The Ultimate Guide to High Availability with MariaDB

SSL/TLS Status Variables

Contents

  1. Variables
    1. Ssl_accept_renegotiates
    2. Ssl_accepts
    3. Ssl_callback_cache_hits
    4. Ssl_cipher
    5. Ssl_cipher_list
    6. Ssl_client_connects
    7. Ssl_connect_renegotiates
    8. Ssl_ctx_verify_depth
    9. Ssl_ctx_verify_mode
    10. Ssl_default_timeout
    11. Ssl_finished_accepts
    12. Ssl_finished_connects
    13. Ssl_server_not_after
    14. Ssl_server_not_before
    15. Ssl_session_cache_hits
    16. Ssl_session_cache_misses
    17. Ssl_session_cache_mode
    18. Ssl_session_cache_overflows
    19. Ssl_session_cache_size
    20. Ssl_session_cache_timeouts
    21. Ssl_sessions_reused
    22. Ssl_used_session_cache_entries
    23. Ssl_verify_depth
    24. Ssl_verify_mode
    25. Ssl_version
  2. See Also

The status variables listed on this page relate to encrypting data during transfer with the Transport Layer Security (TLS) protocol. Often, the term Secure Socket Layer (SSL) is used interchangeably with TLS, although strictly speaking, the SSL protocol is a predecessor to TLS and is no longer considered secure.

For compatibility reasons, the TLS status variables in MariaDB still use the Ssl_ prefix, but MariaDB only supports its more secure successors. For more information on SSL/TLS in MariaDB, see Secure Connections Overview.

Some of these status values are not under the control of the server, but are reporting back settings of the underlying SSL library used by the server.

Variables

Ssl_accept_renegotiates

  • Description: Number of negotiations needed to establish the TLS connection. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_accepts

  • Description: Number of accepted TLS handshakes. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_callback_cache_hits

  • Description: Number of sessions retrieved from the session cache. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_cipher

  • Description: The TLS cipher currently in use.
  • Scope: Global, Session
  • Data Type: string

Ssl_cipher_list

  • Description: List of the available TLS ciphers. This is not necessarily the list of ciphers the MariaDB server can actually accept, but rather the list of ciphers supported by the underlying SSL library in general. E.g. some of these may not be compatible with the servers SSL certificate and so can't be used to connect to that server.
  • Scope: Global, Session
  • Data Type: string

Ssl_client_connects

  • Description: Number of TLS handshakes started in client mode. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_connect_renegotiates

  • Description: Number of negotiations needed to establish the connection to a TLS-enabled master. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_ctx_verify_depth

  • Description: Number of tested TLS certificates in the chain. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_ctx_verify_mode

  • Description: Mode used for TLS context verification.The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_default_timeout

  • Description: Default timeout for TLS, in seconds.
  • Scope: Global, Session
  • Data Type: numeric

Ssl_finished_accepts

  • Description: Number of successful TLS sessions in server mode. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_finished_connects

  • Description: Number of successful TLS sessions in client mode. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_server_not_after

  • Description: Last valid date for the server TLS certificate.
  • Scope: Global, Session
  • Data Type: numeric
  • Introduced: MariaDB 10.0

Ssl_server_not_before

  • Description: First valid date for the server TLS certificate.
  • Scope: Global, Session
  • Data Type: numeric
  • Introduced: MariaDB 10.0

Ssl_session_cache_hits

  • Description: Number of TLS sessions found in the session cache. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_session_cache_misses

  • Description: Number of TLS sessions not found in the session cache. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_session_cache_mode

  • Description: Mode used for TLS caching by the server.
  • Scope: Global
  • Data Type: string

Ssl_session_cache_overflows

  • Description: Number of sessions removed from the session cache because it was full. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_session_cache_size

  • Description: Size of the session cache. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_session_cache_timeouts

  • Description: Number of sessions which have timed out. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_sessions_reused

  • Description: Number of sessions reused. The global value can be flushed by FLUSH STATUS.
  • Scope: Global, Session
  • Data Type: numeric

Ssl_used_session_cache_entries

  • Description: Current number of sessions in the session cache. The global value can be flushed by FLUSH STATUS.
  • Scope: Global
  • Data Type: numeric

Ssl_verify_depth

  • Description: TLS verification depth. How many levels within the certificate signing chain the verification should cover. This is not set by the server itself but by the OpenSSL configuration, and will typically show a very large number like 18446744073709551615, basically meaning "always verify the full signing chain up to the root CA"
  • Scope: Global, Session
  • Data Type: numeric

Ssl_verify_mode

  • Description: TLS verification mode.

The OpenSSL verification mode flags in effect on the server side.

The value so far is always 5 when OpenSSL encryption is in effect, and 0 when not using encryption, or when the server is compiled against WolfSSL.

The value 5 is a combination of the SSL_VERIFY_PEER and SSL_VERIFY_CLIENT_ONCE flags, meaning that the client may send a certificate of its own connect, but will not be asked to send one again later for the duration of the encrypted connection.

The SSL_VERIFY_FAIL_IF_NO_PEER_CERT is not used at this point to enforce that the client sends a certificate if the database user was created with REQUIRE X509, REQUIRE ISSUER or REQUIRE SUBJECT, whether a client certificate was indeed sent, and whether it fits additional REQUIRE conditions, is checked by the server itself at a later state.

See also https://docs.openssl.org/master/man3/SSL_CTX_set_verify/#notes for a description of the OpenSSL verify mode flags.

  • Scope: Global, Session
  • Data Type: numeric

Ssl_version

  • Description: TLS version in use by the current session, possible values are TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3
  • Scope: Global, Session
  • Data Type: string

See Also

Comments

Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.