MariaDB MaxScale: MXS-4699

Add global setting require_secure_transport


Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 25.08.0
    • Component/s: Core
    • Labels: None
    • Sprint: MXS-SPRINT-217

    Description

      require_secure_transport is a static configuration option which, when enabled, forces all listeners, servers and the REST API to be configured for SSL/TLS. Other MaxScale-related connections are affected where reasonable, e.g. Kafka. Disabling SSL at runtime is also rejected.

      Original description:
      TL;DR: Prevent users from accidentally creating non-TLS listeners and servers and from disabling TLS at runtime

      MaxScale already requires that all clients connecting to a listener configured with TLS use encryption. However, this does not prevent unencrypted listeners and server objects from being created. This is made trickier by the fact that configuring all the required TLS certificates does not by itself enable TLS: the ssl=true parameter must also be set for it to work.

      A global option similar to the MariaDB Server variable require_secure_transport would allow MaxScale to forbid the creation of insecure listeners or servers that do not use TLS. Enabling it at runtime requires a check that all listeners and servers have TLS configured correctly; otherwise the runtime configuration would not be functional if MaxScale were restarted. Similarly, every server and listener modification would have to check that the resulting configuration still has TLS enabled on all objects.
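      The two checks described above (validate every listener and server when the option is enabled, and re-validate on every later alteration) modelled in Python as an added illustration; this is not MaxScale's own code. The configuration text is constructed: ssl, ssl_cert, ssl_key and ssl_ca_cert are existing MaxScale listener/server parameters, while require_secure_transport in the [maxscale] section is the setting this issue adds. The rule that a server is secure with ssl=true alone while a listener also needs ssl_cert and ssl_key is a modelling assumption, and the REST API and Kafka connections are left out of the model.

```python
import configparser
import copy
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]

# Constructed sample configuration (not from a real deployment). Note that
# RW-Listener has a certificate and key but no ssl=true, and server2 has
# no TLS settings at all: both must be rejected once the option is on.
SAMPLE_CONFIG = """
[maxscale]
threads=auto
require_secure_transport=true

[server1]
type=server
address=10.0.0.5
port=3306
ssl=true
ssl_ca_cert=/etc/maxscale/certs/ca.pem

[server2]
type=server
address=10.0.0.6
port=3306

[RW-Listener]
type=listener
service=RW-Service
port=4006
ssl_cert=/etc/maxscale/certs/server-cert.pem
ssl_key=/etc/maxscale/certs/server-key.pem
ssl_ca_cert=/etc/maxscale/certs/ca.pem
"""

TRUE_VALUES = {"true", "yes", "on", "1"}  # boolean spellings accepted by the model


def parse_config(text: str) -> Config:
    """Parse MaxScale-style INI text into {section: {key: value}}, keys kept case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # do not lower-case keys such as ssl_ca_cert
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def _is_true(value: str) -> bool:
    return value.strip().lower() in TRUE_VALUES


def tls_problems(cfg: Config) -> List[str]:
    """One message per listener/server that would accept or make plaintext connections.

    Modelling assumption: a server is fine with ssl=true alone (client certificates
    are optional); a listener additionally needs ssl_cert and ssl_key. Certificates
    without ssl=true are deliberately NOT enough: that is the trap the issue describes.
    """
    problems: List[str] = []
    for name, sect in cfg.items():
        kind = sect.get("type", "")
        if kind not in ("listener", "server"):
            continue
        if not _is_true(sect.get("ssl", "false")):
            problems.append(f"{name}: ssl is not enabled")
        if kind == "listener":
            for key in ("ssl_cert", "ssl_key"):
                if not sect.get(key):
                    problems.append(f"{name}: missing {key}")
    return problems


def require_secure_transport(cfg: Config) -> bool:
    return _is_true(cfg.get("maxscale", {}).get("require_secure_transport", "false"))


def startup_check(cfg: Config) -> Tuple[bool, List[str]]:
    """Check run at startup, or when the option is turned on at runtime:
    with require_secure_transport set, no object may be left without TLS."""
    if not require_secure_transport(cfg):
        return True, []
    problems = tls_problems(cfg)
    return not problems, problems


def alter_object(cfg: Config, name: str, changes: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Model of a runtime alter: apply the change to a copy, re-validate the altered
    object, and commit only if it still ends up with TLS enabled."""
    if name not in cfg:
        return False, [f"{name}: no such object"]
    trial = copy.deepcopy(cfg)
    trial[name].update(changes)
    if require_secure_transport(trial):
        problems = [p for p in tls_problems(trial) if p.startswith(name + ":")]
        if problems:
            return False, problems  # reject: would disable TLS on a live object
    cfg[name] = trial[name]
    return True, []


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("startup:", startup_check(cfg))
    alter_object(cfg, "RW-Listener", {"ssl": "true"})
    alter_object(cfg, "server2", {"ssl": "true"})
    print("after fixes:", startup_check(cfg))
    print("disable TLS on server1:", alter_object(cfg, "server1", {"ssl": "false"}))
```

      The important design point is that alter_object validates the resulting configuration rather than the individual parameter: clearing ssl_key on a listener is rejected just like setting ssl=false, since either leaves an object that would come up without TLS after a restart.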

People

    esa.korhonen Esa Korhonen
    markus makela markus makela
    Votes: 0
    Watchers: 5