When MariaDB Server is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled TLS and cryptography library or dynamically linked with the system's OpenSSL library. MariaDB's bundled TLS library is either wolfSSL or yaSSL, depending on the server version.
When a MariaDB client or client library is compiled with TLS and cryptography support, it is usually either statically linked with MariaDB's bundled TLS and cryptography library or dynamically linked with the system's TLS and cryptography library, which might be OpenSSL, GnuTLS, or Schannel.
Dynamically linking MariaDB to the system's TLS and cryptography library can often be beneficial, since this allows you to fix bugs in the system's TLS and cryptography library independently of MariaDB. For example, when information on the Heartbleed Bug in OpenSSL was released in 2014, the bug could be mitigated by simply updating your system to use a fixed version of the OpenSSL library, and then restarting the MariaDB Server.
You can verify that mysqld
is in fact dynamically linked to the OpenSSL shared library on your system by using the ldd
command:
$ ldd $(which mysqld) | grep -E '(libssl|libcrypto)' libssl.so.10 => /lib64/libssl.so.10 (0x00007f8736386000) libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f8735f25000)
If the command does not return any results, then either your mysqld
is statically linked to the TLS and cryptography library on your system or your mysqld
is not built with TLS and cryptography support at all.
In MariaDB 10.0 and later, if you aren't sure whether your server is linked with OpenSSL or the bundled TLS library, then you can check the value of the have_openssl
system variable. For example:
SHOW GLOBAL VARIABLES LIKE 'have_openssl'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_openssl | YES | +---------------+-------+
In MariaDB 10.1 and later, if you want to see what version of OpenSSL your server is using, then you can check the value of the version_ssl_library
system variable. For example:
SHOW GLOBAL VARIABLES LIKE 'version_ssl_library'; +---------------------+---------------------------------+ | Variable_name | Value | +---------------------+---------------------------------+ | version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013 | +---------------------+---------------------------------+
Note that the version returned by this system variable does not always necessarily correspond to the exact version of the OpenSSL package installed on the system. OpenSSL shared libraries tend to contain interfaces for multiple versions at once to allow for backward compatibility. Therefore, if the OpenSSL package installed on the system is newer than the OpenSSL version that the MariaDB Server binary was built with, then the MariaDB Server binary might use one of the interfaces for an older version. See MDEV-15848 for more information. For example:
$ cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.5 (Maipo) $ rpm -q openssl openssl-1.0.2k-12.el7.x86_64 $ mysql -u root --batch --execute="SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';" Variable_name Value version_ssl_library OpenSSL 1.0.1e-fips 11 Feb 2013 $ ldd $(which mysqld) | grep libcrypto libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3dd3482000) $ readelf -a /lib64/libcrypto.so.10 | grep SSLeay_version 1374: 000000000006f5d0 21 FUNC GLOBAL DEFAULT 13 [email protected] 1375: 000000000006f5f0 21 FUNC GLOBAL DEFAULT 13 SSLeay_version@OPENSSL_1.0.1 1377: 000000000006f580 70 FUNC GLOBAL DEFAULT 13 SSLeay_version@@OPENSSL_1.0.2
Federal Information Processing Standards (FIPS) are standards published by the U.S. federal government that are used to establish requirements for various aspects of computer systems. FIPS 140-2 is a set of standards for security requirements for cryptographic modules.
This standard is relevant when discussing the TLS and cryptography libraries used by MariaDB. Some of these libraries have been certified to meet the standards set by FIPS 140-2.
The OpenSSL library has a special FIPS mode that has been certified to meet the FIPS 140-2 standard. In FIPS mode, only algorithms and key sizes that meet the FIPS 140-2 standard are enabled by the library.
MariaDB does not yet support enabling FIPS mode within the database server. See MDEV-20260 for more information. Therefore, if you would like to use OpenSSL's FIPS mode with MariaDB, then you would need to enable FIPS mode at the kernel level. See the following resources for more information on how to do that:
The standard version of the wolfSSL library has not been certified to meet the FIPS 140-2 standard, but a special "FIPS-ready" version has been certified. Unfortunately, the "FIPS-ready" version of wolfSSL uses a license that is incompatible with MariaDB's license, so it cannot be used with MariaDB.
The yaSSL library has not been certified to meet the FIPS 140-2 standard.
MariaDB Server is statically linked with the bundled wolfSSL library in MSI and ZIP packages on Windows.
MariaDB Server is statically linked with the bundled yaSSL library in MSI and ZIP packages on Windows.
In MariaDB 10.4.6 and later, MariaDB Server is statically linked with the bundled wolfSSL library in binary tarballs on Linux.
