44 changes: 44 additions & 0 deletions enable-tls-between-components.md
Expand Up @@ -228,6 +228,50 @@ To verify the caller's identity for a component, you need to mark the certificat
cert-allowed-cn = ["tiproxy", "tidb", "test-client", "prometheus"]
```

## Validating TLS between TiDB components

After configuring TLS for communication between TiDB components, you can use the following commands to verify that TLS has been successfully enabled:

- TiDB

The following command will print out the certificate configured for TiDB and the SSL handshake details.

```sh
openssl s_client -connect <tidb_host>:10080 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
```

- PD

The following command will print out the certificate configured for PD and the SSL handshake details.

```sh
openssl s_client -connect <pd_host>:2379 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
```

- TiKV

The following command will print out the certificate configured for TiKV and the SSL handshake details.

```sh
openssl s_client -connect <tikv_host>:20160 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
```

- TiFlash (New in v4.0.5)

The following command will print out the certificate configured for TiFlash and the SSL handshake details.

```sh
openssl s_client -connect <tiflash_host>:<tiflash_port> -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
```

- TiProxy

The following command will print out the certificate configured for TiProxy and the SSL handshake details.

```sh
openssl s_client -connect <tiproxy_host>:3080 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
```
Comment on lines +233 to +273

low

To improve clarity and reduce repetition, you can consolidate the descriptive text for each component into a single introductory sentence. This makes the section more concise and easier to read.¹

After configuring TLS for communication between TiDB components, you can use the following commands to verify that TLS has been successfully enabled. These commands print the certificate and SSL handshake details for each component.

- TiDB

    ```sh
    openssl s_client -connect <tidb_host>:10080 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
    ```

- PD

    ```sh
    openssl s_client -connect <pd_host>:2379 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
    ```

- TiKV

    ```sh
    openssl s_client -connect <tikv_host>:20160 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
    ```

- TiFlash (New in v4.0.5)

    ```sh
    openssl s_client -connect <tiflash_host>:<tiflash_port> -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
    ```

- TiProxy

    ```sh
    openssl s_client -connect <tiproxy_host>:3080 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null
    ```

Style Guide References

Footnotes

  1. Avoid unnecessary words and repetition.


## Reload certificates

- If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, TiProxy, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster.
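Review bot: the five `openssl s_client` commands added in this hunk (lines +233 to +273) tell the reader what will be printed but not which part of that output actually shows that TLS is working, and `openssl s_client` completes the handshake and exits 0 even when it cannot verify the server certificate against the file given to `-CAfile`, so a reader who runs these commands as written may take a failed verification for a successful one. Suggest adding one sentence after the introductory paragraph, for example `In the output, check for the line "Verify return code: 0 (ok)". Any other return code means the server certificate could not be verified against the CA certificate.` Alternatively, append `-verify_return_error` to each command so that the connection is aborted on a verification error instead of continuing. Two smaller consistency points in the same lines: the placeholders mix `/path/to/client.pem` and `/path/to/client-key.pem` with `./ca.crt`, so `-CAfile /path/to/ca.crt` would match the other paths; and the TiFlash command uses `<tiflash_port>` while every other component lists a concrete port, so either name the port the reader should use or say which TiFlash configuration item it is taken from.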