Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-4102

Support for passphrase protected certificate keys

    XMLWordPrintable

Details

    • New Feature
    • Status: Needs Feedback (View Workflow)
    • Minor
    • Resolution: Unresolved
    • None
    • N/A
    • N/A
    • None

    Description

      Feature - External Script for SSL Password

      • So that I can maintain security on my SSL certificate,
      • As a MaxScale user,
      • I want MaxScale to run an external script that provides the SSL password.

      Acceptance Test - Script Execution for SSL Password

      • Given MaxScale is configured to use an SSL certificate that requires a password
      • And an external script is available to provide the SSL password
      • When MaxScale starts or reloads its configuration
      • Then MaxScale runs the external script to retrieve the SSL password
      • And MaxScale uses the retrieved SSL password to unlock the SSL certificate

      Acceptance Test - Handling Script Execution Failure

      • Given MaxScale is configured to use an SSL certificate that requires a password
      • And an external script is available to provide the SSL password
      • When MaxScale starts or reloads its configuration
      • And the external script fails to execute or returns an error
      • Then MaxScale logs the error indicating the failure to retrieve the SSL password
      • And MaxScale does not start or continue loading the configuration

      Acceptance Test - Logging Successful Script Execution

      • Given MaxScale is configured to use an SSL certificate that requires a password
      • And an external script is available to provide the SSL password
      • When MaxScale successfully executes the external script
      • Then MaxScale logs a message indicating the successful retrieval of the SSL password
      • And MaxScale uses the retrieved SSL password to unlock the SSL certificate

      Acceptance Test - Security of SSL Password

      • Given MaxScale is configured to use an SSL certificate that requires a password
      • And an external script is available to provide the SSL password
      • When MaxScale retrieves the SSL password from the external script
      • Then the SSL password is not stored in plaintext in any logs or configuration files
      • And the SSL password is only used in-memory to unlock the SSL certificate

      Background

      Maxscale should support TLS certificates with password / passphrase protected keys.

      I haven't tested how it would deal with such keys, but I assume it would "suffer" from the same TLS library default behavior as the MariaDB server and would try to prompt the user for passwords / passphrases, so breaking automated service startups when faced with such keys.

      What makes things more complicated here is that unlike the server Maxscale does not only have to deal with a single certificate, but can have different certificates per server, listener, and for the REST API. Also the same key may be used in multiple places.

      Attachments

        Issue Links

          Activity

            People

              hholzgra Hartmut Holzgraefe
              hholzgra Hartmut Holzgraefe
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.