MySQL 4.1 and later

Remember that mysql.user.Password stores SHA1(SHA1(password))

  • The server sends a random string (scramble) to the client
  • the client calculates:
    • stage1_hash = SHA1(password), using the password that the user has entered.
    • token = SHA1(scramble + SHA1(stage1_hash)) XOR stage1_hash
    • stage1_hash' = token XOR SHA1(scramble + mysql.user.Password)

(Note SHA1(A+B) is the SHA1 of the concatenation of A with B.)

This protocol fixes the flaw of the old one, neither snooping on the wire nor mysql.user.Password are sufficient for a successful connection. But when one has both mysql.user.Password and the intercepted data on the wire, he has enough information to connect.

However, authenticated sessions continue in plaintext: an eavesdropper will be able to see all queries and results; and a MITM would be able to make alterations to the same. As stated in the manual:

By default, MySQL uses unencrypted connections between the client and the server. This means that someone with access to the network could watch all your traffic and look at the data being sent or received. They could even change the data while it is in transit between client and server.

Whilst you may not like the answer, SSL is the tool designed to defeat both data eavesdropping (how else can the communications be encrypted?) and MITM attacks (how else can either party verify that its peer is who it thinks it is?). Indeed, if the mysql client-server protocol alone defeated these threats then there would be no reason to use mysql over SSL (and thus it would be unlikely to be a supported configuration).
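
The challenge-response quoted above, worked through as an added example (not code from the original answer or from MySQL). The function names, the sample password and the 20-byte scramble length are assumptions for the demo; the server's final comparison follows the MySQL internals description.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: bytes) -> bytes:
    # What mysql.user.Password holds: SHA1(SHA1(password)).
    return sha1(sha1(password))


def client_token(scramble: bytes, password: bytes) -> bytes:
    # token = SHA1(scramble + SHA1(stage1_hash)) XOR stage1_hash
    stage1_hash = sha1(password)
    return xor(sha1(scramble + sha1(stage1_hash)), stage1_hash)


def server_recover_stage1(scramble: bytes, token: bytes, stored: bytes) -> bytes:
    # stage1_hash' = token XOR SHA1(scramble + mysql.user.Password)
    return xor(token, sha1(scramble + stored))


def server_check(scramble: bytes, token: bytes, stored: bytes) -> bool:
    # Final comparison from the MySQL internals description (a step not
    # reproduced on this page): accept when SHA1(stage1_hash') == stored value.
    candidate = sha1(server_recover_stage1(scramble, token, stored))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    password = b"correct horse"   # constructed sample value
    stored = stored_hash(password)
    scramble = os.urandom(20)     # assumed nonce length for the demo
    token = client_token(scramble, password)
    print("login accepted:", server_check(scramble, token, stored))
    # A captured token is bound to its scramble, so it fails under a fresh one.
    print("replay accepted:", server_check(os.urandom(20), token, stored))
    # Verification needs only the stored hash, never the password, which is
    # why the stored hash combined with a captured exchange is sensitive.
    recovered = server_recover_stage1(scramble, token, stored)
    print("stage1 recovered:", recovered == sha1(password))
```

None of this protects the queries and results that follow the handshake, which is the reason the answer points to SSL.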