SSL/TLS System Variables

The system variables listed on this page relate to encrypting data during transfer between servers and clients using the Transport Layer Security (TLS) protocol. Often, the term Secure Sockets Layer (SSL) is used interchangeably with TLS, although strictly speaking the SSL protocol is the predecessor of TLS and is no longer considered secure.

For compatibility reasons, the TLS system variables in MariaDB still use the ssl_ prefix, but MariaDB only supports its more secure successors. For more information on SSL/TLS in MariaDB, see Secure Connections Overview.

Variables

have_openssl

• Description: This variable shows whether the server is linked with rather than MariaDB's bundled TLS library, which might be or .

  • I this system variable shows YES, the server is linked with OpenSSL.

  • See for more information about which libraries are used on which platforms.

have_ssl

• Description: This variable shows whether the server supports using to secure connections.

  • If the value is YES, then the server supports TLS, and TLS is enabled.

  • If the value is DISABLED, then the server supports TLS, but TLS is not enabled.

ssl_ca

• Description: Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for . This system variable requires that you use the absolute path, not a relative path. This system variable implies the option.

  • See for more information.

• Command line: --ssl-ca=file_name

ssl_capath

• Description: Defines a path to a directory that contains one or more PEM files that should each contain one X509 certificate for a trusted Certificate Authority (CA) to use for . This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the command. This system variable implies the option.

  • See for more information.

• Command line: --ssl-capath=directory_name

ssl_cert

• Description: Defines a path to the X509 certificate file to use for . This system variable requires that you use the absolute path, not a relative path. This system variable implies the option.

• Command line: --ssl-cert=name

• Scope: Global

• Dynamic: No

ssl_cipher

• Description: List of permitted ciphers or cipher suites to use for . Besides cipher names, if MariaDB was compiled with OpenSSL, this variable could be set to "SSLv3" or "TLSv1.2" to allow all SSLv3 or all TLSv1.2 ciphers. Note that the TLSv1.3 ciphers cannot be excluded when using OpenSSL, even by using this system variable. See for details. This system variable implies the option.

• Command line: --ssl-cipher=name

• Scope: Global

ssl_crl

• Description: Defines a path to a PEM file that should contain one or more revoked X509 certificates to use for . This system variable requires that you use the absolute path, not a relative path.

  • See for more information.

  • This variable is only valid if the server was built with OpenSSL. If the server was built with or , then this variable is not supported. See for more information about which libraries are used on which platforms.

ssl_crlpath

• Description: Defines a path to a directory that contains one or more PEM files that should each contain one revoked X509 certificate to use for . This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the command.

  • See for more information.

  • This variable is only supported if the server was built with OpenSSL. If the server was built with or , then this variable is not supported. See for more information about which libraries are used on which platforms.

ssl_key

• Description: Defines a path to a private key file to use for . This system variable requires that you use the absolute path, not a relative path. This system variable implies the option.

• Command line: --ssl-key=name

• Scope: Global

• Dynamic: No

ssl_passphrase

• Description: SSL certificate key passphrase. Works similarly to the --passout/--passin openssl command-line parameters. The pass phrase value can be formatted as follows:

  • pass:password — Provide the actual password.

  • env:

tls_version

• Description: This system variable accepts a comma-separated list (with no whitespaces) of TLS protocol versions. A TLS protocol version will only be enabled if it is present in this list. All other TLS protocol versions will not be permitted.

  • See for more information.

• Command line: --tls-version=value

version_ssl_library

• Description: The version of the library that is being used. Note that the version returned by this system variable does not always necessarily correspond to the exact version of the OpenSSL package installed on the system. OpenSSL shared libraries tend to contain interfaces for multiple versions at once to allow for backward compatibility. Therefore, if the OpenSSL package installed on the system is newer than the OpenSSL version that the MariaDB server binary was built with, then the MariaDB server binary might use one of the interfaces for an older version.

  • See for more information.

• Scope: Global

See Also

• for a complete list of system variables and instructions on setting them.

_{This page is licensed: CC BY-SA / Gnu FDL}