maria-discuss team mailing list archive

Thread
Date

Re: Clarification about have_ssl and have_openssl variables

To: Peter Laursen <peter_laursen@xxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Sun, 11 Feb 2018 18:04:25 +0100
Cc: Maria Discuss <maria-discuss@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAFa9YRAr91f+c8Fx+-QW8P90tPHuRPnLpYhH7aDkkwjuvsSpKQ@mail.gmail.com>
User-agent: Mutt/1.7.2 (2016-11-26)

Hi, Peter!

On Feb 08, Peter Laursen wrote:
> MySQL documentation states
> https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_have_openssl
> simply states "This variable is an alias for have_ssl.". I checked with a
> few Oracle/MySQL installations that the two variables have identical
> values.
> 
> But this is not the case on MariaDB (I checked my local Windows installs of
> 10.1 and 10.2). have_openssl is NO - have_ssl is YES|DISABLED.

Yes, it was changed about five years ago. "have_ssl" in MariaDB says
whether SSL support is available, while "have_openssl" says,
specifically, whether OpenSSL is compiled in.

So, if you have MariaDB built with YaSSL, have_ssl will be YES, while
have_openssl will be NO. While MySQL will lie that have_openssl=YES,
even if no OpenSSL is present.

This is documented both in the KB:
https://mariadb.com/kb/en/ssltls-system-variables/#have_openssl
and in the server itself:
SELECT * FROM INFORMATION_SCHEMA.SYSTEM_VARIABLES WHERE VARIABLE_NAME='have_openssl';

> Any thoughts on this? What can we do? We are affected as we use MariaDB
> Connector/C 2.33 currently

Use the variable that corresponds to the question you want to ask.
If you just want to know if any SSL support is present, check have_ssl,
if you're looking for OpenSSL in particular (for example, if you want to
know whether TLSv1.2 or some newer ciphers are possible ), check
have_openssl or version_ssl_library.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

References

Clarification about have_ssl and have_openssl variables
From: Peter Laursen, 2018-02-08