MySQL can be compiled using OpenSSL or wolfSSL, both of which enable encrypted connections based on the OpenSSL API:
MySQL Enterprise Edition binary distributions are compiled using OpenSSL. It is not possible to use wolfSSL with MySQL Enterprise Edition.
MySQL Community Edition binary distributions are compiled using OpenSSL.
MySQL Community Edition source distributions can be compiled using either OpenSSL or wolfSSL (see Section 6.3.5, “Building MySQL with Support for Encrypted Connections”).
OpenSSL and wolfSSL offer the same basic functionality, but MySQL distributions compiled using OpenSSL have additional features:
OpenSSL supports a more flexible syntax for specifying ciphers for the --ssl-cipher option, and supports a wider range of encryption ciphers from which to choose. See Section 6.3.2, “Command Options for Encrypted Connections”, and Section 6.3.6, “Encrypted Connection Protocols and Ciphers”.
OpenSSL supports the --ssl-capath option. MySQL distributions compiled using wolfSSL do not, because wolfSSL does not look in any directory and does not follow a chained certificate tree. wolfSSL requires that all components of the CA certificate tree be contained within a single CA certificate file and that each certificate in the file has a unique SubjectName value. To work around this limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option.
OpenSSL supports the --ssl-crl and --ssl-crlpath options. Distributions compiled using wolfSSL do not, because certificate revocation lists do not work with wolfSSL. (wolfSSL accepts these options but silently ignores them, so a wolfSSL build performs no revocation checking even when a CRL is configured.)
OpenSSL 1.1.1 and higher support the TLSv1.3 protocol.
Accounts that authenticate using the sha256_password plugin can use RSA key files for secure password exchange over unencrypted connections. See Section 6.4.1.3, “SHA-256 Pluggable Authentication”. (Accounts that authenticate using the caching_sha2_password plugin can use RSA key pair-based password exchange regardless of whether MySQL was compiled using OpenSSL or wolfSSL. See Section 6.4.1.2, “Caching SHA-2 Pluggable Authentication”.)
The server can automatically generate missing SSL and RSA certificate and key files at startup. See Section 6.3.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”.
OpenSSL supports more encryption modes for the AES_ENCRYPT() and AES_DECRYPT() functions. See Section 12.13, “Encryption and Compression Functions”.
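The --ssl-capath workaround above, bundling a CA chain into one file whose certificates all carry distinct SubjectName values, as an added example that is not code from the MySQL manual: a Python script that concatenates PEM files for use as --ssl-ca and refuses the bundle when two certificates share a subject, which wolfSSL would otherwise mishandle. The fake_cert_pem() helper is a constructed stand-in for real certificate files (correct DER field layout, no key or signature) so the script runs offline; the file names and the script name ca_bundle.py are assumptions.

```python
import base64
import re
import sys

# One PEM certificate block; group(1) is the base64 body (may span lines).
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag and length at pos (single-byte tags); return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der):
    """Return the raw DER of the subject Name of an X.509 certificate (RFC 5280 field order)."""
    _, p, _ = _tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(cert_der, p)                  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, p)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        p = end
    for _ in range(4):                           # serialNumber, signature, issuer, validity
        _, _, p = _tlv(cert_der, p)
    _, _, end = _tlv(cert_der, p)                # subject Name
    return cert_der[p:end]

def build_ca_bundle(pem_files):
    """Concatenate (label, PEM bytes) pairs into one CA file; refuse duplicate SubjectNames."""
    seen, blocks = {}, []
    for label, data in pem_files:
        for m in PEM_RE.finditer(data):
            subj = subject_der(base64.b64decode(m.group(1)))
            if subj in seen:
                raise ValueError(f"{label}: same SubjectName as a certificate in {seen[subj]}")
            seen[subj] = label
            blocks.append(m.group(0))
    return b"\n".join(blocks) + b"\n"

def _der(tag, body):
    """Encode one DER element (short-form length only; enough for the constructed samples)."""
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed stand-in for a CA certificate: correct DER field layout, no key or signature."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, sigalg
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))                    # issuer, validity, subject
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, _der(0x30, tbs))) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":                       # usage: python ca_bundle.py root.pem intermediate.pem > ca-bundle.pem
    files = [(path, open(path, "rb").read()) for path in sys.argv[1:]]
    sys.stdout.buffer.write(build_ca_bundle(files))
```

Point --ssl-ca at the resulting file on the wolfSSL-built server or client; the script exits with a ValueError instead of producing a bundle that wolfSSL would not evaluate correctly.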
Certain OpenSSL-related system and status variables are present only if MySQL was compiled using OpenSSL; the Rsa_public_key status variable is one of them.
To determine whether a server was compiled using OpenSSL, test the existence of any of those variables. For example, this statement returns a row if OpenSSL was used and an empty result if wolfSSL was used:
SHOW STATUS LIKE 'Rsa_public_key';