MySQL 5.7 Reference Manual Including MySQL NDB Cluster 7.5 and NDB Cluster 7.6
To use an encrypted connection for the transfer of the binary log required during replication, both the source and the replica servers must support encrypted network connections. If either server does not support encrypted connections (because it has not been compiled or configured for them), replication through an encrypted connection is not possible.
Setting up encrypted connections for replication is similar to doing so for client/server connections. You must obtain (or create) a suitable security certificate that you can use on the source, and a similar certificate (from the same certificate authority) on each replica. You must also obtain suitable key files.
For more information on setting up a server and client for encrypted connections, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
To enable encrypted connections on the source, you must create or
obtain suitable certificate and key files, and then add the
following configuration parameters to the source's configuration
within the [mysqld]
section of the source's
my.cnf
file, changing the file names as
necessary:
[mysqld] ssl_ca=cacert.pem ssl_cert=server-cert.pem ssl_key=server-key.pem
The paths to the files may be relative or absolute; we recommend that you always use complete paths for this purpose.
The configuration parameters are as follows:
ssl_ca
: The path name of the
Certificate Authority (CA) certificate file.
(--ssl-capath
is similar but specifies the
path name of a directory of CA certificate files.)
ssl_cert
: The path name of
the server public key certificate file. This certificate can
be sent to the client and authenticated against the CA
certificate that it has.
ssl_key
: The path name of the
server private key file.
To enable encrypted connections on the replica, use the
CHANGE MASTER TO
statement. You can
either name the replica certificate and SSL private key files
required for the encrypted connection in the
[client]
section of the replica's
my.cnf
file, or you can explicitly specify
that information using the CHANGE MASTER
TO
statement. For more information on the
CHANGE MASTER TO
statement, see
Section 13.4.2.1, “CHANGE MASTER TO Statement”.
To name the replica certificate and key files using an option
file, add the following lines to the
[client]
section of the replica's
my.cnf
file, changing the file names as
necessary:
[client] ssl-ca=cacert.pem ssl-cert=client-cert.pem ssl-key=client-key.pem
Restart the replica server, using the
--skip-slave-start
option to
prevent the replica from connecting to the source. Use
CHANGE MASTER TO
to specify the
source configuration, and add the
MASTER_SSL
option to connect using
encryption:
mysql>CHANGE MASTER TO
->MASTER_HOST='source_hostname',
->MASTER_USER='repl',
->MASTER_PASSWORD='
->password
',MASTER_SSL=1;
Setting MASTER_SSL=1
for a replication
connection and then setting no further
MASTER_SSL_
options corresponds to setting
xxx
--ssl-mode=REQUIRED
for the client, as
described in Command Options for Encrypted Connections.
With MASTER_SSL=1
, the connection attempt
only succeeds if an encrypted connection can be established. A
replication connection does not fall back to an unencrypted
connection, so there is no setting corresponding to the
--ssl-mode=PREFERRED
setting for
replication. If MASTER_SSL=0
is set, this
corresponds to --ssl-mode=DISABLED
.
To name the replica certificate and SSL private key files
using the CHANGE MASTER TO
statement, if you did not do this in the replica's
my.cnf
file, add the appropriate
MASTER_SSL_
options:
xxx
->MASTER_SSL_CA = 'ca_file_name',
->MASTER_SSL_CAPATH = 'ca_directory_name',
->MASTER_SSL_CERT = 'cert_file_name',
->MASTER_SSL_KEY = 'key_file_name',
These options correspond to the
--ssl-
options with the same names, as described in
Command Options for Encrypted Connections. For these
options to take effect, xxx
MASTER_SSL=1
must
also be set. For a replication connection, specifying a value
for either of MASTER_SSL_CA
or
MASTER_SSL_CAPATH
, or specifying these
options in the replica's my.cnf
file,
corresponds to setting
--ssl-mode=VERIFY_CA
. The connection
attempt only succeeds if a valid matching Certificate
Authority (CA) certificate is found using the specified
information.
To activate host name identity verification, add the
MASTER_SSL_VERIFY_SERVER_CERT
option:
-> MASTER_SSL_VERIFY_SERVER_CERT=1,
This option corresponds to the
--ssl-verify-server-cert
option, which is
deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. For
a replication connection, specifying
MASTER_SSL_VERIFY_SERVER_CERT=1
corresponds
to setting --ssl-mode=VERIFY_IDENTITY
, as
described in Command Options for Encrypted Connections.
For this option to take effect,
MASTER_SSL=1
must also be set. Host name
identity verification does not work with self-signed
certificates.
To activate certificate revocation list (CRL) checks, add the
MASTER_SSL_CRL
or
MASTER_SSL_CRLPATH
option:
->MASTER_SSL_CRL = 'crl_file_name',
->MASTER_SSL_CRLPATH = 'crl_directory_name',
These options correspond to the
--ssl-
options with the same names, as described in
Command Options for Encrypted Connections. If they are
not specified, no CRL checking takes place.
xxx
To specify lists of ciphers and encryption protocols permitted
by the replica for the replication connection, add the
MASTER_SSL_CIPHER
and
MASTER_TLS_VERSION
options:
->MASTER_SSL_CIPHER = 'cipher_list',
->MASTER_TLS_VERSION = 'protocol_list',
The MASTER_SSL_CIPHER
option specifies the
list of ciphers permitted by the replica for the replication
connection, with one or more cipher names separated by colons.
The MASTER_TLS_VERSION
option specifies the
encryption protocols permitted by the replica for the
replication connection. The format is like that for the
tls_version
system variable,
with one or more comma-separated protocol versions. The
protocols and ciphers that you can use in these lists depend
on the SSL library used to compile MySQL. For information
about the formats and permitted values, see
Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.
After the source information has been updated, start the replication process:
mysql> START SLAVE;
You can use the SHOW SLAVE
STATUS
statement to confirm that an encrypted
connection was established successfully.
Requiring encrypted connections on the replica does not ensure
that the source requires encrypted connections from replicas.
If you want to ensure that the source only accepts replicas
that connect using encrypted connections, create a replication
user account on the source using the REQUIRE
SSL
option, then grant that user the
REPLICATION SLAVE
privilege.
For example:
mysql>CREATE USER 'repl'@'%.example.com' IDENTIFIED BY '
->password
'REQUIRE SSL;
mysql>GRANT REPLICATION SLAVE ON *.*
->TO 'repl'@'%.example.com';
If you have an existing replication user account on the
source, you can add REQUIRE SSL
to it with
this statement:
mysql> ALTER USER 'repl'@'%.example.com' REQUIRE SSL;