MariaDB Server / MDEV-22131

allow transition from unencrypted to TLS cluster communication without cluster downtime


      Description

      Right now wsrep/gcomm communication between Galera nodes can either be unencrypted, or it can be SSL/TLS encrypted.

      There is no way yet to have a node accept both, not even temporarily, so changing an unencrypted cluster to use encryption is not possible by doing a rolling restart: a node restarted after activating encryption in its wsrep_provider_options settings would no longer be able to communicate with the other nodes in the cluster that don't use encryption yet.

      So right now making a cluster more secure by enabling encryption between the Galera nodes is only possible by shutting down the cluster completely, changing the wsrep encryption settings, and then bringing all nodes up again, with the cluster being completely offline / unavailable for at least a short period of time.

              People

              Assignee:
              jplindst Jan Lindström
              Reporter:
              hholzgra Hartmut Holzgraefe