Secure sockets can be used for group communication connections between members of a group.
The Group Replication system variable
group_replication_ssl_mode
is
used to activate the use of SSL for group communication
connections and specify the security mode for the connections. The
default setting means that SSL is not used. The option has the
following possible values:
Table 20.1 group_replication_ssl_mode configuration values
Value | Description |
---|---|
DISABLED |
Establish an unencrypted connection (the default). |
REQUIRED |
Establish a secure connection if the server supports secure connections. |
VERIFY_CA |
Like |
VERIFY_IDENTITY |
Like |
If SSL is used, the means for configuring the secure connection depends on whether the XCom or the MySQL communication stack is used for group communication.
When using the XCom communication stack
(group_replication_communication_stack=XCOM
):
The remainder of the configuration for Group Replication's group
communication connections is taken from the server's SSL
configuration. For more information on the options for
configuring the server SSL, see
Command Options for Encrypted Connections. The server SSL
options that are applied to Group Replication's group
communication connections are as follows:
Table 20.2 SSL Options
Server Configuration | Description |
---|---|
ssl_key |
The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key. |
ssl_cert |
The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate. |
ssl_ca |
The path name of the Certificate Authority (CA) certificate file in PEM format. |
ssl_capath |
The path name of the directory that contains trusted SSL certificate authority (CA) certificate files in PEM format. |
ssl_crl |
The path name of the file containing certificate revocation lists in PEM format. |
ssl_crlpath |
The path name of the directory that contains certificate revocation list files in PEM format. |
ssl_cipher |
A list of permissible ciphers for encrypted connections. |
tls_version |
A list of the TLS protocols the server permits for encrypted connections. |
tls_ciphersuites |
Which TLSv1.3 ciphersuites the server permits for encrypted connections. |
Support for the TLSv1 and TLSv1.1 connection protocols was removed in MySQL 8.0. MySQL clients, including Group Replication server instances acting as clients, do not return warnings to the user if a deprecated TLS protocol version is used. See Removal of Support for the TLSv1 and TLSv1.1 Protocols for more information.
MySQL 9.1 supports the TLSv1.3 protocol, provided that the MySQL Server was compiled using OpenSSL 1.1.1. The server checks the version of OpenSSL at startup; if it is lower than 1.1.1, TLSv1.3 is removed from the default values for all server system variables relating to TLS versions, including
group_replication_recovery_tls_version
.MySQL 9.1 Group Replication supports TLSv1.3.
Use
group_replication_recovery_tls_version
andgroup_replication_recovery_tls_ciphersuites
to configure client support for any selection of ciphersuites, including only non-default ciphersuites if desired.In the list of TLS protocols specified in the
tls_version
system variable, ensure the specified versions are contiguous (for example,TLSv1.2,TLSv1.3
). If there are any gaps in the list of protocols (for example, if you specifiedTLSv1,TLSv1.2
, omitting TLS 1.1) Group Replication might be unable to make group communication connections.
In a replication group, OpenSSL negotiates the use of the highest
TLS protocol that is supported by all members. A joining member
that is configured to use only TLSv1.3
(tls_version=TLSv1.3
) cannot join
a replication group where any existing member does not support
TLSv1.3, because the group members in that case are using a lower
TLS protocol version. To join the member to the group, you must
configure the joining member to also permit the use of lower TLS
protocol versions supported by the existing group members.
Conversely, if a joining member does not support TLSv1.3, but the
existing group members all do and are using that version for
connections to each other, the member can join if the existing
group members already permit the use of a suitable lower TLS
protocol version, or if you configure them to do so. In that
situation, OpenSSL uses a lower TLS protocol version for the
connections from each member to the joining member. Each member's
connections to other existing members continue to use the highest
available protocol that both members support.
You can change the tls_version
system variable at runtime to alter the list of permitted TLS
protocol versions for the server. For Group Replication, the
ALTER INSTANCE RELOAD TLS
statement, which reconfigures the server's TLS context from the
current values of the system variables that define the context,
does not change the TLS context for Group Replication's group
communication connection while Group Replication is running. To
apply the reconfiguration to these connections, you must execute
STOP GROUP_REPLICATION
followed by
START GROUP_REPLICATION
to restart
Group Replication on the member or members where you changed the
tls_version
system variable.
Similarly, if you want to make all members of a group change to
using a higher or lower TLS protocol version, you must carry out a
rolling restart of Group Replication on the members after changing
the list of permitted TLS protocol versions, so that OpenSSL
negotiates the use of the higher TLS protocol version when the
rolling restart is completed. For instructions to change the list
of permitted TLS protocol versions at runtime, see
Section 8.3.2, “Encrypted Connection TLS Protocols and Ciphers” and
Server-Side Runtime Configuration and Monitoring for Encrypted
Connections.
The following example shows a section from a
my.cnf
file that configures SSL on a server,
and activates SSL for Group Replication group communication
connections:
[mysqld]
ssl_ca = "cacert.pem"
ssl_capath = "/.../ca_directory"
ssl_cert = "server-cert.pem"
ssl_cipher = "DHE-RSA-AEs256-SHA"
ssl_crl = "crl-server-revoked.crl"
ssl_crlpath = "/.../crl_directory"
ssl_key = "server-key.pem"
group_replication_ssl_mode= REQUIRED
The ALTER INSTANCE RELOAD TLS
statement, which reconfigures the server's TLS context from the
current values of the system variables that define the context,
does not change the TLS context for Group Replication's group
communication connections while Group Replication is running. To
apply the reconfiguration to these connections, you must execute
STOP GROUP_REPLICATION
followed
by START GROUP_REPLICATION
to
restart Group Replication.
Connections made between a joining member and an existing member for distributed recovery are not covered by the options described above. These connections use Group Replication's dedicated distributed recovery SSL options, which are described in Section 20.6.3.2, “Secure Socket Layer (SSL) Connections for Distributed Recovery”.
When using the MySQL communication stack (group_replication_communication_stack=MYSQL): The security settings for distributed recovery of the group are applied to the normal communications between group members. See Section 20.6.3, “Securing Distributed Recovery Connections” on how to configure the security settings.