TLS and Cryptography Libraries Used by MariaDB
When MariaDB is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled yaSSL library or dynamically linked with the system's TLS and cryptography library, which might be OpenSSL or Schannel.
Dynamically linking MariaDB to the system's TLS and cryptography library can often be beneficial, since this allows you to fix bugs in the system's TLS and cryptography library independently of MariaDB. For example, when information on the Heartbleed Bug in OpenSSL was released in 2014, the bug could be mitigated by simply updating your system to use a fixed version of the OpenSSL library, and then restarting the MariaDB Server.
You can verify that mysqld
is in fact dynamically linked to the OpenSSL shared library on your system by using the ldd
command:
$ ldd $(which mysqld) | grep -E '(libssl|libcrypto)' libssl.so.10 => /lib64/libssl.so.10 (0x00007f8736386000) libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f8735f25000)
If the command does not return any results, then either your mysqld
is statically linked to the TLS and cryptography library on your system or your mysqld
is not built with TLS and cryptography support at all.
In MariaDB 10.0 and later, if you aren't sure whether your server is linked with OpenSSL or yaSSL, then you can check the value of the have_openssl
system variable. For example:
SHOW GLOBAL VARIABLES LIKE 'have_openssl'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_openssl | YES | +---------------+-------+
In MariaDB 10.1 and later, if you want to see what version of OpenSSL your server is using, then you can check the value of the version_ssl_library
system variable. For example:
SHOW GLOBAL VARIABLES LIKE 'version_ssl_library'; +---------------------+---------------------------------+ | Variable_name | Value | +---------------------+---------------------------------+ | version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 | +---------------------+---------------------------------+
Note that the version returned by this system variable does not always necessarily correspond to the exact version of the OpenSSL package installed on the system. OpenSSL shared libraries tend to contain interfaces for multiple versions at once to allow for backward compatibility. Therefore, if the OpenSSL package installed on the system is newer than the OpenSSL version that the MariaDB Server binary was built with, then the MariaDB Server binary might use one of the interfaces for an older version. See MDEV-15848 for more information. For example:
$ cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.5 (Maipo) $ rpm -q openssl openssl-1.0.2k-12.el7.x86_64 $ mysql -u root --batch --execute="SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';" Variable_name Value version_ssl_library OpenSSL 1.0.1e-fips 11 Feb 2013 $ ldd $(which mysqld) | grep libcrypto libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3dd3482000) $ readelf -a /lib64/libcrypto.so.10 | grep SSLeay_version 1374: 000000000006f5d0 21 FUNC GLOBAL DEFAULT 13 SSLeay_version@libcrypto.so.10 1375: 000000000006f5f0 21 FUNC GLOBAL DEFAULT 13 SSLeay_version@OPENSSL_1.0.1 1377: 000000000006f580 70 FUNC GLOBAL DEFAULT 13 SSLeay_version@@OPENSSL_1.0.2
MariaDB Server TLS Libraries
MariaDB Server TLS Libraries on Windows
MariaDB Server is statically linked with the bundled yaSSL libraries in MSI and ZIP packages on Windows.
MariaDB Server TLS Libraries on Linux
MariaDB Server TLS Libraries in Binary Tarballs
MariaDB Server is statically linked with the bundled yaSSL libraries in binary tarballs on Linux.
MariaDB Server TLS Libraries in DEB Packages
MariaDB Server is dynamically linked with the system's OpenSSL libraries in .deb
packages provided by MariaDB Foundation and MariaDB Corporation.
MariaDB Server is statically linked with the bundled yaSSL libraries in .deb
packages provided by Debian's and Ubuntu's default repositories.
MariaDB Server TLS Libraries in RPM Packages
MariaDB Server is dynamically linked with the system's OpenSSL libraries in .rpm
packages.
MariaDB Client TLS Libraries
In MariaDB 10.2 and later, MariaDB Connector/C has been included with MariaDB Server. On some platforms, MariaDB Connector/C and the client utilities linked with it may use a different TLS library than MariaDB Server and libmysqlclient.
MariaDB Client TLS Libraries on Windows
In all versions up to MariaDB 10.1, MariaDB's clients and utilities and libmysqlclient are statically linked with the bundled yaSSL libraries in MSI and ZIP packages on Windows.
In MariaDB 10.2 and later, MariaDB's clients and utilities and MariaDB Connector/C are are dynamically linked with the system's Schannel libraries in MSI and ZIP packages on Windows. libmysqlclient is still statically linked with the bundled yaSSL libraries.
MariaDB Client TLS Libraries on Linux
MariaDB Client TLS Libraries in Binary Tarballs
MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are statically linked with the bundled yaSSL libraries in binary tarballs on Linux.
MariaDB Client TLS Libraries in DEB Packages
MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL libraries in .deb
packages provided by MariaDB Foundation's and MariaDB Corporation's repositories.
MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are statically linked with the bundled yaSSL libraries in .deb
packages provided by Debian's and Ubuntu's default repositories.
MariaDB Client TLS Libraries in RPM Packages
MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL libraries in .rpm
packages.