SSL/TLS System Variables

You are viewing an old version of this article. View the current version here.

The system variables listed on this page relate to encrypting data during transfer between servers and clients using the Transport Layer Security (TLS) protocol. Often, the term Secure Sockets Layer (SSL) is used interchangeably with TLS, although strictly speaking the SSL protocol is the predecessor of TLS and is no longer considered secure.

For compatibility reasons, the TLS system variables in MariaDB still use the ssl_ prefix, but MariaDB only supports SSL's more secure successors. For more information on SSL/TLS in MariaDB, see Secure Connections Overview.

Variables

have_openssl

  • Description: Whether MariaDB uses OpenSSL rather than yaSSL. If the have_ssl system variable shows YES and this variable shows NO, the server is using yaSSL instead of OpenSSL. Generally, Windows binaries and official packages from Debian and Ubuntu use yaSSL, while other platforms use OpenSSL. Note: Before MariaDB 10.0.1, this variable was an alias for the have_ssl system variable.
  • Scope: Global
  • Dynamic: No

have_ssl

  • Description: Whether the server supports secure connections. A value of YES indicates that it does. A value of DISABLED indicates that the server was compiled with TLS support, but that it was started without the --ssl option to enable it. A value of NO indicates that the server does not support TLS because it was not compiled with TLS support. Check the have_openssl system variable to determine whether it's using OpenSSL or yaSSL.
  • Scope: Global
  • Dynamic: No

ssl_ca

  • Description: Path to PEM file containing the list of trusted TLS Certificate Authorities. When this and the ssl_capath system variables are both unspecified, the client doesn't authenticate server certificates. The server still verifies the client using the --ssl-ca and --ssl-capath options set on server startup, or based on the requirements set by GRANT statements for the account. This variable requires that you set the full path. It implies the --ssl option.
  • Commandline: --ssl-ca=file_name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name

ssl_capath

  • Description: Path to directory containing trusted TLS authority certificates, in PEM format. When this and the ssl_ca system variables are both unspecified, the client doesn't authenticate server certificates. The server still verifies the client using the --ssl-ca and --ssl-capath options set on server startup, or based on the requirements set by the GRANT statements for the account. MariaDB distributions built with OpenSSL support this variable. Those built with yaSSL don't normally support it, since yaSSL prefers to have all components of the CA certificate contained within a single certificate tree and each certificate in a file given a unique SubjectName value. To get around this with yaSSL, create a new file containing the concatenated individual certificate files in the tree, and specify this new file using this variable or the --ssl-capath option. It implies the --ssl option.
  • Commandline: --ssl-capath=directory_name
  • Scope: Global
  • Dynamic: No
  • Data Type: directory name

ssl_cert

  • Description: Name of the TLS certificate file used to establish a secure TLS connection. It implies the --ssl option.
  • Commandline: --ssl-cert=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None

ssl_cipher

  • Description: List of permitted ciphers to use for TLS encryption.

The server has supported the TLSv1.2 protocol when compiled with OpenSSL since MariaDB 10.0.15. You can limit MariaDB to TLSv1.2 by setting this variable to TLSv1.2, and limit it to SSLv3 by setting it to SSLv3. Note: TLS version 1.2 is only supported when MariaDB is compiled with OpenSSL, not yaSSL. Check the have_openssl system variable to confirm. This variable implies the --ssl option.

  • Commandline: --ssl-cipher=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None

ssl_crl

  • Description: Path to the certificate revocation list file, in PEM format. This variable is used by distributions of MariaDB compiled with OpenSSL, not yaSSL. If you're unsure of which your server uses, check the have_openssl system variable.
  • Commandline: --ssl-crl=name
  • Scope: Global
  • Dynamic: No
  • Data Type: file name
  • Default Value: None
  • Introduced: MariaDB 10.0.0

ssl_crlpath

  • Description: Path to the directory containing certificate revocation list files, in PEM format. This variable is used by distributions of MariaDB compiled with OpenSSL, not yaSSL. If you're unsure of which your server uses, check the have_openssl system variable.
  • Commandline: --ssl-crlpath=name
  • Scope: Global
  • Dynamic: No
  • Data Type: directory name
  • Default Value: None
  • Introduced: MariaDB 10.0.0

ssl_key

  • Description: TLS key file used to establish secure TLS connections. It implies the --ssl option.
  • Commandline: --ssl-key=name
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: None

version_ssl_library

  • Description: Version of the TLS library used.
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: None
  • Introduced: MariaDB 10.1.3
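
The following is an added example, not part of the MariaDB documentation: a small audit that applies the rules stated on this page (have_ssl states, yaSSL detection through have_openssl, and the OpenSSL-only variables) to the tab-separated output of SHOW GLOBAL VARIABLES LIKE '%ssl%'. The sample values, the file paths and the finding codes are constructed for illustration.

```python
# Constructed sample of `mysql -N -B -e "SHOW GLOBAL VARIABLES LIKE '%ssl%'"`
# output (tab-separated name/value); the paths are placeholders.
SAMPLE = "\n".join([
    "have_openssl\tNO",
    "have_ssl\tYES",
    "ssl_ca\t/etc/mysql/certs/ca.pem",
    "ssl_capath\t",
    "ssl_cert\t/etc/mysql/certs/server-cert.pem",
    "ssl_cipher\tTLSv1.2",
    "ssl_crl\t/etc/mysql/certs/crl.pem",
    "ssl_crlpath\t",
    "ssl_key\t/etc/mysql/certs/server-key.pem",
])


def parse_variables(text):
    """Turn tab-separated 'name<TAB>value' lines into a dict."""
    rows = (line.split("\t", 1) for line in text.splitlines() if line.strip())
    return {r[0].strip(): (r[1].strip() if len(r) > 1 else "") for r in rows}


def audit(v):
    """Return (code, message) findings based on the rules stated on this page."""
    def get(name):
        return v.get(name, "")
    findings = []
    if get("have_ssl") == "DISABLED":
        findings.append(("TLS_DISABLED", "compiled with TLS but started without --ssl"))
    elif get("have_ssl") != "YES":
        findings.append(("TLS_UNSUPPORTED", "server was not compiled with TLS support"))
    # have_ssl=YES with have_openssl=NO means yaSSL. Not reliable before
    # MariaDB 10.0.1, where have_openssl was an alias for have_ssl.
    yassl = get("have_ssl") == "YES" and get("have_openssl") == "NO"
    if not get("ssl_ca") and not get("ssl_capath"):
        findings.append(("NO_CA", "neither ssl_ca nor ssl_capath is set"))
    if get("ssl_cipher") == "SSLv3":
        findings.append(("SSLV3", "ssl_cipher limits the server to SSLv3"))
    if yassl:
        if get("ssl_cipher") == "TLSv1.2":
            findings.append(("YASSL_TLS12", "TLSv1.2 needs an OpenSSL build"))
        for name in ("ssl_capath", "ssl_crl", "ssl_crlpath"):
            if get(name):
                findings.append(("YASSL_" + name.upper(), name + " is set but this build uses yaSSL"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_variables(SAMPLE)):
        print(code + ": " + message)
```
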
