# Replication with Secure Connections

{% hint style="info" %}
The terms *master* and *slave* have historically been used in replication, and MariaDB has begun the process of adding *primary* and *replica* synonyms. The old terms will continue to be used to maintain backward compatibility - see [MDEV-18777](https://jira.mariadb.org/browse/MDEV-18777) to follow progress on this effort.
{% endhint %}

## Overview

By default, MariaDB replicates data between primaries and replicas without encrypting it. This is generally acceptable when the primary and replica run are in networks where security is guaranteed through other means. However, in cases where the primary and replica exist on separate networks or they are in a high-risk network, the lack of encryption does introduce security concerns as a malicious actor could potentially eavesdrop on the traffic as it is sent over the network between them.

To mitigate this concern, MariaDB allows you to encrypt replicated data in transit between primaries and replicas using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS and, that version of the protocol is now considered insecure. The documentation still uses the term SSL often and for compatibility reasons TLS-related server system and status variables still use the prefix `ssl_`, but internally, MariaDB only supports its secure successors.

In order to secure connections between the primary and replica, you need to ensure that both servers were compiled with TLS support. See [Secure Connections Overview](/docs/server/security/encryption/data-in-transit-encryption/secure-connections-overview.md) to determine how to check whether a server was compiled with TLS support.

You also need an X509 certificate, a private key, and the Certificate Authority (CA) chain to verify the X509 certificate for the primary. If you want to use two-way TLS, then you will also an X509 certificate, a private key, and the Certificate Authority (CA) chain to verify the X509 certificate for the replica. If you want to use self-signed certificates that are created with OpenSSL, then see [Certificate Creation with OpenSSL](/docs/server/security/encryption/data-in-transit-encryption/certificate-creation-with-openssl.md) for information on how to create those.

## Securing Replication Traffic

In order to secure replication traffic, you will need to ensure that TLS is enabled on the primary. If you want to use two-way TLS, then you will also need to ensure that TLS is enabled on the replica. See [Securing Connections for Client and Server](/docs/server/security/encryption/data-in-transit-encryption/securing-connections-for-client-and-server.md) for information on how to do that.

For example, to set the TLS system variables for each server, add them to a relevant server [option group](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md#option-groups) in an [option file](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md) on each server:

```ini
[mariadb]
ssl_cert = /etc/my.cnf.d/certificates/server-cert.pem
ssl_key = /etc/my.cnf.d/certificates/server-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pem
```

And then restart the server to make the changes persistent.

At this point, you can reconfigure the replicas to use TLS to encrypt replicated data in transit. There are two methods available to do this:

* Executing the [CHANGE MASTER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md) statement to set the relevant TLS options.
* Setting TLS client options in an [option file](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md).

## Enabling TLS on a Replica

TLS can be enabled on a replication replica by issuing the [CHANGE MASTER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md) statement, while setting a number of options. Which options you set depends on whether you want one-way TLS or two-way TLS, and whether or not you want to verify the server certificate.

### Enabling Two-Way TLS

Two-way TLS means that both the client and server provide a private key and an X509 certificate. It is called "two-way" TLS because both the client and server can be authenticated. In this case, the "client" is the replica. To configure two-way TLS, you would need to set the following options:

* You need to set the path to the server's certificate by setting the [MASTER\_SSL\_CERT](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_cert) option.
* You need to set the path to the server's private key by setting the [MASTER\_SSL\_KEY](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_key) option.
* You need to set the path to the certificate authority (CA) chain that can verify the server's certificate by setting either the [MASTER\_SSL\_CA](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_ca) or the [MASTER\_SSL\_CAPATH](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_capath) options.
* If you want [server certificate verification](/docs/server/security/encryption/data-in-transit-encryption/secure-connections-overview.md#server-certificate-verification), then you also need to set the [MASTER\_SSL\_VERIFY\_SERVER\_CERT](https://github.com/mariadb-corporation/mariadb-docs/blob/main/server/reference/sql-statements-and-structure/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_verify_server_cert) option (enabled by default from [MariaDB 11.3](/docs/release-notes/community-server/old-releases/11.3/what-is-mariadb-113.md)).
* If you want to restrict the server to certain ciphers, then you also need to set the [MASTER\_SSL\_CIPHER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_cipher) option.

If the [replica threads](/docs/server/ha-and-performance/standard-replication/replication-threads.md#threads-on-the-replica) are currently running, you first need to stop them by executing the [STOP SLAVE](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/stop-replica.md) statement. For example:

```sql
STOP SLAVE;
```

Then, execute the [CHANGE MASTER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md) statement to configure the replica to use TLS. For example:

```sql
CHANGE MASTER TO
   MASTER_SSL_CERT = '/path/to/client-cert.pem',
   MASTER_SSL_KEY = '/path/to/client-key.pem',
   MASTER_SSL_CA = '/path/to/ca/ca.pem',
   MASTER_SSL_VERIFY_SERVER_CERT=1;
```

At this point, you can start replication by executing the [START SLAVE](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/start-replica.md) statement. For example:

```sql
START SLAVE;
```

The replica now uses TLS to encrypt data in transit as it replicates it from the primary.

