MariaDB Server / MDEV-15568

SST + SSL/TLS broken due to socat CN check

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 10.1.28
    • Fix Version/s: N/A
    • Component/s: Galera SST
    • Labels: None
    • Environment: CentOS 7.2

    Description

      Folks,

      Configuring a running MariaDB Cluster 10.1.28 with self-signed SSL certs with different CNs causes SST to break due to socat 1.7.3, which has an extra certificate check introduced:

      WSREP_SST: [INFO] Evaluating mbstream -c ${INFO_FILE} | socat -u stdio openssl-connect:192.168.50.15:4444,cert=/etc/my.cnf.d/certs/server-cert.pem,key=/etc/my.cnf.d/certs/server-key.pem,cafile=/etc/my.cnf.d/certs/ca-cert.pem; RC=( ${PIPESTATUS[@]} ) (20180313 21:08:36.885)
      2018/03/13 21:08:36 socat[25873] E certificate is valid but its commonName does not match hostname
      

      Is there any treatment that can be done to avoid this issue, adding, e.g. --verify=0?

      After generating the certificates:

      $ openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
      server-cert.pem: OK
      client-cert.pem: OK
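
The `openssl verify` output above confirms only that the certificates chain to the CA; whether a certificate names the peer being connected to is a separate check. The following is an added example, not part of the original report or of MariaDB's SST scripts. It uses OpenSSL's `-checkip` as a stand-in for socat's own name check, and the CA, the node name `galera-node-a` and both certificates are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: chain validation and peer-name matching are separate checks.
set -euo pipefail

PEER=192.168.50.15    # joiner address taken from the log line in the report

# make_pki DIR CN SAN: constructed throwaway CA plus one server certificate.
make_pki() {
    local d=$1 cn=$2 san=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/server-key.pem" -out "$d/server.csr" 2>/dev/null
    printf 'subjectAltName=%s\n' "$san" > "$d/ext.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca-cert.pem" \
        -CAkey "$d/ca-key.pem" -set_serial 1 -days 1 \
        -extfile "$d/ext.cnf" -out "$d/server-cert.pem" 2>/dev/null
}

# Chain check only: what `openssl verify -CAfile` in the report establishes.
chain_ok() {
    openssl verify -CAfile "$1/ca-cert.pem" "$1/server-cert.pem" >/dev/null 2>&1
}

# Name check: does the certificate identify the address being connected to?
name_ok() {
    openssl x509 -in "$1/server-cert.pem" -noout -checkip "$2" 2>/dev/null \
        | grep -q 'does match'
}

report() {
    local d=$1 chain=FAIL name=FAIL
    chain_ok "$d" && chain=OK
    name_ok "$d" "$PEER" && name=OK
    echo "chain=$chain name=$name"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/name_only" "$WORK/peer_san"
# Certificate that names the node but not the address used for the transfer.
make_pki "$WORK/name_only" galera-node-a "DNS:galera-node-a"
# Certificate whose subjectAltName covers the address used for the transfer.
make_pki "$WORK/peer_san" galera-node-a "IP:$PEER"
echo "name-only cert: $(report "$WORK/name_only")"
echo "peer-SAN cert:  $(report "$WORK/peer_san")"
```

Both certificates pass the chain check; only the one whose subjectAltName lists the peer address passes the name check.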
      

            People

              Assignee: jplindst Jan Lindström (Inactive)
              Reporter: wagnerbianchi Wagner Bianchi (Inactive)
              Votes: 2
              Watchers: 7