SSL and MariaDB/MySQL

With the recent Heartbleed bug, people are clearly more interested in their MariaDB/MySQL running with SSL and if they have problems. First up, you should read the advisory notes: MariaDB, Percona Server (blog), and MySQL (blog).

Next, when you install MariaDB (or a variant) you are usually dynamically linked to the OpenSSL library that the system provides. Typically on startup of MariaDB 10.0.10 on CentOS 6.5 (packages from the MariaDB repository), you can check what your status of SSL is.

MariaDB [(none)]> show variables like 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+
1 row in set (0.00 sec)

This means that SSL options are compiled, but mysqld didn’t start with it. You can verify SSL is linked dynamically:

ldd `which mysqld` | grep ssl
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007ff82d1b1000)

If you are running with SSL enabled (some documentation at MySQL) you will have different options naturally. You can do this via: /etc/init.d/mysql start --ssl. Output now changes:

MariaDB [(none)]> show variables like 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.00 sec)

The value NO will be displayed if the server is not compiled with SSL support. See SSL Server System Variables for more.


i