By default, MariaDB replicates data between primaries and replicas without encrypting it. This is generally acceptable when the primary and replica run are in networks where security is guaranteed through other means. However, in cases where the primary and replica exist on separate networks or they are in a high-risk network, the lack of encryption does introduce security concerns as a malicious actor could potentially eavesdrop on the traffic as it is sent over the network between them.
To mitigate this concern, MariaDB allows you to encrypt replicated data in transit between primaries and replicas using the Transport Layer Security (TLS) protocol. TLS was formerly known as Secure Socket Layer (SSL), but strictly speaking the SSL protocol is a predecessor to TLS and, that version of the protocol is now considered insecure. The documentation still uses the term SSL often and for compatibility reasons TLS-related server system and status variables still use the prefix ssl_, but internally, MariaDB only supports its secure successors.
In order to secure connections between the primary and replica, you need to ensure that both servers were compiled with TLS support. See to determine how to check whether a server was compiled with TLS support.
You also need an X509 certificate, a private key, and the Certificate Authority (CA) chain to verify the X509 certificate for the primary. If you want to use two-way TLS, then you will also an X509 certificate, a private key, and the Certificate Authority (CA) chain to verify the X509 certificate for the replica. If you want to use self-signed certificates that are created with OpenSSL, then see for information on how to create those.
In order to secure replication traffic, you will need to ensure that TLS is enabled on the primary. If you want to use two-way TLS, then you will also need to ensure that TLS is enabled on the replica. See for information on how to do that.
For example, to set the TLS system variables for each server, add them to a relevant server in an on each server:
And then restart the server to make the changes persistent.
At this point, you can reconfigure the replicas to use TLS to encrypt replicated data in transit. There are two methods available to do this:
Executing the statement to set the relevant TLS options.
Setting TLS client options in an .
TLS can be enabled on a replication replica by executing the statement. In order to do so, there are a number of options that you would need to set. The specific options that you would need to set would depend on whether you want one-way TLS or two-way TLS, and whether you want to verify the server certificate.
Two-way TLS means that both the client and server provide a private key and an X509 certificate. It is called "two-way" TLS because both the client and server can be authenticated. In this case, the "client" is the replica. To configure two-way TLS, you would need to set the following options:
You need to set the path to the server's certificate by setting the option.
You need to set the path to the server's private key by setting the option.
You need to set the path to the certificate authority (CA) chain that can verify the server's certificate by setting either the or the options.
If you want , then you also need to set the option (enabled by default from
If the are currently running, you first need to stop them by executing the statement. For example:
Then, execute the statement to configure the replica to use TLS. For example:
At this point, you can start replication by executing the statement. For example:
The replica now uses TLS to encrypt data in transit as it replicates it from the primary.
Enabling One-Way TLS with CHANGE MASTER with Server Certificate Verification
One-way TLS means that only the server provides a private key and an X509 certificate. When TLS is used without a client certificate, it is called "one-way" TLS, because only the server can be authenticated, so authentication is only possible in one direction. However, encryption is still possible in both directions. means that the client verifies that the certificate belongs to the server. In this case, the "client" is the replica. This mode is enabled by default starting from . To configure one-way TLS in earlier versions, you would need to set the following options:
You need to set the path to the certificate authority (CA) chain that can verify the server's certificate by setting either the or the options.
You need to set the option.
If you want to restrict the server to certain ciphers, then you also need to set the option.
If the are currently running, you first need to stop them by executing the statement. For example:
Then, execute the statement to configure the replica to use TLS. For example:
At this point, you can start replication by executing the statement. For example:
The replica now uses TLS to encrypt data in transit as it replicates it from the primary.
Enabling One-Way TLS with CHANGE MASTER without Server Certificate Verification
One-way TLS means that only the server provides a private key and an X509 certificate. When TLS is used without a client certificate, it is called "one-way" TLS, because only the server can be authenticated, so authentication is only possible in one direction. However, encryption is still possible in both directions. In this case, the "client" is the replica. To configure two-way TLS without server certificate verification, you would need to set the following options:
You need to configure the replica to use TLS by setting the option.
If you want to restrict the server to certain ciphers, then you also need to set the option.
Starting from you need to disable the option.
If the are currently running, you first need to stop them by executing the statement. For example:
Then, execute the statement to configure the replica to use TLS. For example:
At this point, you can start replication by executing the statement. For example:
The replica now uses TLS to encrypt data in transit as it replicates it from the primary.
In cases where you don't mind restarting the server or you are setting the server up from scratch for the first time, you may find it more convenient to configure TLS options for replication through an . This is done the same way as it is for other clients. The specific options that you would need to set would depend on whether you want one-way TLS or two-way TLS, and whether you want to verify the server certificate. See for more information. For example, to enable two-way TLS with , then you could specify the following options in a relevant client in an :
Before you restart the server, you may also want to set the option in a server in an . This option prevents the from restarting automatically when the server starts. Instead, they will have to be restarted manually. After these changes have been made, you can restart the server. Once the server is back online, set the option by executing the statement. This will enable TLS. For example:
The certificate and keys will be read from the option file. At this point, you can start replication by executing the statement.
This page is licensed: CC BY-SA / Gnu FDL
If you want to restrict the server to certain ciphers, then you also need to set the MASTER_SSL_CIPHER option.
[mariadb]
...
ssl_cert = /etc/my.cnf.d/certificates/server-cert.pem
ssl_key = /etc/my.cnf.d/certificates/server-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pemSTOP SLAVE;CHANGE MASTER TO
MASTER_SSL_CERT = '/path/to/client-cert.pem',
MASTER_SSL_KEY = '/path/to/client-key.pem',
MASTER_SSL_CA = '/path/to/ca/ca.pem',
MASTER_SSL_VERIFY_SERVER_CERT=1;START SLAVE;STOP SLAVE;CHANGE MASTER TO
MASTER_SSL_CA = '/path/to/ca/ca.pem',
MASTER_SSL_VERIFY_SERVER_CERT=1;START SLAVE;STOP SLAVE;CHANGE MASTER TO
MASTER_SSL=1, MASTER_SSL_VERIFY_SERVER_CERT=0;START SLAVE;[client-mariadb]
...
ssl_cert = /etc/my.cnf.d/certificates/client-cert.pem
ssl_key = /etc/my.cnf.d/certificates/client-key.pem
ssl_ca = /etc/my.cnf.d/certificates/ca.pem
ssl-verify-server-certCHANGE MASTER TO
MASTER_SSL=1;START SLAVE;