Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.5, 10.2(EOL), 10.3(EOL), 10.4(EOL)
-
None
Description
- Pass joiner's authentication information to donor together with address in State Transfer Request. This allows joiner to authenticate donor on connection. Previously joiner would accept data from anywhere.
- Deprecate custom SSL configuration variables tca, tcert and tkey in favor of more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility tca, tcert and tkey are still supported.
- Allow falling back to server-wide SSL configuration in [mysqld] if no SSL configuration is found in [sst] section of the config file.
- Introduce ssl-mode variable in [sst] section that takes standard values and has following effects:
- old-style SSL configuration present in [sst]: no effect
- otherwise:
- ssl-mode=DISABLED or absent: retains old, backward compatible behavior and ignores any other SSL configuration
- ssl-mode=VERIFY*: verify joiner's certificate and CN on donor, verify donor's secret on joiner (passed to donor via State Transfer Request)
- BACKWARD INCOMPATIBLE BEHAVIOR
- anything else enables new SSL configuration conventions but does not require verification ssl-mode should be set to VERIFY only in a fully upgraded cluster.
Attachments
Issue Links
- blocks
-
MDEV-25471 Document SST Node authentication options
- Closed
- relates to
-
MDEV-18050 Port encrypt=4 from xtrabackup-v2 to mariabackup for SSTs
- Closed