SSL Overview

You are viewing an old version of this article. View the current version here.

MariaDB usually comes with SSL support compiled in, but it is disabled by default. You can verify this by examining the have_ssl system variable:

SHOW VARIABLES LIKE 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+

If the server supports SSL connections, the value is YES. If SSL support was not compiled in, the value is NO. DISABLED means that the server was compiled with SSL support but was not started with it, which is usually the default situation.

To enable SSL, start the server with the --ssl option. There are a number of other SSL options you can set, such as the name of the certificate or the list of ciphers.

The server is almost always dynamically linked with the SSL library. Windows binaries use yaSSL, while other platforms use OpenSSL. Because the server is dynamically linked, when a vulnerability is found in the underlying SSL library (such as the Heartbleed Bug of April 2014), you only need to install the patched SSL library and do not need to reinstall MariaDB. The running server picks up the patched library once it is restarted.

You can verify that your SSL library is dynamically linked, for example:

ldd `which mysqld` | grep ssl
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fd36ba4a000)

The GRANT statement can be used to reject connections from an account if it does not use SSL. Further requirements can be set for the SSL connections from that account; for example, a valid certificate from a certain Certificate Authority can be required.
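
The following statements illustrate the GRANT requirements described above, together with a query to audit which accounts have no SSL requirement. This is an added example, not part of the original article; the account names, hosts, passwords, schema name and issuer DN are constructed placeholders.

```sql
-- Added example: all account names, hosts, passwords, the schema name and
-- the issuer DN below are constructed placeholders, not values from the article.
-- The server must report have_ssl = YES, otherwise these accounts cannot connect.

-- 1. Account that is rejected unless the connection uses SSL.
--    No client certificate is required.
CREATE USER 'app_rw'@'10.0.0.%' IDENTIFIED BY 'replace-this-password';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_rw'@'10.0.0.%';
GRANT USAGE ON *.* TO 'app_rw'@'10.0.0.%' REQUIRE SSL;

-- 2. Stricter account: the client must also present a valid certificate
--    issued by a specific Certificate Authority.
CREATE USER 'repl'@'10.0.0.%' IDENTIFIED BY 'replace-this-password-too';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.0.0.%'
  REQUIRE ISSUER '/C=XX/O=Example Org/CN=Example Internal CA';

-- 3. Audit: list accounts that can still connect without SSL.
--    ssl_type is '' (none), 'ANY' (REQUIRE SSL), 'X509' (REQUIRE X509)
--    or 'SPECIFIED' (REQUIRE ISSUER / SUBJECT / CIPHER).
SELECT user, host, ssl_type
FROM mysql.user
WHERE ssl_type = ''
ORDER BY user, host;

-- 4. From a client session: confirm the current connection is encrypted.
--    An empty Value means the session is not using SSL.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Accounts returned by the audit query in step 3 accept unencrypted connections even when the server itself was started with --ssl, so the account requirement and the server option need to be checked together.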
