SSL/TLS System Variables
You are viewing an old version of this article. View
the current version here.
The system variables listed on this page relate to encrypting data during transfer between servers and clients using the Transport Layer Security (TLS) protocol. Often, the term Secure Sockets Layer (SSL) is used interchangeably with TLS, although strictly speaking the SSL protocol is the predecessor of TLS and is no longer considered secure.
For compatibility reasons, the TLS system variables in MariaDB still use the ssl_ prefix, but MariaDB only supports its more secure successors. For more information on SSL/TLS in MariaDB, see Secure Connections Overview.
Variables
have_openssl
- Description: Whether MariaDB uses OpenSSL rather than yaSSL. If the have_ssl system variable shows YES and this variable shows NO, the server is using yaSSL instead of OpenSSL. Generally, Windows binaries and official packages from Debian and Ubuntu use yaSSL, while other platforms use OpenSSL. Note: Before MariaDB 10.0.1, this variable was an alias for the have_ssl system variable.
- Scope: Global
- Dynamic: No
have_ssl
- Description: Whether the server supports secure connections. A value of YES indicates that it does. A value of DISABLED indicates that the server was compiled with TLS support, but that it was started without the --ssl option to enable it. A value of NO indicates that the server does not support TLS and that it was not compiled with the support. Check the have_openssl system variable to determine whether it's using OpenSSL or yaSSL.
- Scope: Global
- Dynamic: No
ssl_ca
- Description: Path to PEM file containing the list of trusted TLS Certificate Authorities. When this and the ssl_capath system variables are both unspecified, the client doesn't authenticate server certificates. The server still verifies the client using the --ssl-ca and --ssl-capath options set on server startup, or based on the requirements set by GRANT statements for the account. This variable requires that you set the full path. It implies the --ssl option.
- Commandline: --ssl-ca=file_name
- Scope: Global
- Dynamic: No
- Data Type: file name
ssl_capath
- Description: Path to directory containing trusted TLS authority certificates, in PEM format. When this and the ssl_ca system variables are both unspecified, the client doesn't authenticate server certificates. The server still verifies the client using the --ssl-ca and --ssl-capath options set on server startup, or based on the requirements set by the GRANT statements for the account. MariaDB distributions built with OpenSSL support this variable. Those built with yaSSL don't normally support it, since yaSSL prefers to have all components of the CA certificate contained within a single certificate tree and each certificate in a file given a unique SubjectName value. To get around this with yaSSL, create a new file containing the concatenated individual certificate files in the tree, and specify this new file using this variable or the --ssl-capath option. It implies the --ssl option.
- Commandline: --ssl-capath=directory_name
- Scope: Global
- Dynamic: No
- Data Type: directory name
ssl_cert
- Description: Name of the TLS certificate file used to establish a secure TLS connection. It implies the --ssl option.
- Commandline: --ssl-cert=name
- Scope: Global
- Dynamic: No
- Data Type: file name
- Default Value: None
ssl_cipher
- Description: List of permitted ciphers to use for TLS encryption. The server has supported the TLSv1.2 protocol when compiled with OpenSSL since MariaDB 10.0.15. You can limit MariaDB to TLSv1.2 by setting TLSv1.2 on this variable and limit it to SSLv3 using the value SSLv3. Note: TLS version 1.2 is only supported when MariaDB is compiled with OpenSSL, not yaSSL. Check the have_openssl system variable to confirm. This variable implies the --ssl option.
- Commandline: --ssl-cipher=name
- Scope: Global
- Dynamic: No
- Data Type: file name
- Default Value: None
ssl_crl
- Description: Path to certificate revocation lists file, in PEM format. This variable is used by distributions of MariaDB compiled with OpenSSL, not yaSSL. If you're unsure of which your server uses, check the have_openssl system variable.
- Commandline: --ssl-crl=name
- Scope: Global
- Dynamic: No
- Data Type: file name
- Default Value: None
- Introduced: MariaDB 10.0.0
ssl_crlpath
- Description: Path to directory containing certificate revocation lists files, in PEM format. This variable is used by distributions of MariaDB compiled with OpenSSL, not yaSSL. If you're unsure of which your server uses, check the have_openssl system variable.
- Commandline: --ssl-crlpath=name
- Scope: Global
- Dynamic: No
- Data Type: directory name
- Default Value: None
- Introduced: MariaDB 10.0.0
ssl_key
- Description: TLS key file used to establish secure TLS connections. It implies the --ssl option.
- Commandline: --ssl-key=name
- Scope: Global
- Dynamic: No
- Data Type: string
- Default Value: None
version_ssl_library
- Description: Version of the TLS library used.
- Scope: Global
- Dynamic: No
- Data Type: string
- Default Value: None
- Introduced: MariaDB 10.1.3
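The interactions between these variables (have_ssl and have_openssl identifying the TLS library, and the yaSSL limits on ssl_capath, ssl_crl, ssl_crlpath and TLSv1.2) can be checked mechanically. The following is an added example, not part of the MariaDB documentation: the function names, the sample values and the file paths are constructed for illustration, and it assumes MariaDB 10.0.1 or later, where have_openssl is no longer an alias for have_ssl.

```python
import posixpath

# Constructed sample: tab-separated output as produced by
#   mysql -N -B -e "SHOW GLOBAL VARIABLES LIKE '%ssl%'"
SAMPLE = """\
have_openssl\tNO
have_ssl\tYES
ssl_ca\tca.pem
ssl_capath\t/etc/mysql/ca.d
ssl_cert\t/etc/mysql/server-cert.pem
ssl_cipher\tSSLv3
ssl_crl\t/etc/mysql/crl.pem
ssl_crlpath\t
ssl_key\t/etc/mysql/server-key.pem
"""

def parse_variables(text):
    """Turn 'name<TAB>value' lines into a dict; a missing value becomes ''."""
    rows = (line.split("\t", 1) for line in text.splitlines() if line.strip())
    return {r[0].strip(): (r[1].strip() if len(r) > 1 else "") for r in rows}

def audit_tls(v):
    """Return findings derived from the variable semantics documented on this page."""
    findings = []
    state = v.get("have_ssl", "NO")
    if state == "NO":
        return ["have_ssl=NO: server was compiled without TLS support"]
    if state == "DISABLED":
        findings.append("have_ssl=DISABLED: TLS compiled in, but server started without --ssl")
    # TLS support present together with have_openssl=NO means the library is yaSSL.
    if v.get("have_openssl") == "NO":
        for name in ("ssl_capath", "ssl_crl", "ssl_crlpath"):
            if v.get(name):
                findings.append(f"{name} is set, but yaSSL builds do not normally use it")
        findings.append("yaSSL build: TLSv1.2 is not available")
    if not v.get("ssl_ca") and not v.get("ssl_capath"):
        findings.append("ssl_ca and ssl_capath both unset: no trusted CA list configured")
    if v.get("ssl_ca") and not posixpath.isabs(v["ssl_ca"]):
        findings.append("ssl_ca must be set to a full path")
    if "SSLv3" in v.get("ssl_cipher", ""):
        findings.append("ssl_cipher=SSLv3: SSL is no longer considered secure")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(parse_variables(SAMPLE)):
        print("-", finding)
```

Because none of these variables is dynamic, any finding has to be corrected in the server's startup options and takes effect only after a restart.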
See Also
- System Variables for a complete list of system variables and instructions on setting them.
- Full list of MariaDB options, system and status variables