What does the `ssl_encryption` parameter to `mysql.rds_set_external_master` actually do?

0

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/mysql-stored-proc-replicating.html#mysql_rds_set_external_master really makes it sound like passing 0 at the end of mysql.rds_set_external_master is going to result in an un-encrypted connection:

ssl_encryption

A value that specifies whether Secure Socket Layer (SSL) encryption is used on the replication connection. 1 specifies to use SSL encryption, 0 specifies to not use encryption. The default is 0.

However, we've found that leaving ssl_encryption set to 0 works even for a user that we've configured to require SSL. Note the ssl_type=ANY here:

source> select user, host, ssl_type from mysql.user where user='replication';
+--------------+----------+----------+
| user         | host     | ssl_type |
+--------------+----------+----------+
| replication  | %        | ANY      |
+--------------+----------+----------+
1 row in set (0.032 sec)

So we're convinced that the connection is using SSL, despite the fact that we've set ssl_encryption=0 when invoking mysql.rds_set_external_master.

Is it possible that setting ssl_encryption=0 actually makes the target database's connection to the source behave more like the mysql client's --ssl-mode=PREFERRED, where it'll use an SSL connection if it can, but will happily fall back to non-SSL? And ssl_encryption=1 acts like --ssl-mode=REQUIRED?

1 Answer
0

Hello,

The stored procedure “mysql.rds_set_external_master” could be used to configure an Aurora MySQL DB instance to be a read replica of an instance of MySQL running external to Amazon RDS.

If the data in the Aurora MySQL DB cluster is not encrypted, the ssl_encryption parameter must be set to 0. If the data is encrypted, the ssl_encryption parameter must be set to 1.

[+] Synchronizing the Amazon Aurora MySQL DB cluster with the external MySQL database - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Migrating.ExtMySQL.S3.html#AuroraMySQL.Migrating.ExtMySQL.S3.RepSync.Synchronizing

You may further check if replication is connected with SSL by using the query below in your primary database:

    mysql> SELECT id, user, host, connection_type
           FROM performance_schema.threads pst
           INNER JOIN information_schema.processlist isp
           ON pst.processlist_id = isp.id;

For further information about the behaviour observed by you regarding ssl_encryption, you may reach out to AWS Support with the concerned resource details so that your concerns could be investigated effectively. [+] https://repost.aws/knowledge-center/get-aws-technical-support

Thank You!

AWS
answered 21 days ago
  • If the data in the Aurora MySQL DB cluster is not encrypted, the ssl_encryption parameter must be set to 0. If the data is encrypted, the ssl_encryption parameter must be set to 1.

    This is confusing to me. I thought this ssl_encryption setting is about what gets transferred over the wire, not about what's actually stored at rest.
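As an added example (not from the question, the answer, or AWS documentation), the checks below narrow the answer's query to the binlog dump thread that serves the replica, and pair it with what the replica side reports. Column names are the standard MySQL 5.7/8.0 performance_schema columns; the `Binlog Dump` command filter, the `replication` user, and the choice between `SHOW SLAVE STATUS` and `SHOW REPLICA STATUS` (depends on the Aurora MySQL version) are assumptions.

```sql
-- 1) On the SOURCE (the external MySQL): list only the thread(s) streaming binlogs
--    to replicas and show whether that connection negotiated TLS and which cipher.
--    CONNECTION_TYPE is 'SSL/TLS' for an encrypted connection, 'TCP/IP' otherwise.
--    Assumption: the replica's connection shows as command 'Binlog Dump' / 'Binlog Dump GTID'.
SELECT t.PROCESSLIST_ID,
       t.PROCESSLIST_USER,
       t.PROCESSLIST_HOST,
       t.PROCESSLIST_COMMAND,
       t.CONNECTION_TYPE,
       s.VARIABLE_VALUE AS ssl_cipher       -- empty string when the session is not encrypted
FROM performance_schema.threads t
LEFT JOIN performance_schema.status_by_thread s
       ON s.THREAD_ID = t.THREAD_ID
      AND s.VARIABLE_NAME = 'Ssl_cipher'
WHERE t.PROCESSLIST_COMMAND LIKE 'Binlog Dump%';

-- 2) Still on the SOURCE: confirm the replication account cannot connect in the clear at all,
--    so the outcome does not depend on what the replica asks for (ssl_encryption=0 or 1).
--    ssl_type must read ANY (REQUIRE SSL) or X509 / SPECIFIED for a stricter policy.
SELECT user, host, ssl_type
FROM mysql.user
WHERE user = 'replication';     -- assumed account name

-- If it is blank, enforce it server-side (this is the REQUIRE SSL that produces ssl_type=ANY):
-- ALTER USER 'replication'@'%' REQUIRE SSL;

-- 3) On the REPLICA (Aurora MySQL): read back what the replication client was configured with.
--    Look at Master_SSL_Allowed / Master_SSL_CA_File (5.7-compatible Aurora) or
--    Source_SSL_Allowed / Source_SSL_CA_File (8.0-compatible Aurora).
SHOW SLAVE STATUS\G
-- SHOW REPLICA STATUS\G   -- 8.0-compatible syntax
```

If step 1 shows `SSL/TLS` with a cipher while the replica reports SSL not allowed, the session was encrypted because the source required it, not because the replica requested it, which is the PREFERRED-versus-REQUIRED distinction the question asks about.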
