Information
Mutual TLS (also called two-way TLS) extends TLS by requiring both parties to authenticate each other when establishing a connection. In addition to the server presenting its certificate, the client must present its own certificate so the server can authenticate the client.
Rationale:
By requiring the client to authenticate to the server (in this case, the REPLICA to authenticate to the PRIMARY), the server (PRIMARY) prevents unauthorized clients (REPLICAs) from performing replication.
Impact:
The REPLICA will need to have TLS enabled to support mutual TLS.
Solution
To remediate this setting, you must run the CHANGE MASTER TO command on the REPLICA with MASTER_SSL_CERT and MASTER_SSL_KEY set to the paths for the REPLICA's certificate and private key files.
For example, run:
STOP REPLICA; -- required if replication was already running
CHANGE MASTER TO
MASTER_SSL_CERT='/etc/mysql/mariadb.conf.d/certificates/server-cert.pem',
MASTER_SSL_KEY='/etc/mysql/mariadb.conf.d/certificates/server-key.pem';
START REPLICA; -- required if you want to restart replication
If the PRIMARY does not yet require your replication users to present X.509 certificates, use the ALTER USER command with REQUIRE X509 (optionally narrowed with REQUIRE SUBJECT and/or REQUIRE ISSUER) on each account needing remediation.
For example, run:
ALTER USER <replication user> REQUIRE X509;
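As an added example (not part of the original page), the PRIMARY-side and REPLICA-side statements together with the audit queries that confirm the setting took effect. The account name, certificate subjects and file paths are constructed assumptions; substitute your own.

```sql
-- ===== On the PRIMARY =====
-- 'repl'@'192.0.2.%' is a constructed example replication account.
CREATE USER IF NOT EXISTS 'repl'@'192.0.2.%' IDENTIFIED BY '<strong password>';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.0.2.%';

-- Require a client certificate, pinned to the replica's subject and to the
-- internal CA that issued it (subject/issuer strings are assumptions).
ALTER USER 'repl'@'192.0.2.%'
  REQUIRE SUBJECT '/CN=replica01.example.internal'
      AND ISSUER  '/CN=Internal Replication CA';

-- Audit: ssl_type must be X509 or SPECIFIED for every replication account.
-- An empty string or ANY means the PRIMARY is not authenticating the client.
SELECT user, host, ssl_type, x509_issuer, x509_subject
  FROM mysql.user
 WHERE user = 'repl';

-- ===== On the REPLICA =====
STOP REPLICA;
CHANGE MASTER TO
  MASTER_SSL                    = 1,
  MASTER_SSL_CA                 = '/etc/mysql/ssl/ca-cert.pem',      -- assumed path
  MASTER_SSL_CERT               = '/etc/mysql/ssl/replica-cert.pem', -- assumed path
  MASTER_SSL_KEY                = '/etc/mysql/ssl/replica-key.pem',  -- assumed path
  MASTER_SSL_VERIFY_SERVER_CERT = 1;  -- replica also authenticates the PRIMARY
START REPLICA;

-- Audit: in the output, Master_SSL_Allowed should be Yes, Master_SSL_Cert and
-- Master_SSL_Key should hold the paths above, and Slave_IO_Running should be
-- Yes (it stays No if the PRIMARY rejected the client certificate).
SHOW REPLICA STATUS;
```

If the PRIMARY's certificate requirement is added before the REPLICA is reconfigured, the IO thread will fail to connect; Last_IO_Error in SHOW REPLICA STATUS reports the access denial, which is the expected signal that the control is enforced.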
Default Value:
Disabled.