Support for TLS SNI (“Server Name Indication”) in MariaDB would be a boon. OpenSSL and other TLS libraries make it pretty straightforward to do … would MariaDB consider adding support for this?
Preferably, please be flexible as to how to specify the logic for fetching the certificate for a given domain name.
Felipe Gasper added a comment:
ISTM an ideal SNI implementation can accommodate arbitrarily many domain names without making the server preload a certificate for each domain. Yet more ideally, allow server admins to specify custom lookup logic for each domain name—e.g., via a script.
The Pure-FTPd project has a protocol for SNI support that could be useful here:
https://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS
Maybe have a global variable `tls_sni_method` that can accept values:
`command`: path to a command that returns a key & chain for a given domain name
`socket`: path to a UNIX socket that does the same
`plugin`: specify some sort of plugin that could do the lookup in-process?
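A sketch of the lookup layer proposed above, written for this page as an added example rather than code from MariaDB or from the commenter. `SniCertResolver`, `validate_sni_name`, `make_sni_callback`, the three `tls_sni_method` values and the one-line socket protocol are all assumptions. It uses Python's `ssl` module, whose `SSLContext.sni_callback` is a thin wrapper over OpenSSL's servername callback, and it leads with the check a practitioner would want first: the SNI name is unauthenticated client input, so it is validated as an RFC 6066 host name before it can reach a command or a socket, and the command is run as an argv list rather than through a shell.

```python
import re
import socket
import ssl
import subprocess
import sys
import tempfile

# RFC 6066 host_name: dot-separated DNS labels of letters/digits/hyphens, no
# leading or trailing hyphen, 1..63 chars per label, 253 overall, no IP literal.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_sni_name(name):
    """Return the canonical (lower-cased) name or raise ValueError."""
    if not name or len(name) > 253:
        raise ValueError("bad SNI length")
    labels = name.split(".")
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError("bad SNI label")
    if all(label.isdigit() for label in labels):
        raise ValueError("IP literals are not valid SNI names")
    return name.lower()


def is_valid_sni_name(name):
    try:
        validate_sni_name(name)
        return True
    except ValueError:
        return False


class SniCertResolver:
    # Hypothetical backend behind a `tls_sni_method` setting:
    #   "command": target is an argv list; the validated name is appended as one arg
    #   "socket":  target is a UNIX socket path; we send "<name>\n" and read PEM
    #   "plugin":  target is an in-process callable name -> PEM bytes or None
    # The backend returns key + chain as PEM and is consulted only on first sight
    # of a name, so the server never preloads one certificate per domain.
    def __init__(self, method, target, cache_size=1024):
        self.method = method
        self.target = target
        self._cache = {}
        self._cache_size = cache_size

    def lookup(self, raw_name):
        name = validate_sni_name(raw_name)      # reject before touching any backend
        if name in self._cache:
            return self._cache[name]
        if self.method == "command":
            # argv, never a shell string: the name cannot become shell syntax
            proc = subprocess.run(list(self.target) + [name],
                                  capture_output=True, timeout=5)
            pem = proc.stdout if proc.returncode == 0 else None
        elif self.method == "socket":
            chunks = []
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                s.settimeout(5)
                s.connect(self.target)
                s.sendall(name.encode("ascii") + b"\n")
                chunk = s.recv(65536)
                while chunk:
                    chunks.append(chunk)
                    chunk = s.recv(65536)
            pem = b"".join(chunks) or None
        elif self.method == "plugin":
            pem = self.target(name)
        else:
            raise ValueError("unknown tls_sni_method %r" % self.method)
        # A misbehaving backend must not feed arbitrary bytes into a TLS context.
        if pem is not None and b"-----BEGIN CERTIFICATE-----" not in pem:
            pem = None
        # Hits are cached (bounded); misses are not, so a real deployment should
        # also rate-limit lookups of unknown names per client.
        if pem is not None and len(self._cache) < self._cache_size:
            self._cache[name] = pem
        return pem


def make_sni_callback(resolver):
    """Wire the resolver into OpenSSL's servername callback via Python's ssl
    module: the per-name context is built lazily and swapped in per handshake."""
    contexts = {}

    def callback(sslobj, server_name, ctx):
        if server_name is None:
            return None                            # no SNI: keep the default cert
        pem = resolver.lookup(server_name) if is_valid_sni_name(server_name) else None
        if pem is None:
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        name = server_name.lower()
        if name not in contexts:
            new_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            with tempfile.NamedTemporaryFile(suffix=".pem") as f:
                f.write(pem)
                f.flush()
                new_ctx.load_cert_chain(f.name)    # key + chain in one PEM
            contexts[name] = new_ctx
        sslobj.context = contexts[name]
        return None

    return callback


# Constructed fixtures (not real certificates): an in-process plugin and a
# command that echoes a fake PEM for whatever name it is handed.
FAKE_CHAINS = {"db.example.com":
               b"-----BEGIN CERTIFICATE-----\nfake db\n-----END CERTIFICATE-----\n"}
FAKE_PEM_COMMAND = [sys.executable, "-c",
                    "import sys; print('-----BEGIN CERTIFICATE-----'); "
                    "print(sys.argv[1]); print('-----END CERTIFICATE-----')"]


def example_plugin(name):
    return FAKE_CHAINS.get(name)
```

To use it on a listening socket, build a default `SSLContext`, set `ctx.sni_callback = make_sni_callback(SniCertResolver("command", ["/usr/local/sbin/lookup-cert"]))` (path assumed) and wrap accepted connections with it; clients that send no SNI get the default certificate, clients naming an unknown host get an `unrecognized_name` alert instead of the wrong certificate.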
Luke Meyer added a comment (edited):
Is there a client-only version of this request? It seems like it ought to be comparatively trivial (maybe just require a client flag --enable-sni or something so those who don't want SNI aren't surprised).
I assumed this had been done years ago, once "PaaS" and "DBaaS" terms were coined. Imagine my surprise when, after setting up, securing, and creating a passthrough route to my MariaDB instance on OpenShift, I found... there's no way to reach it with an external client. The router would know what to do with the request if the client would simply... TELL IT... which hostname it wants to reach.
I tried to put stunnel in front instead, but haven't been able to get it to work yet. Not sure if that's my ignorance or if there's a technical reason it won't work.
VAROQUI Stephane added a comment:
After facing the issue I was looking for an implementation in HAProxy: inspecting the MySQL protocol for _server_host is not valid unless you use the commercial version with a Lua plugin to decode the handshake. The alternative approach, chaining a layer 7 proxy to another layer 7 proxy, is a pure waste of resources, and most layer 7 proxies cannot expose multiple server certificates in the frontend. Exposing SNI in all clients would solve the issue the proper way. Is this not yet possible using ssl-verify-server-cert or some other parameter after so many years?
raven added a comment:
Seems like the mysql client v8.1.0 has added a client-side SNI feature.
mysql v8.1.0:
MySQL now implements client-side Server Name Indication (SNI), which is an extension to the TLS protocol. Client applications can pass a server name to the libmysqlclient C API library with the new MYSQL_OPT_TLS_SNI_SERVERNAME option for mysql_options(). Similarly, each MySQL client program now includes a --tls-sni-servername command option to pass in a name. The new Tls_sni_server_name server status variable indicates the name if one is set for the session. Our thanks to Meta for the contribution. (Bug #33176362, WL #14839)
Can I assume it is compatible with the MariaDB server? What I want to achieve is to use the SNI hostname to route the client request to a different MariaDB server instance backend (IP address).
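An added example, not code from the thread's authors, from HAProxy or from OpenShift, showing what an SNI-routing proxy actually sees on a MariaDB connection, which is the obstacle behind the comments from Luke Meyer, VAROQUI Stephane and raven above. On the MySQL/MariaDB wire protocol the server speaks first, and TLS is started only after the client answers the greeting with an SSLRequest packet; so the first client bytes are never a TLS ClientHello, and a proxy or passthrough route that peeks at the first client bytes for an SNI extension sees a MySQL packet instead, whether or not the client would later send SNI. The `build_*` functions construct sample messages in both formats; `extract_sni` is a bounds-checked ClientHello parser of the kind such a router would run on the TLS bytes once they begin, and it goes a little beyond the thread in handling truncated and malformed input.

```python
import struct

CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800


def build_mysql_ssl_request():
    """Constructed sample of the first client->server packet on a MySQL/MariaDB
    connection that wants TLS: a 32-byte SSLRequest payload (protocol 4.1),
    sequence id 1 because the server's greeting (seq 0) came first."""
    payload = (struct.pack("<I", CLIENT_PROTOCOL_41 | CLIENT_SSL)
               + struct.pack("<I", 1 << 24)        # max packet size
               + b"\x21" + bytes(23))              # charset, reserved
    return len(payload).to_bytes(3, "little") + b"\x01" + payload


def build_client_hello(server_name):
    """Constructed minimal TLS ClientHello record carrying only an SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # NameType host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                # ExtensionType 0
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                   # version, random, sid
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00" + exts)                               # null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # handshake record


def _parse_sni_ext(ext):
    if len(ext) < 2:
        return None
    end = 2 + struct.unpack("!H", ext[:2])[0]
    if end > len(ext):
        return None
    pos = 2
    while pos + 3 <= end:
        ntype, nlen = ext[pos], struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        pos += 3
        if pos + nlen > end:
            return None
        if ntype == 0:
            try:
                return ext[pos:pos + nlen].decode("ascii")
            except UnicodeDecodeError:
                return None
        pos += nlen
    return None


def extract_sni(data):
    """SNI host_name from a TLS ClientHello record, or None. Every length field
    is checked against the buffer so a truncated or hostile message can neither
    be read out of bounds nor misparsed. (A toy: None covers both "no SNI" and
    "record incomplete"; a real router keeps buffering in the second case.)"""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs_len > len(hs) - 4:
        return None
    p = hs[4:4 + hs_len]
    pos = 34                                              # client_version + random
    if len(p) < pos + 1: return None
    pos += 1 + p[pos]                                     # session_id
    if len(p) < pos + 2: return None
    pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]     # cipher_suites
    if len(p) < pos + 1: return None
    pos += 1 + p[pos]                                     # compression_methods
    if len(p) < pos + 2: return None
    end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    if end > len(p): return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            return None
        if etype == 0:
            return _parse_sni_ext(p[pos:pos + elen])
        pos += elen
    return None


def classify_first_client_bytes(data):
    """What an SNI-based router can conclude from the first client bytes."""
    name = extract_sni(data)
    if name is not None:
        return ("tls-client-hello", name)
    if (len(data) >= 8 and int.from_bytes(data[:3], "little") == 32
            and data[3] == 1 and struct.unpack("<I", data[4:8])[0] & CLIENT_SSL):
        return ("mysql-ssl-request", None)   # TLS only starts after this packet
    return ("unknown", None)
```

The practical consequence: to route MariaDB by SNI a proxy must itself send a greeting, read the SSLRequest, and only then parse the ClientHello (and the client must actually send SNI in it), which is what a plain TCP-level SNI router cannot do.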