Bug #84300 Setting to disable checking of "Not After" for replication with SSL/TLS
Submitted: 21 Dec 2016 14:13 Modified: 22 Dec 2016 8:43
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category:MySQL Server: Replication Severity:S4 (Feature request)
Version:8.0 OS:Any
Assigned to: CPU Architecture:Any
Tags: replication, slave, SSL, tls

[21 Dec 2016 14:13] Daniël van Eeden
Description:
Closely related to bug:
Bug #75404 	Reload certificate and crl without restart

If you have a MySQL setup with SSL and about 10 machines, and then the SSL certificates expire (no monitoring, all requested at the same time).

Like this:
db1 -> db2
      -> db3
      -> db4
    -> db5
      -> db6
      -> db7
    -> db8
      -> db9
      -> db10

Then replication keeps on working until you do a 'STOP SLAVE; START SLAVE' or something else which requires the I/O thread to reconnect.

Then to fix that you need to either:
1. Restart all servers, which might cause too much downtime, cold caches, etc.
2. Temporarily disable SSL for replication (ALTER USER ... REQUIRE NONE). This leaves the traffic unencrypted.

This RFE is to ask for another option: Disable validity checking for replication.

How to repeat:
See description.

Suggested fix:
Implement one of these:
CHANGE MASTER TO MASTER_SSL_VERIFY_NOT_AFTER=0;
CHANGE MASTER TO MASTER_SSL_VERIFY_VALIDITY=0;
SET GLOBAL slave_ssl_validity_checks=0;

Having to do this with the replication channel stopped would be fine.
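The monitoring the report says was missing, as an added example (not part of the bug report and not MySQL's own tooling): queries to see when each server's certificate expires, what the replication channel and the replication account currently require, and whether the connected replicas are in fact encrypted after the REQUIRE NONE workaround. It assumes MySQL 5.7/8.0 with performance_schema enabled and a replication account named 'repl'@'%' that originally had REQUIRE X509; both names are assumptions.

```sql
-- Added example, not from the bug report. Assumptions: performance_schema is
-- enabled, the replication account is 'repl'@'%' and its original clause was
-- REQUIRE X509 (hypothetical names).

-- 1. On every server: when does its own TLS certificate expire?
--    Ssl_server_not_after is reported as text, e.g. 'Dec 21 14:13:00 2017 GMT';
--    STR_TO_DATE tolerates the extra space OpenSSL pads single-digit days with.
SELECT
  MAX(CASE WHEN VARIABLE_NAME = 'Ssl_server_not_before' THEN VARIABLE_VALUE END) AS not_before,
  MAX(CASE WHEN VARIABLE_NAME = 'Ssl_server_not_after'  THEN VARIABLE_VALUE END) AS not_after,
  DATEDIFF(
    STR_TO_DATE(
      MAX(CASE WHEN VARIABLE_NAME = 'Ssl_server_not_after' THEN VARIABLE_VALUE END),
      '%b %d %H:%i:%s %Y GMT'),
    UTC_TIMESTAMP()) AS days_left
FROM performance_schema.global_status
WHERE VARIABLE_NAME IN ('Ssl_server_not_before', 'Ssl_server_not_after');
-- Alert while days_left is still positive: an established I/O thread keeps
-- running past expiry, but the next reconnect (STOP/START SLAVE) fails.

-- 2. On a replica: which certificate files the channel uses and whether the
--    source's certificate is verified (SHOW SLAVE STATUS shows the same fields).
SELECT CHANNEL_NAME, HOST, SSL_ALLOWED, SSL_CA_FILE, SSL_CERTIFICATE,
       SSL_VERIFY_SERVER_CERTIFICATE
FROM performance_schema.replication_connection_configuration;

-- 3. On the source: are the connected replicas actually encrypted?
--    An empty ssl_cipher is a plaintext replica, which is what the
--    REQUIRE NONE workaround leaves behind.
SELECT t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST,
       s.VARIABLE_VALUE AS ssl_cipher
FROM performance_schema.threads t
JOIN performance_schema.status_by_thread s ON s.THREAD_ID = t.THREAD_ID
WHERE t.PROCESSLIST_COMMAND LIKE 'Binlog Dump%'   -- 'Binlog Dump' / 'Binlog Dump GTID'
  AND s.VARIABLE_NAME = 'Ssl_cipher';

-- 4. Record what the account requires before touching it, apply the stop-gap
--    the report describes, and restore the original clause once the
--    certificates have been reissued and loaded.
SHOW CREATE USER 'repl'@'%';
ALTER USER 'repl'@'%' REQUIRE NONE;   -- stop-gap: replication traffic is now unencrypted
-- later, after new certificates are in place:
-- ALTER USER 'repl'@'%' REQUIRE X509;
```

Query 3 is the one worth running every few minutes while the workaround is in place; it is the only one of the four that shows the actual security state of the links rather than the configured one.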
[22 Dec 2016 8:43] MySQL Verification Team
Hello Daniël,

Thank you for the reasonable feature request!

Thanks,
Umesh