Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.6.15, 11.1.3
-
None
Description
According to https://mariadb.com/kb/en/replication-with-secure-connections/#setting-tls-client-options-in-an-option-file TLS certificate options like MASTER_SSL_CA, MASTER_SSL_CERT and MASTER_SSL_KEY can either be set explicitly in a CHANGE MASTER command, or will be fetched from respective options in the [client] or [client-mariadb] section of the config file(s).
I could not get this to work (tried with 10.6 and 11.1 so far), and looking at the server code I don't see yet how it could possibly use any client section settings either.
I verified that the client options are set correctly by setting up:
[client-mariadb]
|
ssl
|
ssl-ca=/vagrant/files/ssl/ca-cert.pem
|
ssl-cert=/vagrant/files/ssl/slave-1-cert.pem
|
ssl-key=/vagrant/files/ssl/slave-1-key.pem
|
and creating a replication user requiring to-way/mutual TLS using:
CREATE USER repl@'%' IDENTIFIED BY 'Secret23!' REQUIRE x509;
|
GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO repl@'%';
|
I verified that from the slave host I can connect to the master using that user, and that it fails when not reading the option file(s), due to the client no longer offering a client certificate for two-way TLS:
root@slave-1:~# mysql --user=repl --password=Secret23! --host=master --execute="SHOW STATUS LIKE 'Ssl_Version'"
|
|
+---------------+---------+
|
| Variable_name | Value |
|
+---------------+---------+
|
| Ssl_version | TLSv1.2 |
|
+---------------+---------+
|
|
root@slave-1:~# mysql --no-defaults --user=repl --password=Secret23! --host=master --execute="SHOW STATUS LIKE 'Ssl_Version'"
|
|
ERROR 1045 (28000): Access denied for user 'repl'@'slave-1' (using password: YES)
|
|
Same problem when setting up the slave with just
CHANGE MASTER TO MASTER_HOST='master'
|
, MASTER_USER='repl'
|
, MASTER_PASSWORD='Secret23!'
|
, MASTER_USE_GTID=slave_pos
|
, MASTER_SSL=1;
|
START SLAVE;
|
SHOW SLAVE STATUS\G
|
|
[...]
|
Last_IO_Errno: 1045
|
Last_IO_Error: error connecting to master 'repl@master:3306' - retry-time: 60 maximum-retries: 100000 message: Access denied for user 'repl'@'slave-1' (using password: YES)
|
[...]
|
When explicitly adding
, MASTER_SSL_CA='/vagrant/files/ssl/ca-cert.pem'
|
, MASTER_SSL_KEY='/vagrant/files/ssl/slave-1-key.pem'
|
, MASTER_SSL_CERT='/vagrant/files/ssl/slave-1-cert.pem'
|
the slave can start just fine.
I also verified with WireShark that in the failed case no client certificate was offered to the server during TLS handshake.
Attachments
Issue Links
- causes
-
MXS-4718 Add replication_custom_options to enable replication TLS certification check
- Closed