Hello everyone!

I'm attempting to set up MySQL replication with SSL encryption, and while I'm beginning to close in on the solution, there's one aspect of the process that I can't wrap my brain around relating to the way MySQL uses SSL.

According to the documentation on MySQL 5.0 (setting up SSL for client/server and setting up SSL for replication), the SSL connection can involve up to five pieces of information: the CA cert, the master's signed public and private keys, and the slave's signed public and private keys. What I don't understand is the need for these five components. My understanding of SSL (gleaned from the Wikipedia entry) is that SSL generally requires only three pieces: the CA certificate (shared by server and client), the server's public key (sent to the client, validated against the CA cert, and used to encrypt / decrypt communication to the server), and the server's private key (kept by the server and used to encrypt / decrypt communication to the client).

So why in the MySQL replication SSL solution does the slave also have a public/private key pair signed against the same CA cert as the master's public/private key pair?

+2  A: 

Both sides of the replication link have to deem the other end trustworthy.

Jan Jungnickel
+4  A: 

Actually that's only three certificates. However each SSL certificate comprises two keys - the public key and the private key.

The server and the client can each use the fact that the other party's public key has been signed by the CA's private key to prove to each other that they're who they say they are.

The CA itself also has a public key and a private key, but in the case where you've obtained the SSL certificates from a third party you never get to see their private key.

Alnitak
+2  A: 

This is for mutual authentication. The slave needs to prove to the master its identity and the master needs to prove its identity to the slave.

Edit: A certificate only contains a public key. (The private key is stored in the machine's Cryptographic Service Provider (CSP).) It's therefore 5 keys, and 3 certificates.

Jeroen Landheer
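To make the three-certificates / five-files relationship from the two answers above concrete, here is an added example (not from the original thread or from MySQL itself) that builds a replication CA, a master key pair and a slave key pair with the openssl CLI, then checks that both peer certificates chain to the same CA. File names, subjects and the work directory are hypothetical; only the CA certificate is needed to verify either side, which is exactly what mutual authentication relies on.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
set -e

# Creates the five PEM files from the question plus the CA's own private key:
#   ca.pem (shared), master-cert.pem / master-key.pem, slave-cert.pem / slave-key.pem
# Mapping to MySQL 5.0 settings (hypothetical file names):
#   master my.cnf:    ssl-ca=ca.pem  ssl-cert=master-cert.pem  ssl-key=master-key.pem
#   slave CHANGE MASTER TO ... MASTER_SSL=1, MASTER_SSL_CA='ca.pem',
#                              MASTER_SSL_CERT='slave-cert.pem', MASTER_SSL_KEY='slave-key.pem'
make_replication_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. The CA: self-signed certificate plus the CA private key. A third-party
    #    CA keeps ca-key.pem to itself; the peers only ever need ca.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
        -subj "/CN=replication-ca" 2>/dev/null
    # 2./3. Master and slave each get their own private key and a CSR; the CA
    #       signs the CSR, producing a certificate that carries only the public key.
    for host in master slave; do
        openssl req -newkey rsa:2048 -nodes \
            -keyout "$dir/$host-key.pem" -out "$dir/$host.csr" \
            -subj "/CN=$host" 2>/dev/null
        openssl x509 -req -in "$dir/$host.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
            -days 365 -out "$dir/$host-cert.pem" 2>/dev/null
    done
}

# What each side does with the other's certificate: check that it was signed by
# the CA whose certificate both sides hold. Returns 0 on success, 1 otherwise.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: make_replication_pki ./pki && verify_against_ca ./pki/ca.pem ./pki/slave-cert.pem
```

Verifying the slave certificate against the master certificate instead of ca.pem fails, which shows why the slave's key pair must be signed by the same CA the master trusts rather than by the master.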