Support for TLS 1.3 in Group Replication

In MySQL 8.0.18, we enhanced the Group Communication System (GCS) layer used by Group Replication (GR) with the ability to use and configure member-to-member connections using TLS v1.3. Therefore, you can secure further your system’s communication with the latest security algorithms.

Motivation and Internals

With the advent of TLS 1.3 in OpenSSL 1.1.1, there was the need to add extra variables and fields to MySQL in order to configure it. Thus, TLS Cipher Suites concept ( configurable via tls_ciphersuites ) comes to existence for TLS v1.3 and beyond, because this new protocol version it is backward-incompatible with all previous versions. This variable will determine which the TLS 1.3 Ciphers each node supports during the negotiation phase. TLS Cipher List ( configurable via ssl_cipher ) is still used but for legacy versions of TLS.

Since GCS/XCom maintains its own communication layer, one needs to pass on those new configuration parameters to the GCS/XCom layer. Note that this change does not affect the Group Replication Recovery process. It only regards GR’s internal communication stack.

Configuration

Group Replication piggybacks SSL configurations from the server where it runs. If the server is already configured to run with SSL, you just need to enable group_replication_ssl_mode. An example full configuration could be:

[mysqld] 
ssl_ca = "cacert.pem"
ssl_capath = "/.../ca_directory"
ssl_cert = "server-cert.pem"
ssl_cipher = "DHE-RSA-AEs256-SHA"
ssl_crl = "crl-server-revoked.crl"
ssl_crlpath = "/.../crl_directory"
ssl_key = "server-key.pem"
group_replication_ssl_mode= REQUIRED

Not that you did not configure tls_version . Its default value is to list all available TLS protocols. It is enough to get you up and running! All of this is documented here .

To use TLS v1.3 in communication channels inside the group, make sure that you have your server running at least with OpenSSL 1.1.1, leave tls_version and  tls_ciphersuites blank and your group will be configured to run with TLS v1.3! The GR plugin will learn this configuration option and configure itself accordingly. Here, the default value is enough for you to get started. An example configuration could be:

[mysqld] 
ssl_ca = "cacert.pem"
ssl_capath = "/.../ca_directory"
ssl_cert = "server-cert.pem"
ssl_cipher = "DHE-RSA-AEs256-SHA"
ssl_crl = "crl-server-revoked.crl"
ssl_crlpath = "/.../crl_directory"
ssl_key = "server-key.pem"
group_replication_ssl_mode= REQUIRED
tls_version = TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 // Example: this is the default value
tls_ciphersuites= // Example: this is the default value

Considerations

OpenSSL contains a protocol and cipher handshake part when it establishes a connection. This means that will take care of the negotiation and make sure that everyone speaks the best available protocol if properly configured. One needs to take extra care when performing Group Replication rolling Upgrades and Downgrades.

If a node that supports TLS v1.3 wants to join a group that only speaks, at maximum, TLS 1.2, which is the previously supported version, it must enter the group making sure that it has protocols under 1.3 supported and configured. This is achieved by leaving tls_version blank in all nodes. Older nodes will have  tls_version = TLSv1,TLSv1.1,TLSv1.2 as value and the new node will have  tls_version=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 .  Then, just add the new node to the group.

In the same way, if an old node wants to join a group that only speaks TLS 1.3 (variable configured with  tls_version=TLSv1.3 ), one needs to configure the group to make it support previous versions of the TLS protocol. Again, just leave it for OpenSSL and MySQL to take care of it for you! This is achieved again by leaving tls_version blank in all nodes. Nodes already in the group will have  tls_version = TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 as value and the old node trying to join the group will have  tls_version=TLSv1,TLSv1.1,TLSv1.2 . Perform a rolling restart of the group and then you can add old nodes at will.

Conclusion

In MySQL 8.0.18, we added to GR the ability to configure a group using TLS v1.3. For more information regarding this feature go and check the official documentation . Please, try this new feature and let us know about any feedback you have!

108 total views, 108 views today