Bug #112766 Feature req: SOURCE_SSL should default to 1 for replication
Submitted: 18 Oct 2023 21:54 Modified: 22 Oct 14:30
Reporter: Marc Reilly Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Replication Severity:S4 (Feature request)
Version:8.1.0, 8.0.34 OS:Any
Assigned to: CPU Architecture:Any
Tags: replication, SSL

[18 Oct 2023 21:54] Marc Reilly 
Description:
In MySQL 5.7, connections to the database server changed to ssl by default but this did not change for binary log replication - SOURCE_SSL still defaults to 0

https://dev.mysql.com/blog-archive/secure-by-default-in-mysql-5-7/
https://dev.mysql.com/doc/refman/8.0/en/change-replication-source-to.html

How to repeat:
Run change replication source without specifying SOURCE_SSL

Suggested fix:
In a future release SOURCE_SSL should default to 1 so replication is using SSL by default. SOURCE_SSL_VERIFY_SERVER_CERT can remain at 0, similar to regular client connection defaults so as to avoid any issues with default configuration such as self signed certs etc.
https://dev.mysql.com/doc/refman/8.0/en/change-replication-source-to.html

Thanks!
Marc
[19 Oct 2023 5:54] MySQL Verification Team 
Hello Marc,

Thank you for the feature request.

regards,
Umesh
[30 May 2024 21:04] Jean-François Gagné 
Related: Bug#115179 - Replication Setup Documentation missing SOURCE_SSL=1.
[22 Oct 14:30] Marc Reilly 
Looks like this has been implemented in latest innovation release 9.5. Thanks!

https://dev.mysql.com/doc/relnotes/mysql/9.5/en/news-9-5-0.html#mysqld-9-5-0-replication