From 9799cfdb2b8ecd54b1c97b8f2182d35780065ee9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Thu, 23 Aug 2018 08:57:58 +0300 Subject: [PATCH] MXS-1735: Clarify differences between MaxScale and server The server allows both unencrypted and encrypted connections on the same port. MaxScale only allows either encrypted or unencrypted connections. The differences as well as the reasoning for this need to be documented. --- .../Getting-Started/Configuration-Guide.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index 8e0abb874..22f0100d9 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md @@ -1390,8 +1390,20 @@ to `required` and provide the three files for `ssl_cert`, `ssl_key` and After this, MaxScale connections between the server and/or the client will be encrypted. Note that the database must be configured to use TLS/SSL connections -if backend connection encryption is used. When client-side encryption is -enabled, only encrypted connections to MaxScale can be created. +if backend connection encryption is used. + +**Note:** MaxScale does not allow mixed use of TLS/SSL and normal connections on + the same port. + +If TLS encryption is enabled for a listener, any unencrypted connections to it +will be rejected. MaxScale does this to improve security by preventing +accidental creation on unencrypted connections. + +The separation of secure and insecure connections differs from the MariaDB +server which allows both secure and insecure connections on the same port. As +MaxScale is the gateway through which all connections go, in order to guarantee +a more secure system MaxScale enforces a stricter security policy than what the +server does. #### `ssl`
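Review bot: in the added paragraph beginning "If TLS encryption is enabled for a listener", the phrase "preventing accidental creation on unencrypted connections" should read "of unencrypted connections". As written, it reads as if something is created on top of an unencrypted connection, which obscures the security rationale this patch is meant to document. Two smaller points in the same hunk. The continuation line of the "**Note:**" paragraph ("the same port.") starts with a stray leading space that the surrounding paragraphs do not have. The closing sentence, "enforces a stricter security policy than what the server does", would read more cleanly as "than the server does". Since the note says mixed use is not allowed "on the same port", consider adding one sentence telling operators who need both encrypted and unencrypted clients what to do instead, so that they do not respond to rejected connections by turning TLS off on the listener.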