MariaDB Server / MDEV-37338

Let Galera check ISSUER / SUBJECT of certificates of other nodes

Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Components: Galera, SSL

    Description

      To be able to check whether a joining node should really be allowed to be in the cluster we can right now only rely on two things:

      • wsrep_allowlist, which only checks IP addresses, and so can be subject to IP spoofing attacks
      • When using TLS between nodes, all nodes need to have server certificates for which signing information can be validated; this helps with self-signed certificates, which would need to share the same `ssl_ca`, but not so much with certificates signed by a public CA

      We already have a request to add server name verification in https://jira.mariadb.org/browse/MDEV-34263

      But I'd like to request to add features to be able to verify that the certificate has a certain ISSUER or SUBJECT string, similar to what we already have for client connections with CREATE USER ... REQUIRE ISSUER/SUBJECT ....
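      The following is an added example, not MariaDB or Galera code, of the check this request asks for: after the TLS handshake has already validated the chain against `ssl_ca`, the peer's subject and issuer are rendered in the `/C=.../O=.../CN=...` form used by `REQUIRE SUBJECT` / `REQUIRE ISSUER` and compared as exact strings. The certificate dictionaries use the layout that Python's standard-library `ssl.SSLSocket.getpeercert()` returns; the certificate values, the attribute-name table and the exact-match rule are assumptions made for this example. It shows why CA validation alone does not help with a public CA: a certificate for an unrelated organisation signed by the same public CA passes the issuer check and is only rejected once the subject is pinned as well.

```python
"""Added example (not MariaDB/Galera code): pin a peer certificate's
SUBJECT / ISSUER the way REQUIRE SUBJECT / REQUIRE ISSUER do for clients.

Certificates are dicts in the format ssl.SSLSocket.getpeercert() returns
after a handshake run with verify_mode=ssl.CERT_REQUIRED, i.e. a tuple of
RDNs, each RDN a tuple of (attribute_name, value) pairs.  All sample
values below are constructed for this example.
"""

# Short attribute names used in the "/C=FI/O=Example/CN=node1" string form.
# This table is an assumption for the example, not MariaDB's own mapping.
_SHORT = {
    "countryName": "C",
    "stateOrProvinceName": "ST",
    "localityName": "L",
    "organizationName": "O",
    "organizationalUnitName": "OU",
    "commonName": "CN",
    "emailAddress": "emailAddress",
}


def dn_to_string(name):
    """Render a getpeercert()-style name as '/C=.../O=.../CN=...'."""
    parts = []
    for rdn in name:
        for attr_type, value in rdn:
            parts.append(f"{_SHORT.get(attr_type, attr_type)}={value}")
    return "/" + "/".join(parts)


def check_peer(cert, require_subject=None, require_issuer=None):
    """Return (ok, reason).

    Chain validation against the CA is assumed to have happened in the TLS
    handshake already; this is only the additional pinning step.  Matching
    is an exact string comparison (an assumption of this example).
    """
    subject = dn_to_string(cert.get("subject", ()))
    issuer = dn_to_string(cert.get("issuer", ()))
    if require_issuer is not None and issuer != require_issuer:
        return False, f"issuer mismatch: got {issuer}"
    if require_subject is not None and subject != require_subject:
        return False, f"subject mismatch: got {subject}"
    return True, "ok"


# Constructed sample data: one public CA, one legitimate cluster node and one
# certificate for an unrelated organisation issued by the same public CA.
PUBLIC_CA = (
    (("countryName", "US"),),
    (("organizationName", "Example Public CA"),),
    (("commonName", "Example Public CA R1"),),
)

NODE1_CERT = {
    "issuer": PUBLIC_CA,
    "subject": (
        (("countryName", "FI"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "galera-node1.example.com"),),
    ),
}

FOREIGN_CERT = {
    "issuer": PUBLIC_CA,  # same public CA, so chain validation succeeds
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Some Other Org"),),
        (("commonName", "db.other-org.example"),),
    ),
}

REQUIRED_ISSUER = "/C=US/O=Example Public CA/CN=Example Public CA R1"
REQUIRED_SUBJECT = "/C=FI/O=Example Corp/CN=galera-node1.example.com"


def demo():
    """Compare issuer-only pinning with issuer+subject pinning for both certs."""
    return {
        "node1_issuer_only": check_peer(NODE1_CERT, require_issuer=REQUIRED_ISSUER)[0],
        "node1_issuer_and_subject": check_peer(
            NODE1_CERT, require_subject=REQUIRED_SUBJECT, require_issuer=REQUIRED_ISSUER)[0],
        "foreign_issuer_only": check_peer(FOREIGN_CERT, require_issuer=REQUIRED_ISSUER)[0],
        "foreign_issuer_and_subject": check_peer(
            FOREIGN_CERT, require_subject=REQUIRED_SUBJECT, require_issuer=REQUIRED_ISSUER)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

      With a public CA, `foreign_issuer_only` is accepted because the issuer string is identical for every certificate that CA signs; only the subject check distinguishes the cluster's own nodes from anyone else who bought a certificate from the same CA.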

      People

        Assignee: Unassigned
        Reporter: Hartmut Holzgraefe (hholzgra)
        Votes: 0
        Watchers: 2