Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22131

allow transition from unencrypted to TLS cluster communication without cluster downtime

    XMLWordPrintable

Details

    Description

      Right now wsrep/gcomm communication between Galera nodes can either be unencrypted, or it can be SSL/TLS encrypted.

      There is no way yet to have a node accept both, even not just temporarily, so changing an unencrypted cluster to using encryption is not possible by doing a rolling restart, a node restarted after activating encryption in its wsrep_provider_options settings would no longer be able to communicate with the other nodes in the cluster that don't use encryption yet.

      So right now making a cluster more secure by enabling encryption between the Galera nodes is only possible by shutting down the cluster completely, changing the wsrep encryption settings, and then bringing all nodes up again, with the cluster being completely offline / unavailable for at least a short period of time.

      Attachments

        Issue Links

          includes

          Task - A task that needs to be done. MDEV-21730 Improve TLS/SSL error reporting

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              jplindst Jan Lindström (Inactive)
              hholzgra Hartmut Holzgraefe
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.