# Zero-Configuration SSL

{% hint style="info" %}
This feature is available from MariaDB 11.4.
{% endhint %}

## Zero-Configuration SSL (TLS)

Zero-Configuration SSL makes encrypted connections the default without requiring manual certificate management. It provides secure, MitM[^1]-resistant connections "out of the box" by automating server certificate generation and client-side verification.

## Overview

Traditionally, enabling SSL/TLS required manual steps: generating private keys, creating Certificate Signing Requests (CSRs), and managing a Certificate Authority (CA). Because of this complexity, many deployments remained unencrypted.

Zero-Configuration SSL eliminates these barriers:

1. Automatic Server Setup: The server automatically generates a self-signed certificate if none is configured.
2. Password-based validation: Clients verify the server's identity using the existing account password as a shared secret, rather than relying on a trusted CA.

## Requirements and Defaults

* MariaDB Version: Server and Client must be version 11.4 or higher.
* Default Behavior: SSL is enabled and verified by default; the client has `--ssl-verify-server-cert` enabled by default.
* Supported Authentication Plugins: This feature works with [mysql\_native\_password](/docs/server/reference/plugins/authentication-plugins/authentication-plugin-mysql_native_password.md), [ed25519](/docs/server/reference/plugins/authentication-plugins/authentication-plugin-ed25519.md), and [parsec](/docs/server/reference/plugins/authentication-plugins/authentication-plugin-parsec.md). The authentication exchanges of these plugins are MitM-proof even without SSL, which is what allows them to be used to verify the server certificate.

## Configuration Options

While designed to work automatically, the following options allow for manual control:

| Option                          | Description                                                                                                                                                                             |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--disable-ssl`                 | Disables SSL entirely (not recommended).                                                                                                                                                |
| `--skip-ssl-verify-server-cert` | A verified certificate is not required: the client accepts unverified certificates or even a completely unencrypted connection. This is not MitM-safe, even if the server uses SSL.    |

## Limitations

Authentication plugins such as PAM, GSSAPI, and `cached_sha2_plugin` are not MitM-proof without SSL: they require SSL to be secure, so they cannot be used to verify SSL itself. Use traditional CA-based verification (`--ssl-ca`) with these plugins.

## Verification

To verify that Zero-Configuration SSL is being used, connect via TCP/IP (not via a UNIX socket, because a local socket connection is automatically trusted and the certificate is not checked), and look at the status output:

{% code overflow="wrap" %}

```bash
mariadb -h 127.0.0.1 -u <username> -p
...
MariaDB [(none)]> status
--------------
mariadb from 12.2.2-MariaDB, client 15.2 for osx10.20 (arm64) using  EditLine wrapper
...
Current user:		stefan@localhost
SSL:			Cipher in use is TLS_AES_256_GCM_SHA384, cert is OK
...
Connection:		127.0.0.1 via TCP/IP
...
TCP port:		3306
...
```

{% endcode %}

Confirm that the connection is encrypted by querying the `Ssl_*` status variables (these are status variables, reported by `SHOW STATUS`, not system variables):

{% code overflow="wrap" %}

```sql
MariaDB [(none)]> SHOW SESSION STATUS LIKE 'Ssl_cipher'; SHOW SESSION STATUS LIKE 'Ssl_version';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| Ssl_cipher    | TLS_AES_256_GCM_SHA384 |
+---------------+------------------------+
...
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.3 |
+---------------+---------+
```

{% endcode %}

Run the following to see the server's certificate details. The `verify error:num=18:self-signed certificate` line is expected: the automatically generated certificate is self-signed, and `openssl` only performs CA-based verification, not the password-based check that the MariaDB client performs:

{% code overflow="wrap" %}

```bash
$ openssl s_client -starttls mysql 127.0.0.1:3306
Connecting to 127.0.0.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=MariaDB Server
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=MariaDB Server
verify return:1
---
Certificate chain
 0 s:CN=MariaDB Server
   i:CN=MariaDB Server
   a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Mar  2 16:19:15 2026 GMT; NotAfter: Feb 28 16:19:15 2036 GMT
...
```

{% endcode %}

## How it Works

The core mechanism of Zero-Configuration SSL is the use of the user password as a shared secret to verify the server’s identity without a Certificate Authority (CA).

1. Connection Establishment: The client connects and establishes a TLS connection using the server's self-signed certificate.
2. Fingerprint Calculation: The client calculates the SHA256 fingerprint of the server’s certificate.
3. Signature Generation:
   * The client creates a signature based on the certificate fingerprint and the user’s password.
   * The server performs the same calculation.
4. Verification: By comparing these values, the client confirms it is communicating with the intended server. This prevents Man-in-the-Middle (MitM) attacks because an attacker would present a different certificate, resulting in a fingerprint mismatch that they cannot resolve without knowing the user's password.
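The following is an added, simplified model of the check described above, and of the Limitations section: it is not MariaDB's own code, and it does not reproduce the exact wire format used by the server and libmariadb. The model binds the certificate fingerprint and the per-connection scramble to a password-derived secret with HMAC-SHA256 (an assumption made for the model), then shows a direct connection succeeding, a MitM with a swapped certificate failing, an attacker without the password being unable to forge the proof, and why a plugin that leaks the password to a MitM cannot protect the certificate. The certificate bytes are constructed stand-ins, not real X.509.

```python
"""Model of password-based server-certificate verification (added example)."""
import hashlib
import hmac
import os

# Constructed stand-ins for DER-encoded certificates (not real X.509).
SERVER_CERT = b"constructed DER: CN=MariaDB Server, self-signed, server key"
ATTACKER_CERT = b"constructed DER: CN=MariaDB Server, self-signed, attacker key"


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 fingerprint of the certificate as seen on a given TLS connection."""
    return hashlib.sha256(cert_der).digest()


def password_secret(password: str) -> bytes:
    """Password-derived secret shared by client and server.
    Model only: a real plugin stores and hashes the password its own way."""
    return hashlib.sha256(password.encode()).digest()


def bind_cert(secret: bytes, scramble: bytes, fingerprint: bytes) -> bytes:
    """Proof tying this connection (scramble) and this certificate to the password.
    HMAC is the model's choice of construction, not MariaDB's exact algorithm."""
    return hmac.new(secret, scramble + fingerprint, hashlib.sha256).digest()


class Server:
    """Server side: knows its own certificate and the account's password secret."""

    def __init__(self, cert_der: bytes, password: str):
        self.cert_der = cert_der
        self.secret = password_secret(password)
        self.scramble = os.urandom(20)  # fresh per connection

    def hello(self):
        # TLS handshake (certificate) plus authentication challenge (scramble).
        return self.cert_der, self.scramble

    def proof(self) -> bytes:
        # The server computes over the certificate *it* actually served.
        return bind_cert(self.secret, self.scramble, cert_fingerprint(self.cert_der))


def client_connect(server: Server, password: str, observed_cert: bytes = None) -> bool:
    """Client side: compute the same value over the certificate it observed,
    and accept the server only if both values match."""
    cert_der, scramble = server.hello()
    if observed_cert is not None:
        cert_der = observed_cert  # a MitM terminated TLS with its own certificate
    expected = bind_cert(password_secret(password), scramble, cert_fingerprint(cert_der))
    return hmac.compare_digest(expected, server.proof())


def direct_connection_ok() -> bool:
    return client_connect(Server(SERVER_CERT, "s3cret"), "s3cret")


def mitm_detected() -> bool:
    # Attacker relays the real server's proof, but the client saw ATTACKER_CERT.
    srv = Server(SERVER_CERT, "s3cret")
    return not client_connect(srv, "s3cret", observed_cert=ATTACKER_CERT)


def attacker_cannot_forge_proof() -> bool:
    # Attacker knows the scramble and both certificates, but not the password,
    # so it cannot produce the value the client expects for ATTACKER_CERT.
    srv = Server(SERVER_CERT, "s3cret")
    _, scramble = srv.hello()
    fp = cert_fingerprint(ATTACKER_CERT)
    forged = bind_cert(password_secret("guess"), scramble, fp)
    expected = bind_cert(password_secret("s3cret"), scramble, fp)
    return not hmac.compare_digest(forged, expected)


def leaked_password_defeats_check() -> bool:
    # Why PAM-style plugins cannot verify the certificate: if the exchange hands
    # the password to the MitM, the attacker can compute a valid proof for its
    # own certificate and the fingerprint check no longer detects anything.
    srv = Server(SERVER_CERT, "s3cret")
    _, scramble = srv.hello()
    fp = cert_fingerprint(ATTACKER_CERT)
    forged = bind_cert(password_secret("s3cret"), scramble, fp)
    expected = bind_cert(password_secret("s3cret"), scramble, fp)
    return hmac.compare_digest(forged, expected)
```

The scramble is included so that a proof captured on one connection cannot be replayed on another; the fingerprint is included so that the proof is only valid for the certificate the client actually saw.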

[^1]: Man-in-the-Middle (MitM): A cyberattack where an unauthorized third party secretly intercepts, and potentially alters, the communication between two parties (such as a client and a server) who believe they are talking directly to each other.
