SSL/TLS System Variables

The system variables listed on this page relate to encrypting data during transfer between servers and clients using the Transport Layer Security (TLS) protocol. Often, the term Secure Sockets Layer (SSL) is used interchangeably with TLS, although strictly speaking the SSL protocol is the predecessor of TLS and is no longer considered secure.

For compatibility reasons, the TLS system variables in MariaDB still use the ssl_ prefix, but MariaDB only supports its more secure successors. For more information on SSL/TLS in MariaDB, see Secure Connections Overview.

Variables

have_openssl


have_ssl

  • Description: This variable shows whether the server supports using TLS to secure connections.
    • If the value is YES, then the server supports TLS, and TLS is enabled.
    • If the value is DISABLED, then the server supports TLS, but TLS is not enabled.
    • If the value is NO, then the server was not compiled with TLS support, so TLS cannot be enabled.
    • When TLS is supported, check the have_openssl system variable to determine whether the server is using OpenSSL or MariaDB's bundled TLS library. See TLS and Cryptography Libraries Used by MariaDB for more information about which libraries are used on which platforms.
  • Scope: Global
  • Dynamic: No

ssl_ca

  • Description: Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for TLS. This system variable requires that you use the absolute path, not a relative path. This system variable implies the ssl option.
  • Commandline: --ssl-ca=file_name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name

ssl_capath

  • Description: Defines a path to a directory that contains one or more PEM files that should each contain one X509 certificate for a trusted Certificate Authority (CA) to use for TLS. This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the openssl rehash command. This system variable implies the ssl option.
  • Commandline: --ssl-capath=directory_name
  • Scope: Global
  • Dynamic: No
  • Data Type: directory name

ssl_cert

  • Description: Defines a path to the X509 certificate file to use for TLS. This system variable requires that you use the absolute path, not a relative path. This system variable implies the ssl option.
  • Commandline: --ssl-cert=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None

ssl_cipher

  • Description: List of permitted ciphers or cipher suites to use for TLS. Besides cipher names, if MariaDB was compiled with OpenSSL, this variable could be set to "SSLv3" or "TLSv1.2" to allow all SSLv3 or all TLSv1.2 ciphers. Note that the TLSv1.3 ciphers cannot be excluded when using OpenSSL, even by using this system variable. See Using TLSv1.3 for details. This system variable implies the ssl option.
  • Commandline: --ssl-cipher=name
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: None

ssl_crl

  • Description: Defines a path to a PEM file that should contain one or more revoked X509 certificates to use for TLS. This system variable requires that you use the absolute path, not a relative path.
  • Commandline: --ssl-crl=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None

ssl_crlpath

  • Description: Defines a path to a directory that contains one or more PEM files that should each contain one revoked X509 certificate to use for TLS. This system variable requires that you use the absolute path, not a relative path. The directory specified by this variable needs to be run through the openssl rehash command.
  • Commandline: --ssl-crlpath=name
  • Scope: Global
  • Dynamic: No
  • Data Type: directory name
  • Default Value: None

ssl_key

  • Description: Defines a path to a private key file to use for TLS. This system variable requires that you use the absolute path, not a relative path. This system variable implies the ssl option.
  • Commandline: --ssl-key=name
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: None

tls_version


version_ssl_library

  • Description: The version of the TLS library that is being used. Note that the version returned by this system variable does not always necessarily correspond to the exact version of the OpenSSL package installed on the system. OpenSSL shared libraries tend to contain interfaces for multiple versions at once to allow for backward compatibility. Therefore, if the OpenSSL package installed on the system is newer than the OpenSSL version that the MariaDB server binary was built with, then the MariaDB server binary might use one of the interfaces for an older version.
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: None

See Also

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.