maria-discuss team mailing list archive

Re: Doubt - replication and ssh/ssl

 

nice, i will try a vpn. do you think i need ssl + vpn, or does just a vpn give
good security and good compression? the link is very poor (satellite with
very high delay, ~1 second or more)


2014-02-19 11:15 GMT-03:00 Reindl Harald <h.reindl@xxxxxxxxxxxxx>:

>
>
> On 19.02.2014 14:10, Roberto Spadim wrote:
> > What is better (better = more secure, and with good compression), an ssh tunnel,
> > or a native mariadb ssl connection between master/slave replication
> > mariadb servers?
>
> both combined - any replication here is using mysql-ssl-encryption, even
> between VMs on the same host because they may be split to different
> hosts in case of VMotion
>
> since i would never ever have MariaDB/MySQL listen, the ssh-tunnel is
> mandatory in any case, or better, if possible, OpenVPN because the
> encryption and HMAC-authentication of OpenVPN improves security
> dramatically
>
> _____________________________________
>
> have fun trying to break that tunnel, you need the "ta.key" to even get any
> package accepted, then ca.crt and client.crt, and need to break DHE-AES
>
> and since it's easy to set up MySQL replication with SSL *inside* that
> tunnel it gets wrapped - until today nobody on this planet can break
> that all at once without a rootkit on the involved machines
>
> Tue Feb 18 22:10:15 2014 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
> Tue Feb 18 22:10:15 2014 Diffie-Hellman initialized with 4096 bit key
> Tue Feb 18 22:10:15 2014 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Tue Feb 18 22:10:15 2014 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
> Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
> Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
>


-- 
Roberto Spadim
SPAEmpresarial
Eng. Automação e Controle
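
One way to check the parameters shown in the quoted OpenVPN log against a minimum policy, as an added example that is not part of the original thread. The log lines are the ones quoted above with the e-mail line wraps rejoined; the `POLICY` minimums and the function names are assumptions of this example.

```python
import re

# Log lines from the OpenVPN output quoted in the thread, line wraps rejoined.
SAMPLE_LOG = """\
Tue Feb 18 22:10:15 2014 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Tue Feb 18 22:10:15 2014 Diffie-Hellman initialized with 4096 bit key
Tue Feb 18 22:10:15 2014 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 18 22:10:15 2014 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
"""

# Assumed minimum bit sizes for this example; adjust to local policy.
POLICY = {"dh": 2048, "control_hmac": 256, "data_cipher": 256, "data_hmac": 256, "tls_rsa": 2048}

PATTERNS = {
    "dh": r"Diffie-Hellman initialized with (\d+) bit key",
    "control_hmac": r"(?:Outgoing|Incoming) Control Channel Authentication: Using (\d+) bit message hash",
    "data_cipher": r"Data Channel (?:Encrypt|Decrypt): Cipher '[^']+' initialized with (\d+) bit key",
    "data_hmac": r"Data Channel (?:Encrypt|Decrypt): Using (\d+) bit message hash",
    "tls_rsa": r"Control Channel: \S+, cipher \S+ \S+, (\d+) bit RSA",
}

def negotiated(log):
    """Return {check: [bit sizes seen]} for every parameter line in the log."""
    seen = {name: [] for name in PATTERNS}
    for line in log.splitlines():
        for name, pat in PATTERNS.items():
            m = re.search(pat, line)
            if m:
                seen[name].append(int(m.group(1)))
    return seen

def audit(log, policy=POLICY):
    """Return a list of findings; an empty list means the log meets the policy."""
    findings = []
    for name, sizes in negotiated(log).items():
        if not sizes:
            findings.append(f"{name}: not seen in log")
        elif min(sizes) < policy[name]:
            findings.append(f"{name}: {min(sizes)} bit is below minimum {policy[name]}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG) or "log meets policy")
```

A parameter that never appears in the log is reported as a finding rather than silently passing, so a log without the HMAC control-channel lines fails the check.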
