CentOS 7

MariaDB

Check SSL variable on both master and slave. This value should be 'DISABLED' or 'OK'. If value is 'NO' then reinstall or recompile with SSL support:

mysql> SHOW VARIABLES LIKE 'have_ssl';

Create replication user on master server:

mysql>MariaDB [powerdns]> CREATE USER 'replicator'@'%' IDENTIFIED BY 'chooseyourownpassword!';
Query OK, 0 rows affected (0.00 sec)

MariaDB [powerdns]> GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'replicator'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [powerdns]> GRANT SELECT ON powerdns.* TO 'replicator'@'%';
Query OK, 0 rows affected (0.00 sec)

MariaDB [powerdns]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

Test connection with the above username and password, from the slave to the master.

Create directory for key and certificates:

mkdir -p /etc/pki/tls/certs/mariadb
cd /etc/pki/tls/certs/mariadb

Create private key and public certificate:

openssl req -x509 -sha256 -newkey rsa:4096 \
-keyout master-private.pem -out master-public.pem \
-subj '/CN=ns1.polaire.nl' -nodes -days 3650

chmod 400 master-private.pem
chown mysql master-private.pem

Copy public certificate to (as) 'CA certificate':

cp master-public.pem ca.pem

Edit /etc/my.cnf, add:

[mysqld]
log_bin = mysql-bin
server_id = 10
ssl-ca=/etc/pki/tls/certs/mariadb/ca.pem
ssl-cert=/etc/pki/tls/certs/mariadb/master-public.pem
ssl-key=/etc/pki/tls/certs/mariadb/master-private.pem

Restart MariaDB:

systemctl restart mariadb

Modify replicator user to require SSL:

MariaDB [(none)]> GRANT USAGE ON *.* TO 'replicator'@'%' REQUIRE SSL;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR "replicator";

Test connection again from slave, this should no fail!

Create directory and copy master CA certificate to slave:

mkdir -p /etc/pki/tls/certs/mariadb
cd /etc/pki/tls/certs/mariadb

Test connection from slave to master using SSL:

mysql -u replicator -p'yourpassword' -hns1.polaire.nl --ssl-ca /etc/pki/tls/certs/mariadb/ca.pem --ssl-verify-server

Show cipher in use:

<MariaDB [(none)]> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+---------------------------+
| Variable_name | Value                     |
+---------------+---------------------------+
| Ssl_cipher    | DHE-RSA-AES256-GCM-SHA384 |
+---------------+---------------------------+
1 row in set (0.05 sec)

On the master server enable client key verification:

MariaDB [(none)]> GRANT USAGE ON *.* TO 'replicator'@'%' REQUIRE SUBJECT '/CN=ns2.polaire.nl';

MariaDB [(none)]> SHOW GRANTS FOR "replicator";

Client connection test should fail again!

Now create a key and certificate for the slave:

cd /etc/pki/tls/certs/mariadb
openssl req -x509 -sha256 -newkey rsa:4096 \
-keyout slave-private.pem -out slave-public.pem \
-subj '/CN=ns2.polaire.nl' -nodes -days 3650

chmod 400 slave-private.pem
chown mysql slave-private.pem

Append public key to CA on both master and slave:

cat slave-public.pem >> ca.pem

Restart master server:

systemctl restart mariadb

Test connection, this should work!

mysql -u replicator -p'yourpass' -hns1.polaire.nl \
    --ssl-ca /etc/pki/tls/certs/mariadb/ca.pem \
    --ssl-cert /etc/pki/tls/certs/mariadb/slave-public.pem \
    --ssl-key /etc/pki/tls/certs/mariadb/slave-private.pem

Create backup on master:

mysqldump -u root -p --single-transaction --all-databases --master-data=1 > /tmp/master_backup.sql

Copy the dump to the slave.

Edit /etc/my.cnf on the slave:

[mysqld]
log_bin = mysql-bin
server_id = 20
log_slave_updates = 1
relay_log = mysql-relay-bin
read_only = 1

Import the backup on the slave:

MariaDB [(none)]> source /tmp/master_backup.sql

Configure replication:

CHANGE MASTER TO
Master_Host='ns1.polaire.nl',
Master_User='replicator',
Master_Password='yourpassword',
Master_SSL=1,
Master_SSL_CA = '/etc/pki/tls/certs/mariadb/ca.pem',
Master_SSL_CERT = '/etc/pki/tls/certs/mariadb/slave-public.pem',
Master_SSL_KEY = '/etc/pki/tls/certs/mariadb/slave-private.pem',
Master_SSL_Verify_Server_Cert = 1;
Query OK, 0 rows affected (0.08 sec)

Start slave:

MariaDB [(none)]> slave start;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show slave status \G