[Maria-discuss] Clarification about have_ssl and have_openssl variables
MySQL documentation https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_... simply states "This variable is an alias for have_ssl.". I checked with a few Oracle/MySQL installations that the two variables have identical values.

But this is not the case on MariaDB (I checked my local Windows installs of 10.1 and 10.2). have_openssl is NO - have_ssl is YES|DISABLED.

We believe that this is the reason for a newly reported problem to us: SSL connections are not possible to MariaDB on Amazon RDS. We verified the problem with a fresh RDS instance with MariaDB 10.2 and running with SSL enabled. The 3 different 'mysql' CLIs give results:

*MariaDB 10.2.6 version:*
- without ssl, gives 'Access denied error'
- with ssl, it gives Error No. 2026: SSL Connection error: Certificate signature check failed

*using MySQL 5.7.x version:*
- it connects to the server irrespective of the ssl parameter passed or not (but we don't know if SSL is actually used. It may silently connect without SSL if SSL is not possible)

*MariaDB 10.1.22 version:*
- without ssl: it gives 'Access denied error'
- with ssl (Works as expected)

Any thoughts on this? What can we do? We are affected as we use MariaDB Connector/C 2.33 currently

-- Peter
-- Webyog
Hi, Peter! On Feb 08, Peter Laursen wrote:
> MySQL documentation https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_... simply states "This variable is an alias for have_ssl.". I checked with a few Oracle/MySQL installations that the two variables have identical values.
>
> But this is not the case on MariaDB (I checked my local Windows installs of 10.1 and 10.2). have_openssl is NO - have_ssl is YES|DISABLED.
Yes, it was changed about five years ago. "have_ssl" in MariaDB says whether SSL support is available, while "have_openssl" says, specifically, whether OpenSSL is compiled in.

So, if you have MariaDB built with YaSSL, have_ssl will be YES, while have_openssl will be NO. While MySQL will lie that have_openssl=YES, even if no OpenSSL is present.

This is documented both in the KB:

  https://mariadb.com/kb/en/ssltls-system-variables/#have_openssl

and in the server itself:

  SELECT * FROM INFORMATION_SCHEMA.SYSTEM_VARIABLES WHERE VARIABLE_NAME='have_openssl';
> Any thoughts on this? What can we do? We are affected as we use MariaDB Connector/C 2.33 currently
Use the variable that corresponds to the question you want to ask. If you just want to know if any SSL support is present, check have_ssl; if you're looking for OpenSSL in particular (for example, if you want to know whether TLSv1.2 or some newer ciphers are possible), check have_openssl or version_ssl_library.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
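
The distinction drawn in the reply above, as an added example (not code from either poster or from MariaDB): a Python helper that interprets rows already fetched with SHOW GLOBAL VARIABLES and SHOW SESSION STATUS LIKE 'Ssl_cipher'. The function names and sample rows are constructed for illustration; recognising MariaDB from the version string and using the Ssl_cipher status variable to confirm that the session is really encrypted are assumptions that go beyond what the thread states.

```python
def assess_tls(variables, session_status):
    """Interpret rows from SHOW GLOBAL VARIABLES / SHOW SESSION STATUS.

    Both arguments are plain dicts (name -> value) that the caller has
    already fetched; this helper opens no connection itself.
    """
    v = {name.lower(): str(value) for name, value in variables.items()}
    have_ssl = v.get("have_ssl", "NO").upper()
    # Assumption: MariaDB servers report "MariaDB" inside @@version.
    is_mariadb = "mariadb" in v.get("version", "").lower()
    if is_mariadb:
        # MariaDB: have_openssl means "OpenSSL specifically is compiled in".
        openssl = v.get("have_openssl", "NO").upper() == "YES"
    else:
        # MySQL: have_openssl is an alias for have_ssl, so it cannot
        # identify the TLS library; report "unknown" instead of guessing.
        openssl = None
    # Ssl_cipher is empty when the current session is not encrypted.
    cipher = session_status.get("Ssl_cipher", "")
    return {
        "tls_available": have_ssl == "YES",
        "tls_disabled": have_ssl == "DISABLED",
        "openssl": openssl,
        "library": v.get("version_ssl_library"),
        "session_encrypted": bool(cipher),
    }


def require_tls(variables, session_status):
    """Raise instead of silently continuing over a plaintext session."""
    result = assess_tls(variables, session_status)
    if not result["session_encrypted"]:
        raise ConnectionError("session is not encrypted (Ssl_cipher is empty)")
    return result


# Constructed sample rows, not captured from a real server.
MARIADB_YASSL = {"version": "10.2.6-MariaDB", "have_ssl": "YES",
                 "have_openssl": "NO", "version_ssl_library": "YaSSL 2.4.2"}
MYSQL_57 = {"version": "5.7.20", "have_ssl": "YES", "have_openssl": "YES"}

if __name__ == "__main__":
    print(assess_tls(MARIADB_YASSL, {"Ssl_cipher": "DHE-RSA-AES256-SHA"}))
    print(assess_tls(MYSQL_57, {"Ssl_cipher": ""}))
```
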
participants (2)
- Peter Laursen
- Sergei Golubchik