[MXS-4718] Add replication_custom_options to enable replication TLS certification check

Created: 2023-08-16
Updated: 2023-12-11
Resolved: 2023-10-16

Status: Closed
Project: MariaDB MaxScale
Component/s: Monitor
Affects Version/s: 6.4.8, 23.02.3
Fix Version/s: 23.02.5, 23.08.2

Type: Bug
Priority: Major
Reporter: Hartmut Holzgraefe
Assignee: Esa Korhonen
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Duplicate: is duplicated by MXS-4889 auto_rejoin with SSL replication fail... (Closed)
Problem/Incident: is caused by MDEV-31934 CHANGE MASTER does not pick up TLS de... (Closed)
Relates: relates to MXS-4845 Maxscale: SSL certificates don't show... (Closed)
Sprint: MXS-SPRINT-191, MXS-SPRINT-192

Description

Replication switchover and failover do not work when replication is set up to require two-way TLS by creating the replication user with REQUIRE x509.
The problem is that replication_master_ssl=true only adds MASTER_SSL=1 to the CHANGE_MASTER statement, but not MASTER_SSL_CERT etc.

As far as I understand, it relies on these to be fetched from the MariaDB options file(s) as documented here:
https://mariadb.com/kb/en/replication-with-secure-connections/#setting-tls-client-options-in-an-option-file
but this does not work as documented, see MDEV-31934, and so makes switchover fail in a setup requiring two-way TLS as the slave will not send a client certificate to the master.
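
Added example, not part of the original report and not MaxScale's own code: the two forms of the replication setup statement discussed above, side by side, with a check for which accounts demand a client certificate. The account name, host name, password and certificate paths are constructed placeholders.

```sql
-- Added illustration; account name, host, password and file paths are
-- constructed placeholders, not values taken from the issue.

-- On the primary: replication account that must present a client certificate.
CREATE USER 'repl'@'%' IDENTIFIED BY 'constructed-placeholder' REQUIRE X509;
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'%';

-- Audit: list accounts with a TLS requirement (ssl_type is 'X509' for the
-- account above), to know which replication users need a client certificate.
SELECT User, Host, ssl_type FROM mysql.user WHERE ssl_type <> '';

-- On the replica, form A: TLS is enabled but no client certificate is named.
-- This matches the MASTER_SSL=1-only statement described in the report,
-- reduced to the options relevant here.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST     = 'primary.example.internal',
  MASTER_USER     = 'repl',
  MASTER_PASSWORD = 'constructed-placeholder',
  MASTER_SSL      = 1;
START SLAVE;

-- On the replica, form B: the client certificate, key and CA are given
-- explicitly, so the replica can authenticate to an account that has
-- REQUIRE X509, and the primary's certificate is verified as well.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST     = 'primary.example.internal',
  MASTER_USER     = 'repl',
  MASTER_PASSWORD = 'constructed-placeholder',
  MASTER_SSL      = 1,
  MASTER_SSL_CA   = '/etc/mysql/tls/ca.pem',
  MASTER_SSL_CERT = '/etc/mysql/tls/replica-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/tls/replica-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- After either form, inspect Slave_IO_Running, Last_IO_Error and the
-- Master_SSL_Cert / Master_SSL_Key / Master_SSL_CA_File columns to see
-- whether the I/O thread connected and which TLS files are in effect.
SHOW SLAVE STATUS;
```

The `replication_custom_options` setting named in the issue title is where MASTER_SSL_* options of the kind shown in form B would be supplied to the monitor.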

