Re: Syncrepl SSL fail
Quanah Gibson-Mount wrote:
> --On October 13, 2011 10:43:55 AM -0700 Josh Miller
>
>> On Oct 13, 2011, at 10:29 AM, Quanah Gibson-Mount wrote:
>>
>>> I don't see any of the tls_* options to the syncrepl configuration here.
>>> Likely the syncrepl client is unable to verify the master's cert. I
>>> would note that using refreshOnly is ill-advised.
>>
>> Why is RefreshOnly ill-advised? That is the recommendation in the docs
>> (very timely as I just set this up again myself).
>
> The admin guide has examples, not recommendations. In any case, I fully
> intend to change those examples to be refreshAndPersist so people stop
> defaulting to refreshOnly. It is not always reliable, and you
> significantly delay your replication by using it.

Of course, it may be the only thing that works reliably if you have a firewall
that silently kills old connections.
The examples should stand as-is. We cannot predict what environment it's going
to be deployed in. It's up to administrators to use their brains and know
these details of their network.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
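
An added example, not part of the thread and not OpenLDAP project code: a small Python check that parses a slapd.conf syncrepl stanza and reports the points raised above (missing tls_* options, refreshOnly, and refreshAndPersist with no keepalive for the firewall case). The sample stanza, with its host name, DNs and password, is constructed, and the function names are this example's own.

```python
import shlex

# Constructed sample: host name, DNs and password are placeholders.
SAMPLE = """\
syncrepl rid=001
  provider=ldaps://master.example.com
  type=refreshOnly
  interval=00:00:05:00
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=placeholder
"""

def parse_syncrepl(text):
    """Return one {option: value} dict per syncrepl directive in slapd.conf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # leading whitespace continues a directive
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return [{k.lower(): v for k, _, v in (w.partition("=") for w in shlex.split(l)[1:])}
            for l in logical if l.split()[0].lower() == "syncrepl"]

def review(stanza):
    """Return review notes for one parsed syncrepl stanza."""
    notes = []
    starttls = stanza.get("starttls", "").lower()
    if stanza.get("provider", "").lower().startswith("ldaps://") or starttls:
        if "tls_cacert" not in stanza and "tls_cacertdir" not in stanza:
            notes.append("no tls_cacert/tls_cacertdir: provider certificate is "
                         "verified only if a CA is configured elsewhere")
        if stanza.get("tls_reqcert", "").lower() in ("never", "allow"):
            notes.append("tls_reqcert accepts an unverifiable provider certificate")
        if starttls == "yes":
            notes.append("starttls=yes continues without TLS if StartTLS fails")
    else:
        notes.append("no TLS configured (neither ldaps:// nor starttls)")
    kind = stanza.get("type", "").lower()
    if kind == "refreshonly":
        notes.append("type=refreshOnly: changes arrive only at each interval poll")
    elif kind == "refreshandpersist" and "keepalive" not in stanza:
        notes.append("refreshAndPersist without keepalive: idle connection "
                     "may be dropped silently by a firewall")
    return notes

if __name__ == "__main__":
    for stanza in parse_syncrepl(SAMPLE):
        print(stanza.get("rid"), review(stanza))
```

Whether a note calls for a change depends on the deployment, which is the point of the last reply in the thread.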