maria-discuss team mailing list archive

Thread
Date

Re: Doubt - replication and ssh/ssl

To: maria-discuss@xxxxxxxxxxxxxxxxxxx
From: Reindl Harald <h.reindl@xxxxxxxxxxxxx>
Date: Wed, 19 Feb 2014 15:15:47 +0100
In-reply-to: <CAH3kUhGsw2kOpTS6tVH9+FEXrJDJYWRWNmg2oVeWnQVE80oaWQ@mail.gmail.com>
Openpgp: id=7F780279; url=http://arrakis.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt
Organization: the lounge interactive design
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0


Am 19.02.2014 14:10, schrieb Roberto Spadim:
> What is better (better = more secure, and with good compression), a ssh tunnel, 
> or a native mariadb ssl connection between master/slave replication 
> mariadb servers?

both combined - any replication here is using mysql-ssl-encryption, even
between VM's on the same host because they may be splitted to different
hosts in case of VMotion

since i would never ever have listen MariaDB/MySQL the ssh-tunnel is
mandatory in any case or better if possible OpenVPN because the
encryption and HMAC-authentication of OpenVPN improves security
dramatical

_____________________________________

have fun try to break that tunnel, you need the "ta.key" to even get any
package accepted, then ca.crt and client.crt and need to break DHE-AES

and since it's easy to setup MySQL replication with SSL *inside* that
tunnel it get wrapped - until today nobody on this planet can break
that all at once without a rootkit on the involved machines

Tue Feb 18 22:10:15 2014 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Tue Feb 18 22:10:15 2014 Diffie-Hellman initialized with 4096 bit key
Tue Feb 18 22:10:15 2014 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC
authentication
Tue Feb 18 22:10:15 2014 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC
authentication
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC
authentication
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC
authentication
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096
bit RSA

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Doubt - replication and ssh/ssl
From: Roberto Spadim, 2014-02-19

References

Doubt - replication and ssh/ssl
From: Roberto Spadim, 2014-02-19