.. _extended_tls_support:

=============================
Support for TLS v1.1 and v1.2
=============================

|Percona Server| has implemented TLS v1.1 and v1.2 protocol support and at the same time disabled TLS v1.0 support (support for TLS v1.0 can be enabled by adding ``TLSv1`` to the :variable:`tls_version` variable). Support for the TLS v1.1 and v1.2 protocols has been implemented by porting the :variable:`tls_version` variable from the 5.7 server. The TLS v1.0 protocol has been disabled because it will no longer be viable for `PCI after June 30th 2016 <https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf>`_. The variable default has been changed from ``TLSv1,TLSv1.1,TLSv1.2`` to ``TLSv1.1,TLSv1.2`` to disable support for TLS v1.0 by default.

The client side can make TLS v1.1 and v1.2 connections, but the option to allow only some protocol versions (``--tls-version``, ``MYSQL_OPT_TLS_VERSION`` in the C API) has not been backported, due to compatibility concerns and because using 5.7 clients instead is a relatively easy alternative if needed. **Note:** The ``MASTER_TLS_VERSION`` clause of the ``CHANGE MASTER TO`` statement has not been backported.

Version Specific Information
============================

 * :rn:`5.6.31-77.0`:
   Implemented support for TLS v1.1 and TLS v1.2 protocols

System Variables
================

.. variable:: tls_version

   :version 5.6.31-77.0: Introduced
   :cli: Yes
   :conf: Yes
   :scope: Global
   :dyn: No
   :vartype: String
   :default: ``TLSv1.1,TLSv1.2``

This variable defines the protocols permitted by the server for encrypted connections.

.. variable:: have_tlsv1_2

   :version 5.6.31-77.0: Introduced
   :cli: Yes
   :conf: No
   :scope: Global
   :dyn: No
   :vartype: Boolean

This server variable is set to ``ON`` if the server has been compiled with an SSL library providing TLSv1.2 support.
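An added example (not Percona's code) showing one way to check a server option file for the effective ``tls_version``: it applies the default stated above when the variable is unset and flags a value that re-enables TLS v1.0. The function names and the sample option-file text are constructed for illustration.

```python
"""Audit an option file for the tls_version the [mysqld] section would set."""
DEFAULT_TLS_VERSION = "TLSv1.1,TLSv1.2"  # default stated on this page

# Constructed sample input: the later tls-version line re-enables TLS v1.0.
SAMPLE_CNF = """\
[mysqld]
ssl-ca = /etc/mysql/ca.pem
tls_version = TLSv1.2
tls-version = TLSv1,TLSv1.1,TLSv1.2   # legacy client
"""


def effective_tls_version(cnf_text):
    """Return the protocol list from [mysqld]; the last setting in the file wins."""
    section, value = None, DEFAULT_TLS_VERSION
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # blanks, comments, !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        # Option files accept '-' and '_' interchangeably in option names.
        if key.strip().lower().replace("-", "_") == "tls_version":
            value = val.split("#")[0].strip().strip("'\"")  # drop trailing comment
    return [p.strip() for p in value.split(",") if p.strip()]


def audit(cnf_text):
    """Return (protocols, findings) for the server section of an option file."""
    protocols = effective_tls_version(cnf_text)
    names = {p.lower() for p in protocols}  # assumption: compare case-insensitively
    findings = []
    if "tlsv1" in names:
        findings.append("TLS v1.0 re-enabled via tls_version")
    if "tlsv1.2" not in names:
        findings.append("TLS v1.2 not permitted")
    return protocols, findings


if __name__ == "__main__":
    print(audit(SAMPLE_CNF))
```

Because :variable:`tls_version` is not dynamic, a corrected option file takes effect only after the server is restarted.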