Enforce tls v1.2 for xtradb Cluster

adi · October 23, 2022, 8:50am

Hi Team,
How can I enforce TLS 1.2 for 4567 port.
Currently tls_version=TLSv1.2* is already set in my.cnf but looks like it’s not enforced for the 4567 port.

because when I run openssl s_client -connect host_IP:4567 -tls1_1 I can still see valid output, I wanto to disable tls1.1 and enforce only use of tls1.2 for galera internal communication also.

can’t find any such option for wsrep_provider_options

Thanks
Adi

Michael_Coburn · October 24, 2022, 2:30pm

Hi @adi thanks for posting to the Percona forums!
Have you experimented with socket.ssl_cipher Galera Parameters — Galera Cluster Documentation

wsrep_provider_options = "socket.ssl_cipher=ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4:!RSA"

adi · October 29, 2022, 8:23am

Thanks @Michael_Coburn, Will check it out.

Topic		Replies	Views
Enforce TLS for replication Percona XtraDB Cluster 5.x	2	616	October 24, 2022
WSREP has not yet prepared node for application use Percona XtraDB Cluster 8.x	1	1801	January 21, 2022
Cluster security Percona XtraDB Cluster 5.x	7	811	April 20, 2017
Percona Xtrdb Cluster SSL when SSL is not configured Percona XtraDB Cluster 8.x	1	954	September 20, 2022
updating galera2 to galera3 in percona-xtradb-5.6 cluster Percona XtraDB Cluster 5.x	1	459	August 27, 2015

Enforce tls v1.2 for xtradb Cluster

Related Topics