No way to observe that SSL is in effect #165

Open
philip-galera opened this Issue Oct 24, 2014 · 2 comments


philip-galera commented Oct 24, 2014

There is no way to observe that SSL is in effect from the SQL side. Therefore, it will be difficult for tests and monitoring tools to confirm that the cluster has been properly secured.
The only mention is in the error log, which is difficult to test and observe:

2014-10-24 10:38:04 2030 [Note] WSREP: (b0977687, 'ssl://0.0.0.0:13005') listening at ssl://0.0.0.0:13005

Instead, SHOW STATUS should display information such as:

  • the current protocol in use at this time
  • the current cipher in use, as reported by OpenSSL
  • bytes sent over SSL vs. bytes sent unencrypted.

chandlermelton Nov 2, 2015

I'm not sure about client to server encryption, but for replication, my wsrep_provider_options variable contains socket.ssl = YES.


philip-galera Nov 2, 2015

Contributor

Yes, this setting enables encryption between Galera nodes, however there is no status variable to show what type of encryption was negotiated.
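
Until such status variables exist, a monitoring tool can only combine the two signals mentioned in this thread: the `socket.ssl` entry in `wsrep_provider_options` and the `listening at` line in the error log. The sketch below is an added example, not part of the thread or of Galera's code. It assumes the tool has already fetched the variable's value and the log text; apart from the `ssl://` log line quoted in the issue, the sample strings are constructed. It confirms configuration only, not the protocol or cipher that was negotiated.

```python
import re

# Constructed sample inputs; the ssl:// log line is the one quoted in the issue.
SECURED_OPTIONS = "base_port = 13005; gcache.size = 128M; socket.ssl = YES; "
PLAIN_OPTIONS = "base_port = 4567; gcache.size = 128M; socket.ssl = NO; "
SECURED_LOG = ("2014-10-24 10:38:04 2030 [Note] WSREP: (b0977687, "
               "'ssl://0.0.0.0:13005') listening at ssl://0.0.0.0:13005\n")
PLAIN_LOG = ("2014-10-24 10:38:04 2030 [Note] WSREP: (b0977687, "
             "'tcp://0.0.0.0:4567') listening at tcp://0.0.0.0:4567\n")

LISTEN_RE = re.compile(r"WSREP: .*listening at (\w+)://(\S+)")


def parse_provider_options(raw):
    """Split the 'key = value; key = value; ' string into a dict."""
    opts = {}
    for item in raw.split(";"):
        key, sep, value = item.partition("=")
        if sep and key.strip():
            opts[key.strip()] = value.strip()
    return opts


def ssl_configured(raw):
    """True only if socket.ssl is present and reported as YES."""
    return parse_provider_options(raw).get("socket.ssl", "").upper() == "YES"


def listener_schemes(log_text):
    """Return (scheme, address) for every Galera 'listening at' log line."""
    return [m.groups() for line in log_text.splitlines()
            if (m := LISTEN_RE.search(line))]


def check_node(raw_options, log_text):
    """Return a list of findings; an empty list means both signals agree on SSL."""
    findings = []
    if not ssl_configured(raw_options):
        findings.append("socket.ssl is not YES in wsrep_provider_options")
    listeners = listener_schemes(log_text)
    if not listeners:
        findings.append("no 'listening at' line found in the error log")
    else:
        # The log can span restarts, so judge only the most recent listener.
        scheme, addr = listeners[-1]
        if scheme != "ssl":
            findings.append(f"listener {addr} uses {scheme}://, not ssl://")
    return findings


if __name__ == "__main__":
    print(check_node(SECURED_OPTIONS, SECURED_LOG))
    print(check_node(PLAIN_OPTIONS, PLAIN_LOG))
```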
