WL#14481: Deprecate the --ssl command line option and the have_ssl system variable
Affects: Server-8.0
—
Status: Complete
TLS support in MySQL is moving towards the concept of channels: named sets of TLS parameters that apply to different securable ports or protocols. The --ssl command line option is not very useful in this context, since it assumes that a single "channel" exists which it enables or disables, and this is no longer true. Furthermore, with the TLS options being dynamic, one can enable the TLS channels even if the --ssl command line option is off. Finally, the effect of the option, if absolutely required, can be recreated via a server SQL startup script. Thus the --ssl command line option should be deprecated in 8.0.

For the same reason, the have_ssl system variable is also somewhat obsolete: it too assumes there is a single "channel" whose state it signals. Right now it returns true if *any* of the TLS channels is active, but that is a very arbitrary decision that just demonstrates how limited the have_ssl value really is. Note also that the channels' state is displayed in a performance schema table, which removes the need for have_ssl. So the have_ssl system variable should be deprecated in 8.0.
FR1: --ssl, when specified at the command line, will produce a deprecation warning.
FR2: --admin-ssl, when specified at the command line, will produce a deprecation warning.
FR3: reading the value of have_ssl will produce a deprecation warning.
FR4: reading the value of have_openssl will produce a deprecation warning.
--ssl=off is deprecated in favor of (e.g.) --tls-version=invalid.
--admin-ssl=off is deprecated in favor of (e.g.) --admin-tls-version=invalid.
@@global.have_ssl is deprecated in favor of PERFORMANCE_SCHEMA.tls_channel_status.
@@global.have_openssl is deprecated.
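A migration check for the replacements listed above, as an added example that is not part of the worklog or of MySQL itself: it scans an option file for the deprecated --ssl and --admin-ssl switches in their various spellings and reports the replacement the worklog names. The sample file, the function names and the choice of which option groups count as server groups are assumptions made for this example.

```python
import re

# Replacements as stated in the worklog (option-file spelling, no leading "--").
REPLACEMENT = {"ssl": "tls-version=invalid", "admin-ssl": "admin-tls-version=invalid"}
OFF_VALUES = {"0", "off", "false"}

# Constructed sample option file, not taken from a real deployment.
SAMPLE = """\
[client]
ssl=0
[mysqld]
skip_ssl
loose-admin-ssl = OFF   # legacy hardening attempt
ssl
[mysqld-8.0]
tls_version=TLSv1.2,TLSv1.3
"""

def is_server_group(group):
    # Assumption: only groups that mysqld itself reads are in scope.
    return group in ("mysqld", "server") or group.startswith("mysqld-")

def audit_option_file(text):
    """Return (line_no, option, disabled, advice) for each deprecated switch."""
    findings, group = [], ""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            group = header.group(1).strip().lower()
            continue
        if not is_server_group(group):
            continue
        name, _, value = line.partition("=")
        # Dashes and underscores are interchangeable in option names.
        name = name.strip().lower().replace("_", "-")
        value = value.strip().strip("'\"").lower()
        name = re.sub(r"^loose-", "", name)
        negated = name.startswith(("skip-", "disable-"))
        name = re.sub(r"^(skip|disable|enable)-", "", name)
        if name not in REPLACEMENT:
            continue
        disabled = negated or value in OFF_VALUES
        advice = f"replace with {REPLACEMENT[name]}" if disabled else "remove the option"
        findings.append((line_no, name, disabled, advice))
    return findings
```

Calling `audit_option_file(SAMPLE)` flags lines 4 to 6 of the sample and ignores the `[client]` group and the `tls_version` setting.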