Description:
I've not looked in detail but it seems that it's not possible to change an already running server which does not have TLS configured to allow it to use TLS.
It's also not possible to change certificates while the server is running.
For systems which run 24x7x365 this is not convenient.
Initial TLS setup may be a one-off affair but certificate changes are expected to happen at regular intervals and to have to interrupt the MySQL service to change this is not helpful.
How to repeat:
root@myhost [(none)]> select @@ssl_ca, @@ssl_cert, @@ssl_key;
+----------+------------+-----------+
| @@ssl_ca | @@ssl_cert | @@ssl_key |
+----------+------------+-----------+
| NULL     | NULL       | NULL      |
+----------+------------+-----------+
1 row in set (0.00 sec)
root@myhost [(none)]> select @@version;
+------------+
| @@version  |
+------------+
| 5.6.25-log |
+------------+
1 row in set (0.00 sec)
root@myhost [(none)]> set global ssl_ca = '/etc/ssl/certs/ca-bundle.crt';
ERROR 1238 (HY000): Variable 'ssl_ca' is a read only variable
root@myhost [(none)]> set global ssl_cert = '/etc/ssl/somepath/mysql.crt' ;
ERROR 1238 (HY000): Variable 'ssl_cert' is a read only variable
root@myhost [(none)]> set global ssl_key = '/etc/ssl/somepath/private/mysql.key';
ERROR 1238 (HY000): Variable 'ssl_key' is a read only variable
I believe that 5.7.12 behaves the same.
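Since the ssl_* variables above are read-only on 5.6/5.7, a certificate change means editing my.cnf and restarting, so an operator wants to know the current TLS state and when the loaded certificate expires in order to schedule that restart. The following queries are an added example for that check, not part of the original report; they use only the have_ssl variable, the Ssl_* status variables and the performance_schema.threads.connection_type column as documented for 5.6/5.7 (the last one is 5.7-only).

```sql
-- Added example (not from the original report): inspect a running 5.6/5.7
-- server's TLS state before planning the restart a certificate change needs.

-- Is TLS available and active? 'YES' means the certificates loaded at startup;
-- 'DISABLED' means TLS was compiled in but no usable ssl_* files were given.
SHOW GLOBAL VARIABLES LIKE 'have_ssl';

-- Which certificate and key files the running server actually loaded
-- (empty values mean the server is serving plaintext only).
SHOW GLOBAL VARIABLES LIKE 'ssl%';

-- Validity window of the loaded server certificate: the restart that swaps
-- the files must happen before Ssl_server_not_after.
SHOW GLOBAL STATUS
 WHERE Variable_name IN ('Ssl_server_not_before', 'Ssl_server_not_after');

-- Is this very session protected? An empty Ssl_cipher means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- 5.7 only: after the restart, list TCP clients still connecting without TLS
-- (connection_type is 'SSL/TLS' for protected connections).
SELECT processlist_user, processlist_host, connection_type
  FROM performance_schema.threads
 WHERE type = 'FOREGROUND'
   AND connection_type = 'TCP/IP';
```

Running the first four statements before and after the restart confirms that the new files were picked up (ssl_cert/ssl_key paths and Ssl_server_not_after change), and the last one shows which clients still need to be moved to TLS once the server offers it.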
Suggested fix:
Please make it possible to:
* configure TLS dynamically
* change certificates dynamically
This would make it easier to "improve security" of your server while it's running.