
maria-discuss team mailing list archive

Re: Doubt - replication and ssh/ssl


Nice, no problem, I don't need crypto outside the VPN. I will test and reply
with any news :)
Thanks, guy


2014-02-19 13:20 GMT-03:00 Reindl Harald <h.reindl@xxxxxxxxxxxxx>:

> Depends; for the WAN a VPN is enough.
> OpenVPN supports compression:
>
> # Enable compression on the VPN link
> # If you enable it here, you must also
> # enable it in the client config file
> comp-lzo
>
> but keep in mind that the link between MySQL and the VPN
> server itself is unencrypted, so if you need end-to-end
> encryption for security reasons use both
>
> However, MySQL supports compression for replication natively:
>
> http://dev.mysql.com/doc/refman/5.0/en/replication-options-slave.html
>
> --slave_compressed_protocol={0|1}
> Command-Line Format     --slave_compressed_protocol
> Option-File Format      slave_compressed_protocol
> System Variable Name    slave_compressed_protocol
> Variable Scope          Global
> Dynamic Variable        Yes
> Permitted Values
>   Type                  boolean
>   Default               OFF
>
> If this option is set to 1, use compression for the slave/master protocol
> if both the slave and the master support it. The default is 0 (no compression).
>
> On 19.02.2014 17:16, Roberto Spadim wrote:
> > Nice, I will try a VPN. Do you think I need SSL + VPN, or does just a VPN give
> > good security and good compression? The link is very poor (satellite with very
> > high delay, ~1 second or more).
> >
> > 2014-02-19 11:15 GMT-03:00 Reindl Harald <h.reindl@xxxxxxxxxxxxx>:
> >
> >     On 19.02.2014 14:10, Roberto Spadim wrote:
> >     > What is better (better = more secure, and with good compression): an SSH tunnel,
> >     > or a native MariaDB SSL connection between master/slave replication
> >     > MariaDB servers?
> >
> >     both combined - any replication here is using mysql-ssl-encryption, even
> >     between VMs on the same host, because they may be split to different
> >     hosts in case of VMotion
> >
> >     since I would never ever have MariaDB/MySQL listening, the SSH tunnel is
> >     mandatory in any case, or better, if possible, OpenVPN, because the
> >     encryption and HMAC authentication of OpenVPN improve security
> >     dramatically
> >
> >     _____________________________________
> >
> >     have fun trying to break that tunnel: you need the "ta.key" to even get any
> >     packet accepted, then ca.crt and client.crt, and you need to break DHE-AES
> >
> >     and since it's easy to set up MySQL replication with SSL *inside* that
> >     tunnel, it gets wrapped - until today nobody on this planet can break
> >     all of that at once without a rootkit on the involved machines
> >
> >     Tue Feb 18 22:10:15 2014 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
> >     Tue Feb 18 22:10:15 2014 Diffie-Hellman initialized with 4096 bit key
> >     Tue Feb 18 22:10:15 2014 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> >     Tue Feb 18 22:10:15 2014 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
> >     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> >     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
> >     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
> >     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
> >     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Roberto Spadim
SPAEmpresarial
Eng. Automação e Controle
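As an added example (not code from the thread), this is the replication-side SSL and compression setup that the reply above says is easy to run *inside* the VPN tunnel, so master/slave traffic stays encrypted between the database servers themselves and not only across the VPN hop. The master address 10.8.0.1, the 10.8.0.0/24 VPN subnet, the user `repl`, the password placeholder and the certificate paths are assumptions; the master is assumed to already have ssl-ca, ssl-cert and ssl-key configured in its my.cnf.

```sql
-- On the master: a replication account usable only over an encrypted
-- connection and only from the VPN subnet (10.8.0.0/24 is assumed).
-- Without REQUIRE SSL, a misconfigured slave could still log in in clear text.
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.8.0.%'
  IDENTIFIED BY 'replace-with-a-long-random-password'
  REQUIRE SSL;

-- On the slave: connect to the master's VPN address (assumed 10.8.0.1) with SSL.
-- MASTER_SSL=1 only encrypts; MASTER_SSL_VERIFY_SERVER_CERT=1 additionally makes
-- the slave check the master certificate's identity against the host it
-- connected to, so a host that merely presents some certificate cannot pose
-- as the master. Certificate paths are assumptions.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST='10.8.0.1',
  MASTER_USER='repl',
  MASTER_PASSWORD='replace-with-a-long-random-password',
  MASTER_SSL=1,
  MASTER_SSL_CA='/etc/mysql/ssl/ca.pem',
  MASTER_SSL_CERT='/etc/mysql/ssl/slave-cert.pem',
  MASTER_SSL_KEY='/etc/mysql/ssl/slave-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT=1;

-- Compression from the thread's --slave_compressed_protocol. The variable is
-- dynamic, so no restart is needed; also put slave_compressed_protocol=1 in
-- the slave's my.cnf so the setting survives a restart.
SET GLOBAL slave_compressed_protocol=1;
START SLAVE;

-- Verify: Master_SSL_Allowed and Master_SSL_Verify_Server_Cert must both read
-- Yes, and Slave_IO_Running / Slave_SQL_Running must both be Yes.
SHOW SLAVE STATUS\G
```

If the slave's certificate was issued by a CA the master does not trust, or the master certificate's name does not match MASTER_HOST, the I/O thread fails to connect and Last_IO_Error in SHOW SLAVE STATUS reports the SSL error instead of silently falling back to clear text.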
