On Tue, 2023-10-31 at 23:09 +0100, Hartmut Holzgraefe via discuss wrote:
On 31.10.23 22:45, Nick Lockheart via discuss wrote:

How can I get verbose messages about what is happening with TLS (why is
it being rejected)?

Unfortunately your best options are either to capture the initial TLS
dialog packets and to analyze them with Wireshark, or to use the
OpenSSL s_client tool to emulate a mysql protocol connection trying
to switch to TLS:

see e.g.: https://serverfault.com/a/931652


One thing that makes this particularly frustrating is that when `require_secure_transport = on` is set on the master, I can still login remotely to the master computer from the slave computer manually, using the same replication user:

mariadb -h masterdomain.com -P 3306 -p'secret' -u rep_slave -v
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 191
Server version: 10.5.21-MariaDB-0+deb11u1-log Debian 11

And it appears that TLS is working:

MariaDB [(none)]> SHOW SESSION STATUS LIKE 'Ssl_cipher';

+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| Ssl_cipher    | TLS_AES_256_GCM_SHA384 |
+---------------+------------------------+
1 row in set (0.023 sec)


But meanwhile, in the logs, I'm still seeing:

"Access denied for user 'rep_slave'@'domain.com' (using password: YES)"

So it seems like TLS does work for the replication user, too, if I log in manually from the command line (on the remote machine), but the same user fails (when TLS is enforced) as the automated replication slave user.
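As an added example (not part of the thread), these are the checks I would run on both servers to compare what the interactive client negotiates with what the replication I/O thread negotiates; the account name comes from the thread, while the `'%'` host pattern and the CA path `/etc/mysql/ssl/ca.pem` are placeholders to be replaced with the real ones.

```sql
-- === On the master ===

-- Confirm the global setting and that the *current* session is on TLS.
-- The interactive mariadb client negotiates TLS by itself when the server
-- offers it, which is why the manual login from the slave host succeeds.
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Does the replication account itself require TLS, independent of the
-- global setting? An empty ssl_type means "no per-account requirement".
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'rep_slave';
SHOW GRANTS FOR 'rep_slave'@'%';   -- host pattern is a placeholder

-- Defence in depth: make the account itself refuse cleartext, so a later
-- change to require_secure_transport cannot silently downgrade it.
ALTER USER 'rep_slave'@'%' REQUIRE SSL;

-- === On the slave ===

-- The replication I/O thread does NOT negotiate TLS on its own: it only
-- uses TLS when MASTER_SSL was set in CHANGE MASTER TO. Compare the
-- Master_SSL_Allowed and Last_IO_Error columns with what the manual
-- login showed above.
SHOW SLAVE STATUS;

-- Switch the replication connection to TLS and verify the master's cert.
-- The CA path is a placeholder; point it at the CA that signed the
-- master's server certificate.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- Slave_IO_Running should now be Yes and Last_IO_Error empty;
-- Master_SSL_Allowed should read Yes.
SHOW SLAVE STATUS;
```

Run the master-side queries from the same manual session that showed `TLS_AES_256_GCM_SHA384`, so the comparison is between a known-TLS session and the replication thread rather than between two unknowns.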