1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
include/group_replication.inc
Warnings:
Note #### Sending passwords in plain text without SSL/TLS is extremely insecure.
Note #### Storing MySQL user name or password information in the connection metadata repository is not secure and is therefore not recommended. Please consider using the USER and PASSWORD connection options for START REPLICA; see the 'START REPLICA Syntax' in the MySQL Manual for more information.
[connection server1]
############################################################
# 0. Configure members to use encryption and save defaults.
[connection server1]
SET @tls_version_save= @@GLOBAL.tls_version;
SET @tls_ciphersuites_save= @@GLOBAL.tls_ciphersuites;
SET @group_replication_ssl_mode_save= @@GLOBAL.group_replication_ssl_mode;
SET @@GLOBAL.group_replication_ssl_mode= REQUIRED;
[connection server2]
SET @tls_version_save= @@GLOBAL.tls_version;
SET @tls_ciphersuites_save= @@GLOBAL.tls_ciphersuites;
SET @group_replication_ssl_mode_save= @@GLOBAL.group_replication_ssl_mode;
SET @@GLOBAL.group_replication_ssl_mode= REQUIRED;
SET SESSION sql_log_bin= 0;
call mtr.add_suppression("\\[GCS\\] Error connecting to all peers. Member join failed. Local port:*");
call mtr.add_suppression("\\[GCS\\] The member was unable to join the group.*");
call mtr.add_suppression("Timeout on wait for view after joining group");
SET SESSION sql_log_bin= 1;
############################################################
# 1. 2 members group with OpenSSL 1.1.1
# No --tls-ciphersuites
# No --tls-version
# Outcome: group will work.
[connection server1]
include/start_and_bootstrap_group_replication.inc
[connection server2]
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc
############################################################
# 2. 2 members group with OpenSSL 1.1.1
# No --tls-ciphersuites
# server1: --tls-version='TLSv1,TLSv1.1,TLSv1.2,TLSv1.3'
# server2: --tls-version='TLSv1,TLSv1.1,TLSv1.2'
# Outcome: group will work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1,TLSv1.1,TLSv1.2,TLSv1.3';
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1,TLSv1.1,TLSv1.2';
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc
############################################################
# 3. 2 members group with OpenSSL 1.1.1
# No --tls-ciphersuites
# server1: --tls-version='TLSv1.3'
# server2: --tls-version='TLSv1,TLSv1.1,TLSv1.2'
# Outcome: group will not work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1.3';
ALTER INSTANCE RELOAD TLS;
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1,TLSv1.1,TLSv1.2';
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
START GROUP_REPLICATION;
ERROR HY000: The server is not configured properly to be an active member of the group. Please see more details on error log.
[connection server1]
include/stop_group_replication.inc
############################################################
# 4. 2 members group with OpenSSL 1.1.1
# No --tls-ciphersuites
# server1: --tls-version='TLSv1.3'
# server2: --tls-version='TLSv1.3'
# Outcome: group will work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1.3';
ALTER INSTANCE RELOAD TLS;
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1.3';
ALTER INSTANCE RELOAD TLS;
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc
############################################################
# 5. 2 members group with OpenSSL 1.1.1
# --tls-ciphersuites='TLS_AES_256_GCM_SHA384'
# server1: --tls-version='TLSv1,TLSv1.1,TLSv1.2,TLSv1.3'
# server2: --tls-version='TLSv1,TLSv1.1,TLSv1.2,TLSv1.3'
# Outcome: group will work.
[connection server1]
SET @@GLOBAL.tls_version= 'TLSv1,TLSv1.1,TLSv1.2,TLSv1.3';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_256_GCM_SHA384';
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
include/start_and_bootstrap_group_replication.inc
[connection server2]
SET @@GLOBAL.tls_version= 'TLSv1,TLSv1.1,TLSv1.2,TLSv1.3';
SET @@GLOBAL.tls_ciphersuites= 'TLS_AES_256_GCM_SHA384';
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
include/start_group_replication.inc
include/rpl_gr_wait_for_number_of_members.inc
[connection server1]
include/stop_group_replication.inc
[connection server2]
include/stop_group_replication.inc
############################################################
# 6. 2 members group with OpenSSL 1.1.1
# --tls-ciphersuites= '', which will disable all ciphers.
# No --tls-version
# Outcome: group will not work.
[connection server1]
SET @@GLOBAL.tls_ciphersuites= '';
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
START GROUP_REPLICATION;
ERROR HY000: The server is not configured properly to be an active member of the group. Please see more details on error log.
Pattern found.
############################################################
# 7. Clean up.
[connection server1]
SET @@GLOBAL.group_replication_ssl_mode= @group_replication_ssl_mode_save;
SET @@GLOBAL.tls_version= @tls_version_save;
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_save;
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
[connection server2]
SET @@GLOBAL.group_replication_ssl_mode= @group_replication_ssl_mode_save;
SET @@GLOBAL.tls_version= @tls_version_save;
SET @@GLOBAL.tls_ciphersuites= @tls_ciphersuites_save;
ALTER INSTANCE RELOAD TLS;
Warnings:
Warning 4038 A deprecated TLS version TLSv1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
Warning 4038 A deprecated TLS version TLSv1.1 is enabled for channel mysql_main. Please use TLSv1.2 or higher.
include/group_replication_end.inc
|
