SSL/TLS System Variables

You are viewing an old version of this article. View the current version here.

The system variables listed on this page all relate to encrypting data in transit with the Transport Layer Security (TLS) protocol. The term SSL (Secure Sockets Layer) is often used interchangeably with TLS, although strictly speaking the SSL protocol is a predecessor and is no longer considered secure. The variables listed below still use the ssl prefix for compatibility reasons, although MariaDB only supports its secure successors. See Secure Connections Overview for more.

Variables

have_openssl

  • Description: Before MariaDB 10.0.1, have_openssl was an alias for have_ssl. Since MariaDB 10.0.1, comparing have_openssl with have_ssl indicates whether yaSSL or OpenSSL was used. If yaSSL, have_ssl will be ON, but have_openssl will be OFF.
  • Scope: Global
  • Dynamic: No

have_ssl

  • Description: If the server supports secure connections, this will be set to YES; otherwise it will be set to NO. If set to DISABLED, the server was compiled with TLS support, but was not started with TLS support (see the mysqld options). See also have_openssl.
  • Scope: Global
  • Dynamic: No

ssl_ca

  • Description: Path to a PEM file containing a list of trusted TLS certificate authorities. If this and ssl_capath are both unspecified, the client will not authenticate the server certificate. The server still verifies the client using any --ssl-ca and --ssl-capath values given to it at startup, or based on any requirements established from GRANT statements. Implies --ssl.
  • Commandline: --ssl-ca=file_name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name

ssl_capath

  • Description: Path to the directory containing trusted TLS authority certificates, in PEM format. If this and ssl_ca are both unspecified, the client will not authenticate the server certificate. The server still verifies the client using any --ssl-capath and --ssl-ca values given to it at startup, or based on any requirements established from GRANT statements. MariaDB distributions built with OpenSSL support --ssl-capath, while those built with yaSSL normally do not, since yaSSL wants all components of the CA certificate to be contained within a single certificate tree, and each certificate in the file to give a unique SubjectName value. To get around this, create a new file containing the concatenated individual certificate files in the tree, and specify this new file as the --ssl-capath option. Implies --ssl.
  • Commandline: --ssl-capath=directory_name
  • Scope: Global
  • Dynamic: No
  • Data Type: directory name

ssl_cert

  • Description: Name of the TLS certificate file used to establish a secure TLS connection. Implies --ssl.
  • Commandline: --ssl-cert=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None

ssl_cipher

  • Description: List of permitted ciphers to use for TLS encryption. Implies --ssl. MariaDB has supported the TLSv1.2 protocol since 10.0.15. Limit MariaDB to TLSv1.2 ciphers only with --ssl-cipher=TLSv1.2 and to SSLv3 ciphers with --ssl-cipher=SSLv3.
  • Commandline: --ssl-cipher=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None

ssl_crl

  • Description: Path to the certificate revocation list file, in PEM format. Revocation lists work for distributions compiled against OpenSSL, not yaSSL.
  • Commandline: --ssl-crl=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None
  • Introduced: MariaDB 10.0.0

ssl_crlpath

  • Description: Path to the directory containing certificate revocation list files, in PEM format. Revocation lists work for distributions compiled against OpenSSL, not yaSSL.
  • Commandline: --ssl-crlpath=name
  • Scope: Global
  • Dynamic: No
  • Data Type: directory name
  • Default Value: None
  • Introduced: MariaDB 10.0.0

ssl_key

  • Description: The TLS key file used to establish a secure TLS connection. Implies --ssl.
  • Commandline: --ssl-key=name
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: None

version_ssl_library

  • Description: Version of the TLS library in use.
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: None
  • Introduced: MariaDB 10.1.3
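
As an added example (not part of the MariaDB documentation), the following Python code applies the variable descriptions above to audit a dump of these variables. The input format (tab-separated name/value lines, as a batch-mode client prints for SHOW GLOBAL VARIABLES), the function names, the sample paths and the OpenSSL-style colon-separated cipher list are assumptions.

```python
ENABLED = {"YES", "ON"}  # the page uses both spellings for enabled values

def parse_variables(text):
    """Parse assumed tab-separated name/value lines into a dict (names lowercased)."""
    variables = {}
    for line in text.splitlines():
        name, _, value = line.partition("\t")
        if name.strip():
            variables[name.strip().lower()] = value.strip()
    return variables

def audit_tls(variables):
    """Return (variable, finding) tuples derived from the descriptions above."""
    get = lambda name: variables.get(name, "")
    findings = []
    have_ssl = get("have_ssl").upper()
    if have_ssl == "DISABLED":
        findings.append(("have_ssl", "TLS compiled in, but server not started with TLS support"))
    elif have_ssl not in ENABLED:
        findings.append(("have_ssl", "server does not support secure connections"))
    # have_ssl enabled with have_openssl disabled indicates a yaSSL build
    yassl = have_ssl in ENABLED and get("have_openssl").upper() not in ENABLED
    if not get("ssl_ca") and not get("ssl_capath"):
        findings.append(("ssl_ca", "no trusted CA file or directory configured"))
    if yassl and get("ssl_capath"):
        findings.append(("ssl_capath", "yaSSL builds do not normally support a CA directory"))
    for name in ("ssl_crl", "ssl_crlpath"):
        if yassl and get(name):
            findings.append((name, "revocation lists only work with OpenSSL builds"))
    if bool(get("ssl_cert")) != bool(get("ssl_key")):
        findings.append(("ssl_cert", "ssl_cert and ssl_key are not both set"))
    # Assumed OpenSSL-style list: colon-separated, "!X" or "-X" excludes X
    tokens = [t.strip().upper() for t in get("ssl_cipher").split(":")]
    if "SSLV3" in tokens:
        findings.append(("ssl_cipher", "cipher list selects SSLv3 ciphers"))
    return findings

# Constructed sample input (not from a real server); paths are placeholders.
SAMPLE = "\n".join([
    "have_openssl\tNO", "have_ssl\tYES",
    "ssl_ca\t", "ssl_capath\t",
    "ssl_cert\t/etc/mysql/server-cert.pem", "ssl_key\t/etc/mysql/server-key.pem",
    "ssl_cipher\tSSLv3", "ssl_crl\t/etc/mysql/crl.pem",
])

if __name__ == "__main__":
    for variable, finding in audit_tls(parse_variables(SAMPLE)):
        print(f"{variable}: {finding}")
```
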
