wsrep_ssl_mode

Overview

In 23.08 ES, 23.07 ES, 10.6 ES:

Select which SSL implementation is used for wsrep provider communications:

  • PROVIDER: the wsrep provider's internal SSL implementation.

  • SERVER: the server-side SSL implementation.

  • SERVER_X509: as SERVER, and additionally require a valid X509 certificate.

In 10.6 CS, 10.5 ES, 10.5 CS, 10.4 ES, 10.4 CS, 10.3 ES, 10.3 CS, 10.2 ES, 10.2 CS:

Not present

See also: System Variables for MariaDB Enterprise Server 23.08, in 23.07 ES, in 10.6 ES, in 10.5 ES, in 10.4 ES, in 10.3 ES, in 10.2 ES, in 10.6 CS, in 10.5 CS, in 10.4 CS, in 10.3 CS, and in 10.2 CS

USAGE

The wsrep_ssl_mode system variable is used to configure the WSREP TLS Mode used by MariaDB Enterprise Cluster, powered by Galera.

When set to SERVER or SERVER_X509, MariaDB Enterprise Cluster uses the TLS configuration for MariaDB Enterprise Server:

[mariadb]
...
wsrep_ssl_mode = SERVER_X509

ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem

When set to PROVIDER, MariaDB Enterprise Cluster obtains its TLS configuration from the wsrep_provider_options system variable:

[mariadb]
...
wsrep_ssl_mode = PROVIDER
wsrep_provider_options = "socket.ssl=true;socket.ssl_cert=/certs/server-cert.pem;socket.ssl_ca=/certs/ca-cert.pem;socket.ssl_key=/certs/server-key.pem"

DETAILS

The wsrep_ssl_mode system variable configures the WSREP TLS Mode. The following WSREP TLS Modes are supported:

Provider WSREP TLS Mode (wsrep_ssl_mode = PROVIDER)

  • TLS is optional for Enterprise Cluster replication traffic.

  • Each node obtains its TLS configuration from the wsrep_provider_options system variable. When the provider is not configured to use TLS on a node, the node will connect to the cluster without TLS.

  • The Provider WSREP TLS Mode is backward compatible with ES 10.5 and earlier. When performing a rolling upgrade from ES 10.5 and earlier, the Provider WSREP TLS Mode can be configured on the upgraded nodes.

Server WSREP TLS Mode (wsrep_ssl_mode = SERVER)

  • TLS is mandatory for Enterprise Cluster replication traffic, but X509 certificate verification is not performed.

  • Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect to the cluster.

  • The Server WSREP TLS Mode is the default in ES 10.6.

Server X509 WSREP TLS Mode (wsrep_ssl_mode = SERVER_X509)

  • TLS and X509 certificate verification are mandatory for Enterprise Cluster replication traffic.

  • Each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. When MariaDB Enterprise Server is not configured to use TLS on a node, the node will fail to connect to the cluster.

When the wsrep_ssl_mode system variable is set to PROVIDER, each node obtains its TLS configuration from the wsrep_provider_options system variable. The following options are used:

WSREP Provider Option   Description
socket.ssl              Set this option to true to enable TLS.
socket.ssl_ca           Set this option to the path of the CA chain file.
socket.ssl_cert         Set this option to the path of the node's X509 certificate file.
socket.ssl_key          Set this option to the path of the node's private key file.

When the wsrep_ssl_mode system variable is set to SERVER or SERVER_X509, each node obtains its TLS configuration from the node's MariaDB Enterprise Server configuration. The following system variables are used:

System Variable   Description
ssl_ca            Set this system variable to the path of the CA chain file.
ssl_capath        Optionally set this system variable to the path of the CA chain directory. The directory must have been processed by openssl rehash. When your CA chain is stored in a single file, use the ssl_ca system variable instead.
ssl_cert          Set this system variable to the path of the node's X509 certificate file.
ssl_key           Set this system variable to the path of the node's private key file.
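The following Python script is an added example, not part of the MariaDB documentation or product: it audits a node's [mariadb] configuration against the rules above. In PROVIDER mode it parses wsrep_provider_options and flags a node whose socket.ssl is not true (it would join without TLS); in SERVER and SERVER_X509 mode it checks that ssl_ca or ssl_capath, ssl_cert and ssl_key are set. The embedded sample configurations are constructed, and the script checks presence of the settings only, not that the files exist or that the chain verifies.

```python
import configparser
# Rules from the reference above (product default is SERVER): PROVIDER takes its TLS settings from
# wsrep_provider_options and TLS is optional (socket.ssl != true means plaintext replication);
# SERVER and SERVER_X509 take ssl_ca/ssl_capath, ssl_cert and ssl_key, and a node lacking them fails to join.
MODES = ("PROVIDER", "SERVER", "SERVER_X509")

def parse_provider_options(value):
    """Split a 'k=v;k=v' wsrep_provider_options string into a dict (outer quotes stripped)."""
    opts = {}
    for item in value.strip().strip('"').split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            opts[key.strip()] = val.strip()
    return opts

def audit_wsrep_tls(config_text):
    """Return a list of findings; an empty list means the node's TLS settings are consistent."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(config_text)
    sec = cp["mariadb"] if cp.has_section("mariadb") else {}
    mode = (sec.get("wsrep_ssl_mode") or "SERVER").upper()
    if mode not in MODES:
        return [f"invalid wsrep_ssl_mode value {mode!r}"]
    findings = []
    if mode == "PROVIDER":
        opts = parse_provider_options(sec.get("wsrep_provider_options") or "")
        if opts.get("socket.ssl", "").lower() != "true":
            findings.append("PROVIDER mode without socket.ssl=true: replication traffic is plaintext")
        else:
            for key in ("socket.ssl_ca", "socket.ssl_cert", "socket.ssl_key"):
                if not opts.get(key):
                    findings.append(f"PROVIDER mode: {key} missing from wsrep_provider_options")
    else:
        if not (sec.get("ssl_ca") or sec.get("ssl_capath")):
            findings.append(f"{mode} mode: neither ssl_ca nor ssl_capath is set; node will fail to join")
        for key in ("ssl_cert", "ssl_key"):
            if not sec.get(key):
                findings.append(f"{mode} mode: {key} is not set; node will fail to join")
    return findings

# Constructed sample node configurations (not from a real deployment) for audit_wsrep_tls().
GOOD_SERVER_X509 = """[mariadb]
wsrep_ssl_mode = SERVER_X509
ssl_ca = /certs/ca-cert.pem
ssl_cert = /certs/server-cert.pem
ssl_key = /certs/server-key.pem"""
PROVIDER_NO_TLS = '''[mariadb]
wsrep_ssl_mode = PROVIDER
wsrep_provider_options = "gcache.size=1G;socket.ssl=false"'''
```

Running audit_wsrep_tls() over each node's my.cnf before a rolling upgrade catches the case the table warns about: a PROVIDER-mode node silently joining without TLS.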

PARAMETERS

Command-line            --wsrep_ssl_mode={PROVIDER|SERVER|SERVER_X509}
Configuration file      Supported
Dynamic                 No
Scope                   Global
Data Type               ENUM (PROVIDER, SERVER, SERVER_X509)
Product Default Value   SERVER

CHANGE HISTORY

Release Series     History
23.08 Enterprise   Present starting in MariaDB Enterprise Server 23.08.0.
23.07 Enterprise   Present starting in MariaDB Enterprise Server 23.07.0.
10.6 Enterprise    Added in MariaDB Enterprise Server 10.6.4-1.
10.6 Community     Not present.
10.5 Enterprise    Not present.
10.5 Community     Not present.
10.4 Enterprise    Not present.
10.4 Community     Not present.
10.3 Enterprise    Not present.
10.3 Community     Not present.
10.2 Enterprise    Not present.
10.2 Community     Not present.