### Enabling One-Way TLS

#### Enabling One-Way TLS With Server Certificate Verification

One-way TLS means that only the server provides a private key and an X509 certificate. When TLS is used without a client certificate, it is called "one-way" TLS, because only the server can be authenticated, so authentication is only possible in one direction. However, encryption is still possible in both directions. [Server certificate verification](/docs/server/security/encryption/data-in-transit-encryption/secure-connections-overview.md#server-certificate-verification) means that the client verifies that the certificate belongs to the server. In this case, the "client" is the replica. This mode is enabled by default starting from [MariaDB 11.3](/docs/release-notes/community-server/old-releases/11.3/what-is-mariadb-113.md). To configure one-way TLS in earlier versions, you would need to set the following options:

* You need to set the path to the certificate authority (CA) chain that can verify the server's certificate by setting either the [MASTER\_SSL\_CA](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_ca) or the [MASTER\_SSL\_CAPATH](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_capath) options.
* You need to set the [MASTER\_SSL\_VERIFY\_SERVER\_CERT](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_verify_server_cert) option.
* If you want to restrict the server to certain ciphers, then you also need to set the [MASTER\_SSL\_CIPHER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_cipher) option.

If the [replica threads](/docs/server/ha-and-performance/standard-replication/replication-threads.md#threads-on-the-replica) are currently running, you first need to stop them by executing the [STOP SLAVE](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/stop-replica.md) statement. For example:

```sql
STOP SLAVE;
```

Then, execute the [CHANGE MASTER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md) statement to configure the replica to use TLS. For example:

```sql
CHANGE MASTER TO
   MASTER_SSL_CA = '/path/to/ca/ca.pem',
   MASTER_SSL_VERIFY_SERVER_CERT=1;
```

At this point, you can start replication by executing the [START SLAVE](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/start-replica.md) statement. For example:

```sql
START SLAVE;
```

The replica now uses TLS to encrypt data in transit as it replicates it from the primary.

#### Enabling One-Way TLS Without Server Certificate Verification

One-way TLS means that only the server provides a private key and an X509 certificate. When TLS is used without a client certificate, it is called "one-way" TLS, because only the server can be authenticated, so authentication is only possible in one direction. However, encryption is still possible in both directions. In this case, the "client" is the replica. To configure two-way TLS without server certificate verification, you would need to set the following options:

* You need to configure the replica to use TLS by setting the [MASTER\_SSL](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl) option.
* If you want to restrict the server to certain ciphers, then you also need to set the [MASTER\_SSL\_CIPHER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_cipher) option.
* Starting from [MariaDB 11.3](/docs/release-notes/community-server/old-releases/11.3/what-is-mariadb-113.md) you need to disable the [MASTER\_SSL\_VERIFY\_SERVER\_CERT](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl_verify_server_cert) option.

If the [replica threads](/docs/server/ha-and-performance/standard-replication/replication-threads.md#threads-on-the-replica) are currently running, you first need to stop them by issuing the [STOP REPLICA](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/stop-replica.md) statement:

```sql
STOP REPLICA;
```

Then, execute the [CHANGE MASTER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md) statement to configure the replica to use TLS. For example:

```sql
CHANGE MASTER TO
   MASTER_SSL=1, MASTER_SSL_VERIFY_SERVER_CERT=0;
```

Now start replication by issuing the [START REPLICA](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/start-replica.md) statement:

```sql
START REPLICA;
```

The replica now uses TLS to encrypt data in transit as it replicates from the primary.

## Setting TLS Client Options in an Option File

In cases where you don't mind restarting the server or you are setting the server up from scratch for the first time, you may find it more convenient to configure TLS options for replication through an [option file](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md). This is done the same way as it is for other clients. The specific options that you would need to set would depend on whether you want one-way TLS or two-way TLS, and whether you want to verify the server certificate. See [Securing Connections for Client and Server: Enabling TLS for MariaDB Clients](/docs/server/security/encryption/data-in-transit-encryption/securing-connections-for-client-and-server.md#enabling-tls-for-mariadb-clients) for more information.

To enable two-way TLS with [server certificate verification](/docs/server/security/encryption/data-in-transit-encryption/secure-connections-overview.md#server-certificate-verification), you can specify the following options in a relevant client [option group](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md#option-groups) in an [option file](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md):

```ini
[client-mariadb]
ssl_cert = /etc/my.cnf.d/certificates/client-cert.pem
ssl_key = /etc/my.cnf.d/certificates/client-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pem
ssl-verify-server-cert
```

Before restarting the server, you may also want to set the [--skip-slave-start](/docs/server/server-management/starting-and-stopping-mariadb/mariadbd-options.md#-skip-slave-start) option in a server [option group](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md#option-groups) in an [option file](/docs/server/server-management/install-and-upgrade-mariadb/configuring-mariadb/configuring-mariadb-with-option-files.md). This option prevents the [replica threads](/docs/server/ha-and-performance/standard-replication/replication-threads.md#threads-on-the-replica) from restarting automatically when the server starts. Instead, they will have to be restarted manually.

After these changes have been made, you can restart the server.

Once the server is back online, set the [MASTER\_SSL](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md#master_ssl) option by executing the [CHANGE MASTER](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/change-master-to.md) statement. This enables TLS. For example:

```sql
CHANGE MASTER TO MASTER_SSL=1;
```

The certificate and keys are read from the option file. At this point, you can start replication by issuing the [START REPLICA](/docs/server/reference/sql-statements/administrative-sql-statements/replication-statements/start-replica.md) statement:

```sql
START REPLICA;
```

<sub>*This page is licensed: CC BY-SA / Gnu FDL*</sub>

{% @marketo/form formId="4316" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mariadb.com/docs/server/security/encryption/data-in-transit-encryption/replication-with-secure-connections.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.