Data snooping during exchange of data between replication nodes
Spoofing in a replication group by means of certificate-based authentication
SSL support in the Replication Manager is not built by default on Windows operating system. On Linux it is built by default only when suitable OpenSSL libraries and headers are present on UNIX. Otherwise,
–with-repmgr-ssl=yes with suitable values for LDFLAGS, LIBS and CFLAGS/CPPFLAGS are required to build it.
On UNIX, providing
–with-repmgr-ssl=no as an argument to configure, disables the build of SSL support for Replication Manager.
On Windows, removing the definition of
build_windows, disables SSL.
Once built, SSL support in the Replication Manager is enabled by default. You can, however, disable this by setting the Replication Manager flag
DB_ENV->rep_set_config() before starting the Replication Manager.
"Building Secure Sockets Layer (SSL) Support for the Replication Manager" in Chapter "Building Berkeley DB for Windows"of the Oracle Berkeley DB Installation and Build Guide
"--with-replication-ssl" in Chapter "Building Berkeley DB for UNIX/POSIX" of the Oracle Berkeley DB Installation and Build Guide
You can use the DB_ENV->repmgr_set_ssl_config() method for specifying the location of the certificates and keys. You use this method to set the value of the following SSL configuration options:
Location of CA certificate or CA chain certificate for verification.
Location of directory containing all CA /Intermediate CA certificates for verification.
Location of certificate presented by this node to peers for authentication.
Location of Private Key corresponding to the RepNode certificate.
Password protecting the aforementioned Private Key.
Number of levels of verification allowed for peer certificate verification.
The Replication Manager does not allow you to provide multiple files or directories for CA certificate lookup.
The Replication Manager does not support selective revocation of suspect certificates. In case you suspect that one or more certificates have been compromised, you have to restart the entire replication group with a new set of certificates.
The Replication Manager does not support automatic renegotiation of session keys after certain number of bytes are transferred or after certain amount of time has elapsed.