WL#13850: Support separate set of TLS certificates for admin connection port

Affects: Server-8.0   —   Status: Complete

MySQL supports a dedicated port for administrative connections. See: https://dev.mysql.com/doc/mysql-port-reference/en/mysql-ports-reference-tables.html#mysql-admin-connection-port

At present, the admin connection port and the regular client-server connection port share the same set of TLS certificates. In a managed hosted environment, this poses a challenge because:

  1. Customers may want to bring their own certificates.
  2. The policy for certificate rotation may be different for internal and external certificates.

The idea is to introduce a separate set of TLS certificates, together with the related configuration and status parameters, specifically for the admin connection port, and to use a separate SSL context for connections coming from each of these two ports.

Definition

  • MySQL admin connection interface: Combination of --admin-address and --admin-port.
  • MySQL client-server connection interface: Combination of --host and --port.
  • TLS material and configuration: Includes the following:
    • CA file
    • CA path
    • Certificate file
    • Key file
    • CRL file
    • CRL path
    • TLS version
    • TLSv1.3 ciphersuites
    • TLSv1.2 ciphersuites

Functional and Non-Functional Requirements

  • FR1: It should be possible to use a separate set of TLS material and configuration for the MySQL admin connection interface.
  • FR2: TLS material and configuration for the MySQL admin connection interface should be re-configurable at runtime.
  • FR3: It should be possible to check the status of the TLS configuration for the MySQL admin connection interface and the MySQL client-server connection interface using performance schema.
  • FR4: It should be possible to specify whether GR uses the TLS config of the MySQL admin connection interface or that of the MySQL client-server connection interface.
  • NFR1: There should not be any impact on the MySQL upgrade process.
  • HLS1: New system variables will be introduced to configure TLS for MySQL admin connection interface.
    • --admin-ssl
      • Description: Flag to specify whether to use encrypted connections for MySQL admin connection interface or not.
      • Type: Command line variable
      • Settable at runtime: No
      • Default: ON
    • --admin-ssl-ca
      • Description: The path name of the Certificate Authority (CA) certificate file
      • Type: Global
      • Settable at runtime: Yes
      • Default: NONE
    • --admin-ssl-capath
      • Description: The path name of a directory of Certificate Authority (CA) certificate files
      • Type: Global
      • Settable at runtime: Yes
      • Default: NONE
    • --admin-ssl-cert
      • Description: The path name of server public key certificate file
      • Type: Global
      • Settable at runtime: Yes
      • Default: NONE
    • --admin-ssl-key
      • Description: The path name of server private key file
      • Type: Global
      • Settable at runtime: Yes
      • Default: NONE
    • --admin-ssl-crl
      • Description: The path name of the file containing certificate revocation lists
      • Type: Global
      • Settable at runtime: Yes
      • Default: NONE
    • --admin-ssl-crlpath
      • Description: The path name of a directory of certificate revocation list files
      • Type: Global
      • Settable at runtime: Yes
      • Default: NONE
    • --admin-tls-version
    • --admin-ssl-cipher
    • --admin-tls-ciphersuites
  • HLS2: Connection requests coming through the MySQL admin connection interface will behave as follows:
    • If --admin-ssl is set to OFF, MySQL admin connection interface won't use encrypted connections
    • Else if TLS context for MySQL admin interface is not empty, it will be used
    • Else if all of the TLS parameters mentioned in HLS1 have default values, MySQL client-server connection interface's TLS context will be used.
  • HLS3: The ALTER INSTANCE DDL will be extended as follows to support reloading TLS material for the MySQL admin connection interface:
    • ALTER INSTANCE RELOAD TLS FOR CHANNEL <channel_name> [NO ROLLBACK ON ERROR]
    • Supported channels as of now: "mysql_main" and "mysql_admin"
    • ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_main [NO ROLLBACK ON ERROR] will be equivalent of ALTER INSTANCE RELOAD TLS [NO ROLLBACK ON ERROR]
  • HLS4: A new performance schema table, tls_channel_status, will be introduced to provide various status information about the TLS context for the MySQL admin connection interface.
    • The performance schema table will have the following columns:
      • Channel: Name of the interface for which TLS status is being displayed
      • Property: Status parameter name
      • Value: Value of status parameter
  • HLS5: A new plugin option will be added to the group replication plugin to configure GR to use TLS material from either the client-server interface or the admin connection interface.
    • group_replication_tls_source = mysql_main | mysql_admin
      • Description: Identify source for TLS material for group replication
      • Type: GLOBAL
      • Settable at runtime: Can be changed anytime. Its value is used on START GROUP_REPLICATION and automatic rejoins. See [1]
      • Default: mysql_main

[1] https://dev.mysql.com/doc/refman/8.0/en/group-replication-options.html#sysvar_group_replication_autorejoin_tries
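
The runtime workflow that HLS1, HLS3, HLS4 and HLS5 describe, written out as an added example (it is not part of the worklog). The file paths are constructed placeholders, and the variable names are the system-variable spelling of the --admin-ssl-* options listed above.

```sql
-- Added example; the certificate paths below are constructed placeholders.

-- 1. Point the admin channel at its own TLS material (HLS1).
--    These are the runtime-settable variables from the list above.
SET PERSIST admin_ssl_ca      = '/etc/mysql/admin-tls/ca.pem';
SET PERSIST admin_ssl_cert    = '/etc/mysql/admin-tls/server-cert.pem';
SET PERSIST admin_ssl_key     = '/etc/mysql/admin-tls/server-key.pem';
SET PERSIST admin_tls_version = 'TLSv1.2,TLSv1.3';

-- 2. Rebuild the TLS context for the admin channel only (HLS3).
--    The mysql_main context is not touched. Without NO ROLLBACK ON ERROR,
--    a failed reload leaves the previous admin context in effect.
ALTER INSTANCE RELOAD TLS FOR CHANNEL mysql_admin;

-- 3. Compare both channels property by property (HLS4), so that the
--    certificate and protocol settings of each interface can be audited
--    side by side after a rotation.
SELECT property,
       MAX(CASE WHEN channel = 'mysql_main'  THEN value END) AS main_value,
       MAX(CASE WHEN channel = 'mysql_admin' THEN value END) AS admin_value
FROM performance_schema.tls_channel_status
GROUP BY property
ORDER BY property;

-- 4. Optionally have Group Replication take its TLS material from the
--    admin channel (HLS5). Requires the group replication plugin to be
--    installed; the value is used on the next START GROUP_REPLICATION
--    or automatic rejoin.
SET PERSIST group_replication_tls_source = 'mysql_admin';
```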