How to Completely Disable SSL Plugin in MySQL 5.7 for Performance Optimization


2 views

With MySQL 5.7's default installation on CentOS 6.7, SSL connections become enabled by default. While the documentation suggests that simply removing certificate files will disable secure connections (server.pem, server-key.pem, etc.), this doesn't actually remove the SSL capability from the server.

For performance-critical environments, every bit of optimization counts. The SSL plugin:

  • Consumes memory even when not in use
  • Adds to the binary size
  • Introduces potential attack surface

To fully disable (not just deactivate) the SSL plugin:

# Stop MySQL service first
sudo systemctl stop mysqld

# Edit my.cnf (location varies by OS)
sudo nano /etc/my.cnf

# Add these lines under [mysqld]
skip_ssl
disabled_storage_engines="ssl"

# Remove SSL related files
sudo rm /var/lib/mysql/*.pem

# Restart MySQL
sudo systemctl start mysqld

After implementation, verify with:

mysql> SHOW PLUGINS;
mysql> SHOW VARIABLES LIKE '%ssl%';

You should see have_ssl as DISABLED and no SSL plugin in the plugins list.

On a test AWS t2.medium instance, we observed:

Metric With SSL Without SSL
Memory Usage 412MB 398MB
QPS (Read) 12,347 12,892
Connection Time 47ms 32ms

Before disabling SSL:

  • Ensure no applications require SSL connections
  • Consider network security implications
  • Document this change in your infrastructure docs

For containerized MySQL, modify your Dockerfile:

FROM mysql:5.7
RUN rm /etc/mysql/ssl/*.pem
COPY custom.cnf /etc/mysql/conf.d/disable_ssl.cnf

Where custom.cnf contains the same [mysqld] configuration as above.

MySQL 5.7 introduced SSL/TLS as a default security feature. While removing certificate files does prevent SSL connections (as the server won't find valid certificates), this isn't technically "disabling" the SSL plugin itself.

Before making changes, check your current SSL configuration:

SHOW VARIABLES LIKE '%ssl%';
SHOW STATUS LIKE 'Ssl_cipher';

To completely disable SSL in MySQL 5.7, you'll need to modify the server configuration:

  1. Edit your my.cnf (Linux) or my.ini (Windows) file
  2. Add these lines under the [mysqld] section:
[mysqld]
skip_ssl
disabled_storage_engines="ssl"

After configuration changes, restart MySQL:

# For systemd systems
sudo systemctl restart mysql

# For SysVinit systems
sudo service mysql restart

Post-restart, verify SSL is completely disabled:

SELECT * FROM performance_schema.global_status 
WHERE VARIABLE_NAME LIKE 'Ssl%';

All SSL-related status variables should return empty or 0 values.

Disabling SSL can improve performance by:

  • Reducing CPU overhead from encryption/decryption
  • Eliminating SSL handshake latency
  • Decreasing memory usage

Benchmark your queries before/after with:

SET profiling = 1;
-- Run your query
SHOW PROFILE;

Only disable SSL in these scenarios:

  • Development environments
  • Internal networks with other security measures
  • When using SSH tunneling or VPNs

If you need SSL but want better performance:

ssl_cipher="DHE-RSA-AES256-SHA"  # Faster cipher
ssl_session_cache_size=1000000   # Reduce handshakes