Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-10658

Support TLS SNI in MariaDB

Details

    Description

      Support for TLS SNI (“Server Name Indication”) in MariaDB would be a boon. OpenSSL and other TLS libraries make it pretty straightforward to do … would MariaDB consider adding support for this?

      Preferably, please be flexible as to how to specify the logic for fetching the certificate for a given domain name.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-28906 MySQL 8.0 desired compatibility

          • Major - Major loss of function.
          • Open

          Activity

            Ascending order - Click to sort in descending order
            View 5 older comments
            fgasper Felipe Gasper added a comment -

            ISTM an ideal SNI implementation can accommodate arbitrarily many domain names without making the server preload a certificate for each domain. Yet more ideally, allow server admins to specify custom lookup logic for each domain name—e.g., via a script.

            The Pure-FTPd project has a protocol for SNI support that could be useful here:
            https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS

            Maybe have a global variable `tls_sni_method` that can accept values:

            • `command`: path to a command that returns a key & chain for a given domain name
            • `socket`: path to a UNIX socket that does the same
            • `plugin`: specify some sort of plugin that could do the lookup in-process?
            fgasper Felipe Gasper added a comment - ISTM an ideal SNI implementation can accommodate arbitrarily many domain names without making the server preload a certificate for each domain. Yet more ideally, allow server admins to specify custom lookup logic for each domain name—e.g., via a script. The Pure-FTPd project has a protocol for SNI support that could be useful here: https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS Maybe have a global variable `tls_sni_method` that can accept values: `command`: path to a command that returns a key & chain for a given domain name `socket`: path to a UNIX socket that does the same `plugin`: specify some sort of plugin that could do the lookup in-process?
            sosiouxme Luke Meyer added a comment - - edited

            Is there a client-only version of this request? It seems like it ought to be comparatively trivial (maybe just require a client flag --enable-sni or something so those who don't want SNI aren't surprised).

            I assumed this had been done years ago, once "PaaS" and "DBaaS" terms were coined. Imagine my surprise when, after setting up, securing, and creating a passthrough route to my MariaDB instance on OpenShift, I found... there's no way to reach it with an external client. The router would know what to do with the request if the client would simply... TELL IT... which hostname it wants to reach.

            I tried to put stunnel in front instead, but haven't been able to get it to work yet. Not sure if that's my ignorance or if there's a technical reason it won't work.

            sosiouxme Luke Meyer added a comment - - edited Is there a client-only version of this request? It seems like it ought to be comparatively trivial (maybe just require a client flag --enable-sni or something so those who don't want SNI aren't surprised). I assumed this had been done years ago, once "PaaS" and "DBaaS" terms were coined. Imagine my surprise when, after setting up, securing, and creating a passthrough route to my MariaDB instance on OpenShift, I found... there's no way to reach it with an external client. The router would know what to do with the request if the client would simply... TELL IT... which hostname it wants to reach. I tried to put stunnel in front instead, but haven't been able to get it to work yet. Not sure if that's my ignorance or if there's a technical reason it won't work.
            stephane@skysql.com VAROQUI Stephane added a comment -

            After facing the issue i was looking for implementation in HaProxy, inspecting the MySQL protocol for _server_host is not valid unless you use commercial version with lua plugin to decode handshake. the alternative approach layer 7 chain to other layer 7 proxy is a pure wast of ressources and most layer7 proxy can not expose multi server certifcate in frontend . Exposing SNI in
            all clients would solved the issue the proper way , is this no yet possible using ssl-verify-server-cert or some other parameters after so many years ?

            stephane@skysql.com VAROQUI Stephane added a comment - After facing the issue i was looking for implementation in HaProxy, inspecting the MySQL protocol for _server_host is not valid unless you use commercial version with lua plugin to decode handshake. the alternative approach layer 7 chain to other layer 7 proxy is a pure wast of ressources and most layer7 proxy can not expose multi server certifcate in frontend . Exposing SNI in all clients would solved the issue the proper way , is this no yet possible using ssl-verify-server-cert or some other parameters after so many years ?
            raven888888 raven added a comment -

            Seems like mysql client v8.1.0 has added client-side add sni feature

            mysql v8.1.0

            MySQL now implements client-side Server Name Indication (SNI), which is an extension to the TLS protocol. Client applications can pass a server name to the libmysqlclient C API library with the new MYSQL_OPT_TLS_SNI_SERVERNAME option for mysql_options(). Similarly, each MySQL client program now includes a --tls-sni-servername command option to pass in a name. The new Tls_sni_server_name server status variable indicates the name if one is set for the session. Our thanks to Meta for the contribution. (Bug #33176362, WL #14839)

            Can I assume it is compatible with mariadb server? What I want to achieve is to use sni hostname to route the client request to different mariadb server instance backend (ip address)

            raven888888 raven added a comment - Seems like mysql client v8.1.0 has added client-side add sni feature mysql v8.1.0 MySQL now implements client-side Server Name Indication (SNI), which is an extension to the TLS protocol. Client applications can pass a server name to the libmysqlclient C API library with the new MYSQL_OPT_TLS_SNI_SERVERNAME option for mysql_options(). Similarly, each MySQL client program now includes a --tls-sni-servername command option to pass in a name. The new Tls_sni_server_name server status variable indicates the name if one is set for the session. Our thanks to Meta for the contribution. (Bug # 33176362 , WL # 14839 ) Can I assume it is compatible with mariadb server? What I want to achieve is to use sni hostname to route the client request to different mariadb server instance backend (ip address)
            Desdic Kim Gert Nielsen added a comment -

            This is a feature I would very much like to see

            Desdic Kim Gert Nielsen added a comment - This is a feature I would very much like to see

            People

              Unassigned Unassigned
              fgasper Felipe Gasper
              Votes:
              9 Vote for this issue
              Watchers:
              15 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.