By default, MariaDB transmits data between the server and clients unencrypted. This is generally acceptable when the server and client run on the same host, but in secure environments, and especially when the server and client are on separate hosts, it introduces a real risk: anyone able to observe the network path between them (a compromised switch, a shared network segment, a rogue device) can read the traffic, queries and result sets included.

To mitigate this, MariaDB can encrypt data in transit between the server and clients using the Transport Layer Security (TLS) protocol. TLS is often used interchangeably with Secure Sockets Layer (SSL), but strictly speaking SSL is the predecessor of TLS and all SSL versions are now considered insecure. The documentation still uses the term SSL frequently, and for compatibility reasons the TLS-related server system and status variables keep the ssl_ prefix, but internally MariaDB only speaks TLS.

TLS Support

In order for MariaDB to use TLS, the server must be compiled with the relevant SSL build options. Most of the time this is done for you, as distributions and operating systems tend to compile MariaDB binaries with TLS support. If you are not sure whether your server has TLS support, check the have_ssl system variable:

SHOW VARIABLES LIKE 'have_ssl';

+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+

When the statement returns a value of DISABLED, it means that the server was compiled with TLS support, but started with it turned off. A value of YES means that it was compiled with the support and started with TLS enabled. A value of NO means that the server build does not support TLS.

To enable TLS on a MariaDB server that was compiled with support, start the server with the ssl system variable or the --ssl option set. You also need to set a number of other system variables, such as the paths to the server certificate and private key, the CA file used to validate client certificates, the cipher list you want to allow, and so on. Note that these variables are read at startup and cannot be changed at runtime. For more information on these, see SSL/TLS system variables.
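The following option-file fragment is an added example, not taken from the MariaDB documentation, showing the minimum set of server variables a practitioner sets to turn TLS on. The certificate paths and the cipher list are assumptions for illustration; tls_version exists only on MariaDB 10.4.6 and later, so drop that line on older servers.

```ini
# Added example: server-side TLS settings for a my.cnf / mariadb.conf.d file.
# All file paths below are assumptions; point them at your own PEM files.
[mariadb]
# Turns TLS on (equivalent to the --ssl option).
ssl = on
# CA bundle the server uses to validate client certificates presented under
# REQUIRE X509 / ISSUER / SUBJECT account requirements.
ssl_ca = /etc/mysql/ssl/ca-cert.pem
# Certificate the server presents to connecting clients.
ssl_cert = /etc/mysql/ssl/server-cert.pem
# Private key for ssl_cert. Keep it readable only by the mysql user (mode 0600).
ssl_key = /etc/mysql/ssl/server-key.pem
# Restrict protocol versions (MariaDB 10.4.6+). Older servers cannot filter by
# protocol version and can only narrow the negotiable cipher list via ssl_cipher.
tls_version = TLSv1.2,TLSv1.3
# Restrict the TLSv1.2 cipher list (OpenSSL cipher-string syntax). Assumed
# list: forward-secret AEAD suites only, no CBC or RSA key exchange.
ssl_cipher = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
```

After restarting the server, SHOW VARIABLES LIKE 'have_ssl' should return YES rather than DISABLED, and a client that connected over TLS will see a non-empty value for SHOW SESSION STATUS LIKE 'Ssl_cipher'. If the server fails to start, check the error log first: a wrong path or a key file the mysql user cannot read is the usual cause.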

TLS Libraries

MariaDB has supported the TLSv1.2 protocol since MariaDB 10.0.15. On older servers the only way to limit MariaDB to TLSv1.2 is indirectly, by setting the ssl_cipher system variable to cipher suites that exist only in TLSv1.2. MariaDB 10.4.6 and later add the tls_version system variable, which restricts the accepted protocol versions directly.

In most cases the MariaDB Server is dynamically linked with the relevant TLS library. With Windows binaries and with Debian and Ubuntu when installed from packages, the specific library is yaSSL. On other platforms, the library is OpenSSL. Being dynamically linked means that you can update the library without recompiling MariaDB. So, if OpenSSL encounters an issue (like the Heartbleed Bug in 2014, for instance), you can mitigate it by installing the patched TLS library and then restarting the MariaDB Server. The caveat is yaSSL: it is bundled with the MariaDB source and compiled into the server, so a fix in yaSSL only reaches you through updated MariaDB binaries.

You can verify that the TLS library is in fact dynamically linked on your system using the ldd command. If the command prints nothing, no shared TLS library is loaded, which means the library was compiled into the binary:

$ ldd `which mysqld` | grep ssl
	libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007fd36ba4a000)

Also see Using TLSv1.3.

Using TLS

Encryption is handled per connection, and it can be made mandatory or optional. Enabling TLS on the server alone does not force clients to use it: a client that does not ask for TLS still gets a cleartext connection. You can use the REQUIRE clause of the GRANT statement (or of CREATE USER and ALTER USER) to reject connections from accounts that do not use TLS. You can also set further requirements for that account's TLS connections, such as requiring a valid client certificate, or a certificate from a particular Certificate Authority with a particular subject.
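The statements below are an added example, not taken from the MariaDB documentation, walking through the escalating per-account requirements just described and the checks a practitioner runs alongside them. The account names, host pattern, database name, placeholder password and certificate issuer/subject strings are assumptions.

```sql
-- Added example. All names and DN strings below are assumptions.

-- 1. Is THIS session encrypted? Ssl_cipher is empty for a cleartext
--    connection even when the server itself has TLS enabled.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- 2. Optional TLS (the default): this account may connect either way.
CREATE USER 'reporting'@'10.0.%' IDENTIFIED BY 'change-me';

-- 3. Mandatory TLS: a cleartext login is refused even with the right password.
CREATE USER 'app'@'10.0.%' IDENTIFIED BY 'change-me' REQUIRE SSL;
GRANT SELECT, INSERT ON appdb.* TO 'app'@'10.0.%';

-- 4. Stronger: the client must also present a certificate that validates
--    against the server's ssl_ca.
ALTER USER 'app'@'10.0.%' REQUIRE X509;

-- 5. Strongest: pin the client certificate to one issuer and one subject.
--    Each ALTER USER ... REQUIRE replaces the previous requirement, and the
--    DN strings must match exactly, so copy them from the certificate.
ALTER USER 'app'@'10.0.%'
  REQUIRE ISSUER '/C=US/ST=CA/L=SF/O=Example Corp/CN=Example Internal CA'
      AND SUBJECT '/C=US/ST=CA/L=SF/O=Example Corp/CN=app-client';

-- 6. Audit: which accounts still accept cleartext connections?
--    ssl_type is '' (none), 'ANY' (REQUIRE SSL), 'X509', or 'SPECIFIED'.
SELECT User, Host, ssl_type
  FROM mysql.user
 WHERE ssl_type = '';

-- 7. Server-wide alternative (MariaDB 10.5.2+): reject every TCP connection
--    that is not TLS. Unix sockets and named pipes still count as secure.
SET GLOBAL require_secure_transport = ON;
```

Run step 1 from the client you are trying to protect, not from a local socket session on the server host: a local socket connection reports no cipher because it never crosses the network, and that is expected. Step 7 is the safety net for accounts created without a REQUIRE clause, but it applies to the whole server, so test it with a non-root account first.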
