We have a SQL server replication in place. I'm trying to ensure that the replication is occurring over secure channels. Given that MASTER_SSL_Allowed is true ("Yes"), does this suggest things are traveling over SSL/TLS?
How can I be sure that the replication connection is encrypted? How can I effectively forbid unencrypted traffic between master and replication?
mysql> show slave status\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.10.100
Master_User: slave_user
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mysql-bin.000192
Read_Master_Log_Pos: 37748817
Relay_Log_File: mysqld-relay-bin.000032
Relay_Log_Pos: 1244
Relay_Master_Log_File: mysql-bin.000092
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB: omega
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 37748817
Relay_Log_Space: 124980
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/mysql/certs/omega-ca-cert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/mysql/certs/omega-client-cert.pem
Master_SSL_Cipher:
Master_SSL_Key: /etc/mysql/certs/omega-client-key.pem
+1 for suggesting the use of tcpdump, Wireshark, or other network packet analyzer. That's the best way I can think of to prove positive that the replication is happening over TLS instead of cleartext. The technique of "checking the master" here isn't helpful, because it only shows whether the master can support TLS, not if it's actually being used. Likewise, you may want to ensure that TLS is actually working before you modify the GRANTs for the user to require TLS. – Christopher Schultz – 2016-10-07T11:23:22.143
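The two questions above (is the live replication link actually encrypted, and how to refuse cleartext) can be answered from the servers themselves; this is an added SQL example, not code from the question or the comment. It assumes MySQL 5.7 or later (for performance_schema.status_by_thread, ALTER USER ... REQUIRE and require_secure_transport), reuses the user and certificate paths shown in the SHOW SLAVE STATUS output, and uses 'replica-host' as a placeholder for the replica's address, which the post does not show.

```sql
-- 1. On the REPLICA: make TLS mandatory for the I/O thread.
--    Master_SSL_Allowed: Yes in SHOW SLAVE STATUS only echoes MASTER_SSL=1;
--    it is configuration, not proof that the live connection is encrypted.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL      = 1,
  MASTER_SSL_CA   = '/etc/mysql/certs/omega-ca-cert.pem',
  MASTER_SSL_CERT = '/etc/mysql/certs/omega-client-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/certs/omega-client-key.pem',
  -- also check the master's certificate identity against Master_Host
  -- (its CN must match 192.168.10.100 for this to pass)
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- Note: SHOW SESSION STATUS LIKE 'Ssl_cipher' on the replica reports the
-- mysql client session you are typing in, not the replication I/O thread,
-- so it cannot answer the question.

-- 2. On the MASTER: inspect the server side of the replication connection.
--    The "Binlog Dump" thread is the replica's I/O thread as the master sees
--    it; a non-empty Ssl_cipher means that connection is encrypted, an empty
--    value means cleartext.
SELECT t.PROCESSLIST_ID,
       t.PROCESSLIST_USER,
       t.PROCESSLIST_HOST,
       t.PROCESSLIST_COMMAND,
       s.VARIABLE_VALUE AS ssl_cipher
FROM   performance_schema.threads t
JOIN   performance_schema.status_by_thread s
       ON s.THREAD_ID = t.THREAD_ID
WHERE  t.PROCESSLIST_COMMAND LIKE 'Binlog Dump%'
  AND  s.VARIABLE_NAME = 'Ssl_cipher';

-- 3. On the MASTER: refuse cleartext for the replication account, so a
--    misconfigured replica fails to connect instead of silently downgrading.
--    (Before 5.7 the same clause goes on the GRANT:
--     GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'replica-host' REQUIRE SSL;)
ALTER USER 'slave_user'@'replica-host' REQUIRE SSL;   -- REQUIRE X509 also demands a client cert
-- Optionally refuse cleartext TCP connections for every account on this master:
SET GLOBAL require_secure_transport = ON;
```

Step 2 is the server-side counterpart of the packet capture the comment recommends: run it after step 1 and before step 3, so the replica is proven to negotiate TLS before the account is locked down to it.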