I have been referencing the following document to try and enforce TLSv1.2 (minimum) for replication, to no avail:
I have the following in the [mysqld] block of my.cnf:
wsrep_provider_options="socket.ssl_cert=/path/to/our/ident/cert;socket.ssl_key=/path/to/our/ssl/key;socket.ssl_ca=/path/to/our/trust/store;ssl_cipher=tlsv1.2;socket.ssl=yes"
Yet I’m still able to connect to the port using TLS 1.0. I’ve been combing through documentation for 6 hours and that’s the best I could come up with. Any help would be greatly appreciated. Thanks!
> Yet I’m still able to connect to the port using TLS 1.0. I’ve been combing through documentation for 6 hours and that’s the best I could come up with.
What do you mean by “I am still able to connect to the port using TLS 1.0”? The connections you (client) make to MySQL are different than the internal communication happening among the nodes.
To test TLS enforcement on wsrep, I am doing the following:
openssl s_client -connect localhost:4567 -tls1
This attempts to make a connection to my server on port 4567 (the replication port) using tlsv1, which is accepted. Hope this helps to clarify my issue.
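The check described in the post, run once per protocol version, can be scripted so the result for each version is recorded rather than read off by eye. The script below is an added example, not something from the thread or from the Galera/Percona projects: it assumes openssl(1) is on PATH, uses the same `openssl s_client` probe as above, and classifies each handshake from the "Cipher is ..." line that s_client prints. `localhost` and `4567` in the usage line stand in for the replication listener in the question.

```shell
#!/bin/sh
# Probe which TLS protocol versions a listener accepts, using openssl s_client,
# and classify each handshake as accepted or rejected. Added example; assumes
# openssl(1) is installed. Host and port are placeholders for the Galera
# replication listener discussed in the thread.

# classify_s_client: read s_client output on stdin and print "accepted" or
# "rejected". A completed handshake prints a negotiated cipher
# ("New, TLSv1.2, Cipher is ECDHE-..."); a refused one prints
# "Cipher is (NONE)" or only an SSL error with no cipher at all.
classify_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_version HOST PORT FLAG: one handshake with the given s_client protocol
# flag (-tls1, -tls1_1, -tls1_2 or -tls1_3), classified as above.
# </dev/null makes s_client exit as soon as the handshake completes or fails.
probe_version() {
    host=$1; port=$2; flag=$3
    openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | classify_s_client
}

# tls_report HOST PORT: one line per protocol version. A listener that really
# enforces TLS 1.2 as its minimum should show "rejected" for -tls1 and -tls1_1
# and "accepted" for -tls1_2 (and -tls1_3 where the build supports it).
tls_report() {
    host=$1; port=$2
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$host" "$port" "$flag")"
    done
}

# Usage against the replication port from the question (not run automatically):
#   tls_report localhost 4567
```

One caveat when reading the report: a recent OpenSSL build may refuse to offer TLS 1.0 or 1.1 at all (the output then contains "unsupported protocol" or "no protocols available" from the client side), so a "rejected" for `-tls1` from such a client says nothing about the server. Run the probe from an OpenSSL that can still speak the old versions, as the poster's client evidently does, before concluding the listener is enforcing the minimum.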