codership / galera

Synchronous multi-master replication library
GNU General Public License v2.0

No way to observe that SSL is in effect #165

Open philip-galera opened 9 years ago

philip-galera commented 9 years ago

There is no way to observe that SSL is in effect from the SQL side. Therefore, it will be difficult for tests and monitoring tools to confirm that the cluster has been properly secured. The only mention is in the error log, which is difficult to test and observe:

2014-10-24 10:38:04 2030 [Note] WSREP: (b0977687, 'ssl://0.0.0.0:13005') listening at ssl://0.0.0.0:13005

Instead, SHOW STATUS should display information such as:

chandlermelton commented 8 years ago

I'm not sure about client to server encryption, but for replication, my wsrep_provider_options variable contains socket.ssl = YES.

philip-galera commented 8 years ago

Yes, this setting enables encryption between Galera nodes; however, there is no status variable to show what type of encryption was negotiated.
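
Added example, not part of the thread and not Galera project code: a monitoring check that combines the two signals mentioned above, the `socket.ssl` entry in `wsrep_provider_options` and the `listening at ssl://` line in the error log. The sample option string and the `tcp://` log line are constructed; the function names are hypothetical. It confirms configuration and listener scheme only, not which cipher was negotiated.

```python
import re

# Constructed sample of the wsrep_provider_options value ("key = value; ..." pairs).
SAMPLE_OPTIONS = "base_port = 13005; gcache.size = 128M; socket.ssl = YES; "

# Log line quoted in the issue above.
ISSUE_LOG_LINE = ("2014-10-24 10:38:04 2030 [Note] WSREP: (b0977687, "
                  "'ssl://0.0.0.0:13005') listening at ssl://0.0.0.0:13005")
# Constructed line for a node that came up without SSL.
PLAINTEXT_LOG_LINE = ("2014-10-24 10:40:11 2044 [Note] WSREP: (c1a2b3c4, "
                      "'tcp://0.0.0.0:4567') listening at tcp://0.0.0.0:4567")

LISTEN_RE = re.compile(r"WSREP: .*\blistening at (\w+)://(\S+)")


def parse_provider_options(value):
    """Split the semicolon-separated option string into a dict."""
    opts = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep and key.strip():
            opts[key.strip()] = val.strip()
    return opts


def listener_schemes(log_lines):
    """Map each listener address to the scheme of its most recent log line."""
    latest = {}
    for line in log_lines:
        m = LISTEN_RE.search(line)
        if m:
            latest[m.group(2)] = m.group(1)
    return latest


def check_node(options_value, log_lines):
    """Return a list of findings; an empty list means both signals show SSL."""
    findings = []
    # "YES" is the value reported in the thread for an SSL-enabled node.
    if parse_provider_options(options_value).get("socket.ssl", "").upper() != "YES":
        findings.append("socket.ssl is not YES in wsrep_provider_options")
    schemes = listener_schemes(log_lines)
    if not schemes:
        findings.append("no WSREP listener line found in log")
    for addr, scheme in sorted(schemes.items()):
        if scheme != "ssl":
            findings.append(f"listener {addr} uses {scheme}://, not ssl://")
    return findings
```
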