
The State of SSL in MariaDB

Usually when one says “SSL” or “TLS”, it means not a specific protocol but a family of protocols. The Wikipedia article has the details, but in short: SSL 2.0 and SSL 3.0 are deprecated and should not be used anymore (the well-known POODLE vulnerability exploits a flaw in SSL 3.0). TLS 1.0 is sixteen years old, and while it is still being used, new security standards (for example PCI DSS v3.1) require TLS 1.1 or, preferably, TLS 1.2.

MySQL has supported TLS 1.0 since 2001, which means MariaDB supported it from day one and never supported the weaker SSL 2.0 or SSL 3.0. Since MariaDB 5.5.41 (released 21 Dec 2014) and MariaDB 10.0.15 (25 Nov 2014) we also support TLS 1.1 and TLS 1.2. For example, you can select only TLS 1.2 ciphers with


in the my.cnf file. This works only when MariaDB is compiled with OpenSSL, though; that is the case in all MariaDB packages from MariaDB.org repositories but not in binary tarballs (they are compiled with YaSSL).

Note that if you’re serious about using SSL in MariaDB, you should enable server certificate verification in all clients. For example, with


Without it your connection is open to man-in-the-middle attacks, and anyone able to hijack the connection can replace the certificate and read all your encrypted data or even disable SSL completely (this is called the BACKRONYM vulnerability and its page is hilarious). This option has existed in MariaDB since day one, but it was further hardened to reject servers with no SSL support in MariaDB 5.5.44 (released 11 Jun 2015) and MariaDB 10.0.20 (18 Jun 2015), and a bug in the underlying hostname validation was fixed in MariaDB 5.5.47 (released 10 Dec 2015), MariaDB 10.0.23 (released 18 Dec 2015), and MariaDB 10.1.10 (released 24 Dec 2015🎄).
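To check that verification really is enabled in all clients, the following added example (not part of the original post and not MariaDB's own code) audits an option file for client groups that leave `ssl-verify-server-cert` off. The sample file, its paths and the function names are constructed for illustration; it assumes the option-file convention that dashes and underscores in option names are interchangeable.

```python
import re

# Constructed sample option file for illustration; paths are hypothetical.
SAMPLE_MY_CNF = """\
[mysqld]
ssl_cert=/etc/mysql/server-cert.pem
[client]
ssl-ca=/etc/mysql/ca.pem
[mysqldump]
ssl_verify_server_cert=0
"""

OFF_VALUES = {"0", "off", "false", "no"}  # assumption: these values disable a boolean option
OPTION = "ssl-verify-server-cert"

def parse_option_file(text):
    """Return {group: {option: value}} with option names normalised to dashes."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # blank, comment or !include directive
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = groups.setdefault(header.group(1).strip().lower(), {})
        elif current is not None:
            name, _, value = line.partition("=")
            current[name.strip().lower().replace("_", "-")] = value.strip()
    return groups

def verification_state(options):
    """True if enabled, False if explicitly disabled, None if not mentioned."""
    if "skip-" + OPTION in options:
        return False
    if OPTION not in options:
        return None
    return options[OPTION].lower() not in OFF_VALUES

def audit(text):
    """List (group, problem) pairs where clients would not verify the server."""
    groups = parse_option_file(text)
    findings = []
    if verification_state(groups.get("client", {})) is not True:
        findings.append(("client", OPTION + " is not enabled"))
    for name, options in groups.items():
        if name != "client" and verification_state(options) is False:
            findings.append((name, OPTION + " is explicitly disabled"))
    return findings

print(audit(SAMPLE_MY_CNF))
```

The `[mysqld]` group is ignored because the option only matters on the client side; a per-program group such as `[mysqldump]` is flagged only when it explicitly turns verification off.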

Stay secure!


  1. Meirav Rath

    I installed a 10.1.14 version and cannot form an ssl connection to it via a client. I’ve added all the necessary fields to my my.cnf file (though in my version, all the information is in the my.cnf.backup file, for some reason) but to no avail. Adding ssl-verify-server-cert does not work.
