Starting with version 0.8.2, the Galera library supports SSL for encryption of replication traffic. It is a cluster-wide option and must be enabled either on all of the nodes or on none at all. To use it, a private certificate/key pair should be generated for the cluster, for example by the following command:
$ openssl req -new -x509 -days 365000 -nodes -keyout key.pem -out cert.pem
Take note of the -days parameter. Contrary to many SSL examples on the web, it is crucial to generate a pair that is valid for a very long time. When the certificate expires, there will be no way to update the cluster without a complete shutdown.
Then copy this pair to all of the nodes and put it into use by specifying the following Galera options:
socket.ssl_cert = <path_to_cert_file>; socket.ssl_key = <path_to_key_file>
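The procedure above (generate a long-lived pair, verify it, hand the paths to Galera) as a small POSIX shell script. This is an added example, not part of the Galera documentation or code base; the directory argument and the "/CN=galera-cluster" subject are assumptions made for the example, and the validity check uses openssl's own -checkend option to catch a pair that was generated with too short a lifetime before it is distributed to the nodes.

```shell
#!/bin/sh
# Added example (not Galera's own tooling): create the cluster's cert/key pair,
# confirm it will not expire for a long time, and print the Galera options.

# Generate an unencrypted key (-nodes, as in the documented command) and a
# self-signed certificate valid for $2 days (default 365000, as on the page).
# The output directory $1 and the subject name are assumptions for this example.
generate_galera_pair() {
  dir="$1"
  days="${2:-365000}"
  mkdir -p "$dir"
  openssl req -new -x509 -days "$days" -nodes -subj "/CN=galera-cluster" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Return 0 if the certificate $1 is still valid $2 seconds from now.
# A pair that fails this check would force a full cluster shutdown when it expires.
cert_valid_for() {
  openssl x509 -checkend "$2" -noout -in "$1" >/dev/null
}

# Print the option string for the pair in the form Galera expects.
galera_ssl_options() {
  printf 'socket.ssl_cert=%s;socket.ssl_key=%s\n' "$1/cert.pem" "$1/key.pem"
}

# Usage: sh galera_ssl.sh /etc/mysql/ssl   (the path is an example)
# Only prints the options if the pair is still valid ten years from now.
if [ -n "${1:-}" ]; then
  generate_galera_pair "$1"
  cert_valid_for "$1/cert.pem" 315360000 && galera_ssl_options "$1"
fi
```

Run the script once, then copy the resulting cert.pem and key.pem to every node (the files must be identical cluster-wide) and paste the printed string into the node's Galera provider options.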
Other SSL configuration parameters include socket.ssl_cipher. See Galera parameters for details.
Galera SSL support covers only Galera communication. Since state snapshot transfer happens outside of Galera, separate care should be taken to protect it, e.g. by using the internal SSL support in the MySQL client or the stunnel program to protect