[MDEV-9906] Update KB to replace "SSL" with "TLS" and explain the difference Created: 2016-04-13  Updated: 2016-04-29  Resolved: 2016-04-29

Status: Closed
Project: MariaDB Server
Component/s: Documentation
Fix Version/s: N/A

Type: Task Priority: Major
Reporter: Kolbe Kegel (Inactive) Assignee: Ian Gilfillan
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
PartOf
is part of MDEV-9553 TLS/SSL tasks Stalled
Relates
relates to MDEV-9910 Add --tls options and deprecate --ssl... Closed

 Description   

greenman, we've made a decision to begin deprecating the usage of the term "SSL" in option names and descriptions of MariaDB functionality.

SSL refers to SSLv2 and SSLv3, which are completely insecure and have been removed from our products. TLS refers to TLSv1.1 and TLSv1.2, which offer high-quality security. In order to remove confusion, and to make it clear that we only support high-quality protocols.



 Comments   
Comment by Ian Gilfillan [ 2016-04-13 ]

In which release/s will the option names be deprecated? So the new option names will be tls_x etc.?

Comment by Kolbe Kegel (Inactive) [ 2016-04-13 ]

At this point, the --ssl options are only deprecated in principle, not in code.

SSL itself (meaning SSLv2 and SSLv3) is already removed from MariaDB in favor of TLS, but the options that influence TLS behavior still use the --ssl prefix.

This task is to begin changing descriptions of functionality, and to include a description of the conceptual differences between "SSL" and "TLS" in any places it's relevant to do so.

MDEV-9910 will add new --tls options and deprecate --ssl, which will of course need to be reflected in the documentation in due course.

Comment by Sergei Golubchik [ 2016-04-15 ]

SSLv2 and SSLv3 protocols are not removed, they were never supported in the first place.

MySQL and MariaDB always used to have "SSL support", although they only supported TLSv1.0 and later, never SSLv2 or SSLv3.

There were no changes in this regard recently.

Wikipedia says:

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL' <...>

And OpenSSL is not called OpenTLS.

So, I personally think that "SSL" as a name is clear enough. For the manual, "SSL/TLS" can be used where "SSL" would be ambiguous.

Comment by Ian Gilfillan [ 2016-04-28 ]

After the initial comment about the decision to deprecate SSL, I updated the KB, preferring the term TLS, with a clarification about SSL. Sergei's comment implies some ambiguity, so I'm not sure how to proceed. Take a look at https://mariadb.com/kb/en/mariadb/tls-system-variables/ for example.

Comment by Kolbe Kegel (Inactive) [ 2016-04-28 ]

I was in a room with serg and georg when I thought we all discussed and agreed on this change. But you're right that Sergei seems less than convinced at this point. I think Georg may need to take another go at advocating for this change.

Comment by Vladislav Vaintroub [ 2016-04-28 ]

I think deprecating variables may go too far, it is cosmetics, which might (when really removed) break some existing environments that depend on options being --ssl.
Also it is called ssl everywhere. SSLStream in .NET, and SSLSocket in Java and Python, openssl and those named won't change to reflect the fact they support TLS.
TLS, on the other hand, is a less known term, and an ambiguous one (I think of thread local storage first, every time I hear it).

Comment by Ian Gilfillan [ 2016-04-29 ]

Based on the discussion above and Serg renaming the article to SSL/TLS System Variables, I've gone ahead and used SSL/TLS where appropriate in article titles, which I think is a fair solution. There are already explanations of SSL vs TLS, so based on that I'm closing the task for now. I'll keep an eye on what happens with the variable names in the server, and document when the time comes.
