Enforce TLS for replication

I have been referencing the following document to try and enforce TLSv1.2 (minimum) for replication, to no avail:

I have the following in the [mysqld] block of my.cnf:
wsrep_provider_options="socket.ssl_cert=/path/to/our/ident/cert;socket.ssl_key=/path/to/our/ssl/key;socket.ssl_ca=/path/to/our/trust/store;ssl_cipher=tlsv1.2;socket.ssl=yes"

Yet I’m still able to connect to the port using TLS 1.0. I’ve been combing through documentation for 6 hours and that’s the best I could come up with. Any help would be greatly appreciated. Thanks!


Hi ultrapain,

Yet I’m still able to connect to the port using TLS 1.0. I’ve been combing through documentation for 6 hours and that’s the best I could come up with.

What do you mean by “I am still able to connect to the port using TLS 1.0”? The connections you (client) make to MySQL are different than the internal communication happening among the nodes.

For client connections use the "tls_version" parameter https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html and enforce a version newer than 1.0.

Regards

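To make the two layers the reply distinguishes concrete, here is a my.cnf fragment, added as an example and not taken from the reply or from Percona's documentation. tls_version is the documented MySQL 5.7.10+/8.0 server variable and only governs client connections on 3306. For the Galera socket on 4567 there is no protocol-version option in the settings the post uses; the provider option is socket.ssl_cipher, and the assumption made here (verify it against your Galera version) is that its value is handed to OpenSSL as a cipher-list string, so restricting it to AEAD suites that exist only in TLS 1.2 and later leaves a TLS 1.0 client with nothing to negotiate. The paths are the placeholders from the original post.

```ini
[mysqld]
# Client connections (port 3306): TLS 1.2 only. Add TLSv1.3 on 8.0.16+ built
# against OpenSSL 1.1.1. This setting does not affect the wsrep socket.
tls_version=TLSv1.2
ssl_ca=/path/to/our/trust/store
ssl_cert=/path/to/our/ident/cert
ssl_key=/path/to/our/ssl/key

# Galera replication (port 4567). socket.ssl_cipher is the provider option;
# a bare "ssl_cipher" key is not one, and "tlsv1.2" is a protocol, not a cipher.
# Assumption: the value is an OpenSSL cipher list. Both suites below are
# defined only for TLS 1.2, so TLS 1.0/1.1 handshakes fail on cipher selection.
wsrep_provider_options="socket.ssl=yes;socket.ssl_ca=/path/to/our/trust/store;socket.ssl_cert=/path/to/our/ident/cert;socket.ssl_key=/path/to/our/ssl/key;socket.ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
```

After restarting the node, re-run the openssl s_client probe against 4567 with -tls1 and -tls1_1; both should now fail the handshake, while -tls1_2 should still report one of the two suites above.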

To test TLS enforcement on wsrep, I am doing the following:
openssl s_client -connect localhost:4567 -tls1

This attempts to make a connection to my server on port 4567 (the replication port) using tlsv1, which is accepted. Hope this helps to clarify my issue.

Thanks!

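The single openssl s_client call in the post checks one version against one port. The script below, added here as an example and not part of the thread, runs the same check for every TLS version against both listeners and classifies the result from the s_client transcript, so it can be scripted into a post-change verification. It assumes an openssl(1) that supports -starttls mysql (needed for the client port, where MySQL speaks its own protocol before TLS) and that the server is reachable on localhost; the host and ports in the usage comments are the ones from the post.

```bash
#!/bin/sh
# Added example: enumerate which TLS versions a MySQL / Galera listener accepts.
# Assumes openssl(1) with -starttls mysql; hostnames and ports are illustrative.

# Classify one openssl s_client transcript read from stdin.
# Prints "accepted" when a session was negotiated, "rejected" otherwise.
# A refused version shows "Cipher    : 0000" (no cipher agreed), or the
# handshake aborts with an error before any session block is printed.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Cipher +: 0000'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq 'Cipher +: [A-Za-z0-9_-]+'; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_port HOST PORT [STARTTLS_PROTO]
# Tries TLS 1.0 through 1.3 and prints one "host:port version result" line each.
probe_port() {
    host=$1
    port=$2
    starttls=$3
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        if [ -n "$starttls" ]; then
            result=$(openssl s_client -connect "$host:$port" -starttls "$starttls" "-$ver" \
                     </dev/null 2>&1 | classify_handshake)
        else
            result=$(openssl s_client -connect "$host:$port" "-$ver" \
                     </dev/null 2>&1 | classify_handshake)
        fi
        printf '%s:%s %-7s %s\n' "$host" "$port" "$ver" "$result"
    done
}

# Usage, once both settings are in place; tls1 and tls1_1 should read "rejected":
#   probe_port localhost 4567          # Galera replication port, plain TLS
#   probe_port localhost 3306 mysql    # client port, TLS after the MySQL greeting
```

Note that an "accepted" line for tls1 on 3306 and on 4567 are two different findings: the first is fixed by tls_version, the second by the wsrep provider options, which is the distinction the reply above is making.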