Requiring TLS on MariaDB Server
This page is part of MariaDB's Documentation.
The parent of this page is: Data-in-Transit Encryption for MariaDB Enterprise Server
Topics on this page:
Overview
MariaDB Enterprise Server and MariaDB Community Server support data-in-transit encryption, which secures data transmitted over the network. The server and the clients encrypt data using the Transport Layer Security (TLS) protocol, which is a newer version of the Secure Socket Layer (SSL) protocol.
TLS must be manually enabled on the server, and then the server can be configured to require it.
Requiring TLS
Acquire an X509 certificate and a private key for the server.
If you are performing testing, then self-signed certificates and keys might be sufficient.
Determine which system variables and options you need to configure.
Mandatory system variables and options for requiring TLS include:
System Variable/Option
Description
When this option is enabled, connections attempted using insecure transport will be rejected. Secure transports are SSL/TLS, Unix sockets, or named pipes.
X509 cert in PEM format
X509 key in PEM format
CA file in PEM format
Useful system variables and options for TLS include:
System Variable/Option
Description
CA directory
SSL cipher to use
CRL file in PEM format
CRL directory
TLS protocol version for secure connections.
Choose a configuration file in which to configure your system variables and options.
It is not recommended to make custom changes to one of the bundled configuration files. Instead, it is recommended to create a custom configuration file in one of the included directories. Configuration files in included directories are read in alphabetical order. If you want your custom configuration file to override the bundled configuration files, then it is a good idea to prefix the custom configuration file's name with a string that will be sorted last, such as
z-
.On RHEL, CentOS, Rocky Linux, and SLES, a good custom configuration file would be:
/etc/my.cnf.d/z-custom-my.cnf
On Debian and Ubuntu, a good custom configuration file would be:
/etc/mysql/mariadb.conf.d/z-custom-my.cnf
Set your system variables and options in the configuration file.
They need to be set in a group that will be read by MariaDB Server, such as
[mariadb]
or[server]
.For example:
[mariadb] ... ssl_cert = /certs/server-cert.pem ssl_key = /certs/server-key.pem ssl_ca = /certs/ca-cert.pem
Restart the server.
$ sudo systemctl restart mariadb
Connect to the server using MariaDB Client:
$ sudo mariadb
Confirm that TLS is enabled by confirming that the have_
ssl system variable isYES
with the SHOW GLOBAL VARIABLES statement:SHOW GLOBAL VARIABLES LIKE 'have_ssl';
+---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_ssl | YES | +---------------+-------+
Confirm that TLS is required by confirming that the require_
secure_ system variable istransport ON
with the SHOW GLOBAL VARIABLES statement:SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';
+--------------------------+-------+ | Variable_name | Value | +--------------------------+-------+ | require_secure_transport | ON | +--------------------------+-------+