MySQL is OpenSSL-only now!

MySQL needs an SSL/TLS library. It uses the library primarily to encrypt network connections, but also relies on its various algorithms and random number generators.

OpenSSL is the gold standard among cross-platform, open source SSL/TLS libraries that you can use from C/C++. It is widely used, well maintained, and provides a vast array of functionality that MySQL leverages.

We put a great deal of effort into making sure that compiling with OpenSSL is very easy and that the resulting binaries work as expected. We test continuously to make sure the new features we add work and perform with OpenSSL.

Given that OpenSSL is the industry standard, and trusted by our customers and users, we have decided to support OpenSSL in MySQL 5.6, 5.7 and 8.0. We are eliminating support for YaSSL and WolfSSL.

This will allow us to focus our efforts on developing more interesting MySQL features instead of maintaining integration with multiple SSL/TLS libraries.

I have removed the code that supports building MySQL with any library but the OpenSSL library. Note the -DWITH_SSL=bundled cmake option is not supported going forward. The new default for WITH_SSL is -DWITH_SSL=system.

The MySQL team also started building all of the binaries we provide with OpenSSL. And not with just any OpenSSL version. There is one additional complication. According to OpenSSL’s release strategy, OpenSSL 1.0.2 support stops on 2019-12-31. They are encouraging people to migrate to the next Long Term Support release (LTS): 1.1.1.

Note that all of our MySQL 8.0 binaries have always been built with OpenSSL and linked dynamically. And the MySQL 5.6 and 5.7 enterprise binaries have been built with OpenSSL for many years. Thus, the MySQL/OpenSSL combination is very well tested and production proven.

To sum things up, we’re going to be building all of our binaries (commercial and community) for each release (5.6, 5.7, 8.0) in exactly the same way when it comes to SSL/TLS libraries.

Thank you for using MySQL!

One thought on “MySQL is OpenSSL-only now!”

  1. Wow. This begs so many questions. The reason for having YaSSL/WolfSSL was never technical, it was a legal issue related to OpenSSL license being incompatible with GPLv2. How did you solve it?
    * What about Debian? Debian legal used to have a very strong opinion about it, and MySQL was always linked with YaSSL there.
    * What will happen to MySQL in Ubuntu, will it use OpenSSL now? Is Ubuntu legal ok with it?
    * Binary tarballs, will you link them with OpenSSL? So it won’t be “just unpack and run” anymore, it’s “unpack and install the exact 1.0.2r OpenSSL that we build with, while trying not to break your system OpenSSL” ?
    * Windows? Do you stop building MySQL on Windows?
