circle-info
Live Webinar | From Strategy to Execution: Your Practical MySQL to MariaDB Migration Plan
Register Nowarrow-up-right
search
Download MariaDBContact Us

Using TLSv1.3

Information about TLSv1.3 support in MariaDB (available with OpenSSL 1.1.1+), noting that the ssl_cipher variable does not affect TLSv1.3 cipher suites.

OpenSSL 1.1.1 introduced support for TLSv1.3. TLSv1.3 is a major rewrite of the TLS protocol. (Some even argued it should've been called TLSv2.0.) Among other things,

  • it introduces a new set of cipher suites that only work with TLSv1.3,

  • and TLSv1.3 does not support cipher suites from previous TLS protocol versions.

This incompatible change had a non-obvious consequence. If you specified particular cipher suites to disable old and obsolete TLS protocol version, you might have inadvertently prevented TLSv1.3 from working, if the TLSv1.3 cipher suites were not added to their cipher list. After upgrading to OpenSSL 1.1.1, this might give the impression that you are using TLSv1.3, when their existing cipher suite configuration might prevent it.

To avoid this problem, OpenSSL developers decided that TLSv1.3 cipher suites should not be affected by the normal cipher-selecting API. This means that the ssl_cipher system variable had no effect on the TLSv1.3 cipher suites. This has been fixed in MariaDB, though – you can use the ssl_cipher variable just like before that change.

circle-exclamation

You cannot specify both TLSv1.2 and TLSv1.3 at the same time when MariaDB is built against OpenSSL 1.1.1.

See this OpenSSL blog postarrow-up-right and GitHub issuearrow-up-right for more information.

hashtag
See Also

This page is licensed: CC BY-SA / Gnu FDL

spinner
PreviousSSL/TLS System VariablesNextData-at-Rest Encryption

Last updated

Was this helpful?