Description:
While investigating BUG#22616245 it was noticed that since the push with the commit id 1bf8bc77a115b84ea8066b7b7b3175518c5810cc the slave always uses SSL/TLS when the servers support it, regardless of the MASTER_SSL option.
How to repeat:
Apply the diff below and run:
$ ./mtr --mem rpl_ssl
...
rpl_topology=1->2
connection master;
Assertion text: 'Without MASTER_SSL, the slave should be connected to the master without SSL/TLS'
Assertion condition: '"SSL/TLS" = "TCP/IP"'
Assertion condition, interpolated: '"SSL/TLS" = "TCP/IP"'
Assertion result: '0'
diff --git a/mysql-test/suite/rpl/t/rpl_ssl.test b/mysql-test/suite/rpl/t/rpl_ssl.test
index d141d78..7905068 100644
--- a/mysql-test/suite/rpl/t/rpl_ssl.test
+++ b/mysql-test/suite/rpl/t/rpl_ssl.test
@@ -2,6 +2,20 @@
source include/have_ssl_communication.inc;
source include/master-slave.inc;
+# Default replication setup at master-slave.inc does not set MASTER_SSL
+--connection slave
+--let $current_master_ssl= query_get_value(SHOW SLAVE STATUS, Master_SSL_Allowed, 1)
+--let $assert_text= Master_SSL_Allowed should be NO by default
+--let $assert_cond= "$current_master_ssl" = "NO"
+--source include/assert.inc
+
+# The slave should be initially connected to the master without SSL/TLS
+--connection master
+--let $connection_type= `SELECT CONNECTION_TYPE FROM performance_schema.threads WHERE PROCESSLIST_COMMAND = "Binlog Dump"`
+--let $assert_text= Without MASTER_SSL, the slave should be connected to the master without SSL/TLS
+--let $assert_cond= "$connection_type" = "TCP/IP"
+--source include/assert.inc
+
# create a user for replication that requires ssl encryption
connection master;
set @orig_sql_mode= @@sql_mode;
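Review bot: The `CONNECTION_TYPE` lookup at the added `--let $connection_type=` line filters on `PROCESSLIST_COMMAND = "Binlog Dump"`, which only matches a dump thread started without auto-positioning; when the IO thread connects with MASTER_AUTO_POSITION the command is reported as "Binlog Dump GTID", the subquery returns no row, and the backtick `--let` fails before the assertion can explain why. Matching with `PROCESSLIST_COMMAND LIKE "Binlog Dump%"` covers both and keeps the check meaningful if the suite is later run with GTID-based positioning. It is also worth a comment that a value other than "TCP/IP" or "SSL/TLS" (for instance "Socket") would mean the slave is not connecting over the network at all, so the assertion should keep comparing against the exact expected string rather than just "not SSL/TLS".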
Suggested fix:
If MASTER_SSL is not configured, the slave should not connect using SSL/TLS.
diff --git a/sql/rpl_slave.cc b/sql/rpl_slave.cc
index d3d50b2..3540e13 100644
--- a/sql/rpl_slave.cc
+++ b/sql/rpl_slave.cc
@@ -8630,6 +8630,7 @@ static int connect_to_master(THD* thd, MYSQL* mysql, Master_info* mi,
#ifdef HAVE_OPENSSL
if (mi->ssl)
{
+ /* The channel is configured to use SSL */
mysql_ssl_set(mysql,
mi->ssl_key[0]?mi->ssl_key:0,
mi->ssl_cert[0]?mi->ssl_cert:0,
@@ -8655,6 +8656,12 @@ static int connect_to_master(THD* thd, MYSQL* mysql, Master_info* mi,
ssl_mode= SSL_MODE_REQUIRED;
mysql_options(mysql, MYSQL_OPT_SSL_MODE, &ssl_mode);
}
+ else
+ {
+ /* The channel is not configured to use SSL */
+ enum mysql_ssl_mode ssl_mode= SSL_MODE_DISABLED;
+ mysql_options(mysql, MYSQL_OPT_SSL_MODE, &ssl_mode);
+ }
#endif
/*
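Review bot: The new else branch forces `SSL_MODE_DISABLED`, so with MASTER_SSL=0 the channel's authentication handshake and the binlog stream cross the network in cleartext even when both ends are SSL-capable, and a replication account created with REQUIRE SSL is refused at connect time instead of being silently upgraded; the comment at `/* The channel is not configured to use SSL */` should state that consequence, e.g. `/* MASTER_SSL=0: force a cleartext connection; a REQUIRE SSL replication account is rejected rather than silently upgraded to SSL */`. The return value of `mysql_options()` is ignored here as it already is in the if branch above; SSL_MODE_DISABLED is a valid mode so this is harmless today, but checking it in both places would keep the branches from diverging. Both branches now declare their own `enum mysql_ssl_mode ssl_mode`; initialising a single `ssl_mode= SSL_MODE_DISABLED` before the `if` and issuing one `mysql_options(mysql, MYSQL_OPT_SSL_MODE, &ssl_mode)` after it would remove the duplication, though the if-branch declaration lies outside this hunk. connect_to_master continues outside the hunk.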