What does the `ssl_encryption` parameter to `mysql.rds_set_external_master` actually do?

0

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/mysql-stored-proc-replicating.html#mysql_rds_set_external_master really makes it sound like passing 0 at the end of mysql.rds_set_external_master is going to result in an un-encrypted connection:

ssl_encryption

A value that specifies whether Secure Socket Layer (SSL) encryption is used on the replication connection. 1 specifies to use SSL encryption, 0 specifies to not use encryption. The default is 0.

However, we've found that leaving ssl_encryption set to 0 works even for a user that we've configured to require SSL. Note the ssl_type=ANY here:

source> select user, host, ssl_type from mysql.user where user='replication';
+--------------+----------+----------+
| user         | host     | ssl_type |
+--------------+----------+----------+
| replication  | %        | ANY      |
+--------------+----------+----------+
1 row in set (0.032 sec)

So we're convinced that the connection is using SSL, despite the fact that we've set ssl_encryption=0 when invoking mysql.rds_set_external_master.

Is it possible that setting ssl_encryption=0 actually makes the target database connection to the source behave more like the mysql client's --ssl-mode=PREFERRED, where it'll use an SSL connection if it can, but will happily fall back to non-SSL? And ssl_encryption=1 acts like --ssl-mode=REQUIRED?

2 Answers
0
Accepted Answer

We finally know the answer to this question. In short, the MySQL and RDS docs are quite confusing about this, and there's a difference in behavior between Aurora 2 and 3 that makes this even more confusing.

  1. The ssl_encryption parameter to mysql.rds_set_external_source does 3 things under the hood:

    • It enables (and requires) an SSL connection to the source database. In other words, setting SOURCE_SSL=1 with MySQL's CHANGE REPLICATION SOURCE TO statement.
    • It enables verification of the source database's certificate. In other words, under the hood, this is threading the ssl_ca from the RDS "binlog ssl material" (as set by RDS's mysql.rds_import_binlog_ssl_material) through to the SOURCE_SSL_VERIFY_SERVER_CERT and SOURCE_SSL_CA* parameters for MySQL's CHANGE REPLICATION SOURCE TO statement.
    • It enables MySQL client certificate based authentication (as described in this MySQL blog post). This is a problem, as we do not have the power to generate a valid client certificate for RDS instances.
      • In other words, under the hood, this is threading the ssl_key and ssl_cert rds “binlog rds ssl material” through to the SOURCE_SSL_KEY, and SOURCE_SSL_CERT parameters for MySQL's CHANGE REPLICATION SOURCE TO statement.
      • Can we get a valid client cert? No. This SO post from 2018 says AWS doesn’t support it and it’s on the backlog. We filed a support ticket, and they said "RDS/Aurora does not support logging in via certificates".
        • We tried generating a cert ourselves (following the instructions here), and that unsurprisingly didn’t work. The source database rejects the connection because it doesn’t trust the cert being presented.
      • Does MySQL encrypted replication really require using client cert based authentication? No. We know this both from manual testing with MySQL 8 running on our laptops, and from the fact that we were able to do encrypted replication on Aurora 2 (perhaps unintentionally on AWS's part). If we could just run the underlying CHANGE REPLICATION SOURCE TO command ourselves, we could configure this correctly. However, the admin user on Aurora RDS doesn't have permission to do this.
        • We even tried to get clever by doing this sequence of operations:
          • Call mysql.rds_import_binlog_ssl_material
          • Call mysql.rds_set_external_source(..., ssl_encryption=0)
          • Call mysql.rds_remove_binlog_ssl_material
            • This just results in a broken replication configuration (it’s pointing at certs that no longer exist on disk).
          • In January 2024, we asked AWS if there’s some way of enabling SSL without enabling client certs, and they said no. (Note that as of March 2024, this is now possible. Read on for more details).
  2. On 2024-03-07, Aurora 3.06.0 was released, with a new mysql.rds_set_binlog_source_ssl setting: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/mysql-stored-proc-replicating.html#mysql_rds_set_binlog_source_ssl, which corresponds to just the SOURCE SSL setting for MySQL's CHANGE REPLICATION SOURCE TO statement.

    • This does exactly what we want it to: we call mysql.rds_set_external_source(..., ssl_encryption=0) and then we call mysql.rds_set_binlog_source_ssl(1), and we are able to do encrypted replication. Make sure you do it in this order, as mysql.rds_set_external_source will clobber the Source_SSL_Allowed setting. Since this is so stupid and easy to get wrong, just confirm that the replica is trying to connect with ssl by running this command:

      mysql> show replica status\G
                 ...
                 Source_SSL_Allowed: Yes
                 ...
      1 row in set (0.01 sec)
      
Jeremy
answered a month ago
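The ordering the accepted answer describes, written out as an added example (not code from the answer or from the AWS documentation). It assumes Aurora MySQL 3.06.0 or later; the host name, password and binlog coordinates are placeholders, and the argument order of mysql.rds_set_external_source follows the procedure's documented signature (host, port, user, password, binlog file, binlog position, ssl_encryption).

```sql
-- Added example, not from the original answer. Run on the Aurora replica.
-- Placeholders: host name, password, binlog file name and position.

-- 1. Point the replica at the external source with ssl_encryption=0.
--    Passing 1 here would also wire a client certificate (SOURCE_SSL_CERT /
--    SOURCE_SSL_KEY) into the channel, which RDS cannot supply.
CALL mysql.rds_set_external_source(
  'source.example.internal',     -- placeholder host name
  3306,
  'replication',                 -- the replication user from the question
  'REPLACE_WITH_PASSWORD',       -- placeholder
  'mysql-bin.000001',            -- placeholder binlog file
  4,                             -- placeholder binlog position
  0                              -- ssl_encryption = 0, on purpose
);

-- 2. Require TLS on the replication connection. This must come AFTER step 1,
--    because rds_set_external_source resets Source_SSL_Allowed.
CALL mysql.rds_set_binlog_source_ssl(1);

-- 3. Confirm the channel is configured for TLS before starting it.
--    Expect SSL_ALLOWED = 'Yes' and empty certificate/key columns.
SELECT CHANNEL_NAME, HOST, PORT, USER, SSL_ALLOWED,
       SSL_VERIFY_SERVER_CERTIFICATE, SSL_CA_FILE, SSL_CERTIFICATE, SSL_KEY
FROM performance_schema.replication_connection_configuration;

-- 4. Start replication and check the IO thread came up.
CALL mysql.rds_start_replication;
SHOW REPLICA STATUS;
```

One caveat worth keeping in mind: as the answer explains, mysql.rds_set_binlog_source_ssl maps only to SOURCE_SSL, so the channel is encrypted but the source's certificate is not checked against a CA (SSL_VERIFY_SERVER_CERTIFICATE stays 'No'). Re-run the step 3 query after any later call to mysql.rds_set_external_source, since that call clobbers the setting again.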
-1

Hello,

The stored procedure “mysql.rds_set_external_master” could be used to configure an Aurora MySQL DB instance to be a read replica of an instance of MySQL running external to Amazon RDS.

If the data in the Aurora MySQL DB cluster is not encrypted, the ssl_encryption parameter must be set to 0. If the data is encrypted, the ssl_encryption parameter must be set to 1.

[+] Synchronizing the Amazon Aurora MySQL DB cluster with the external MySQL database - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Migrating.ExtMySQL.S3.html#AuroraMySQL.Migrating.ExtMySQL.S3.RepSync.Synchronizing

You may further check if replication is connected with SSL by using the query below in your primary database :

mysql> SELECT id, user, host, connection_type
       FROM performance_schema.threads pst
       INNER JOIN information_schema.processlist isp
       ON pst.processlist_id = isp.id;

For further information about the behaviour observed by you regarding ssl_encryption, you may reach out to AWS Support with the concerned resource details so that your concerns could be investigated effectively. [+] https://repost.aws/knowledge-center/get-aws-technical-support

Thank You!

AWS
answered 6 months ago
  • If the data in the Aurora MySQL DB cluster is not encrypted, the ssl_encryption parameter must be set to 0. If the data is encrypted, the ssl_encryption parameter must be set to 1.

    This is confusing to me. I thought this ssl_encryption setting is about what gets transferred over the wire, not about what's actually stored at rest.
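A source-side check that builds on the query in the AWS answer, added here as an example and not part of either answer. It narrows the result to the replication user's session and adds the negotiated cipher, so a plaintext replica connection is easy to spot; the account name 'replication' is taken from the question.

```sql
-- Added example, not from the answers above. Run on the SOURCE server.
-- Shows the replica's dump thread, its transport and its TLS cipher.
SELECT t.PROCESSLIST_ID      AS id,
       t.PROCESSLIST_USER    AS user,
       t.PROCESSLIST_HOST    AS host,
       t.PROCESSLIST_COMMAND AS command,          -- 'Binlog Dump' for a replica
       t.CONNECTION_TYPE     AS connection_type,  -- 'SSL/TLS' or 'TCP/IP'
       s.VARIABLE_VALUE      AS ssl_cipher        -- empty when not encrypted
FROM performance_schema.threads t
LEFT JOIN performance_schema.status_by_thread s
       ON s.THREAD_ID = t.THREAD_ID
      AND s.VARIABLE_NAME = 'Ssl_cipher'
WHERE t.PROCESSLIST_USER = 'replication';

-- Defensive guard on the source: make the account refuse plaintext regardless
-- of how the replica was configured. This is what ssl_type = ANY in the
-- question's mysql.user output reflects.
ALTER USER 'replication'@'%' REQUIRE SSL;
```

With the account set to REQUIRE SSL, a replica whose channel ends up with Source_SSL_Allowed: No fails at connect time rather than silently replicating in the clear, which is the failure mode the question is really about.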
