Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-14091

Support for passphrase protected keys

Details

    • New Feature
    • Status: In Review (View Workflow)
    • Critical
    • Resolution: Unresolved
    • 12.0
    • SSL
    • None
    • 10.3.3-1

    Description

      When using a password-protected key, MariaDB server can not start because the server waits for a key to be entered:

      Enter PEM pass phrase:

      Since this doesn't work if server is started as a service or as background process, an additional option --ssl-passphrase should be implemented (as in Connector/C).

      Update, 17 Feb 2025

      We take OpenSSL approach, where --passin/passout parameters to the command line tool can specify a file ("file:" prefix), environment variable ("env:" prefix) , clear-text password("pass:" prefix)

      Attachments

        Issue Links

          blocks

          New Feature - A new feature of the product, which has yet to be developed. MXS-4102 Support for passphrase protected certificate keys

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open
          is duplicated by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-17290 Mechanism for encrypting ssl_key

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            hholzgra Hartmut Holzgraefe added a comment -

            Shouldn't we rather consider a way to configure this similar to how Apache and PostgreSQL do this, to be able to avoid that the passphrase is visible in my.cnf or in "ps" output?

            Both Apache and Postgres take the approach to have a setting to define an external process that will provide the actual passphrase, see e.g.

            https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog

            or

            https://www.postgresql.org/docs/11/runtime-config-connection.html#id-1.6.6.6.4.3.10.1.3

            or for a bit more background discussion:

            https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/

            hholzgra Hartmut Holzgraefe added a comment - Shouldn't we rather consider a way to configure this similar to how Apache and PostgreSQL do this, to be able to avoid that the passphrase is visible in my.cnf or in "ps" output? Both Apache and Postgres take the approach to have a setting to define an external process that will provide the actual passphrase, see e.g. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslpassphrasedialog or https://www.postgresql.org/docs/11/runtime-config-connection.html#id-1.6.6.6.4.3.10.1.3 or for a bit more background discussion: https://www.2ndquadrant.com/en/blog/postgresql-passphrase-protected-ssl-keys-systemd/
            serg Sergei Golubchik added a comment -

            Yes, I agree, it makes sense. May be not exactly like that, but in general, yes

            serg Sergei Golubchik added a comment - Yes, I agree, it makes sense. May be not exactly like that, but in general, yes
            serg Sergei Golubchik added a comment -

            here's a very first thought. A new my_getopt prefix. It currently recognizes loose-, skip-, enable-, disable-, maximum-, autoset-.

            A new prefix could be, like, read-. For example, instead of --long-query-time=1.234 one would be able to do --read-long-query-time=/file/with/the/value or --read-long-query-time=|executable/returning/a/value.

            serg Sergei Golubchik added a comment - here's a very first thought. A new my_getopt prefix. It currently recognizes loose- , skip- , enable- , disable- , maximum- , autoset- . A new prefix could be, like, read- . For example, instead of --long-query-time=1.234 one would be able to do --read-long-query-time=/file/with/the/value or --read-long-query-time=|executable/returning/a/value .
            hholzgra Hartmut Holzgraefe added a comment -

            Gave it a try, more or less using the PostgreSQL approach (not supporting the %p placeholder yet though):

            https://github.com/hholzgra/mariadb-server/commit/3b1c654dad6bf1d5a90d0c0351c402aff042d707

            hholzgra Hartmut Holzgraefe added a comment - Gave it a try, more or less using the PostgreSQL approach (not supporting the %p placeholder yet though): https://github.com/hholzgra/mariadb-server/commit/3b1c654dad6bf1d5a90d0c0351c402aff042d707
            wlad Vladislav Vaintroub added a comment - - edited

            hholzgra, how do you want to handle it?

            Can you chose of these 2 options?

            wlad Vladislav Vaintroub added a comment - - edited hholzgra , how do you want to handle it? someone else, e.g me can take this over and fix the suggested implementation (it is missing some important things, for example a test, an encrypted key pem generation code in https://github.com/MariaDB/server/blob/main/mysql-test/lib/generate-ssl-certs.sh , and encrypted key itself in in mysql-test/std_data). you can open a github pull request, get it reviewed and pushed Can you chose of these 2 options?

            People

              serg Sergei Golubchik
              georg Georg Richter
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.