To use an encrypted connection for the transfer of the binary log required during replication, both the source and the replica servers must support encrypted network connections. If either server does not support encrypted connections (because it has not been compiled or configured for them), replication through an encrypted connection is not possible.
Setting up encrypted connections for replication is similar to doing so for client/server connections. You must obtain (or create) a suitable security certificate that you can use on the source, and a similar certificate (from the same certificate authority) on each replica. You must also obtain suitable key files.
For more information on setting up a server and client for encrypted connections, see Configuring MySQL to Use Encrypted Connections.
To enable encrypted connections on the source, you must create or
obtain suitable certificate and key files, and then add the
following configuration parameters to the source's configuration
[mysqld] section of the source's
my.cnf file, changing the file names as
The paths to the files may be relative or absolute; we recommend that you always use complete paths for this purpose.
The configuration parameters are as follows:
ssl_ca: The path name of the Certificate Authority (CA) certificate file. (
--ssl-capathis similar but specifies the path name of a directory of CA certificate files.)
ssl_cert: The path name of the server public key certificate file. This certificate can be sent to the client and authenticated against the CA certificate that it has.
ssl_key: The path name of the server private key file.
To enable encrypted connections on the replica, use the
CHANGE MASTER TO statement.
To name the replica's certificate and SSL private key files using
CHANGE MASTER TO, add the appropriate
MASTER_SSL_options, like this:
-> MASTER_SSL_CA = 'ca_file_name', -> MASTER_SSL_CAPATH = 'ca_directory_name', -> MASTER_SSL_CERT = 'cert_file_name', -> MASTER_SSL_KEY = 'key_file_name',
These options correspond to the
--ssl-options with the same names, as described in Command Options for Encrypted Connections. For these options to take effect,
MASTER_SSL=1must also be set. For a replication connection, specifying a value for either of
MASTER_SSL_CAPATHcorresponds to setting
--ssl-mode=VERIFY_CA. The connection attempt succeeds only if a valid matching Certificate Authority (CA) certificate is found using the specified information.
To activate host name identity verification, add the
This option corresponds to the
--ssl-verify-server-certoption, which is deprecated as of MySQL 5.7.11 and removed in MySQL 8.0. For a replication connection, specifying
MASTER_SSL_VERIFY_SERVER_CERT=1corresponds to setting
--ssl-mode=VERIFY_IDENTITY, as described in Command Options for Encrypted Connections. For this option to take effect,
MASTER_SSL=1must also be set. Host name identity verification does not work with self-signed certificates.
To activate certificate revocation list (CRL) checks, add the
MASTER_SSL_CRLPATHoption, as shown here:
-> MASTER_SSL_CRL = 'crl_file_name', -> MASTER_SSL_CRLPATH = 'crl_directory_name',
These options correspond to the
--ssl-options with the same names, as described in Command Options for Encrypted Connections. If they are not specified, no CRL checking takes place.
To specify lists of ciphers and encryption protocols permitted by the replica for the replication connection, add the
MASTER_TLS_VERSIONoptions, like this:
-> MASTER_SSL_CIPHER = 'cipher_list', -> MASTER_TLS_VERSION = 'protocol_list', -> SOURCE_TLS_CIPHERSUITES = 'ciphersuite_list',
MASTER_SSL_CIPHERoption specifies the list of ciphers permitted by the replica for the replication connection, with one or more cipher names separated by colons. The
MASTER_TLS_VERSIONoption specifies the encryption protocols permitted by the replica for the replication connection. The format is like that for the
tls_versionsystem variable, with one or more comma-separated protocol versions. The protocols and ciphers that you can use in these lists depend on the SSL library used to compile MySQL. For information about the formats and permitted values, see Encrypted Connection TLS Protocols and Ciphers.
After the source information has been updated, start the replication process on the replica, like this:
mysql> START SLAVE;
You can use the
SHOW SLAVE STATUSstatement to confirm that an encrypted connection was established successfully.
Requiring encrypted connections on the replica does not ensure that the source requires encrypted connections from replicas. If you want to ensure that the source only accepts replicas that connect using encrypted connections, create a replication user account on the source using the
REQUIRE SSLoption, then grant that user the
REPLICATION SLAVEprivilege. For example:
mysql> CREATE USER 'repl'@'%.example.com' IDENTIFIED BY 'password' -> REQUIRE SSL; mysql> GRANT REPLICATION SLAVE ON *.* -> TO 'repl'@'%.example.com';
If you have an existing replication user account on the source, you can add
REQUIRE SSLto it with this statement:
mysql> ALTER USER 'repl'@'%.example.com' REQUIRE SSL;