author | Alexey Yurchenko <alexey.yurchenko@galeracluster.com> | 2021-04-25 18:06:53 +0300 |
---|---|---|
committer | Julius Goryavsky <julius.goryavsky@mariadb.com> | 2021-05-06 01:40:24 +0200 |
commit | cf67ca48d6731ba43dcde385991ae1efaff40675 (patch) | |
tree | 284db99c9bf7bc8c092400e616dfc6827b9270aa /mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf | |
parent | ee1e877470715f0626529e0499c6ddfd4187e941 (diff) | |
download | mariadb-git-cf67ca48d6731ba43dcde385991ae1efaff40675.tar.gz | |
MDEV-25418 rsync SST does not work with stunnel encryption
1. Fix eval command line to correctly pass stunnel option to rsync on donor.
2. Deprecate `tkey`, `tcert` and `tca` options in [sst] section in favor of
conventional `ssl-key`, `ssl-cert` and `ssl-ca`, but keep their precedence
for backward compatibility.
3. Default to require SSL encryption if at least SSL key and cert files are
specified in configuration, either in [sst] or [mysqld] sections.
4. Enable `verify*` option for stunnel on donor only if
   a. CA file is specified somewhere in the configuration
   b. it is explicitly requested in [sst] section by either specifying
      ssl-mode or CA file there. In this case if ssl-mode is not explicitly
      given, it defaults to VERIFY_CA.
   ssl-mode maps to stunnel options as follows:
     VERIFY_CA -> verifyChain = yes
     VERIFY_IDENTITY -> verifyPeer = yes
Example to require donor to verify joiner identity:
```
[mysqld]
ssl-cert=/path/to/cert
ssl-key=/path/to/key
ssl-ca=/path/to/ca
[sst]
ssl-mode=VERIFY_IDENTITY
```
5. If SSL verification is requested, joiner verifies donor by checking the
secret passed to donor via SST request.
Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>
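As an added illustration (not code from this commit, from `wsrep_sst_rsync`, or from MariaDB), the following Python models the option resolution the commit message describes in points 2 to 4: legacy `tkey`/`tcert`/`tca` in `[sst]` take precedence over `ssl-*`, `[sst]` over `[mysqld]`, encryption is required once key and cert resolve, and stunnel verification is switched on only when a CA resolves and `[sst]` asks for it explicitly. Function names are assumed, the per-option precedence for mixed sources is a modelling assumption, and the two embedded configs are constructed from the example in the message and the test file in the diff.

```python
"""Model of the SST SSL option resolution described in the MDEV-25418 commit
message. Added illustration for this page, not code from wsrep_sst_rsync or
MariaDB; function names are assumed."""
import configparser


def read_cnf(text: str) -> configparser.ConfigParser:
    """Parse my.cnf-style text. Directive lines starting with '!' (such as
    !include) are dropped: this model does not follow includes."""
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("!")
    )
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(body)
    return cp


def resolve_ssl(cp: configparser.ConfigParser) -> dict:
    """Apply the rules stated in points 2-4 of the commit message.

    Precedence per option (modelling assumption for mixed sources):
      [sst] tkey/tcert/tca  >  [sst] ssl-*  >  [mysqld] ssl-*
    Encryption is required once both a key and a cert resolve.
    Verification is enabled only when a CA resolves AND [sst] asks for it
    explicitly (ssl-mode or a CA option in [sst]); ssl-mode defaults to
    VERIFY_CA and maps onto stunnel's verifyChain / verifyPeer.
    """
    sst = cp["sst"] if cp.has_section("sst") else {}
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}

    def pick(legacy: str, conventional: str):
        return sst.get(legacy) or sst.get(conventional) or mysqld.get(conventional)

    key = pick("tkey", "ssl-key")
    cert = pick("tcert", "ssl-cert")
    ca = pick("tca", "ssl-ca")
    out = {
        "encrypt": bool(key and cert),
        "key": key, "cert": cert, "ca": ca,
        "ssl_mode": None, "verifyChain": False, "verifyPeer": False,
    }
    explicit = any(opt in sst for opt in ("ssl-mode", "tca", "ssl-ca"))
    if ca and explicit:
        mode = (sst.get("ssl-mode") or "VERIFY_CA").upper()
        if mode == "VERIFY_IDENTITY":
            out["verifyPeer"] = True
        elif mode == "VERIFY_CA":
            out["verifyChain"] = True
        else:
            raise ValueError(f"no stunnel mapping for ssl-mode {mode}")
        out["ssl_mode"] = mode
    return out


def stunnel_verify_lines(resolved: dict) -> list:
    """Render the stunnel verify* lines implied by the resolved settings."""
    lines = []
    if resolved["verifyChain"]:
        lines.append("verifyChain = yes")
    if resolved["verifyPeer"]:
        lines.append("verifyPeer = yes")
    return lines


# Constructed inputs: the example from the commit message, and the test config
# added by this commit (its !include line would be dropped by read_cnf anyway).
EXAMPLE_FROM_MESSAGE = """
[mysqld]
ssl-cert=/path/to/cert
ssl-key=/path/to/key
ssl-ca=/path/to/ca
[sst]
ssl-mode=VERIFY_IDENTITY
"""

EXAMPLE_FROM_TEST_CNF = """
[mysqld]
wsrep_sst_method=rsync

[sst]
tkey=@ENV.MYSQL_TEST_DIR/std_data/server-key.pem
tcert=@ENV.MYSQL_TEST_DIR/std_data/server-cert.pem
"""

if __name__ == "__main__":
    for name, text in (("message example", EXAMPLE_FROM_MESSAGE),
                       ("test cnf", EXAMPLE_FROM_TEST_CNF)):
        r = resolve_ssl(read_cnf(text))
        print(name, "encrypt:", r["encrypt"], "mode:", r["ssl_mode"],
              "stunnel:", stunnel_verify_lines(r))
```

Run against the message's example the model yields `verifyPeer = yes`; against the new test config it yields encryption with no verification, since only `tkey`/`tcert` are set and no CA resolves. A CA present only in `[mysqld]` with nothing in `[sst]` also leaves verification off, which is the behaviour point 4 describes.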
Diffstat (limited to 'mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf')
-rw-r--r-- | mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf new file mode 100644 index 00000000000..f131088f582 --- /dev/null +++ b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf @@ -0,0 +1,15 @@ +!include ../galera_2nodes.cnf + +[mysqld] +wsrep_sst_method=rsync + +[sst] +tkey=@ENV.MYSQL_TEST_DIR/std_data/server-key.pem +tcert=@ENV.MYSQL_TEST_DIR/std_data/server-cert.pem + +[mysqld.1] +wsrep_provider_options='base_port=@mysqld.1.#galera_port;gcache.size=1;pc.ignore_sb=true' + +[mysqld.2] +wsrep_provider_options='base_port=@mysqld.2.#galera_port;gcache.size=1;pc.ignore_sb=true' + |
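Review bot: the new .cnf exercises only the deprecated `tkey`/`tcert` spellings from point 2 of the message, and with no `tca`/`ssl-ca` anywhere, point 4 means stunnel verification stays off, so this file tests encryption without certificate verification. Add a comment at the top of the file stating both of those intentions (legacy option names on purpose, no verification expected), so the test's purpose survives once `tkey`/`tcert` are eventually removed, and consider a sibling config using `ssl-key`/`ssl-cert` in `[sst]` so the conventional names introduced by this change are covered as well.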