By default, data is not encrypted when it is transferred to and from the database server, so it could potentially be viewed by someone monitoring the network.

To prevent this, data can be encrypted during transfer using the Transport Layer Security (TLS) protocol. The term SSL (Secure Sockets Layer) is often used interchangeably with TLS, although strictly-speaking the SSL protocol is a predecessor, and is now considered insecure. TLS-related variables still use the ssl prefix for compatibility reasons, and the term is used in much of the documentation, although MariaDB only supports its secure successors.

MariaDB usually comes with TLS-support compiled in, but it is disabled by default. You can verify this by examining the have_ssl system variable:

SHOW VARIABLES LIKE 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+

If the server supports secure connections, the value will be set to YES. If TLS-support was not compiled in, the value will be set to NO. DISABLED means that the server was compiled with TLS support, but was not started with TLS support, which is usually the default situation.

To enable TLS, start the server with the --ssl option. There are a number of other TLS options you can set, such as the name of the certificate, or the list of ciphers, etc. (see SSL/TLS System Variables). MariaDB has supported the TLSv1.2 protocol since 10.0.15 - use ssl-cipher to limit MariaDB to TLSv1.2 ciphers only.

The server is almost always dynamically linked with the TLS library. Windows binaries (as well as Debian and Ubuntu when installed from the packages) use yaSSL, while other platforms use OpenSSL. Since the server is dynamically linked, in the case of a vulnerability in the underlying library (such as the Heartbleed Bug of April 2014), you simply need to install the patched TLS library, and do not need to reinstall MariaDB. You do need to restart the server after upgrading the TLS library though, to get it to load the new library.

You can verify that your TLS library is dynamically linked, for example:

ldd `which mysqld` | grep ssl
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd36ba4a000)

Encryption is handled per connection, and can be mandatory or optional. The GRANT statement can be used to reject connections from an account if it does not use TLS. Further requirements can be set for the TLS connections from that account, for example a valid certificate from a certain Certificate Authority can be required.

See also

Comments

Comments loading...