This section is a draft and subject to change.
Before 8.0.23, there were two TCP connections and one TLS connection:
client <-> router // TCP router <-> server // TCP client <------------> server // TLS
Router Forwards the TLS packets as is, and this behavior can be configured with these Router configuration settings:
client_ssl_mode = PASSTHROUGH server_ssl_mode = AS_CLIENT
Where PASSTHOUGH means "forward everything to the server" and lets the client and server decide if they want to switch to TLS or not.
As of 8.0.23, the default behavior is:
client_ssl_mode = PREFERRED server_ssl_mode = AS_CLIENT
This establishes TLS connections between the client and Router if the client desires switching to TLS and the server supports TLS. This also matches the existing behaviour for client and server without the Router in-between.
As of Router 8.0.23, Router can accept the TLS session and open a new TLS session to the server. For example:
client <-> router // TCP router <-> server // TCP client <-> router // TLS router <-> server // TLS
To accept a TLS session from a client, Router has to present a TLS
client with the certificate using
To connect a TLS session to a server, Router verifies the server's
Because there are two TLS sessions (between client and Router; Router and server) there can also be two independent states of the connection.
server_ssl_mode accept DISABLED, PREFERRED, or
REQUIRED. In addition,
DISABLED: Router does not offer encryption to the client, and the client can't switch the client-router connection to TLS. The client may abort the connection if it must switch to TLS.
PREFERRED(default): Router accepts a TLS connection from the client, but is also okay if the client does not switch to encryption.
REQUIRED: Router accepts a TLS connection from the client, and will fail if the connection is not switched to TLS before authentication finishes.
PASSTHROUGH: Means 'forward everything to the server' and lets the client and server decide if they want to switch to TLS or not. This was default behavior before Router 8.0.23, and is only accepted by
AS_CLIENT(default): if the client-router connection is encrypted then also encrypt the router-server connection, otherwise do not. This option is only accepted by
server_ssl_verify option splits out
'VERIFY_CA' and 'VERIFY_IDENTITY' from the 'ssl_mode' that is
known from the MySQL client and MySQL server. In the MySQL
client's case, VERIFY_CA means ssl_mode=REQUIRED and to verify the
CA|IDENTITY. In Router's case, Router varifies certificates
server_ssl_mode; instead it's
purely based on whether the connection is encrypted and if
server_ssl_verify is not DISABLED, in which case it is verified.
Additional options include
All routing options and additional information is available at Routing Options.