Last updated: 2026-06-25

MariaDB TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for MariaDB to encrypt connections between clients and the database server. While MariaDB originated as a MySQL fork, its TLS configuration has diverged in several areas, particularly around system variables and TLS library support.

Prerequisites

  • MariaDB 10.11 LTS or later
  • OpenSSL 1.1.1 or later (MariaDB can also use wolfSSL or yaSSL, but OpenSSL is recommended)
  • SSL certificates (server certificate, private key, and CA certificate)

Server Configuration

Add the following settings to your MariaDB configuration file under the [mariadbd] section.

Path note: Debian/Ubuntu: /etc/mysql/mariadb.conf.d/50-server.cnf. RHEL: /etc/my.cnf.d/server.cnf. SLES: /etc/my.cnf.d/mariadb-server.cnf.

Certificate Files

[mariadbd]
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
ssl_ca = /etc/mysql/ssl/ca.pem

Protocol Versions

Use tls_version to restrict allowed TLS versions:

[mariadbd]
tls_version = TLSv1.2,TLSv1.3

Cipher Suites

Configure strong cipher suites for TLS 1.2:

[mariadbd]
ssl_cipher = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

Require Encrypted Connections

Force all client connections to use TLS:

[mariadbd]
require_secure_transport = ON

Without this, clients can still connect unencrypted unless individual user accounts require SSL.

Complete Server Configuration

[mariadbd]
# Certificate files
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
ssl_ca = /etc/mysql/ssl/ca.pem

# Protocol versions
tls_version = TLSv1.2,TLSv1.3

# TLS 1.2 cipher suites
ssl_cipher = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# Require encrypted connections
require_secure_transport = ON

Differences from MySQL

MariaDB's TLS configuration differs from MySQL in several ways:

  • Section name: MariaDB uses [mariadbd] instead of MySQL's [mysqld]. The [mysqld] section still works but [mariadbd] is preferred.
  • No tls_ciphersuites: MariaDB does not have a separate variable for TLS 1.3 cipher suites. TLS 1.3 ciphers are managed by the TLS library (OpenSSL) automatically.
  • TLS library: MariaDB can use OpenSSL, wolfSSL, or the bundled yaSSL/GnuTLS. OpenSSL is recommended for full TLS 1.3 support and modern cipher coverage.
  • No mysql_ssl_rsa_setup: MariaDB does not include this utility. Generate certificates manually or use your CA.

Client Configuration

Add TLS settings to the [client-mariadb] or [client] section:

[client-mariadb]
ssl
ssl-ca = /etc/mysql/ssl/ca.pem
ssl-verify-server-cert

  • ssl enables TLS for the connection.
  • ssl-verify-server-cert verifies the server certificate against the CA (equivalent to MySQL's ssl_mode=VERIFY_IDENTITY).

Connection String

mariadb -h db.example.com -u appuser -p --ssl --ssl-ca=/etc/mysql/ssl/ca.pem --ssl-verify-server-cert

You can also use --ssl-mode:

mariadb -h db.example.com -u appuser -p --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/mysql/ssl/ca.pem

Per-User TLS Requirements

Require specific users to connect with TLS:

ALTER USER 'appuser'@'%' REQUIRE SSL;

For stricter requirements, require a specific certificate:

ALTER USER 'appuser'@'%' REQUIRE X509;

Require a specific subject or issuer:

ALTER USER 'appuser'@'%' REQUIRE SUBJECT '/CN=appuser'
    AND ISSUER '/CN=My Internal CA';

See RFC 8446 §4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.

Replication TLS

To encrypt replication traffic between primary and replica servers, configure the replica to use TLS:

CHANGE MASTER TO
    MASTER_SSL = 1,
    MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
    MASTER_SSL_CERT = '/etc/mysql/ssl/client-cert.pem',
    MASTER_SSL_KEY = '/etc/mysql/ssl/client-key.pem',
    MASTER_SSL_VERIFY_SERVER_CERT = 1;

Note: Unlike MySQL, MariaDB continues to use CHANGE MASTER TO syntax in all current versions (including 10.11+ and 11.x). MariaDB has not adopted MySQL's CHANGE REPLICATION SOURCE TO syntax.

Galera Cluster TLS

For MariaDB Galera Cluster, encrypt the replication traffic between nodes:

[mariadbd]
wsrep_provider_options = "socket.ssl_key=/etc/mysql/ssl/server-key.pem;socket.ssl_cert=/etc/mysql/ssl/server-cert.pem;socket.ssl_ca=/etc/mysql/ssl/ca.pem;socket.ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384"

The SST (State Snapshot Transfer) method should also use encryption. For the mariabackup SST method (on 10.6 and later, mariadb-backup is the preferred name):

[sst]
ssl-ca = /etc/mysql/ssl/ca.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
encrypt = 3

Security Notes

The cipher suite and protocol configuration in this guide addresses the following known TLS vulnerabilities:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 is disabled. TLS_FALLBACK_SCSV was added in OpenSSL 1.0.1j / 1.0.2 (October 2014); SSL 3.0 was disabled by default in OpenSSL 1.1.0 (August 2016).
  • BEAST (CVE-2011-3389, 2011): Mitigated by recommending TLS 1.2 as the minimum; AEAD-only ciphers eliminate the CBC padding oracle.
  • CRIME (CVE-2012-4929, 2012): TLS compression is off by default in OpenSSL 1.1.0+; do not enable it.
  • Lucky13 (2013): AEAD-only cipher list eliminates CBC padding timing side-channels entirely.
  • FREAK (CVE-2015-0204, 2015): EXPORT-grade ciphers are excluded from the cipher string. Removed from OpenSSL 1.1.0 (August 2016).
  • LOGJAM (CVE-2015-4000, 2015): Short-key DHE is excluded; only ECDHE key exchange is recommended.
  • Sweet32 (CVE-2016-2183, 2016): 3DES is excluded from the cipher string.
  • ROBOT (2017): Static RSA key exchange is excluded; only ECDHE is recommended.
  • Downgrade attacks: TLS_FALLBACK_SCSV prevents protocol version rollback.
  • Renegotiation injection (CVE-2009-3555, 2009): Secure renegotiation is enforced by default in OpenSSL 0.9.8m+; TLS 1.3 removes renegotiation entirely.

The following are not addressable through TLS configuration alone:

  • Heartbleed (CVE-2014-0160, 2014): A memory disclosure bug in OpenSSL 1.0.1 through 1.0.1f. Fixed in OpenSSL 1.0.1g (April 7, 2014). Addressed by patching OpenSSL, not by TLS configuration.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; the MariaDB wire protocol does not involve HTTP.
  • DROWN (CVE-2016-0800, 2016): Requires SSLv2 to be enabled on any server sharing the same private key. Ensure SSLv2 is disabled on all services that use the same certificate and key pair.
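The properties the notes above attribute to the cipher string and protocol settings can be checked mechanically before a restart. The following is an added example, not part of this guide or of MariaDB: a Python audit of a [mariadbd] section (the sample configuration is constructed inline from the settings above) that flags suites that are not ECDHE + AEAD, legacy algorithms, TLS 1.0/1.1 in tls_version, missing certificate options and a missing require_secure_transport.

```python
import configparser

# Constructed sample: the [mariadbd] section this guide recommends (cipher list shortened to three suites).
RECOMMENDED_CNF = """\
[mariadbd]
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
ssl_ca = /etc/mysql/ssl/ca.pem
tls_version = TLSv1.2,TLSv1.3
ssl_cipher = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305
require_secure_transport = ON
"""

def server_section(cnf_text):
    # my.cnf treats '-' and '_' in option names as interchangeable; bare options ("ssl") carry no value.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(cnf_text)
    for name in ("mariadbd", "mysqld"):  # [mysqld] still works, [mariadbd] is preferred
        if cp.has_section(name):
            return {k.replace("-", "_"): (v or "").strip() for k, v in cp.items(name)}
    return {}

def cipher_findings(cipher_string):
    # Each suite must be ECDHE + AEAD (GCM or ChaCha20-Poly1305) and name none of the excluded legacy algorithms.
    out = []
    for suite in cipher_string.split(":"):
        if not suite or suite[0] in "!@+-":  # skip empty tokens and OpenSSL list directives
            continue
        if not suite.startswith("ECDHE-"):
            out.append(f"{suite}: key exchange is not ECDHE")
        if "-GCM-" not in suite and not suite.endswith("CHACHA20-POLY1305"):
            out.append(f"{suite}: not an AEAD suite")
        legacy = {"DES", "3DES", "RC4", "EXP", "NULL", "MD5"} & set(suite.split("-"))
        if legacy:
            out.append(f"{suite}: legacy algorithm {sorted(legacy)}")
    return out

def audit_tls(cnf_text):
    # Returns a list of findings; an empty list means the section matches the guide's settings.
    opts = server_section(cnf_text)
    findings = [f"{k} is not set" for k in ("ssl_cert", "ssl_key", "ssl_ca") if k not in opts]
    versions = {v.strip() for v in opts.get("tls_version", "").split(",") if v.strip()}
    if not versions:
        findings.append("tls_version is not set; older protocol versions may be accepted")
    findings += [f"tls_version allows {v}" for v in sorted(versions & {"SSLv3", "TLSv1", "TLSv1.1"})]
    if opts.get("require_secure_transport", "").upper() not in ("ON", "1", "TRUE"):
        findings.append("require_secure_transport is not ON; unencrypted connections are accepted")
    if not opts.get("ssl_cipher"):
        findings.append("ssl_cipher is not set; suite selection is left to the TLS library defaults")
    return findings + cipher_findings(opts.get("ssl_cipher", ""))
```

Run audit_tls() over the contents of 50-server.cnf (or server.cnf) to get the list of deviations; the recommended section yields no findings.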

Verification

Restart MariaDB and verify TLS is active:

systemctl restart mariadb

Check TLS status:

mariadb -u root -p -e "SHOW VARIABLES LIKE '%ssl%';"
mariadb -u root -p -e "SHOW VARIABLES LIKE 'tls_version';"

Check the current connection encryption:

mariadb -u root -p -e "SHOW SESSION STATUS LIKE 'Ssl_cipher';"
mariadb -u root -p -e "SHOW SESSION STATUS LIKE 'Ssl_version';"

A successful TLS connection will show a cipher name like TLS_AES_256_GCM_SHA384 and a version like TLSv1.3.
