Last updated: 2026-02-11
MariaDB TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for MariaDB to encrypt connections between clients and the database server. While MariaDB originated as a MySQL fork, its TLS configuration has diverged in several areas, particularly around system variables and TLS library support.
Prerequisites
- MariaDB 10.4.6 or later (tls_version was added in 10.4.6; require_secure_transport needs 10.5.2 or later)
- OpenSSL 1.1.1 or later for TLS 1.3 (MariaDB can also be built against the bundled wolfSSL, and 10.3 and earlier bundled yaSSL, but OpenSSL is recommended)
- SSL certificates (server certificate, private key, and CA certificate)
Server Configuration
Add the following settings to your MariaDB configuration file under the [mariadbd] section (or [mysqld] on MariaDB < 10.5).
Path note:
- Debian/Ubuntu: /etc/mysql/mariadb.conf.d/50-server.cnf
- RHEL/CentOS: /etc/my.cnf.d/server.cnf
- SLES: /etc/my.cnf.d/mariadb-server.cnf
Certificate Files
[mariadbd]
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
ssl_ca = /etc/mysql/ssl/ca.pem
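MariaDB ships no certificate-generation utility (the guide notes below that there is no mysql_ssl_rsa_setup), so the three files above have to come from your CA or from openssl. The following script is an added example, not code from the MariaDB project or from this guide: it builds a private CA, a server certificate whose SAN matches the host name clients connect to, and a client certificate usable for REQUIRE X509 and for replica logins. The directory /etc/mysql/ssl, the name db.example.com, the CA subject and the client CN are assumptions.

```shell
#!/bin/sh
# Added example, not MariaDB project code: a private CA, a server certificate
# and a client certificate generated with openssl. The directory, the host
# name db.example.com and the subjects are assumptions matching this guide.
set -eu

# gen_mariadb_certs DIR SERVER_HOST [CLIENT_CN]
# Writes ca.pem, server-cert.pem, server-key.pem, client-cert.pem and
# client-key.pem into DIR.
gen_mariadb_certs() {
    dir=$1; host=$2; client_cn=${3:-appuser}
    mkdir -p "$dir"

    # 1. CA. Its subject must differ from every leaf subject; a leaf whose
    #    subject equals the issuer's is treated as self-signed and fails to verify.
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -subj "/CN=My Internal CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null

    # 2. Server certificate. The SAN must be the name clients pass to -h:
    #    --ssl-verify-server-cert and MASTER_SSL_VERIFY_SERVER_CERT compare it.
    #    An RSA key means the ECDHE-RSA entries of ssl_cipher are the ones used.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl req -new -newkey rsa:3072 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server-cert.pem" 2>/dev/null

    # 3. Client certificate for REQUIRE X509 / REQUIRE SUBJECT and for the
    #    replica's MASTER_SSL_CERT.
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl req -new -newkey rsa:3072 -nodes -sha256 -subj "/CN=$client_cn" \
        -keyout "$dir/client-key.pem" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client-cert.pem" 2>/dev/null

    rm -f "$dir"/*.csr "$dir"/*.ext "$dir/ca.srl"
    # Private keys are secrets. After copying to the server, also
    # chown mysql:mysql server-key.pem so mariadbd (not root) can read it.
    chmod 644 "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"
    chmod 600 "$dir"/*-key.pem
}

# verify_chain DIR: succeeds only if both leaf certificates chain to DIR/ca.pem,
# the same check the server and client perform at handshake time.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/server-cert.pem" "$1/client-cert.pem" \
        >/dev/null 2>&1
}

# cert_subject FILE: subject in the slash-separated form that
# REQUIRE SUBJECT '/CN=appuser' compares against.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Usage: sh make-certs.sh db.example.com [appuser]
# Output directory defaults to /etc/mysql/ssl; override with SSL_DIR.
if [ $# -ge 1 ]; then
    out=${SSL_DIR:-/etc/mysql/ssl}
    gen_mariadb_certs "$out" "$1" "${2:-appuser}"
    verify_chain "$out" || { echo "chain verification failed" >&2; exit 1; }
    echo "client subject for REQUIRE SUBJECT: $(cert_subject "$out/client-cert.pem")"
fi
```

Keep ca-key.pem off the database host; it is only needed to sign new certificates. The ca.pem and client files are what application hosts and replicas receive.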
Protocol Versions
tls_version (MariaDB 10.4.6+) restricts the protocol versions the server will negotiate. Set it explicitly; the default also allows TLSv1.1:
[mariadbd]
tls_version = TLSv1.2,TLSv1.3
TLSv1.3 is only offered when the server is linked against OpenSSL 1.1.1 or later; the variable cannot enable a version the TLS library lacks. On releases before 10.4.6 the variable does not exist and the server accepts whatever its TLS library allows, so upgrade rather than rely on library defaults.
Cipher Suites
Configure strong cipher suites for TLS 1.2. ssl_cipher takes an OpenSSL cipher string; the ECDHE-ECDSA entries are only usable when the server certificate is ECDSA, an RSA certificate selects the ECDHE-RSA entries, and TLS 1.3 suites are chosen by the library rather than by this list:
[mariadbd]
ssl_cipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Require Encrypted Connections
Force all client connections to use TLS:
[mariadbd]
require_secure_transport = ON
Without this, clients can still connect unencrypted unless individual user accounts require SSL. The variable exists from MariaDB 10.5.2; on older releases, per-user REQUIRE SSL (see Per-User TLS Requirements) is the only server-side enforcement. Connections over the Unix socket count as secure transport and are not affected.
Complete Server Configuration
[mysqld]
# Note: [mysqld] is read by every MariaDB version; [mariadbd] only by 10.5 and later
# Certificate files
ssl_cert = /etc/mysql/ssl/server-cert.pem
ssl_key = /etc/mysql/ssl/server-key.pem
ssl_ca = /etc/mysql/ssl/ca.pem
# Protocol versions: requires MariaDB 10.4.6+; on older versions, omit this line
tls_version = TLSv1.2,TLSv1.3
# TLS 1.2 cipher suites
ssl_cipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
# Require encrypted connections — requires MariaDB 10.5+; on older versions, omit this line
require_secure_transport = ON
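A configuration that looks like the one above can still be wrong in detail: a dash instead of an underscore, a leftover TLSv1.0 in tls_version, or a cipher string with a non-PFS suite. The script below is an added example, not MariaDB code, that reads a server option file the way the server does (server groups only, '-' and '_' equivalent, bare keys as ON, last occurrence wins) and reports findings against the settings in this guide. The option names checked are the ones used above; the file path is an argument, and the FAIL/WARN categories are the script's own.

```shell
#!/bin/sh
# Added example, not MariaDB project code: static audit of a server option
# file against the TLS settings recommended in this guide.
set -eu

# cnf_get FILE KEY: print KEY's value from the server option groups
# ([mariadbd], [mysqld], [mariadb], [server]). MariaDB treats '-' and '_'
# in option names as the same character, so ssl-cert and ssl_cert both match.
# A bare key (no '=') is a boolean switch and reads as ON.
cnf_get() {
    awk -v want="$2" '
        /^[ \t]*\[/ {
            insvr = ($0 ~ /^[ \t]*\[(mariadbd|mysqld|mariadb|server)\][ \t]*$/)
            next
        }
        insvr && !/^[ \t]*[#;]/ && !/^[ \t]*$/ {
            line = $0
            sub(/[ \t]+[#;].*$/, "", line)                 # trailing comment
            eq = index(line, "=")
            key = (eq ? substr(line, 1, eq - 1) : line)
            gsub(/[ \t]/, "", key)
            gsub(/-/, "_", key)
            if (key != want) next
            val = (eq ? substr(line, eq + 1) : "ON")      # bare key = switch on
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/^["]|["]$/, "", val)
            found = 1                                      # last occurrence wins
        }
        END { if (found) print val }' "$1"
}

# audit_cnf FILE: print one FAIL/WARN line per finding; returns 1 on any FAIL.
audit_cnf() {
    f=$1; rc=0
    for k in ssl_cert ssl_key ssl_ca; do
        [ -n "$(cnf_get "$f" "$k")" ] || { echo "FAIL: $k is not set"; rc=1; }
    done

    tv=$(cnf_get "$f" tls_version)
    case $tv in
        "") echo "WARN: tls_version not set; the server default also allows TLSv1.1" ;;
        *TLSv1.0*|*TLSv1.1*) echo "FAIL: tls_version permits legacy protocols: $tv"; rc=1 ;;
    esac

    rst=$(cnf_get "$f" require_secure_transport | tr 'a-z' 'A-Z')
    case $rst in
        ON|1|TRUE) ;;
        *) echo "FAIL: require_secure_transport is not ON; plaintext logins are accepted unless every account has REQUIRE SSL"; rc=1 ;;
    esac

    cipher=$(cnf_get "$f" ssl_cipher)
    if [ -z "$cipher" ]; then
        echo "WARN: ssl_cipher not set; the TLS library default list is used"
    else
        old_ifs=$IFS; IFS=':'
        for suite in $cipher; do
            case $suite in
                '!'*) ;;                                   # exclusion such as !aNULL
                ECDHE-*RC4*|ECDHE-*DES*|ECDHE-*MD5*|ECDHE-*NULL*)
                    echo "FAIL: weak suite $suite"; rc=1 ;;
                ECDHE-*) ;;                                # forward-secret, as in this guide
                *) echo "FAIL: $suite has no forward secrecy or is a catch-all keyword"; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    fi
    return $rc
}

# Usage: sh audit-cnf.sh /etc/mysql/mariadb.conf.d/50-server.cnf
if [ $# -ge 1 ]; then
    audit_cnf "$1" || exit 1
    echo "OK: $1"
fi
```

Run it against every file the server reads (the path note above lists the distribution defaults), since a later file can override an earlier one.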
Differences from MySQL
MariaDB's TLS configuration differs from MySQL in several ways:
- Section name: MariaDB reads [mariadbd] (10.5+) in addition to the older [mysqld] that MySQL uses.
- No tls_ciphersuites: MariaDB has no separate variable for TLS 1.3 cipher suites; with OpenSSL the library's default TLS 1.3 suites are used.
- TLS library: the server can be built against OpenSSL or the bundled wolfSSL (yaSSL in 10.3 and earlier); the client library, Connector/C, additionally supports GnuTLS and Schannel. OpenSSL is recommended for TLS 1.3 support and modern cipher coverage.
- No mysql_ssl_rsa_setup: MariaDB does not include this utility. Generate certificates with openssl or use your CA.
Client Configuration
Add TLS settings to the [client-mariadb] or [client] section:
[client-mariadb]
ssl
ssl-ca = /etc/mysql/ssl/ca.pem
ssl-verify-server-cert
- ssl enables TLS for the connection.
- ssl-verify-server-cert makes the client check the server certificate chain against ssl-ca and the host name against the certificate (equivalent to MySQL's ssl_mode=VERIFY_IDENTITY). Without it the client encrypts but does not authenticate the server, so an active attacker on the path can still interpose.
Connection String
mariadb -h db.example.com -u appuser -p --ssl --ssl-ca=/etc/mysql/ssl/ca.pem --ssl-verify-server-cert
The MariaDB client has no --ssl-mode option; that flag belongs to MySQL's mysql client. --ssl-ca together with --ssl-verify-server-cert is the MariaDB equivalent of VERIFY_IDENTITY. The client can also cap the protocol versions it accepts with --tls-version, for example --tls-version=TLSv1.2,TLSv1.3.
Per-User TLS Requirements
Require specific users to connect with TLS:
ALTER USER 'appuser'@'%' REQUIRE SSL;
For stricter requirements, require a client certificate signed by the CA in ssl_ca (any subject):
ALTER USER 'appuser'@'%' REQUIRE X509;
Require a specific subject or issuer. Both are compared as exact strings against the certificate's DN in OpenSSL's slash-separated one-line format:
ALTER USER 'appuser'@'%' REQUIRE SUBJECT '/CN=appuser'
AND ISSUER '/CN=My Internal CA';
Replication TLS
To encrypt replication traffic between primary and replica servers, configure the replica to use TLS:
CHANGE MASTER TO
MASTER_SSL = 1,
MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
MASTER_SSL_CERT = '/etc/mysql/ssl/client-cert.pem',
MASTER_SSL_KEY = '/etc/mysql/ssl/client-key.pem',
MASTER_SSL_VERIFY_SERVER_CERT = 1;
If the replication account only has REQUIRE SSL (no client certificate required), the certificate and key lines can be omitted; MASTER_SSL_VERIFY_SERVER_CERT = 1 still makes the replica check the primary's certificate and host name against the CA, and REQUIRE SSL on the account stops a misconfigured replica from falling back to plaintext:
CHANGE MASTER TO
MASTER_SSL = 1,
MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
MASTER_SSL_VERIFY_SERVER_CERT = 1;
Note: Unlike MySQL, MariaDB continues to use CHANGE MASTER TO syntax in all current versions (including 10.11+ and 11.x). MariaDB has not adopted MySQL's CHANGE REPLICATION SOURCE TO syntax.
Galera Cluster TLS
For MariaDB Galera Cluster, encrypt the replication traffic between nodes:
[mariadbd]
wsrep_provider_options = "socket.ssl_key=/etc/mysql/ssl/server-key.pem;socket.ssl_cert=/etc/mysql/ssl/server-cert.pem;socket.ssl_ca=/etc/mysql/ssl/ca.pem;socket.ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384"
The SST (State Snapshot Transfer) method should also use encryption, since a full data copy travels between nodes during a join. For wsrep_sst_method = mariabackup (the backup binary is named mariadb-backup from 10.5 on; the method name is unchanged), add to the [sst] section:
[sst]
ssl-ca = /etc/mysql/ssl/ca.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
encrypt = 4
encrypt = 4 is the mode that reads these ssl-ca/ssl-cert/ssl-key options; the older modes 2 and 3 use the tca, tcert and tkey option names instead. The socket.ssl_* provider options and the SST settings are read at startup, so apply them with a rolling restart of each node.
Verification
Restart MariaDB and verify TLS is active:
systemctl restart mariadb
Check that TLS is enabled on the server (have_ssl must be YES; DISABLED means the library is present but no certificate was loaded) and which versions are allowed:
mariadb -u root -p -e "SHOW VARIABLES LIKE 'have_ssl';"
mariadb -u root -p -e "SHOW VARIABLES LIKE '%ssl%';"
mariadb -u root -p -e "SHOW VARIABLES LIKE 'tls_version';"
Check the current connection encryption. Connect over TCP with TLS for this test; a local Unix-socket connection is not encrypted and reports an empty Ssl_cipher, which is normal and not a failure:
mariadb -h 127.0.0.1 -u root -p --ssl --ssl-ca=/etc/mysql/ssl/ca.pem -e "SHOW SESSION STATUS LIKE 'Ssl_cipher';"
mariadb -h 127.0.0.1 -u root -p --ssl --ssl-ca=/etc/mysql/ssl/ca.pem -e "SHOW SESSION STATUS LIKE 'Ssl_version';"
A successful TLS connection will show a cipher name like TLS_AES_256_GCM_SHA384 with Ssl_version TLSv1.3, or ECDHE-RSA-AES256-GCM-SHA384 with TLSv1.2. Finally confirm that a plaintext attempt is refused: mariadb -h 127.0.0.1 -u root -p --skip-ssl must fail while require_secure_transport is ON.
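The status checks above need a database login. The script below is an added example, not MariaDB code, that checks the same things from outside: it runs the MySQL-protocol STARTTLS exchange with openssl s_client (OpenSSL 1.1.1 or later), reduces the report to the negotiated protocol, cipher and chain-verification result, accepts only TLS 1.2/1.3 with a verified chain, and then confirms that the same credentials which work over TLS are refused over plaintext. The host, port, user and CA path are assumptions; the password is expected in ~/.my.cnf or MYSQL_PWD so it never appears on the command line.

```shell
#!/bin/sh
# Added example, not MariaDB project code: probe a server's TLS without a
# database login, then confirm that plaintext logins are refused.
set -eu

# probe_tls HOST PORT CAFILE: perform the MySQL-protocol STARTTLS exchange
# and print the s_client report. Chain or host-name mismatches abort the
# handshake because of -verify_return_error.
probe_tls() {
    openssl s_client -starttls mysql -connect "$1:$2" -servername "$1" \
        -verify_hostname "$1" -CAfile "$3" -verify_return_error </dev/null 2>&1
}

# tls_summary: reduce an s_client report on stdin to one line:
#   proto=<version> cipher=<suite> verify=<code>
tls_summary() {
    awk -F': *' '
        /^ *Protocol *:/      { proto = $2 }
        /^ *Cipher *:/        { cipher = $2 }
        /Verify return code:/ { verify = $2 }
        END { printf "proto=%s cipher=%s verify=%s\n", proto, cipher, verify }'
}

# tls_ok SUMMARY: succeed only for TLS 1.2/1.3 with a chain that verified.
tls_ok() {
    case $1 in
        *"proto=TLSv1.2 "*|*"proto=TLSv1.3 "*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *"verify=0 (ok)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# require_tls_enforced HOST USER CAFILE: 0 when a TLS login works and the
# same account is refused over plaintext, i.e. require_secure_transport=ON
# (or REQUIRE SSL on the account) is actually enforced. Returns 2 when the
# TLS login itself fails, so a dead server is not mistaken for enforcement.
require_tls_enforced() {
    mariadb -h "$1" -u "$2" --ssl --ssl-ca="$3" --ssl-verify-server-cert \
        -e 'SELECT 1' >/dev/null 2>&1 || return 2
    if mariadb -h "$1" -u "$2" --skip-ssl -e 'SELECT 1' >/dev/null 2>&1; then
        return 1                                   # plaintext was accepted
    fi
    return 0
}

# Usage: sh probe-tls.sh db.example.com 3306 appuser [/etc/mysql/ssl/ca.pem]
if [ $# -ge 3 ]; then
    ca=${4:-/etc/mysql/ssl/ca.pem}
    summary=$(probe_tls "$1" "$2" "$ca" | tls_summary)
    echo "$summary"
    tls_ok "$summary" || { echo "weak or unverified TLS" >&2; exit 1; }
    require_tls_enforced "$1" "$3" "$ca" || { echo "plaintext login was accepted or TLS login failed" >&2; exit 1; }
    echo "OK: modern TLS negotiated and plaintext refused"
fi
```

Because probe_tls passes -verify_hostname, a certificate whose SAN does not match the name you connect to is reported as a verification failure rather than silently accepted, which is the same condition --ssl-verify-server-cert would raise for clients.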