SSL Improvements

Percona Server for MySQL enables transmitting data in encrypted form by using the TLSv1.2 protocol. By default, Percona Server for MySQL disables TLSv1.0 and deprecates TLSv1.1.

Implemented Using OpenSSL

Percona Server for MySQL binaries link with the OpenSSL library to implement the support of TLS protocols. Percona Server for MySQL supports OpenSSL version 1.1.

Percona Server for MySQL binaries do not link with the yaSSL embedded SSL library as MySQL Community Edition does. The yaSSL library only supports the TLSv1.0 and TLSv1.1 protocols, which are less secure than TLSv1.2. You may still link with yaSSL when building Percona Server for MySQL from source.

As part of its implementation, Percona Server for MySQL reports accurate diagnostic messages for connection failures such as a cipher mismatch between the client and the server or a required TLS version that is not enabled. For more information, see #75311 Error for SSL cipher is unhelpful.

Important

As Percona Server for MySQL does not use yaSSL, yaSSL security advisories are not applicable to Percona Server for MySQL. System administrators should track the security advisories relevant to OpenSSL and upgrade their operating system promptly.

See also

More information about yaSSL embedded SSL library
https://www.wolfssl.com/products/yassl/
MySQL Documentation: OpenSSL Versus yaSSL
https://dev.mysql.com/doc/refman/5.6/en/openssl-versus-yassl.html
MySQL Bug System (solved for Percona Server for MySQL):
#75311 Error for SSL cipher is unhelpful

By default, Percona Server for MySQL passes elliptic curve crypto-based ciphers to OpenSSL, such as ECDHE-RSA-AES128-GCM-SHA256.

Note

Although documented as supported, elliptic curve crypto-based ciphers do not work with MySQL.

See also

MySQL Bug System (solved for Percona Server for MySQL):
#82935 Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported

Multi-Domain Certificates

Percona Server for MySQL supports multi-domain certificates (SAN). This feature is useful for managing storage better, for building high-availability clusters, or as part of a backup solution.

See also

Percona Blog Post: When would you use SAN with MySQL?
https://www.percona.com/blog/2009/03/09/when-would-you-use-san-with-mysql/
MySQL Bug System (solved for Percona Server for MySQL):
#68052 SSL Certificate Subject ALT Names with IPs not respected with --ssl-verify-serve

Compatibility Matrix

Feature                                    | yaSSL | OpenSSL < 1.0.2 | OpenSSL >= 1.0.2
-------------------------------------------|-------|-----------------|-----------------
Validation of SSL certificate common name  | Yes   | Yes             | Yes
Validation of SAN                          | No    | Yes             | Yes
Support for wildcard names                 | No    | No              | Yes
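The matrix above as a worked model, added here as an example and not Percona's or MySQL's own verification code: it decides which library levels would accept a given connection hostname for a constructed server certificate carrying a CN, a DNS SAN, a wildcard SAN and an IP SAN. The mode names, the dict layout of the certificate and the helper names are assumptions of this example.

```python
import ipaddress

# Library levels from the compatibility matrix. Mode names and flags are my own
# labels for what each level checks (not real library or server settings).
MODES = {
    "yassl":          {"san": False, "wildcard": False},
    "openssl<1.0.2":  {"san": True,  "wildcard": False},
    "openssl>=1.0.2": {"san": True,  "wildcard": True},
}

# Constructed certificate (a plain dict, not parsed X.509): a CN plus DNS, wildcard
# and IP SAN entries, as a SAN-capable certificate for a MySQL server would carry.
SERVER_CERT = {
    "cn": "db1.example.com",
    "san": [("DNS", "db1.example.com"),
            ("DNS", "*.replica.example.com"),
            ("IP", "10.0.0.5")],
}

def _dns_match(pattern, host, wildcard):
    """Case-insensitive name match; '*' is honoured only in the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if wildcard and pattern.startswith("*."):
        parts = host.split(".", 1)          # one label replaces the '*', never more
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False

def host_matches(cert, host, mode):
    """True if `host` is acceptable for `cert` at the given library level."""
    m = MODES[mode]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                           # host is a DNS name, not an IP literal
    if m["san"] and cert.get("san"):
        # A present SAN is authoritative: the CN is not consulted as a fallback.
        for kind, value in cert["san"]:
            if kind == "DNS" and ip is None and _dns_match(value, host, m["wildcard"]):
                return True
            if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
                return True
        return False
    # CN-only check: what yaSSL (and any SAN-less certificate) gives you.
    return _dns_match(cert["cn"], host, m["wildcard"])

def matrix_row(cert, host):
    """Acceptance of `host` at each library level; mirrors one row of the table."""
    return {mode: host_matches(cert, host, mode) for mode in MODES}
```

Connecting by IP (`10.0.0.5`) or to a replica under the wildcard name reproduces the "Validation of SAN" and "Support for wildcard names" rows: only the SAN-aware levels accept the IP, and only OpenSSL >= 1.0.2 accepts the wildcard.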

SSL Improvements in mysqlbinlog

Percona Server for MySQL extends mysqlbinlog to accept the same SSL connection options as all the other client programs.

See also

How Percona Server for MySQL extends the functionality of mysqlbinlog
Extended mysqlbinlog
MySQL Bug System (solved for Percona Server for MySQL):
#41975 Support for SSL options not included in mysqlbinlog