SSL Improvements

Percona Server can encrypt data in transit using the TLSv1.2 protocol.

Implemented Using OpenSSL

Percona Server binaries link with the OpenSSL library to implement support for the TLS protocols. Percona Server supports OpenSSL version 1.1.

Percona Server binaries do not link with the yaSSL embedded SSL library, as MySQL Community Edition binaries do. The yaSSL library supports only the TLSv1.0 and TLSv1.1 protocols, which are less secure than TLSv1.2. You may still link with yaSSL when building Percona Server from source.

As part of this implementation, Percona Server provides correct diagnostic messages for cases such as a cipher mismatch between the client and the server, or the required TLS version not being enabled. For more information, see #75311 Error for SSL cipher is unhelpful.

Important

As Percona Server does not use yaSSL, yaSSL security advisories are not applicable to Percona Server. System administrators should track the security advisories relevant to OpenSSL and upgrade their operating system promptly.

See also

More information about yaSSL embedded SSL library
https://www.wolfssl.com/products/yassl/
MySQL Documentation: OpenSSL Versus yaSSL
https://dev.mysql.com/doc/refman/5.7/en/openssl-versus-yassl.html
MySQL Bug System (solved for Percona Server):
#75311 Error for SSL cipher is unhelpful

By default, Percona Server passes elliptic curve crypto-based ciphers to OpenSSL, such as ECDHE-RSA-AES128-GCM-SHA256.

Note

Although documented as supported, elliptic curve crypto-based ciphers do not work with MySQL.

Multi-Domain Certificates

Percona Server supports multi-domain certificates (certificates carrying Subject Alternative Names, SAN). This feature is useful to help manage the storage better, for building high availability clusters, or as part of a backup solution.

See also

Percona Blog Post: When would you use SAN with MySQL?
https://www.percona.com/blog/2009/03/09/when-would-you-use-san-with-mysql/
MySQL Bug System (solved for Percona Server):
#68052 SSL Certificate Subject ALT Names with IPs not respected with --ssl-verify-serve

Compatibility Matrix

| Feature                                   | yaSSL | OpenSSL < 1.0.2 | OpenSSL >= 1.0.2 |
|-------------------------------------------|-------|-----------------|------------------|
| Validation of SSL certificate common name | Yes   | Yes             | Yes              |
| Validation of SAN                         | No    | Yes             | Yes              |
| Support for wildcard names                | No    | No              | Yes              |
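The following added example (not Percona's or MySQL's code) models the three validation levels in the matrix above as a hostname check over a certificate in the dict shape that Python's `ssl.getpeercert()` returns. It assumes IP-address SANs are covered by "Validation of SAN", and it checks the common name even when SANs are present, which is a simplification of what real libraries do; the sample certificate is constructed.

```python
import ipaddress

# Validation capabilities taken from the page's compatibility matrix:
# (validates common name, validates SAN, supports wildcard names)
LIBRARY_CAPABILITIES = {
    "yassl":          (True, False, False),
    "openssl<1.0.2":  (True, True,  False),
    "openssl>=1.0.2": (True, True,  True),
}

def _dns_match(pattern, hostname, allow_wildcard):
    """Case-insensitive DNS name match. A wildcard is accepted only as the
    whole leftmost label and matches exactly one label (RFC 6125 style)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not allow_wildcard or not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname, library):
    """Return True if `hostname` is acceptable for `cert` under the rules of
    `library`. `cert` uses the dict layout of ssl.SSLSocket.getpeercert().
    Simplification (assumption): the CN is always consulted, even when SANs
    are present, because the matrix lists CN validation as 'Yes' everywhere."""
    check_cn, check_san, allow_wildcard = LIBRARY_CAPABILITIES[library]
    if check_san:
        for kind, value in cert.get("subjectAltName", ()):
            if kind == "DNS" and _dns_match(value, hostname, allow_wildcard):
                return True
            if kind == "IP Address":  # IP SANs treated as part of SAN validation (assumption)
                try:
                    if ipaddress.ip_address(value) == ipaddress.ip_address(hostname):
                        return True
                except ValueError:  # hostname is not an IP literal
                    pass
    if check_cn:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dns_match(value, hostname, allow_wildcard):
                    return True
    return False

# Constructed sample certificate (not a real certificate): one CN, one
# wildcard DNS SAN and one IP SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "db1.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "10.0.0.5")),
}
```

Running `hostname_matches(SAMPLE_CERT, "db2.example.com", lib)` for each of the three library keys shows the wildcard SAN being honoured only at the `openssl>=1.0.2` level, while the exact CN `db1.example.com` is accepted at all three.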