include/group_replication.inc
Warnings:
Note	####	Sending passwords in plain text without SSL/TLS is extremely insecure.
Note	####	Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information.
[connection server1]
#
# Setup the first member with a recovery user that requires TLS 1.3
#
[connection server1]
SET SESSION sql_log_bin=0;
CREATE USER 'rec_ssl_user'@'%' REQUIRE SSL;
GRANT replication slave ON *.* TO 'rec_ssl_user'@'%';
SET SESSION sql_log_bin=1;
SET @tls_version_saved= @@GLOBAL.tls_version;
SET GLOBAL tls_version='TLSv1.3';
SET @tls_ciphersuites_saved= @@GLOBAL.tls_ciphersuites;
SET GLOBAL tls_ciphersuites='TLS_AES_128_CCM_8_SHA256';
ALTER INSTANCE RELOAD TLS;
#
# Add some data and start the member
#
CREATE TABLE t1 (c1 INT NOT NULL PRIMARY KEY) ENGINE=InnoDB;
INSERT INTO t1 VALUES (1);
include/start_and_bootstrap_group_replication.inc
#
# Configure a joining member to use SSL options and a different TLS
# ciphersuite on recovery. Member will not be able to join.
#
[connection server2]
SET SESSION sql_log_bin= 0;
call mtr.add_suppression("There was an error when connecting to the donor server. Please check that group_replication_recovery channel credentials and all MEMBER_HOST column values of performance_schema.replication_group_members table are correct and DNS resolvable.");
call mtr.add_suppression("Plugin group_replication reported: 'For details please check performance_schema.replication_connection_status table and error log messages of Replica I/O for channel group_replication_recovery.");
call mtr.add_suppression("Plugin group_replication reported: 'Maximum number of retries when trying to connect to a donor reached. Aborting group replication incremental recovery.");
call mtr.add_suppression("Fatal error during the incremental recovery process of Group Replication. The server will leave the group.");
call mtr.add_suppression("The server was automatically set into read only mode after an error was detected.");
call mtr.add_suppression("Skipping leave operation: concurrent attempt to leave the group is on-going.");
SET SESSION sql_log_bin= 1;
SET @tls_version_saved= @@GLOBAL.tls_version;
SET GLOBAL tls_version='TLSv1.3';
SET @tls_ciphersuites_saved= @@GLOBAL.tls_ciphersuites;
SET GLOBAL tls_ciphersuites='TLS_AES_128_CCM_8_SHA256';
ALTER INSTANCE RELOAD TLS;
CHANGE REPLICATION SOURCE TO SOURCE_USER="rec_ssl_user" FOR CHANNEL "group_replication_recovery";
SET @group_replication_recovery_use_ssl_saved= @@GLOBAL.group_replication_recovery_use_ssl;
SET GLOBAL group_replication_recovery_use_ssl=1;
SET @group_replication_recovery_tls_ciphersuites_saved= @@GLOBAL.group_replication_recovery_tls_ciphersuites;
SET GLOBAL group_replication_recovery_tls_ciphersuites='TLS_AES_128_CCM_SHA256';
SET @group_replication_recovery_retry_count_saved= @@GLOBAL.group_replication_recovery_retry_count;
SET GLOBAL group_replication_recovery_retry_count= 1;
include/start_group_replication.inc
include/assert.inc [incremental recovery connection failed with error CR_SSL_CONNECTION_ERROR]
include/stop_group_replication.inc
#
# Clean up
#
[connection server2]
SET @@GLOBAL.tls_version= @tls_version_saved;
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_saved;
ALTER INSTANCE RELOAD TLS;
SET @@GLOBAL.group_replication_recovery_use_ssl= @group_replication_recovery_use_ssl_saved;
SET @@GLOBAL.group_replication_recovery_tls_ciphersuites= @group_replication_recovery_tls_ciphersuites_saved;
SET @@GLOBAL.group_replication_recovery_retry_count= @group_replication_recovery_retry_count_saved;
[connection server1]
SET @@GLOBAL.tls_version= @tls_version_saved;
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_saved;
ALTER INSTANCE RELOAD TLS;
SET SESSION sql_log_bin=0;
DROP USER 'rec_ssl_user';
SET SESSION sql_log_bin=1;
DROP TABLE t1;
include/group_replication_end.inc