To use an encrypted connection for the transfer of the binary log required during replication, both the master and the slave servers must support encrypted network connections. If either server does not support encrypted connections (because it has not been compiled or configured for them), replication through an encrypted connection is not possible.
Setting up encrypted connections for replication is similar to doing so for client/server connections. You must obtain (or create) a suitable security certificate that you can use on the master, and a similar certificate (from the same certificate authority) on each slave. You must also obtain suitable key files.
For more information on setting up a server and client for encrypted connections, see Section 6.3.1, “Configuring MySQL to Use Encrypted Connections”.
To enable encrypted connections on the master, you must create or
obtain suitable certificate and key files, and then add the
following configuration options to the master's configuration
[mysqld] section of the master's
my.cnf file, changing the file names as
[mysqld] ssl-ca=cacert.pem ssl-cert=server-cert.pem ssl-key=server-key.pem
The paths to the files may be relative or absolute; we recommend that you always use complete paths for this purpose.
The options are as follows:
--ssl-ca: The path name of the Certificate Authority (CA) certificate file. (
--ssl-capathis similar but specifies the path name of a directory of CA certificate files.)
--ssl-cert: The path name of the server public key certificate file. This certificate can be sent to the client and authenticated against the CA certificate that it has.
--ssl-key: The path name of the server private key file.
To enable encrypted connections on the slave, use the
CHANGE MASTER TO statement. You can
either name the slave certificate and SSL private key files
required for the encrypted connection in the
[client] section of the slave's
my.cnf file, or you can explicitly specify
that information using the
TO statement. For more information on the
CHANGE MASTER TO statement, see
Section 126.96.36.199, “CHANGE MASTER TO Statement”.
To name the slave certificate and key files using an option file, add the following lines to the
[client]section of the slave's
my.cnffile, changing the file names as necessary:
[client] ssl-ca=cacert.pem ssl-cert=client-cert.pem ssl-key=client-key.pem
Restart the slave server, using the
--skip-slave-startoption to prevent the slave from connecting to the master. Use
CHANGE MASTER TOto specify the master configuration, and add the
MASTER_SSLoption to connect using encryption:
mysql> CHANGE MASTER TO -> MASTER_HOST='master_hostname', -> MASTER_USER='repl', -> MASTER_PASSWORD='password', -> MASTER_SSL=1;
MASTER_SSL=1for a replication connection and then setting no further
MASTER_SSL_options corresponds to setting
--ssl-mode=REQUIREDfor the client, as described in Command Options for Encrypted Connections. With
MASTER_SSL=1, the connection attempt only succeeds if an encrypted connection can be established. A replication connection does not fall back to an unencrypted connection, so there is no setting corresponding to the
--ssl-mode=PREFERREDsetting for replication. If
MASTER_SSL=0is set, this corresponds to
To name the slave certificate and SSL private key files using the
CHANGE MASTER TOstatement, if you did not do this in the slave's
my.cnffile, add the appropriate
-> MASTER_SSL_CA = 'ca_file_name', -> MASTER_SSL_CAPATH = 'ca_directory_name', -> MASTER_SSL_CERT = 'cert_file_name', -> MASTER_SSL_KEY = 'key_file_name',
These options correspond to the
--ssl-options with the same names, as described in Command Options for Encrypted Connections. For these options to take effect,
MASTER_SSL=1must also be set. For a replication connection, specifying a value for either of
MASTER_SSL_CAPATH, or specifying these options in the slave's
my.cnffile, corresponds to setting
--ssl-mode=VERIFY_CA. The connection attempt only succeeds if a valid matching Certificate Authority (CA) certificate is found using the specified information.
To activate host name identity verification, add the
This option corresponds to the
--ssl-verify-server-certoption, which was deprecated from MySQL 5.7 and removed in MySQL 8.0. For a replication connection, specifying
MASTER_SSL_VERIFY_SERVER_CERT=1corresponds to setting
--ssl-mode=VERIFY_IDENTITY, as described in Command Options for Encrypted Connections. For this option to take effect,
MASTER_SSL=1must also be set. Host name identity verification does not work with self-signed certificates.
To activate certificate revocation list (CRL) checks, add the
-> MASTER_SSL_CRL = 'crl_file_name', -> MASTER_SSL_CRLPATH = 'crl_directory_name',
These options correspond to the
--ssl-options with the same names, as described in Command Options for Encrypted Connections. If they are not specified, no CRL checking takes place.
To specify lists of ciphers, ciphersuites, and encryption protocols permitted by the slave for the replication connection, use the
-> MASTER_SSL_CIPHER = 'cipher_list', -> MASTER_TLS_VERSION = 'protocol_list', -> MASTER_TLS_CIPHERSUITES = 'ciphersuite_list',
MASTER_SSL_CIPHERoption specifies a colon-separated list of one or more ciphers permitted by the slave for the replication connection.
MASTER_TLS_VERSIONoption specifies a comma-separated list of the TLS encryption protocols permitted by the slave for the replication connection, in a format like that for the
tls_versionserver system variable. The connection procedure negotiates the use of the highest TLS version that both the master and the slave permit. To be able to connect, the slave must have at least one TLS version in common with the master.
MASTER_TLS_CIPHERSUITESoption (available from MySQL 8.0.19) specifies a colon-separated list of one or more ciphersuites that are permitted by the slave for the replication connection if TLSv1.3 is used for the connection. If this option is set to
NULLwhen TLSv1.3 is used (which is the default if you do not set the option), the ciphersuites that are enabled by default are allowed. If you set the option to an empty string, no ciphersuites are allowed, and TLSv1.3 will therefore not be used.
The protocols, ciphers, and ciphersuites that you can specify in these lists depend on the SSL library used to compile MySQL. For information about the formats, the permitted values, and the defaults if you do not specify the options, see Section 6.3.2, “Encrypted Connection TLS Protocols and Ciphers”.Note
In MySQL 8.0.16 through 8.0.18, MySQL supports TLSv1.3, but the
MASTER_TLS_CIPHERSUITESoption is not available. In these releases, if TLSv1.3 is used for connections between a replication master and slave, the replication master must permit the use of at least one TLSv1.3 ciphersuite that is enabled by default. From MySQL 8.0.19, you can use the option to specify any selection of ciphersuites, including only non-default ciphersuites if you want.
After the master information has been updated, start the slave replication process:
mysql> START SLAVE;
You can use the
SHOW SLAVE STATUSstatement to confirm that an encrypted connection was established successfully.
Requiring encrypted connections on the slave does not ensure that the master requires encrypted connections from slaves. If you want to ensure that the master only accepts replication slaves that connect using encrypted connections, create a replication user account on the master using the
REQUIRE SSLoption, then grant that user the
REPLICATION SLAVEprivilege. For example:
mysql> CREATE USER 'repl'@'%.example.com' IDENTIFIED BY 'password' -> REQUIRE SSL; mysql> GRANT REPLICATION SLAVE ON *.* -> TO 'repl'@'%.example.com';
If you have an existing replication user account on the master, you can add
REQUIRE SSLto it with this statement:
mysql> ALTER USER 'repl'@'%.example.com' REQUIRE SSL;