Secure Connections Overview
By default, MariaDB transmits data between the server and clients unencrypted. This is generally acceptable when the server and client run on the same host, but in environments with stricter security requirements, and especially where the server and client run on separate hosts, it does introduce a risk: a malicious actor could potentially monitor the data passing over the network between them.
To mitigate this concern, MariaDB allows you to encrypt data in transit between the server and clients using the Transport Layer Security (TLS) protocol. TLS is sometimes used interchangeably with Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS and is now considered insecure.
The documentation still uses the term SSL often, and for compatibility reasons TLS-related server system and status variables still use the prefix ssl_, but internally MariaDB only supports its secure successors.
TLS Support
In order for MariaDB to use TLS, the server needs to be compiled with the relevant SSL build options. Most of the time this is done for you, as distributions and operating systems tend to compile MariaDB binaries with TLS support. If you aren't sure whether your server has TLS support, you can check using the have_ssl system variable:
SHOW VARIABLES LIKE 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+
When the statement returns a value of DISABLED, it means that the server was compiled with TLS support but started with it turned off. A value of YES means that it was compiled with support and started with TLS enabled. A value of NO means that the server build does not support TLS.
To enable TLS on a MariaDB server that was compiled with support, start the server with either the ssl system variable or the --ssl option. There are a number of other system variables that you also need to set, such as the path to the certificate, the CA file, the cipher you want to use, and so on. For more information on these, see SSL/TLS system variables.
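Turning TLS on is only half the job; a server that supports TLS will still happily accept cleartext connections unless the account requires encryption. The following statements are an added example, not part of the MariaDB documentation, and assume the server was started with ssl_ca, ssl_cert and ssl_key pointing at real files. They show how to confirm from a client session that TLS is compiled in, which files the server loaded, and whether the current connection is actually encrypted rather than merely able to be:

```sql
-- Added example (not from the MariaDB documentation): confirm that TLS is
-- compiled in, enabled, and in use on the current connection.
-- Assumes the server was started with ssl_ca/ssl_cert/ssl_key configured.

-- 1. Build-time and startup state: expect have_ssl = YES once TLS is on.
SHOW VARIABLES LIKE 'have_ssl';

-- 2. Which certificate, key and CA files the server loaded, and the cipher
--    list it allows. An empty value means the option was not configured.
SHOW VARIABLES
WHERE Variable_name IN ('ssl_ca', 'ssl_cert', 'ssl_key', 'ssl_cipher');

-- 3. Whether THIS session is encrypted. An empty Ssl_cipher means the
--    client connected in cleartext even though the server supports TLS.
SHOW SESSION STATUS
WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version');

-- 4. The same check as a single row, convenient for monitoring scripts:
--    information_schema.SESSION_STATUS exposes the same status variables.
SELECT IF(VARIABLE_VALUE = '',
          'CLEARTEXT',
          CONCAT('TLS ', VARIABLE_VALUE)) AS transport
FROM information_schema.SESSION_STATUS
WHERE VARIABLE_NAME = 'Ssl_cipher';
```

Step 3 is the one worth scripting: have_ssl = YES only proves the server offers TLS, while a non-empty Ssl_cipher proves the client you are auditing negotiated it.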
TLS Libraries
MariaDB has supported the TLSv1.2 protocol since MariaDB 10.0.15. If you want to limit MariaDB to only use TLSv1.2, use the ssl_cipher system variable.
In most cases the MariaDB Server is dynamically linked with the relevant TLS library. With Windows binaries, and with Debian and Ubuntu when installed from packages, the specific library is yaSSL. On other platforms, the library is OpenSSL. Being dynamically linked means that you can update the library without recompiling MariaDB. So, if OpenSSL encounters an issue (like the Heartbleed Bug in 2014, for instance), you can mitigate it by installing the patched TLS library and then restarting the MariaDB Server.
You can verify that the TLS library is in fact dynamically linked on your system using the ldd command:
$ ldd `which mysqld` | grep ssl
libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007fd36ba4a000)
Using TLS
Encryption is handled per connection, and it can be made mandatory or optional. You can use the GRANT statement to reject connections from accounts that don't use TLS. You can also set further requirements for the TLS connections from that account, such as requiring a valid certificate from a particular Certificate Authority.
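The REQUIRE clause is where the per-account policy described above lives. The statements below are an added example, not from the MariaDB documentation; the account names, host masks, passwords and the certificate subject and issuer strings are placeholders you would replace with your own. They show the three levels of strictness, from "must be encrypted" to "must present one specific client certificate from our CA", and how to audit what is enforced:

```sql
-- Added example (not from the MariaDB documentation). Account names, host
-- masks, passwords and certificate DN strings are placeholders.

-- Level 1: the connection must be encrypted; no client certificate needed.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'changeme';
GRANT SELECT, INSERT ON appdb.* TO 'app'@'10.0.0.%' REQUIRE SSL;

-- Level 2: the client must present a certificate that the server's ssl_ca
-- validates AND that was issued by this specific CA. This is how you
-- "require a valid certificate from a particular Certificate Authority".
CREATE USER 'batch'@'10.0.0.%' IDENTIFIED BY 'changeme';
GRANT SELECT ON appdb.* TO 'batch'@'10.0.0.%'
  REQUIRE ISSUER '/C=XX/O=Example Corp/CN=Example Internal CA';

-- Level 3: pin the exact client certificate subject as well. REQUIRE X509
-- alone accepts any valid certificate from any trusted CA; SUBJECT plus
-- ISSUER narrows the account to a single identity.
CREATE USER 'replica'@'10.0.0.5' IDENTIFIED BY 'changeme';
GRANT REPLICATION SLAVE ON *.* TO 'replica'@'10.0.0.5'
  REQUIRE SUBJECT '/C=XX/O=Example Corp/CN=replica01'
      AND ISSUER  '/C=XX/O=Example Corp/CN=Example Internal CA';

-- Audit: SHOW GRANTS prints the REQUIRE clause for one account ...
SHOW GRANTS FOR 'replica'@'10.0.0.5';

-- ... and mysql.user records it for every account in ssl_type
-- ('' = no requirement, ANY = REQUIRE SSL, X509, or SPECIFIED for
-- SUBJECT/ISSUER/CIPHER). Accounts with ssl_type = '' still accept
-- cleartext logins and are the ones to review.
SELECT User, Host, ssl_type, x509_issuer, x509_subject
FROM mysql.user
WHERE ssl_type = '';

-- Removing the requirement again, should an account need it lifted:
ALTER USER 'app'@'10.0.0.%' REQUIRE NONE;
```

Note that REQUIRE only controls what the server demands of the client; the client still needs ssl-ca (and, for levels 2 and 3, ssl-cert and ssl-key) configured on its side, and the server's ssl_ca must be able to validate the certificates the clients present.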
See also
- Encryption (for encrypting the data during storage)
- Cyberciti tutorial: How to setup MariaDB SSL and secure connections from clients