Yes, I'm referring to the connection from proxysql to MySQL pxc cluster node. For reference our configuration:
f5 vip for read which hits a proxysql on port 3306 routed to read nodes via port 3306
f5 vip for write which hits a proxysql on port 3307 routed to write node via port 3306
All three nodes have tls_version | TLSv1.2 and ALTER INSTANCE RELOAD TLS; was run on each node.
Here is the query we use against a MySQL node to determine what tls protocol is being used:
-- Count the open connections on this node grouped by the TLS protocol they negotiated
SELECT sbt.variable_value AS tls_version,
       Count(sbt.variable_value) AS Total
FROM performance_schema.status_by_thread AS sbt
JOIN performance_schema.threads AS t
  ON t.thread_id = sbt.thread_id
JOIN performance_schema.status_by_thread AS t2
  ON t2.thread_id = t.thread_id
WHERE sbt.variable_name = 'Ssl_version'     -- per-thread protocol (TLSv1.2 / TLSv1.3)
  AND t2.variable_name = 'Ssl_cipher'       -- only threads that also report a cipher
  AND sbt.variable_value LIKE 'TLS%'        -- skip non-TLS connections (empty Ssl_version)
GROUP BY sbt.variable_value;
Here is the result of the query, with hostnames redacted, for all three nodes in our cluster:
node 1 : tls_version Total TLSv1.2 84 <-- read node
node 2 : tls_version Total TLSv1.2 75 <-- read node
node 3 : tls_version Total TLSv1.3 261 TLSv1.2 59 <-- write node
I did the following tests before I made the configuration change to force the nodes to TLS 1.2.
1. mysql client connect directly to host; confirm it was using TLS 1.3.
2. mysql client connect to host via proxysql; confirm it was using TLS 1.3.
3. Set variable and do ALTER to force use of TLS 1.2 (all nodes).
4. mysql client connect directly to host; confirm it was using TLS 1.2.
5. mysql client connect to host via proxysql; confirm it was using TLS 1.3.
6. Request bounce of user applications; found both TLS 1.2 and 1.3 connections as shown above.
7. On one of the proxysql hosts, killed the oldest connections in stats_mysql_processlist.
8. Reran the query and found no change; same numbers of TLS 1.2 and TLS 1.3 connections as shown above.
Do we need to bounce both proxysql and/or the PXC nodes to get this forced to use TLS 1.2?
Thanks
John
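Added example, not from John's post: a per-connection variant of the query above that also shows the account, client host and cipher of each TLS session, so the remaining TLSv1.3 sessions on the write node can be traced to the proxysql host that still holds them in its pool. It assumes MySQL/PXC 8.0 performance_schema column names.

```sql
-- Added example (not part of the original post): list every open TLS connection
-- with its negotiated protocol, cipher and the account/host that owns it.
-- Assumes the MySQL 8.0 performance_schema.threads / status_by_thread layout.
SELECT t.processlist_id      AS conn_id,
       t.processlist_user    AS account_user,
       t.processlist_host    AS client_host,      -- proxysql host:port for pooled backends
       t.processlist_time    AS secs_in_state,    -- time in current command, not connection age
       ver.variable_value    AS tls_version,
       ciph.variable_value   AS tls_cipher
FROM performance_schema.threads AS t
JOIN performance_schema.status_by_thread AS ver
  ON ver.thread_id = t.thread_id
 AND ver.variable_name = 'Ssl_version'
JOIN performance_schema.status_by_thread AS ciph
  ON ciph.thread_id = t.thread_id
 AND ciph.variable_name = 'Ssl_cipher'
WHERE t.type = 'FOREGROUND'                -- client connections only, no background threads
  AND ver.variable_value LIKE 'TLS%'       -- drop non-TLS sessions (empty Ssl_version)
ORDER BY tls_version, client_host, conn_id;
```

Sessions that show TLSv1.3 after the tls_version change and ALTER INSTANCE RELOAD TLS were negotiated before the change; the reload only affects handshakes that happen afterwards, so a connection kept alive by a pool keeps its original protocol until it is closed and reopened.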