# Specifying the TLS Version

Use the `tls_version` global variable to specify the TLS versions allowed by the server. This variable can only be set at startup.

As of SingleStore 8.1, OpenSSL 3.0 is used to establish secure connections to SingleStore. As a consequence, a client certificate whose signature uses the SHA or MD5 hash functions must be replaced with a certificate that uses SHA256 at a minimum; otherwise, a secure connection to SingleStore cannot be established. While SingleStore supports TLS v1, TLS v1.1, and TLS v1.2, using TLS v1.2 is recommended. When FIPS is enabled, only TLS v1.2 is supported. Refer to [Troubleshoot OpenSSL 3.0 Connections](https://docs.singlestore.com/db/v9.1/security/encryption/troubleshoot-openssl-3-0-connections.md) for more information.

To see the current TLS version, run the following command.

```sql
SELECT @@tls_version;

```

```output

+-----------------------+
| @@tls_version         |
+-----------------------+
| TLSv1,TLSv1.1,TLSv1.2 |
+-----------------------+

```

**Configuring TLSv1.2 to Use a Specific Set of Cipher Suites**

Use the [`ssl_cipher`](https://docs.singlestore.com/db/v9.1/reference/configuration-reference/engine-variables/list-of-engine-variables/#non-sync-variables-list.md) global variable to specify the cipher suites allowed by the server. By default, all cipher suites from the environment's OpenSSL version are enabled for compatibility with client applications. This list can be restricted for SingleStore and can be set only at startup.

**Client Compatibility Issues**

Restricting the cipher suites available to SingleStore may cause compatibility issues with client applications. To ensure compatibility, SingleStore recommends confirming the cipher suite settings of your client applications before configuring a specific set of cipher suites for SingleStore. The CHACHA20 ciphers are not supported by SingleStore’s versions of OpenSSL. The supported cipher suites are:

| **Supported Cipher Suite**    | **OpenSSL 1.0** | **OpenSSL 3.0** |
| ----------------------------- | --------------- | --------------- |
| AES128-GCM-SHA256             |                 | ✔               |
| AES128-SHA                    |                 | ✔               |
| AES128-SHA256                 |                 | ✔               |
| AES256-GCM-SHA384             |                 | ✔               |
| AES256-SHA                    |                 | ✔               |
| AES256-SHA256                 |                 | ✔               |
| DHE-RSA-AES128-GCM-SHA256     | ✔               | ✔               |
| DHE-RSA-AES128-SHA            |                 | ✔               |
| DHE-RSA-AES128-SHA256         |                 | ✔               |
| DHE-RSA-AES256-GCM-SHA384     | ✔               | ✔               |
| DHE-RSA-AES256-SHA            |                 | ✔               |
| DHE-RSA-AES256-SHA256         |                 | ✔               |
| ECDHE-ECDSA-AES128-GCM-SHA256 | ✔               | ✔               |
| ECDHE-ECDSA-AES128-SHA        |                 | ✔               |
| ECDHE-ECDSA-AES128-SHA256     |                 | ✔               |
| ECDHE-ECDSA-AES256-GCM-SHA384 | ✔               | ✔               |
| ECDHE-ECDSA-AES256-SHA        |                 | ✔               |
| ECDHE-ECDSA-AES256-SHA384     |                 | ✔               |
| ECDHE-RSA-AES128-GCM-SHA256   | ✔               | ✔               |
| ECDHE-RSA-AES128-SHA          |                 | ✔               |
| ECDHE-RSA-AES128-SHA256       |                 | ✔               |
| ECDHE-RSA-AES256-GCM-SHA384   | ✔               | ✔               |
| ECDHE-RSA-AES256-SHA          |                 | ✔               |
| ECDHE-RSA-AES256-SHA384       |                 | ✔               |

Refer to [Troubleshoot OpenSSL 3.0 Connections](https://docs.singlestore.com/db/v9.1/security/encryption/troubleshoot-openssl-3-0-connections.md) for more information.

The following examples demonstrate how you can update the `tls_version` and `ssl_cipher` variables on the nodes by running Toolbox commands.

## Toolbox

The following command updates the TLS version to `TLSv1.2` on all nodes in the cluster.

```shell
sdb-admin update-config --key tls_version --value TLSv1.2 --all

```

```output

Toolbox is about to run 'memsqlctl update-config --key tls_version --value TLSv1.2' on the following nodes:
    - On host 127.0.0.1:
      + 27235D3E385B1056478CE11258959592CE49EE82
      + F9F6A7E64946D5D3D1E6F00C175EF00FC240AB97

Would you like to continue? [y/N]: y
✓ Updated configuration on 127.0.0.1
Operation completed successfully
```

The following commands stop and then start all nodes in the cluster so that the new `tls_version` value takes effect.

```shell
sdb-admin stop-node --all

```

```output

✓ Successfully connected to host 127.0.0.1
Toolbox is about to perform the following actions:
  · Stop all nodes in the cluster

Would you like to continue? [y/N]: y
✓ Stopped Master node on 127.0.0.1 (1/1)
✓ Successfully stopped Master node on 1 host
✓ Stopped Master node
✓ Stopped Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully stopped Leaf nodes on 1 host
✓ Stopped Leaf node
Operation completed successfully
```

```shell
sdb-admin start-node --all

```

```output

Toolbox is about to perform the following actions:
  · Start all nodes in the cluster

Would you like to continue? [y/N]: y
✓ Successfully connected to host 127.0.0.1
✓ Started Leaf nodes on 127.0.0.1 (1/1)
✓ Successfully started Leaf nodes on 1 host
✓ Successfully connected to Leaf node
✓ Started Master node on 127.0.0.1 (1/1)
✓ Successfully started Master node on 1 host
✓ Successfully connected to Master node
Operation completed successfully
```

```shell
singlestore -p

```

```output

Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.5.58 MemSQL source distribution (compatible; MySQL Enterprise & MySQL Commercial)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

No entry for terminal type "xterm-256color";
using dumb terminal settings.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
```

```sql
SELECT @@tls_version;

```

```output

+---------------+
| @@tls_version |
+---------------+
| TLSv1.2       |
+---------------+
1 row in set (0.01 sec)
```

The following command updates the `ssl_cipher` variable:

```shell
sdb-admin update-config --key ssl_cipher --value DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384 --all
```
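Before applying an `ssl_cipher` value such as the one above, it can be checked against the supported-suite table and against the list a client offers. The script below is an added example, not part of the SingleStore documentation or Toolbox; the function names and the `CLIENT_SAMPLE` list are constructed for illustration, and it assumes the value is an explicit colon-separated list of suite names.

```shell
#!/bin/sh
# Added example (not SingleStore tooling): pre-flight check for an ssl_cipher value.
# SUPPORTED is copied from the OpenSSL 3.0 column of the table on this page.
SUPPORTED="AES128-GCM-SHA256 AES128-SHA AES128-SHA256 AES256-GCM-SHA384
AES256-SHA AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384"
# The ssl_cipher value used in the update-config command on this page.
PAGE_VALUE="DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
# Constructed client offer, for illustration only.
CLIENT_SAMPLE="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:AES128-SHA"

in_list() {            # in_list NAME WORD...: true if NAME is among WORD...
    needle=$1; shift
    for item in "$@"; do
        if [ "$item" = "$needle" ]; then return 0; fi
    done
    return 1
}
split_ciphers() {      # "A:B:C" -> one suite per line, empty entries dropped
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}
unsupported_suites() { # entries of $1 that are not in the supported table
    for suite in $(split_ciphers "$1"); do
        if ! in_list "$suite" $SUPPORTED; then printf '%s\n' "$suite"; fi
    done
}
shared_suites() {      # entries of server value $1 that client list $2 also offers
    offered=$(split_ciphers "$2")
    for suite in $(split_ciphers "$1"); do
        if in_list "$suite" $offered; then printf '%s\n' "$suite"; fi
    done
}
preflight() {          # 0 only if every entry is supported and the client shares one
    bad=$(unsupported_suites "$1")
    if [ -n "$bad" ]; then
        echo "not in the supported table:" $bad >&2; return 1
    fi
    common=$(shared_suites "$1" "$2")
    if [ -z "$common" ]; then
        echo "client shares no suite with the proposed value" >&2; return 1
    fi
    echo "client can still negotiate:" $common
}
preflight "$PAGE_VALUE" "$CLIENT_SAMPLE"
```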

***

Modified at: October 29, 2025

Source: [/db/v9.1/security/encryption/ssl-secure-connections/specifying-the-tls-version/](https://docs.singlestore.com/db/v9.1/security/encryption/ssl-secure-connections/specifying-the-tls-version/)

