TLS and Cryptography Libraries Used by MariaDB

When MariaDB is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled yaSSL library or dynamically linked with the system's TLS and cryptography library, which might be OpenSSL or Schannel.

Dynamically linking MariaDB to the system's TLS and cryptography library can often be beneficial, since this allows you to fix bugs in the system's TLS and cryptography library independently of MariaDB. For example, when information on the Heartbleed Bug in OpenSSL was released in 2014, the bug could be mitigated by simply updating your system to use a fixed version of the OpenSSL library, and then restarting the MariaDB Server.

You can verify that mysqld is in fact dynamically linked to the OpenSSL shared library on your system by using the ldd command:

$ ldd $(which mysqld) | grep -E '(libssl|libcrypto)'
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f8736386000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f8735f25000)

If the command does not return any results, then either your mysqld is statically linked to the TLS and cryptography library on your system or your mysqld is not built with TLS and cryptography support at all.

In MariaDB 10.0 and later, if you aren't sure whether your server is linked with OpenSSL or yaSSL, then you can check the value of the have_openssl system variable. For example:

SHOW GLOBAL VARIABLES LIKE 'have_openssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+

In MariaDB 10.1 and later, if you want to see what version of OpenSSL your server is using, then you can check the value of the version_ssl_library system variable. For example:

SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';
+---------------------+---------------------------------+
| Variable_name       | Value                           |
+---------------------+---------------------------------+
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 |
+---------------------+---------------------------------+

Note that the version returned by this system variable does not always necessarily correspond to the exact version of the OpenSSL package installed on the system. OpenSSL shared libraries tend to contain interfaces for multiple versions at once to allow for backward compatibility. Therefore, if the OpenSSL package installed on the system is newer than the OpenSSL version that the MariaDB Server binary was built with, then the MariaDB Server binary might use one of the interfaces for an older version. See MDEV-15848 for more information. For example:

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
$ rpm -q openssl
openssl-1.0.2k-12.el7.x86_64
$ mysql -u root --batch --execute="SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';"
Variable_name   Value
version_ssl_library     OpenSSL 1.0.1e-fips 11 Feb 2013
$ ldd $(which mysqld) | grep libcrypto
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3dd3482000)
$ readelf -a /lib64/libcrypto.so.10 | grep SSLeay_version
  1374: 000000000006f5d0    21 FUNC    GLOBAL DEFAULT   13 SSLeay_version@libcrypto.so.10
  1375: 000000000006f5f0    21 FUNC    GLOBAL DEFAULT   13 SSLeay_version@OPENSSL_1.0.1
  1377: 000000000006f580    70 FUNC    GLOBAL DEFAULT   13 SSLeay_version@@OPENSSL_1.0.2

MariaDB Server TLS Libraries

MariaDB Server TLS Libraries on Windows

MariaDB Server is statically linked with the bundled yaSSL libraries in MSI and ZIP packages on Windows.

MariaDB Server TLS Libraries on Linux

MariaDB Server TLS Libraries in Binary Tarballs

MariaDB Server is statically linked with the bundled yaSSL libraries in binary tarballs on Linux.

MariaDB Server TLS Libraries in DEB Packages

MariaDB Server is dynamically linked with the system's OpenSSL libraries in .deb packages provided by MariaDB Foundation and MariaDB Corporation.

MariaDB Server is statically linked with the bundled yaSSL libraries in .deb packages provided by Debian's and Ubuntu's default repositories.

MariaDB Server TLS Libraries in RPM Packages

MariaDB Server is dynamically linked with the system's OpenSSL libraries in .rpm packages.

MariaDB Client TLS Libraries

In MariaDB 10.2 and later, MariaDB Connector/C has been included with MariaDB Server. On some platforms, MariaDB Connector/C and the client utilities linked with it may use a different TLS library than MariaDB Server and libmysqlclient.

MariaDB Client TLS Libraries on Windows

In all versions up to MariaDB 10.1, MariaDB's clients and utilities and libmysqlclient are statically linked with the bundled yaSSL libraries in MSI and ZIP packages on Windows.

In MariaDB 10.2 and later, MariaDB's clients and utilities and MariaDB Connector/C are are dynamically linked with the system's Schannel libraries in MSI and ZIP packages on Windows. libmysqlclient is still statically linked with the bundled yaSSL libraries.

MariaDB Client TLS Libraries on Linux

MariaDB Client TLS Libraries in Binary Tarballs

MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are statically linked with the bundled yaSSL libraries in binary tarballs on Linux.

MariaDB Client TLS Libraries in DEB Packages

MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL libraries in .deb packages provided by MariaDB Foundation's and MariaDB Corporation's repositories.

MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are statically linked with the bundled yaSSL libraries in .deb packages provided by Debian's and Ubuntu's default repositories.

MariaDB Client TLS Libraries in RPM Packages

MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL libraries in .rpm packages.