In MariaDB 10.4.5 and before, MariaDB Server is statically linked with the bundled yaSSL library in binary tarballs on Linux.
MariaDB Server is dynamically linked with the system's OpenSSL library in .deb
packages provided by MariaDB Foundation and MariaDB Corporation.
In MariaDB 10.4.6 and later, MariaDB Server is statically linked with the bundled wolfSSL library in .deb
packages provided by Debian's and Ubuntu's default repositories.
In MariaDB 10.4.5 and before, MariaDB Server is statically linked with the bundled yaSSL library in .deb
packages provided by Debian's and Ubuntu's default repositories.
See Differences in MariaDB in Debian (and Ubuntu) for more information.
MariaDB Server is dynamically linked with the system's OpenSSL library in .rpm
packages.
In MariaDB 10.2 and later, MariaDB Connector/C has been included with MariaDB Server, and the bundled and the clients and utilities are linked with it. On some platforms, MariaDB Connector/C and these clients and utilities may use a different TLS library than the one used by MariaDB Server and libmysqlclient.
In MariaDB 10.4.6 and later, MariaDB's clients and utilities and MariaDB Connector/C are are dynamically linked with the system's Schannel libraries in MSI and ZIP packages on Windows. libmysqlclient is still statically linked with the bundled wolfSSL library.
In MariaDB 10.2 and later, MariaDB's clients and utilities and MariaDB Connector/C are are dynamically linked with the system's Schannel libraries in MSI and ZIP packages on Windows. libmysqlclient is still statically linked with the bundled yaSSL library.
In MariaDB 10.1 and before, MariaDB's clients and utilities and libmysqlclient are statically linked with the bundled yaSSL library in MSI and ZIP packages on Windows.
In MariaDB 10.4.6 and later, MariaDB's clients and utilities and MariaDB Connector/C are statically linked with the GnuTLS library in binary tarballs on Linux. libmysqlclient is still statically linked with the bundled wolfSSL library.
In MariaDB 10.2 and later, MariaDB's clients and utilities and MariaDB Connector/C are statically linked with the GnuTLS library in binary tarballs on Linux. libmysqlclient is still statically linked with the bundled yaSSL library.
In MariaDB 10.1 and before, MariaDB's clients and utilities and libmysqlclient are statically linked with the bundled yaSSL library in binary tarballs on Linux.
MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL library in .deb
packages provided by MariaDB Foundation's and MariaDB Corporation's repositories.
In MariaDB 10.4.6 and later, MariaDB's clients and utilities and MariaDB Connector/C are dynamically linked with the system's GnuTLS library in .deb
packages provided by Debian's and Ubuntu's default repositories. libmysqlclient is still statically linked with the bundled wolfSSL libraries.
In MariaDB 10.2 and later, MariaDB's clients and utilities and MariaDB Connector/C are dynamically linked with the system's GnuTLS library in .deb
packages provided by Debian's and Ubuntu's default repositories. libmysqlclient is still statically linked with the bundled yaSSL libraries.
In MariaDB 10.1 and earlier, MariaDB's clients and utilities and libmysqlclient are statically linked with the bundled yaSSL library in .deb
packages provided by Debian's and Ubuntu's default repositories.
See Differences in MariaDB in Debian (and Ubuntu) for more information.
MariaDB's clients and utilities, libmysqlclient, and MariaDB Connector/C are dynamically linked with the system's OpenSSL library in .rpm
packages.
When the MariaDB Server or clients and utilities are dynamically linked to the system's OpenSSL library, it makes it very easy to update the libraries. The information below will show how to update these libraries for each platform.
On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to update the libraries using yum
or dnf
. Starting with RHEL 8 and Fedora 22, yum
has been replaced by dnf
, which is the next major version of yum
. However, yum
commands still work on many systems that use dnf
. For example:
Update the package by executing the following command:
sudo yum update openssl
And then restart MariaDB server and any clients or applications that use the library.
On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to recommended to update the libraries using apt-get
. For example:
First update the package cache by executing the following command:
sudo apt update
And then update the package by executing the following command:
sudo apt-get update openssl
And then restart MariaDB server and any clients or applications that use the library.
On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to recommended to update the libraries using zypper
. For example:
Update the package by executing the following command:
sudo zypper update openssl
And then restart MariaDB server and any clients or applications that use the library.
© 2019 MariaDB
Licensed under the Creative Commons Attribution 3.0 Unported License and the GNU Free Documentation License.
https://mariadb.com/kb/en/tls-and-cryptography-libraries-used-by-mariadb/