How to Set have_ssl to Yes

This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: 如何设置have_ssl为yes

| username: du拉松

【TiDB Usage Environment】Production Environment
【TiDB Version】v7.1.2
【Reproduction Path】
Directly executing show VARIABLES like 'have_ssl'; shows disabled, but when executing set have_ssl = 'YES', it prompts 1238 - Variable 'have_ssl' is a read-only variable.
【Encountered Problem: Problem Phenomenon and Impact】
Because we are undergoing a security evaluation, the evaluation has scanned and found related issues. How can we change this parameter to yes? Should we directly modify the corresponding parameter in the VARIABLES_INFO table?
【Resource Configuration】
【Attachments: Screenshots/Logs/Monitoring】

| username: srstack

It looks like you need to enable SSL/TLS?
If it is deployed with TiUP, you can set global.enable_tls to true or use tiup cluster tls to operate.

| username: Fly-bird

Enable SSL/TLS

| username: andone

global.enable_tls is set to true

| username: Kongdom

According to the description, this is read-only and cannot be modified directly. It will only be set to “yes” when TLS is enabled. You can enable it by setting the configuration file enable_tls to true.

| username: tidb菜鸟一只

Use tiup cluster edit-config <cluster-name>, add enable_tls: true in the global section, and then reload the entire cluster.

| username: du拉松

enable_tls: true, if this is changed to true, does it mean that the entire cluster’s clients need to be modified to use SSL?

| username: tidb菜鸟一只

There are only two options: yes or no. Choosing yes means that all components of the entire cluster must enable TLS mode, and the client connections to the components must also use TLS certificates.

| username: swino

global.enable_tls = true
