The State of SSL in MariaDB

Usually when one says “SSL” or “TLS” it means not a specific protocol but a family of protocols. The Wikipedia article has the details, but in short: SSL 2.0 and SSL 3.0 are deprecated and should not be used anymore (the well-known POODLE vulnerability exploits a flaw in SSL 3.0). TLS 1.0 is sixteen years old and, while it is still being used, new security standards (for example PCI DSS v3.1) require TLS 1.1 or, preferably, TLS 1.2.

MySQL has supported TLS 1.0 since 2001, which means MariaDB has supported it from day one and has never supported the weaker SSL 2.0 or SSL 3.0. Since MariaDB 5.5.41 (released 21 Dec 2014) and MariaDB 10.0.15 (25 Nov 2014) we also support TLS 1.1 and TLS 1.2. For example, you can select only TLS 1.2 ciphers with

ssl-cipher=TLSv1.2

in the my.cnf file. This works only when MariaDB is compiled with OpenSSL, though; that is the case for all MariaDB packages from MariaDB.org repositories, but not for the binary tarballs (they are compiled with YaSSL).

Note that if you’re serious about using SSL in MariaDB, you should enable the server certificate verification in all clients. For example, with

[client]
ssl-verify-server-cert

Without it your connection is open to man-in-the-middle attacks: anyone able to hijack the connection can replace the certificate and read all your encrypted data, or even disable SSL completely (this is called the BACKRONYM vulnerability and its page is hilarious). This option has existed in MariaDB since day one, but it was further hardened to reject servers with no SSL support in MariaDB 5.5.44 (released 11 Jun 2015) and MariaDB 10.0.20 (18 Jun 2015), and a bug in the underlying hostname validation was fixed in MariaDB 5.5.47 (released 10 Dec 2015), MariaDB 10.0.23 (released 18 Dec 2015), and MariaDB 10.1.10 (released 24 Dec 2015?).
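A my.cnf fragment that puts the two settings above together, as an added example rather than the post's own configuration: the certificate paths are placeholders to replace with your own files, and the [mysqld] part assumes a server built against OpenSSL, since YaSSL builds do not understand the TLSv1.2 cipher alias.

```ini
# --- Server side ---
[mysqld]
# Server certificate, its private key, and the CA that signed it.
# Paths are placeholders; replace them with your own files.
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key  = /etc/mysql/ssl/server-key.pem
ssl-ca   = /etc/mysql/ssl/ca.pem
# Weaker: with no ssl-cipher line the default cipher list still includes
# suites that a TLS 1.0 or TLS 1.1 client can negotiate.
# Corrected: accept only TLS 1.2 cipher suites (an OpenSSL cipher-string
# alias, so this needs a MariaDB build linked against OpenSSL, not YaSSL).
ssl-cipher = TLSv1.2

# --- Client side (mysql, mysqldump and other clients read this group) ---
[client]
# CA used to validate the server's certificate chain. Without it the client
# cannot tell a genuine certificate from one a man-in-the-middle swapped in.
ssl-ca = /etc/mysql/ssl/ca.pem
# Weaker: omitting the line below encrypts the session but trusts whatever
# certificate the peer presents, which is exactly what BACKRONYM abuses.
# Corrected: refuse the connection unless the certificate validates against
# the CA and its hostname matches the server the client was asked to reach.
ssl-verify-server-cert
```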

Stay secure!