replication-solutions-ssl

This page has moved or been replaced. The new page is located here:

http://dev.mysql.com/doc/refman/5.5/en/replication-solutions-secure-connections.html

Please update any bookmarks that point to the old page.


User Comments
  Posted by Sam Critchley on February 7, 2014
Note that the "REQUIRE SSL" grant may not work if your client configuration has all three certificate lines enabled. In that case, you should only specify the certificate authority key:

ssl-ca=cacert.pem

If you want to require a client certificate then the account should have "REQUIRE X509" instead of "REQUIRE SSL" and your client config should look (roughly) like this:

ssl-ca=cacert.pem
ssl-cert=client-cert.pem
ssl-key=client-key.pem

You can show which cipher is in use in the client simply by typing "\s":

username@hostname [(none)]> \s
--------------
mysql Ver 14.14 Distrib 5.5.35, for debian-linux-gnu (x86_64) using readline 6.2

Connection id: 63
Current database:
Current user: localturn2@localturn2
SSL: Cipher in use is DHE-RSA-AES256-SHA

This is the same as detailed in the client documentation at:

https://dev.mysql.com/doc/refman/5.5/en/using-ssl-connections.html

  Posted by Chaoran Xie on July 22, 2014
One small tip: make sure you use the full path for MASTER_SSL_CA when running the CHANGE MASTER statement.

So instead of something like
MASTER_SSL_CA = 'ca-cert.pem', MASTER_SSL_CAPATH = '/opt/newcerts/'

use
MASTER_SSL_CA = '/opt/newcerts/ca-cert.pem', MASTER_SSL_CAPATH = ''

  Posted by Fred W on March 31, 2015
A couple of tips:
1. The client cert is optional unless the account used for replication requires X509.
2. When using CHANGE MASTER TO to configure the slave, the parameters MASTER_SSL_CA and MASTER_SSL_CAPATH are resolved on the slave side.
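
The three comments above combined into one setup, as an added example that is not part of the original comments or the MySQL manual. The account name, host names, password, and the client certificate and key file locations are placeholders assumed for illustration; the CA path is the one used in the comment above.

```sql
-- On the master: create a replication account that must present a valid
-- client certificate. Use REQUIRE SSL instead if only encryption is needed.
-- 'repl', 'slave.example.com' and 'CHANGE_ME' are placeholders.
GRANT REPLICATION SLAVE ON *.*
  TO 'repl'@'slave.example.com'
  IDENTIFIED BY 'CHANGE_ME'
  REQUIRE X509;

-- On the slave: every file path below is opened by the slave's mysqld,
-- so each file must exist on the slave host and be readable by the
-- account mysqld runs as. Absolute paths are used throughout.
STOP SLAVE;

CHANGE MASTER TO
  MASTER_HOST       = 'master.example.com',            -- placeholder
  MASTER_USER       = 'repl',
  MASTER_PASSWORD   = 'CHANGE_ME',
  MASTER_SSL        = 1,
  MASTER_SSL_CA     = '/opt/newcerts/ca-cert.pem',
  MASTER_SSL_CAPATH = '',
  -- Needed only because the account above is REQUIRE X509:
  MASTER_SSL_CERT   = '/opt/newcerts/client-cert.pem', -- assumed location
  MASTER_SSL_KEY    = '/opt/newcerts/client-key.pem';  -- assumed location

START SLAVE;

-- Check the result on the slave (run from the mysql client).
-- Expect Master_SSL_Allowed: Yes, Slave_IO_Running: Yes and an empty
-- Last_IO_Error. Master_SSL_CA_File, Master_SSL_Cert and Master_SSL_Key
-- should show the absolute paths given above.
SHOW SLAVE STATUS\G
```

If Slave_IO_Running stays at Connecting and Last_IO_Error reports an SSL or access-denied error, recheck the paths and file permissions on the slave before changing the grant on the master.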