Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Incomplete
Affects Version/s: 2.1.9
Fix Version/s: None
Environment: Ubuntu 16.04, MariaDB Galera, MariaDB 10.1.28
Sprint: 2017-45, 2017-46
Description
Hi,
I'm in the process of setting up MaxScale on Ubuntu 16.04 fronting a Galera cluster where the MariaDB database nodes (also on Ubuntu 16.04) are set to use TLSv1.2. I have another Ubuntu 16.04 server, which is where I'm testing from (using a MariaDB "mysql" client, set up with the same client certificate as is used by MaxScale to connect to the Galera cluster). There is a "test" user (requiring SSL) and a "galeramon" user on the database.
According to the documentation, I can configure this in MaxScale as follows:
[dbnode1]
type=server
address=172.16.1.22
port=3306
protocol=MySQLBackend
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem

[dbnode2]
type=server
address=172.16.1.23
port=3306
protocol=MySQLBackend
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem

[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000

[Galera Service]
type=service
router=readwritesplit
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon

[MaxAdmin Service]
type=service
router=cli

[Galera Listener]
type=listener
service=Galera Service
protocol=MySQLClient
port=3306
authenticator=MySQL
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/server-cert.pem
ssl_key=/etc/mysql/ssl/server-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
ssl_cert_verify_depth=9

[MaxAdmin Listener]
type=listener
service=MaxAdmin Service
protocol=maxscaled
socket=default
However, this never successfully connects. I ran a tcpdump packet capture on the connection, and found that the reason it was failing was that MaxScale was trying to connect using TLSv1.0 despite the specification. Changing the "ssl_version" setting in the "dbnode*" sections to "MAX" had no effect; neither did commenting out that setting altogether.
I've attached a log of a sample session.
The version of openssl and libssl1.0.0 on the server are both 1.0.2g-1ubuntu4.8, so it should support TLSv1.2. I installed MaxScale with:
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=mariadb-10.1
sudo apt install maxscale
I can disable the TLS requirement for the "galeramon" user, which allows MaxScale to start up, but the moment I log into the database via MaxScale as the "test" user, the connection fails, as the following transcript (from a different server) shows:
test@dbclient01:~$ mysql -h 172.16.2.1 -u test -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 31200
Server version: 10.0.0 2.1.9-maxscale

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    31200
Current database: *** NONE ***

ERROR 2003 (HY000): Authentication with backend failed. Session will be closed.
MySQL [(none)]>
I can connect to a database instance over TLSv1.2 from the mysql client on another machine using the same ("db-client-*") certificate as specified above, and I can connect to the MaxScale "Galera Listener" using the same mysql client, also over TLSv1.2 (as indicated via tcpdump packet captures), so the "ssl_version" setting is being honoured by the MaxScale listener, just not the MySQLBackend server.
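The reporter established which protocol version MaxScale offered to the backend by reading a tcpdump capture. As an added example (not part of this bug report, and not MaxScale or MariaDB code), the Python below pulls the version fields out of a raw TLS ClientHello record the way one would when checking such a capture: the record-layer version, the handshake client_version, and, for TLS 1.3 clients, the supported_versions extension. The ClientHello bytes it inspects are constructed by the included builder, not taken from the reporter's capture; a real check would feed it the payload of the first packet the client sends after the TCP handshake.

```python
import struct

# Human-readable names for the 16-bit protocol version fields.
TLS_VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}

EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(client_version, cipher_suites, supported_versions=None):
    """Construct a minimal TLS ClientHello record (constructed sample data only)."""
    body = struct.pack("!H", client_version)
    body += bytes(32)                      # client random (zeroed in this sample)
    body += b"\x00"                        # session_id length = 0
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                    # one compression method: null
    extensions = b""
    if supported_versions is not None:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_data = bytes([len(versions)]) + versions
        extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # The record-layer version is commonly 0x0301 whatever version is really offered,
    # so it must not be used on its own to judge what the client asked for.
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Return the version fields and cipher suites from a raw ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    hs = data[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip the client random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len

    supported_versions = None
    if pos + 2 <= len(body):                       # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            ext_data = body[pos + 4:pos + 4 + ext_data_len]
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_data:
                n = ext_data[0]
                supported_versions = [struct.unpack("!H", ext_data[i:i + 2])[0]
                                      for i in range(1, 1 + n, 2)]
            pos += 4 + ext_data_len

    # A TLS 1.3 client advertises its real versions in supported_versions (which may
    # also carry GREASE values, hence the filter); older clients put the highest
    # version they support in client_version.
    known = [v for v in (supported_versions or []) if v in TLS_VERSION_NAMES]
    offered_max = max(known) if known else client_version
    return {
        "record_version": record_version,
        "client_version": client_version,
        "cipher_suites": cipher_suites,
        "supported_versions": supported_versions,
        "offered_max": offered_max,
        "offered_max_name": TLS_VERSION_NAMES.get(offered_max, hex(offered_max)),
    }


if __name__ == "__main__":
    # Constructed samples: a TLS 1.0-only hello, a TLS 1.2 hello, and a TLS 1.3 hello.
    for hello in (build_client_hello(0x0301, [0x002F]),
                  build_client_hello(0x0303, [0xC030, 0x009C]),
                  build_client_hello(0x0303, [0x1301], supported_versions=[0x0304, 0x0303])):
        info = parse_client_hello(hello)
        print(f"record {info['record_version']:#06x} client_version {info['client_version']:#06x} "
              f"highest offered {info['offered_max_name']}")
```

The distinction the parser makes is the one that matters when reading a capture: a record-layer version of 0x0301 says nothing about what the client actually offered, so the client_version field (and, for TLS 1.3, the supported_versions extension) is what to compare against the configured ssl_version.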