SSL/TLS Status Variables
Contents
- Variables
- Ssl_accept_renegotiates
- Ssl_accepts
- Ssl_callback_cache_hits
- Ssl_cipher
- Ssl_cipher_list
- Ssl_client_connects
- Ssl_connect_renegotiates
- Ssl_ctx_verify_depth
- Ssl_ctx_verify_mode
- Ssl_default_timeout
- Ssl_finished_accepts
- Ssl_finished_connects
- Ssl_server_not_after
- Ssl_server_not_before
- Ssl_session_cache_hits
- Ssl_session_cache_misses
- Ssl_session_cache_mode
- Ssl_session_cache_overflows
- Ssl_session_cache_size
- Ssl_session_cache_timeouts
- Ssl_sessions_reused
- Ssl_used_session_cache_entries
- Ssl_verify_depth
- Ssl_verify_mode
- Ssl_version
- See Also
The status variables listed on this page relate to encrypting data during transfer with the Transport Layer Security (TLS) protocol. Often, the term Secure Socket Layer (SSL) is used interchangeably with TLS, although strictly speaking, the SSL protocol is a predecessor to TLS and is no longer considered secure.
For compatibility reasons, the TLS status variables in MariaDB still use the Ssl_
prefix, but MariaDB only supports its more secure successors. For more information on SSL/TLS in MariaDB, see Secure Connections Overview.
Some of these status values are not under the control of the server, but are reporting back settings of the underlying SSL library used by the server.
Variables
Ssl_accept_renegotiates
- Description: Number of negotiations needed to establish the TLS connection. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_accepts
- Description: Number of accepted TLS handshakes. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_callback_cache_hits
- Description: Number of sessions retrieved from the session cache. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_cipher
- Description: The TLS cipher currently in use.
- Scope: Global, Session
- Data Type:
string
Ssl_cipher_list
- Description: List of the available TLS ciphers. This is not necessarily the list of ciphers the MariaDB server can actually accept, but rather the list of ciphers supported by the underlying SSL library in general. E.g. some of these may not be compatible with the servers SSL certificate and so can't be used to connect to that server.
- Scope: Global, Session
- Data Type:
string
Ssl_client_connects
- Description: Number of TLS handshakes started in client mode. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_connect_renegotiates
- Description: Number of negotiations needed to establish the connection to a TLS-enabled master. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_ctx_verify_depth
- Description: Number of tested TLS certificates in the chain. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_ctx_verify_mode
- Description: Mode used for TLS context verification.The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_default_timeout
- Description: Default timeout for TLS, in seconds.
- Scope: Global, Session
- Data Type:
numeric
Ssl_finished_accepts
- Description: Number of successful TLS sessions in server mode. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_finished_connects
- Description: Number of successful TLS sessions in client mode. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_server_not_after
- Description: Last valid date for the server TLS certificate.
- Scope: Global, Session
- Data Type:
numeric
- Introduced:
MariaDB 10.0
Ssl_server_not_before
- Description: First valid date for the server TLS certificate.
- Scope: Global, Session
- Data Type:
numeric
- Introduced:
MariaDB 10.0
Ssl_session_cache_hits
- Description: Number of TLS sessions found in the session cache. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_session_cache_misses
- Description: Number of TLS sessions not found in the session cache. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_session_cache_mode
- Description: Mode used for TLS caching by the server.
- Scope: Global
- Data Type:
string
Ssl_session_cache_overflows
- Description: Number of sessions removed from the session cache because it was full. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_session_cache_size
- Description: Size of the session cache. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_session_cache_timeouts
- Description: Number of sessions which have timed out. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_sessions_reused
- Description: Number of sessions reused. The global value can be flushed by
FLUSH STATUS
. - Scope: Global, Session
- Data Type:
numeric
Ssl_used_session_cache_entries
- Description: Current number of sessions in the session cache. The global value can be flushed by
FLUSH STATUS
. - Scope: Global
- Data Type:
numeric
Ssl_verify_depth
- Description: TLS verification depth. How many levels within the certificate signing chain the verification should cover. This is not set by the server itself but by the OpenSSL configuration, and will typically show a very large number like 18446744073709551615, basically meaning "always verify the full signing chain up to the root CA"
- Scope: Global, Session
- Data Type:
numeric
Ssl_verify_mode
- Description: TLS verification mode.
The OpenSSL verification mode flags in effect on the server side.
The value so far is always 5 when OpenSSL encryption is in effect, and 0 when not using encryption, or when the server is compiled against WolfSSL.
The value 5 is a combination of the SSL_VERIFY_PEER
and SSL_VERIFY_CLIENT_ONCE
flags, meaning that the client may send a certificate of its own connect, but will not be asked to send one again later for the duration of the encrypted connection.
The SSL_VERIFY_FAIL_IF_NO_PEER_CERT
is not used at this point to enforce that the client sends a certificate if the database user was created with REQUIRE X509
, REQUIRE ISSUER
or REQUIRE SUBJECT
, whether a client certificate was indeed sent, and whether it fits additional REQUIRE
conditions, is checked by the server itself at a later state.
See also https://docs.openssl.org/master/man3/SSL_CTX_set_verify/#notes for a description of the OpenSSL verify mode flags.
- Scope: Global, Session
- Data Type:
numeric
Ssl_version
- Description: TLS version in use by the current session, possible values are
TLSv1.0
,TLSv1.1
,TLSv1.2
andTLSv1.3
- Scope: Global, Session
- Data Type:
string
See Also
- Server Status Variables - complete list of status variables.
- Full list of MariaDB options, system and status variables