Data snooping during exchange of data between replication nodes
Spoofing in a replication group by means of certificate-based authentication
Note:
SSL support in the Replication Manager is not built by default on Windows operating system. On Linux it is built by default only when suitable OpenSSL libraries and headers are present on UNIX. Otherwise, –with-repmgr-ssl=yes
with suitable values for LDFLAGS, LIBS and CFLAGS/CPPFLAGS are required to build it.
On UNIX, providing –with-repmgr-ssl=no
as an argument to configure, disables the build of SSL support for Replication Manager.
On Windows, removing the definition of HAVE_REPMGR_SSL_SUPPORT
from db_config.h
in build_windows
, disables SSL.
Once built, SSL support in the Replication Manager is enabled by default. You can, however, disable this by setting the Replication Manager flag DB_REPMGR_CONF_DISABLE_SSL
using DB_ENV->rep_set_config()
before starting the Replication Manager.
Features
The Replication Manager does not allow you to provide multiple files or directories for CA certificate lookup.
The Replication Manager does not support selective revocation of suspect certificates. In case you suspect that one or more certificates have been compromised, you have to restart the entire replication group with a new set of certificates.
The Replication Manager does not support automatic renegotiation of session keys after certain number of bytes are transferred or after certain amount of time has elapsed.