TLS and Cryptography Libraries Used by MariaDB

When MariaDB Server is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled yaSSL library or dynamically linked with OpenSSL.

When a MariaDB client or library is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled yaSSL library or dynamically linked with the system's TLS and cryptography library, which might be OpenSSL, GnuTLS, or Schannel.

Checking Dynamically vs. Statically Linked

Dynamically linking MariaDB to the system's TLS and cryptography library can often be beneficial, since this allows you to fix bugs in the system's TLS and cryptography library independently of MariaDB. For example, when information on the Heartbleed Bug in OpenSSL was released in 2014, the bug could be mitigated by simply updating your system to use a fixed version of the OpenSSL library, and then restarting the MariaDB Server.

You can verify that mysqld is in fact dynamically linked to the OpenSSL shared library on your system by using the ldd command:

$ ldd $(which mysqld) | grep -E '(libssl|libcrypto)'
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f8736386000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f8735f25000)

If the command does not return any results, then either your mysqld is statically linked to the TLS and cryptography library on your system or your mysqld is not built with TLS and cryptography support at all.

Checking OpenSSL vs. yaSSL

In MariaDB 10.0 and later, if you aren't sure whether your server is linked with OpenSSL or yaSSL, then you can check the value of the have_openssl system variable. For example:

SHOW GLOBAL VARIABLES LIKE 'have_openssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+

Checking the Server's OpenSSL Version

In MariaDB 10.1 and later, if you want to see what version of OpenSSL your server is using, then you can check the value of the version_ssl_library system variable. For example:

SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';
+---------------------+---------------------------------+
| Variable_name       | Value                           |
+---------------------+---------------------------------+
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 |
+---------------------+---------------------------------+

Note that the version returned by this system variable does not always correspond to the exact version of the OpenSSL package installed on the system. OpenSSL shared libraries tend to contain interfaces for multiple versions at once to allow for backward compatibility. Therefore, if the OpenSSL package installed on the system is newer than the OpenSSL version that the MariaDB Server binary was built with, then the MariaDB Server binary might use one of the interfaces for an older version. See MDEV-15848 for more information. For example:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
$ rpm -q openssl
openssl-1.0.2k-12.el7.x86_64
$ mysql -u root --batch --execute="SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';"
Variable_name   Value
version_ssl_library     OpenSSL 1.0.1e-fips 11 Feb 2013
$ ldd $(which mysqld) | grep libcrypto
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3dd3482000)
$ readelf -a /lib64/libcrypto.so.10 | grep SSLeay_version
  1374: 000000000006f5d0    21 FUNC    GLOBAL DEFAULT   13 SSLeay_version@libcrypto.so.10
  1375: 000000000006f5f0    21 FUNC    GLOBAL DEFAULT   13 SSLeay_version@OPENSSL_1.0.1
  1377: 000000000006f580    70 FUNC    GLOBAL DEFAULT   13 SSLeay_version@@OPENSSL_1.0.2
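
The binding described above can be read from the symbol tables directly. The following script is an added example, not part of the original page: it parses `readelf -Ws` lines, using the library lines shown above; the `mysqld` import line and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not MariaDB's own tooling): compare the symbol version a
# binary imports with the version nodes its libcrypto exports.

# lib_versions SYMBOL: stdin is `readelf -Ws <library>` output.
# Prints "<version> default" for name@@version (what new links bind to)
# and "<version> compat" for name@version (kept for older binaries).
lib_versions() {
    awk -v sym="$1" '$7 != "UND" {
        n = index($8, "@")
        if (n == 0 || substr($8, 1, n - 1) != sym) next
        rest = substr($8, n + 1)
        if (substr(rest, 1, 1) == "@") print substr(rest, 2), "default"
        else print rest, "compat"
    }'
}

# imported_version SYMBOL: stdin is `readelf -Ws <binary>` output.
# Prints the version node the binary asks the dynamic linker for.
imported_version() {
    awk -v sym="$1" '$7 == "UND" {
        n = index($8, "@")
        if (n > 0 && substr($8, 1, n - 1) == sym) print substr($8, n + 1)
    }'
}

# Library lines copied from the readelf output shown above.
sample_lib() { cat <<'EOF'
  1374: 000000000006f5d0    21 FUNC    GLOBAL DEFAULT   13 SSLeay_version@libcrypto.so.10
  1375: 000000000006f5f0    21 FUNC    GLOBAL DEFAULT   13 SSLeay_version@OPENSSL_1.0.1
  1377: 000000000006f580    70 FUNC    GLOBAL DEFAULT   13 SSLeay_version@@OPENSSL_1.0.2
EOF
}

# Constructed import line for a mysqld built against an older OpenSSL.
sample_bin() { cat <<'EOF'
   212: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND SSLeay_version@OPENSSL_1.0.1 (7)
EOF
}

want=$(sample_bin | imported_version SSLeay_version)
dflt=$(sample_lib | lib_versions SSLeay_version | awk '$2 == "default" {print $1}')
echo "mysqld imports SSLeay_version@$want; library default is $dflt"
# Live use: readelf -Ws "$(which mysqld)" | imported_version SSLeay_version
```

When the imported version differs from the library's default, the string reported by version_ssl_library comes from the older interface, so treat the package manager's record as the source for the installed patch level.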

Libraries Used by Each Platform and Package

MariaDB Server

MariaDB Server on Windows

MariaDB Server is statically linked with the bundled yaSSL libraries in MSI and ZIP packages on Windows.

MariaDB Server on Linux

MariaDB Server in Binary Tarballs

MariaDB Server is statically linked with the bundled yaSSL libraries in binary tarballs on Linux.

MariaDB Server in DEB Packages

MariaDB Server is dynamically linked with the system's OpenSSL libraries in .deb packages provided by MariaDB Foundation and MariaDB Corporation.

MariaDB Server is statically linked with the bundled yaSSL libraries in .deb packages provided by Debian's and Ubuntu's default repositories.

MariaDB Server in RPM Packages

MariaDB Server is dynamically linked with the system's OpenSSL libraries in .rpm packages.

MariaDB Client

In MariaDB 10.2 and later, MariaDB Connector/C has been included with MariaDB Server. On some platforms, MariaDB Connector/C and the client utilities linked with it may use a different TLS library than MariaDB Server and libmysqlclient.

MariaDB Client on Windows

In MariaDB 10.1 and earlier, MariaDB's clients and utilities and libmysqlclient are statically linked with the bundled yaSSL libraries in MSI and ZIP packages on Windows.

In MariaDB 10.2 and later, MariaDB's clients and utilities and MariaDB Connector/C are dynamically linked with the system's Schannel libraries in MSI and ZIP packages on Windows. libmysqlclient is still statically linked with the bundled yaSSL libraries.

MariaDB Client on Linux

MariaDB Client in Binary Tarballs

MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are statically linked with the bundled yaSSL libraries in binary tarballs on Linux.

MariaDB Client in DEB Packages

MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL libraries in .deb packages provided by MariaDB Foundation's and MariaDB Corporation's repositories.

In MariaDB 10.1 and earlier, MariaDB's clients and utilities and libmysqlclient are statically linked with the bundled yaSSL libraries in .deb packages provided by Debian's and Ubuntu's default repositories.

In MariaDB 10.2 and later, MariaDB's clients and utilities and MariaDB Connector/C are dynamically linked with the system's GnuTLS libraries in .deb packages provided by Debian's and Ubuntu's default repositories. libmysqlclient is still statically linked with the bundled yaSSL libraries.

MariaDB Client in RPM Packages

MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL libraries in .rpm packages.

Updating Dynamically Linked OpenSSL Libraries on Linux

When the MariaDB Server or clients and utilities are dynamically linked to the system's OpenSSL libraries, the libraries are very easy to update. The sections below show how to update these libraries on each platform.

Updating Dynamically Linked OpenSSL Libraries with yum/dnf

On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to update the libraries using yum or dnf. Starting with RHEL 8 and Fedora 22, yum has been replaced by dnf, which is the next major version of yum. However, yum commands still work on many systems that use dnf. For example:

Update the package by executing the following command:

sudo yum update openssl

And then restart MariaDB server and any clients or applications that use the library.

Updating Dynamically Linked OpenSSL Libraries with apt-get

On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to update the libraries using apt-get. For example:

First update the package cache by executing the following command:

sudo apt update

And then update the package by executing the following command:

sudo apt-get install --only-upgrade openssl

And then restart MariaDB server and any clients or applications that use the library.

Updating Dynamically Linked OpenSSL Libraries with zypper

On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to update the libraries using zypper. For example:

Update the package by executing the following command:

sudo zypper update openssl

And then restart MariaDB server and any clients or applications that use the library.
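
Whether a restart is still pending can be read from the process's memory map: a library file replaced by the package manager shows as `(deleted)` in `/proc/<pid>/maps` until the process is restarted. The script below is an added example, not part of the original page; the function names and the sample map lines are constructed.

```sh
#!/bin/sh
# Added example: find TLS libraries a running process still maps even though
# the file on disk was replaced by a package update.

# stale_tls_libs: stdin is the content of /proc/<pid>/maps.
# Prints each libssl/libcrypto path marked "(deleted)", once per path.
stale_tls_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ {
        if (!seen[$(NF-1)]++) print $(NF-1)
    }'
}

# needs_restart: exit status 0 if stdin shows a stale TLS library mapping.
needs_restart() {
    [ -n "$(stale_tls_libs)" ]
}

# Constructed sample: mysqld started before the OpenSSL update.
sample_maps_stale() { cat <<'EOF'
55d0c8a00000-55d0c9a00000 r-xp 00000000 fd:00 1234567   /usr/sbin/mysqld
7f8735f25000-7f87360dc000 r-xp 00000000 fd:00 2345678   /lib64/libcrypto.so.10 (deleted)
7f87362dc000-7f87362f8000 r--p 001b7000 fd:00 2345678   /lib64/libcrypto.so.10 (deleted)
7f8736386000-7f87363e8000 r-xp 00000000 fd:00 2345679   /lib64/libssl.so.10 (deleted)
7f87365f0000-7f8736612000 r-xp 00000000 fd:00 3456789   /lib64/ld-2.17.so
EOF
}

# Constructed sample: the same process after a restart.
sample_maps_fresh() { sample_maps_stale | sed 's/ (deleted)$//'; }

# With a PID argument, check that process; otherwise run on the sample.
if [ -n "${1:-}" ] && [ -r "/proc/$1/maps" ]; then
    maps=$(cat "/proc/$1/maps")
else
    maps=$(sample_maps_stale)
fi
if printf '%s\n' "$maps" | needs_restart; then
    echo "restart needed, still mapped:"
    printf '%s\n' "$maps" | stale_tls_libs
else
    echo "no stale libssl/libcrypto mappings"
fi
```

Reading another user's maps file needs root; the same check applies to any long-running client or application linked against the updated library.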
