Support for TLS v1.1 and v1.2¶
Percona Server has implemented TLS v1.1 and v1.2 protocol support and at the same time disabled TLS v1.0 support (support for TLS v1.0 can be enabled by adding the TLSv1
to tls_version
variable). Support for TLS v1.1 and v1.2 protocols has been implemented by porting the tls_version
variable from 5.7 server. TLS v1.0 protocol has been disabled because it will no longer be viable for PCI after June 30th 2016. Variable default has been changed from TLSv1,TLSv1.1,TLSv1.2
to TLSv1.1,TLSv1.2
to disable the support for TLS v1.0 by default.
The client-side has the ability to make TLSv1.1 and 1.2 connections, but the option to allow only some protocol versions (--tls-version
, MYSQL_OPT_TLS_VERSION
in C API) has not been backported due to compatibility concerns and relatively easy option to use 5.7 clients instead if needed. Note: MASTER_TLS_VERSION
clause of CHANGE MASTER TO
statement has not been backported.
Version Specific Information¶
5.5.50-38.0
: Implemented support for TLS v1.1 and TLS v1.2 protocols
System Variables¶
-
variable
tls_version
¶ Version Info: - 5.5.50-38.0 – Introduced
Command Line: Yes
Config File: Yes
Scope: Global
Dynamic: No
Variable Type: String
Default Value: TLSv1.1,TLSv1.2
This variable defines protocols permitted by the server for encrypted connections.
-
variable
have_tlsv1_2
¶ Version Info: - 5.5.50-38.0 – Introduced
Command Line: Yes
Config File: No
Scope: Global
Dynamic: No
Variable Type: Boolean
This server variable is set to ON
if the server has been compiled with a SSL library providing TLSv1.2 support.
Contact Us
For free technical help, visit the Percona Community Forum.To report bugs or submit feature requests, open a JIRA ticket.
For paid support and managed or professional services, contact Percona Sales.