MariaDB Server / MDEV-28233

rsync SST script silently runs unencrypted if stunnel is not installed




      When configuring Galera SST to use TLS encryption with the rsync SST method, the stunnel tool is used to perform the actual encryption.

      When stunnel is not installed, though, the wsrep_sst_rsync script just falls back to using unencrypted rsync, silently ignoring any TLS/SSL related settings in the [sst] configuration section. In particular, even with ssl_mode=REQUIRED unencrypted rsync will be used.

      SST will succeed either way, and the only difference is that with stunnel installed the log will show:

      Mar 24 22:16:35 node-2 mariadbd[2208]: 2022-03-24 22:16:35 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2208' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
      Mar 24 22:16:35 node-2 mariadbd[2219]: WSREP_SST: [INFO] Using stunnel for SSL encryption: CA: '/vagrant/ssl/ca-cert.pem', ssl-mode='VERIFY_CA' (20220324 22:16:35.672)

      when the stunnel binary was found, whereas otherwise one will just see:

      Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2029' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
      Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Joiner monitor thread started to monitor
      Mar 24 22:23:32 node-2 rsyncd[2139]: rsyncd version 3.1.3 starting, listening on port 4444

      This log line is the only hint as to whether encryption is actually being used or not.
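As an added example (not part of the MDEV-28233 report and not code from the MariaDB SST scripts), the following POSIX shell functions make the fallback described above visible before and after the fact: one reads ssl_mode from the [sst] section of an option file and refuses to treat the node as encryption-ready when the stunnel binary is missing, and one classifies a joiner log excerpt by the presence of the "Using stunnel for SSL encryption" note. The option file path, the stunnel path argument and the embedded log excerpts are assumptions or constructed samples copied from the two cases shown in the report.

```shell
#!/bin/sh
# Added example for MDEV-28233; not the project's own code.
# Assumptions: ssl_mode lives in the [sst] section of a my.cnf-style file, and
# stunnel is the only thing that makes rsync SST encrypted (as the report states).

# sst_ssl_mode <option-file>
# Print the ssl_mode (or ssl-mode) value from the [sst] section, upper-cased,
# or nothing if the section or the key is absent.
sst_ssl_mode() {
    sed -n '/^[[:space:]]*\[sst\][[:space:]]*$/,/^[[:space:]]*\[/p' "$1" \
      | sed -n 's/^[[:space:]]*ssl[-_]mode[[:space:]]*=[[:space:]]*//p' \
      | head -n 1 | sed "s/[\"']//g" | tr '[:lower:]' '[:upper:]'
}

# encryption_required <mode>
# Returns 0 when the configured mode demands an encrypted transfer.
encryption_required() {
    case "$1" in
        REQUIRED|VERIFY_CA|VERIFY_IDENTITY) return 0 ;;
        *) return 1 ;;
    esac
}

# check_sst_encryption <option-file> [stunnel-binary]
# Returns 0 when the configuration can be honoured, 2 when ssl_mode requires
# encryption but the stunnel binary cannot be found: the case in which
# wsrep_sst_rsync would silently run plain rsync.
check_sst_encryption() {
    mode=$(sst_ssl_mode "$1")
    stunnel_bin=${2:-stunnel}
    if encryption_required "$mode"; then
        if command -v "$stunnel_bin" >/dev/null 2>&1; then
            echo "ok: ssl_mode=$mode and $stunnel_bin is available"
            return 0
        fi
        echo "FAIL: ssl_mode=$mode but $stunnel_bin is not installed; rsync SST would run unencrypted" >&2
        return 2
    fi
    echo "ok: ssl_mode=${mode:-unset}; no encryption requested"
    return 0
}

# sst_log_status <log-text>
# Prints "encrypted" when the joiner log carries the stunnel note, "plain" when
# an rsync SST ran without it, and "no-sst" when no rsync SST is visible at all.
sst_log_status() {
    case "$1" in
        *"WSREP_SST: [INFO] Using stunnel for SSL encryption"*) echo encrypted ;;
        *"WSREP: Running: 'wsrep_sst_rsync"*) echo plain ;;
        *) echo no-sst ;;
    esac
}

# Constructed samples: the two joiner log excerpts shown in the report.
LOG_WITH_STUNNEL="Mar 24 22:16:35 node-2 mariadbd[2208]: 2022-03-24 22:16:35 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2208' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
Mar 24 22:16:35 node-2 mariadbd[2219]: WSREP_SST: [INFO] Using stunnel for SSL encryption: CA: '/vagrant/ssl/ca-cert.pem', ssl-mode='VERIFY_CA' (20220324 22:16:35.672)"
LOG_WITHOUT_STUNNEL="Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2029' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Joiner monitor thread started to monitor
Mar 24 22:23:32 node-2 rsyncd[2139]: rsyncd version 3.1.3 starting, listening on port 4444"

# Stand-alone demo: a constructed [sst] section that asks for encryption, checked
# against a stunnel path that does not exist (the situation the report describes).
demo_cfg=$(mktemp)
printf '[mysqld]\nwsrep_on=ON\n\n[sst]\nssl_mode = REQUIRED\n' > "$demo_cfg"
check_sst_encryption "$demo_cfg" /nonexistent/stunnel || echo "exit status $?"
rm -f "$demo_cfg"
echo "first excerpt:  $(sst_log_status "$LOG_WITH_STUNNEL")"
echo "second excerpt: $(sst_log_status "$LOG_WITHOUT_STUNNEL")"
```

Run the file on a node before the first SST, or drop the first three functions into a pre-flight check; the non-zero exit status is what the stock script lacks, and the log classifier is only a fallback for nodes that have already joined.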




            sysprg Julius Goryavsky
            hholzgra Hartmut Holzgraefe


