Details
Type: New Feature
Status: Open
Priority: Major
Resolution: Unresolved
Description
MariaDB Server allows setting TLS-specific requirements on a per-user basis using the `REQUIRE` clause when creating a user.
But when a user was created with e.g. `REQUIRE X509` for two-way / mutual TLS, a client can connect as that user without having to present a client certificate, because MaxScale does not perform the related checks, and the actual backend servers only get to see the MaxScale certificate, not the actual client certificate. So if the servers were set up with ssl-cert and ssl-key, a user with REQUIRE X509 will always be able to connect. The actual client is not verified by MaxScale, and MaxScale can't forward the client certificate to the actual servers for verification either.
I had a look at the Proxy Protocol to see if it might be able to help with this, but it only seems to have very rudimentary TLS features, so it is no help with this either.
MaxScale listeners can be set up with ssl_verify_peer_certificate=true, but that enforces the check on a per-listener basis, not on a per-user basis as with the REQUIRE X509 option of CREATE USER on the server side.
MaxScale can also only do REQUIRE X509 checks on a per-listener basis, and has no equivalent of the more sophisticated REQUIRE ISSUER or REQUIRE SUBJECT options.
So it is far from being on par with the server side here, and can't act as a true transparent proxy, because it can't mimic the server's authentication behavior in this respect.
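To make the gap concrete, the following is an added example (not part of this issue or of MaxScale/MariaDB itself) showing the server-side per-user requirements the report refers to, followed by an audit query that lists the accounts whose certificate requirements a MaxScale listener cannot enforce on the client's behalf. User names, hosts and the certificate DNs are constructed placeholders.

```sql
-- Server-side per-user TLS requirements (MariaDB). These are checked by the
-- server against the certificate of whoever connects to it directly; behind
-- MaxScale that peer is MaxScale, not the end client.

-- Any client certificate signed by a CA the server trusts is enough.
CREATE USER 'app_x509'@'%' IDENTIFIED BY 'placeholder-pw'
  REQUIRE X509;

-- The client certificate must additionally carry this exact subject DN.
CREATE USER 'app_subject'@'%' IDENTIFIED BY 'placeholder-pw'
  REQUIRE SUBJECT '/C=XX/O=Example Org/CN=app-client.example.test';

-- The client certificate must be issued by this exact issuer DN
-- (constructed value) and carry the given subject.
CREATE USER 'app_issuer'@'%' IDENTIFIED BY 'placeholder-pw'
  REQUIRE ISSUER  '/C=XX/O=Example Org/CN=Example Internal CA'
      AND SUBJECT '/C=XX/O=Example Org/CN=app-client.example.test';

-- Encryption only, no certificate requirement; a listener-level TLS
-- configuration in MaxScale does cover this case.
CREATE USER 'app_ssl'@'%' IDENTIFIED BY 'placeholder-pw'
  REQUIRE SSL;

-- Audit: which accounts depend on client-certificate checks that MaxScale
-- cannot perform per user? ssl_type is '' (none), 'ANY' (REQUIRE SSL),
-- 'X509' (REQUIRE X509) or 'SPECIFIED' (REQUIRE SUBJECT/ISSUER/CIPHER).
SELECT user, host, ssl_type, x509_subject, x509_issuer
FROM mysql.user
WHERE ssl_type IN ('X509', 'SPECIFIED')
ORDER BY user, host;

-- Full per-account requirement text, useful when comparing against what
-- the MaxScale listener actually verifies.
SHOW CREATE USER 'app_issuer'@'%';
```

Accounts returned by the audit query should be reviewed case by case: with ssl-cert and ssl-key configured on the servers, their REQUIRE clauses are satisfied by MaxScale's own certificate regardless of what the end client presented.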