MariaDB MaxScale
MXS-1462

MaxScale erroneously connects to MySQLBackend servers via TLS1.0 rather than TLS1.2


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 2.1.9
    • Fix Version/s: N/A
    • Component/s: mariadbbackend
    • Labels:
      None
    • Environment:
      Ubuntu 16.04, MariaDB Galera, MariaDB 10.1.28
    • Sprint:
      2017-45, 2017-46

      Description

      Hi,

      I'm in the process of setting up MaxScale on Ubuntu 16.04 fronting a Galera cluster where the MariaDB database nodes (also on Ubuntu 16.04) are set to use TLSv1.2. I have another Ubuntu 16.04 server, which is where I'm testing from (using a MariaDB "mysql" client, set up with the same client certificate as is used by MaxScale to connect to the Galera cluster). There is a "test" user (requiring SSL) and a "galeramon" user on the database.

      According to the documentation, I can configure this in MaxScale as follows:

      [dbnode1]
      type=server
      address=172.16.1.22
      port=3306
      protocol=MySQLBackend
      ssl=required
      ssl_version=TLSv12
      ssl_cert=/etc/mysql/ssl/db-client-cert.pem
      ssl_key=/etc/mysql/ssl/db-client-key.pem
      ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
       
      [dbnode2]
      type=server
      address=172.16.1.23
      port=3306
      protocol=MySQLBackend
      ssl=required
      ssl_version=TLSv12
      ssl_cert=/etc/mysql/ssl/db-client-cert.pem
      ssl_key=/etc/mysql/ssl/db-client-key.pem
      ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
       
      [Galera Monitor]
      type=monitor
      module=galeramon
      servers=dbnode1,dbnode2
      user=galeramon
      passwd=galeramon
      monitor_interval=1000
       
      [Galera Service]
      type=service
      router=readwritesplit
      servers=dbnode1,dbnode2
      user=galeramon
      passwd=galeramon
       
      [MaxAdmin Service]
      type=service
      router=cli
       
      [Galera Listener]
      type=listener
      service=Galera Service
      protocol=MySQLClient
      port=3306
      authenticator=MySQL
      ssl=required
      ssl_version=TLSv12
      ssl_cert=/etc/mysql/ssl/server-cert.pem
      ssl_key=/etc/mysql/ssl/server-key.pem
      ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
      ssl_cert_verify_depth=9
       
      [MaxAdmin Listener]
      type=listener
      service=MaxAdmin Service
      protocol=maxscaled
      socket=default
      

      However, this never successfully connects. I ran a tcpdump packet capture on the connection, and found that the reason it was failing was that MaxScale was trying to connect using TLSv1.0 despite the specification. Changing the "ssl_version" setting in the "dbnode*" sections to "MAX" had no effect; neither did commenting out that setting altogether.

      I've attached a log of a sample session.

      The versions of openssl and libssl1.0.0 on the server are both 1.0.2g-1ubuntu4.8, so it should support TLSv1.2. I installed MaxScale with:

      curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=mariadb-10.1
      sudo apt install maxscale
      

      I can disable the TLS requirement for the "galeramon" user, which allows MaxScale to start up, but the moment I log into the database via MaxScale as the "test" user, the connection fails, as the following transcript (from a different server) shows:

      test@dbclient01:~$ mysql -h 172.16.2.1 -u test -p
      Enter password:
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MySQL connection id is 31200
      Server version: 10.0.0 2.1.9-maxscale
       
      Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MySQL [(none)]> show databases;
      ERROR 2006 (HY000): MySQL server has gone away
      No connection. Trying to reconnect...
      Connection id:    31200
      Current database: *** NONE ***
       
      ERROR 2003 (HY000): Authentication with backend failed. Session will be closed.
      MySQL [(none)]>
      

      I can connect to a database instance over TLSv1.2 from the mysql client on another machine, using the same ("db-client-*") certificate as specified above, and I can connect to the MaxScale "Galera Listener" using the same mysql client, also over TLSv1.2 (as indicated via tcpdump packet captures), so the "ssl_version" setting is being honoured by the MaxScale listener, just not the MySQLBackend server.
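The two checks the reporter did by hand (a tcpdump of the MaxScale-to-backend connection, and a mysql client connecting from a third host) can be scripted. The following is an added example for this report, not MaxScale's or MariaDB's own code. It speaks just enough of the MySQL wire protocol to reach the TLS handshake: it reads the HandshakeV10 greeting, confirms the server advertises CLIENT_SSL, sends the 32-byte SSLRequest packet and then runs a TLS handshake on the same socket with a chosen minimum and maximum version, so you can see directly whether a backend accepts TLSv1.2 and whether it refuses TLSv1.0. It also reads the version field out of a captured ClientHello record, which is what tcpdump shows for the connection MaxScale opens. The packet layouts are the documented protocol; the host 172.16.1.22 defaults to dbnode1 from the report, the greeting in `sample_greeting()` is constructed test data, and the hostname, CA file and TLS bounds are assumptions you would set for your own cluster.

```python
"""Probe which TLS version a MySQL/MariaDB backend negotiates (added example for MXS-1462)."""
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800          # client asks to switch the connection to TLS
CLIENT_SECURE_CONNECTION = 0x00008000


def recv_exact(sock, n):
    """Read exactly n bytes or raise; partial reads are normal on TCP."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("socket closed during MySQL handshake")
        buf += chunk
    return buf


def read_packet(sock):
    """One MySQL packet: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    header = recv_exact(sock, 4)
    length = header[0] | (header[1] << 8) | (header[2] << 16)
    return header[3], recv_exact(sock, length)


def parse_greeting(payload):
    """Return (server_version, capability_flags) from a HandshakeV10 payload."""
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1          # skip connection id, scramble part 1, filler
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                   # skip caps low, charset, status flags
    cap_upper = struct.unpack_from("<H", payload, pos)[0]
    return server_version, cap_lower | (cap_upper << 16)


def build_ssl_request(seq):
    """SSLRequest: capabilities (4), max packet size (4), charset (1), 23 zero bytes."""
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def client_hello_version(record):
    """Version the client offers in a captured TLS ClientHello record (offset 9-10).
    0x0301 is TLSv1.0, 0x0303 is TLSv1.2; a TLS 1.3 hello also carries 0x0303 here."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    major, minor = record[9], record[10]
    if major != 3 or minor not in (1, 2, 3):
        raise ValueError("unexpected version bytes %02x %02x" % (major, minor))
    return "TLSv1.%d" % (minor - 1)


def probe_tls_version(host, port=3306, minimum=ssl.TLSVersion.TLSv1_2,
                      maximum=ssl.TLSVersion.MAXIMUM_SUPPORTED, cafile=None):
    """Connect like a mysql client within the given TLS bounds; return (server_version, negotiated)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version, ctx.maximum_version = minimum, maximum
    if cafile:
        ctx.load_verify_locations(cafile)
    else:                              # version probe only: no certificate checking
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        seq, greeting = read_packet(sock)
        server_version, caps = parse_greeting(greeting)
        if not caps & CLIENT_SSL:
            raise RuntimeError("%s does not offer TLS on this port" % server_version)
        sock.sendall(build_ssl_request(seq + 1))   # sent in the clear, before TLS starts
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return server_version, tls.version()


def sample_greeting(ssl_offered=True):
    """Constructed HandshakeV10 payload in the shape MariaDB 10.1 sends (test data, not a capture)."""
    cap_lower = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | (CLIENT_SSL if ssl_offered else 0)
    return (bytes([10]) + b"5.5.5-10.1.28-MariaDB\x00"
            + struct.pack("<I", 31200)                  # connection id
            + b"12345678" + b"\x00"                     # scramble part 1, filler
            + struct.pack("<HBH", cap_lower, 0x21, 2)   # caps low, charset, status flags
            + struct.pack("<H", 0x0008)                 # caps high: CLIENT_PLUGIN_AUTH
            + bytes([21]) + b"\x00" * 10                # scramble length, reserved
            + b"901234567890\x00" + b"mysql_native_password\x00")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "172.16.1.22"   # dbnode1 from the report
    for label, lo, hi in (("TLSv1.2 only", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
                          ("TLSv1.0 only", ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1)):
        try:
            print(label, "->", probe_tls_version(host, minimum=lo, maximum=hi))
        except (ssl.SSLError, OSError, RuntimeError, ValueError) as exc:
            print(label, "-> refused:", exc)
```

Run it from the MaxScale host against each dbnode: a backend configured for TLSv1.2 should answer the first probe with `TLSv1.2` and refuse the second, which is the behaviour the reporter saw the backend apply to MaxScale's TLSv1.0 hello. Because the SSLRequest packet travels in the clear, the ClientHello that follows is visible in a tcpdump of port 3306, and `client_hello_version()` reads its offered version from the raw record bytes. With OpenSSL 1.1.1 or later the same probe is a one-liner, `openssl s_client -connect 172.16.1.22:3306 -starttls mysql -tls1_2`; the 1.0.2 build on Ubuntu 16.04 does not have the `mysql` STARTTLS mode, which is why a small script is useful there.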

              People

              Assignee:
               markus makela
              Reporter:
              PC Pak Chan