How to enable have_openssl, have_ssl, ssl_cipher in TiDB

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: tidb 如何开启have_openssl、have_ssl、ssl_cipher

| username: RAIN

【TiDB Usage Environment】Production Environment
【TiDB Version】6.1.4
【Encountered Problem: Problem Phenomenon and Impact】
Security agency detection requires enabling have_openssl, have_ssl, ssl_cipher, otherwise, there are three high-risk vulnerabilities. Please help…
image

| username: tidb菜鸟一只 | Original post link

To enable SSL in TiDB, modify the enable_tls system parameter to true. These two variables should not be changed; they are read-only variables made for MySQL compatibility.

| username: RAIN | Original post link

How to enable it? Is there an official document?

| username: tidb菜鸟一只 | Original post link

After modifying the corresponding parameters with tiup cluster edit-config <cluster-name>, reload the cluster to take effect.

| username: RAIN | Original post link

Thanks a lot, I’ll give it a try.

| username: 像风一样的男子 | Original post link

If this is not enabled, it is considered a medium-risk vulnerability that can be fixed or not. Which security assessment are you referring to that considers it high-risk?

| username: RAIN | Original post link

The link to the image you provided is broken or inaccessible. Please provide the text you need translated.

| username: 像风一样的男子 | Original post link

Enabling this means that the client connecting to the database and all internal components of the database need to use encrypted connections, which is quite troublesome.

| username: oceanzhang | Original post link

It’s not about changing the database parameters, it’s about changing the node configuration.

| username: RAIN | Original post link

After making this change, it cannot be saved. What should I do?

| username: caiyfc | Original post link

Check out my article:
Column - The Trials and Tribulations of Enabling Encrypted Communication TLS in TiDB Production Clusters - Opening Chapter | TiDB Community
After enabling it, some tools are affected. Follow the instructions in this article:
Column - The Trials and Tribulations of Enabling Encrypted Communication TLS in TiDB Production Clusters - Tools Chapter | TiDB Community

| username: RAIN | Original post link

According to your documentation, TLS has already been enabled, but when logging into the database, these two values are still in the off state.
image

| username: caiyfc | Original post link

This is the 6.1 documentation. Normally, it should be enabled. How about finding an opportunity to restart and check?

| username: RAIN | Original post link

I have already restarted it, but it doesn’t work.

| username: caiyfc | Original post link

I haven’t checked this parameter separately. If restarting the cluster doesn’t work, then it seems we can only explain that TiDB’s parameters are just compatible with MySQL but actually ineffective. :joy:

| username: RAIN | Original post link

Sure, no problem.

| username: dba远航 | Original post link

I have done these two upgrades on Oracle before.