  1. MariaDB Server
  2. MDEV-15568

SST + SSL/TLS broken due to socat CN check

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 10.1.28
    • Fix Version/s: N/A
    • Component/s: Galera SST
    • Labels:
      None
    • Environment:
      CentOS 7.2

      Description

      Folks,

      Configuring a running MariaDB Cluster 10.1.28 with self-signed SSL certs with different CNs causes the SST to break due to socat 1.7.3, which has an extra certificate check introduced:

      WSREP_SST: [INFO] Evaluating mbstream -c ${INFO_FILE} | socat -u stdio openssl-connect:192.168.50.15:4444,cert=/etc/my.cnf.d/certs/server-cert.pem,key=/etc/my.cnf.d/certs/server-key.pem,cafile=/etc/my.cnf.d/certs/ca-cert.pem; RC=( ${PIPESTATUS[@]} ) (20180313 21:08:36.885)
      2018/03/13 21:08:36 socat[25873] E certificate is valid but its commonName does not match hostname
      

      Is there any treatment that can be done to avoid this issue, adding, e.g. --verify=0?

      After generating the certificates:

      $ openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
      server-cert.pem: OK
      client-cert.pem: OK
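
An added example, not part of the original report or of the MariaDB SST scripts: `openssl verify -CAfile` only confirms that a certificate chains to the CA, while matching the certificate name against the peer's hostname is a separate test. The script builds a throwaway CA and certificate and runs both checks with the openssl CLI; the names `node1.example` and `node2.example` are constructed, and OpenSSL's `-checkhost` matching is assumed here as a stand-in for socat's own check.

```shell
#!/bin/sh
# Added example. CA, certificate and host names below are constructed test data.
set -eu

# Create a throwaway CA in directory $1 and a server certificate whose CN is $2.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server-key.pem" -out "$1/server-req.pem" 2>/dev/null
    openssl x509 -req -in "$1/server-req.pem" -days 1 -CA "$1/ca-cert.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial -out "$1/server-cert.pem" 2>/dev/null
}

# Chain check only: is the certificate signed by the CA? (the check shown in the report)
chain_ok() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1
}

# Name check: does the certificate match the name a client would connect to?
name_ok() {
    openssl x509 -in "$1/server-cert.pem" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# Report the chain result, then the name result for every name given after $1.
audit() {
    dir=$1; shift
    chain_ok "$dir" && echo "chain: OK" || echo "chain: FAILED"
    for name in "$@"; do
        if name_ok "$dir" "$name"; then echo "name $name: match"
        else echo "name $name: MISMATCH"; fi
    done
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_certs "$WORK" node1.example
# The chain verifies, yet only the name that equals the CN passes the name check.
audit "$WORK" node1.example node2.example
```

Running `audit` against each node's real certificate directory, with the names or addresses the other nodes use to reach it, shows before an SST which peers would fail the name check even though the chain verifies.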
      

              People

              Assignee:
              jplindst Jan Lindström
              Reporter:
              wagnerbianchi Wagner Bianchi (Inactive)
              Votes:
              2
              Watchers:
              7
