SSL/TLS System Variables
You are viewing an old version of this article.
The system variables listed on this page are all related to encrypting data during transfer with the Transport Layer Security (TLS) protocol. The term SSL (Secure Sockets Layer) is often used interchangeably with TLS, although strictly speaking the SSL protocol is a predecessor, and is no longer considered secure. The variables listed below still use the ssl prefix for compatibility reasons, although MariaDB only supports its secure successors. See Secure Connections Overview for more.
Variables
have_openssl
- Description: Before MariaDB 10.0.1, have_openssl was an alias for have_ssl. Since MariaDB 10.0.1, comparing have_openssl with have_ssl will indicate whether YaSSL or OpenSSL was used. If YaSSL, have_ssl will be ON, but have_openssl will be OFF.
- Scope: Global
- Dynamic: No
have_ssl
- Description: If the server supports secure connections, will be set to YES, otherwise will be set to NO. If set to DISABLED, the server was compiled with TLS support, but was not started with TLS support (see the mysqld options). See also have_openssl.
- Scope: Global
- Dynamic: No
ssl_ca
- Description: Path to a PEM file containing a list of trusted TLS certificate authorities. If this and ssl_capath are both unspecified, the client will not authenticate the server certificate. The server still verifies the client using any --ssl-ca and --ssl-capath values given to it at startup, or based on any requirements established from GRANT statements. Implies --ssl.
- Commandline: --ssl-ca=file_name
- Scope: Global
- Dynamic: No
- Data Type: file name
ssl_capath
- Description: Path to the directory containing trusted TLS authority certificates, in PEM format. If this and ssl_ca are both unspecified, the client will not authenticate the server certificate. The server still verifies the client using any --ssl-capath and --ssl-ca values given to it at startup, or based on any requirements established from GRANT statements. MariaDB distributions built with OpenSSL support --ssl-capath, while those built with yaSSL do not normally, since yaSSL wants all components of the CA certificate to be contained within a single certificate tree, and each certificate in the file to give a unique SubjectName value. To get around this, create a new file containing concatenated individual certificate files in the tree, and specify this new file as the --ssl-capath option. Implies --ssl.
- Commandline: --ssl-capath=directory_name
- Scope: Global
- Dynamic: No
- Data Type: directory name
ssl_cert
- Description: Name of the TLS certificate file used to establish a secure TLS connection. Implies --ssl.
- Commandline: --ssl-cert=name
- Scope: Global
- Dynamic: No
- Data Type: file name
- Default Value: None
ssl_cipher
- Description: List of permitted ciphers to use for TLS encryption. Implies --ssl. MariaDB has supported the TLSv1.2 protocol since 10.0.15. Limit MariaDB to TLSv1.2 ciphers only with --ssl_cipher=TLSv1.2 and to SSLv3 ciphers with --ssl-cipher=SSLv3.
- Commandline: --ssl-cipher=name
- Scope: Global
- Dynamic: No
- Data Type: file name
- Default Value: None
ssl_crl
- Description: Path to the certificate revocation lists file, in PEM format. These work for distributions compiled against OpenSSL, not yaSSL.
- Commandline: --ssl-crl=name
- Scope: Global
- Dynamic: No
- Data Type: file name
- Default Value: None
- Introduced: MariaDB 10.0.0
ssl_crlpath
- Description: Path to the directory containing certificate revocation list files, in PEM format. These work for distributions compiled against OpenSSL, not yaSSL.
- Commandline: --ssl-crlpath=name
- Scope: Global
- Dynamic: No
- Data Type: directory name
- Default Value: None
- Introduced: MariaDB 10.0.0
ssl_key
- Description: The TLS key file used to establish a secure TLS connection. Implies --ssl.
- Commandline: --ssl-key=name
- Scope: Global
- Dynamic: No
- Data Type: string
- Default Value: None
version_ssl_library
- Description: Version of the TLS library in use.
- Scope: Global
- Dynamic: No
- Data Type: string
- Default Value: None
- Introduced: MariaDB 10.1.3
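The following is an added example, not part of the MariaDB documentation: a small check that reads the variables described above (as a dict built from SHOW GLOBAL VARIABLES rows) and reports the TLS state, the library in use, and options that the page says do not apply to yaSSL builds. The function name audit_tls, the finding texts and the sample rows are assumptions made for illustration; it assumes MariaDB 10.0.1 or later, where have_openssl is no longer an alias for have_ssl.

```python
# Added example. Input is a dict built from SHOW GLOBAL VARIABLES rows.
# Assumes MariaDB 10.0.1 or later, where have_openssl is no longer an alias.
ENABLED = {"YES", "ON"}  # the page uses both spellings; accept either


def audit_tls(variables):
    """Return a list of findings for a {variable_name: value} dict."""
    v = {k.lower(): (val or "").strip() for k, val in variables.items()}
    have_ssl = v.get("have_ssl", "").upper()
    if have_ssl == "DISABLED":
        return ["TLS compiled in, but server was not started with TLS support"]
    if have_ssl not in ENABLED:
        return ["server does not support secure connections"]

    # have_ssl enabled while have_openssl is not => yaSSL build.
    openssl = v.get("have_openssl", "").upper() in ENABLED
    findings = ["TLS enabled, library: " + ("OpenSSL" if openssl else "yaSSL")]
    if not openssl:
        for name in ("ssl_crl", "ssl_crlpath"):
            if v.get(name):
                findings.append(name + " is set, but CRLs need an OpenSSL build")
        if v.get("ssl_capath"):
            findings.append("ssl_capath is set, but yaSSL normally lacks support")
    for name in ("ssl_cert", "ssl_key"):
        if not v.get(name):
            findings.append(name + " is not set")
    if not v.get("ssl_ca") and not v.get("ssl_capath"):
        findings.append("neither ssl_ca nor ssl_capath is set")
    if not v.get("ssl_cipher"):
        findings.append("ssl_cipher is not set, permitted ciphers are not restricted")
    return findings


# Constructed sample rows (not captured from a real server).
SAMPLE_YASSL = {
    "have_ssl": "YES", "have_openssl": "NO",
    "ssl_ca": "/etc/mysql/ca.pem", "ssl_capath": "",
    "ssl_cert": "/etc/mysql/server-cert.pem",
    "ssl_key": "/etc/mysql/server-key.pem",
    "ssl_crl": "/etc/mysql/crl.pem", "ssl_crlpath": "", "ssl_cipher": "",
}

if __name__ == "__main__":
    for line in audit_tls(SAMPLE_YASSL):
        print(line)
```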
See also
- System Variables for a complete list of system variables and instructions on setting them.
- Full list of MariaDB options, system and status variables