Details
- Type: New Feature
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version: 24.02.3
- Environment: CentOS 9 Stream, MaxScale 24.02.3, MariaDB 10.11.7
Description
We are integrating Teleport for user authentication, where users connect to MariaDB through MaxScale’s ReadWriteSplit service using their client certificates. Our MariaDB configuration enforces REQUIRE SUBJECT '/CN=username' for user authentication.
Issue:
MaxScale requires specifying its own client certificate in the server parameters for MariaDB. Consequently, connections to MariaDB are established using MaxScale’s certificate, which conflicts with our authentication policy that relies on the client’s original certificate CN.
Request:
We need MaxScale to support client certificate passthrough, allowing the original client certificate, including its CN, to be forwarded to MariaDB. This feature is essential for maintaining our security protocols and ensuring seamless integration with Teleport.
Impact:
Without this capability, we cannot enforce user-specific authentication based on client certificates, compromising our security requirements.
Conclusion:
Implementing client certificate passthrough in MaxScale is crucial for our authentication strategy. We request the development team to consider adding this feature to facilitate secure and compliant user authentication.
Current Configuration:

    default_options_server: &default_options_server
      type: server
      port: 3306
      protocol: MariaDBBackend
      proxy_protocol: "true"
      ssl: "true"
      ssl_cert: "{{ maxscale_client_cert_path }}"
      ssl_key: "{{ maxscale_client_key_path }}"
      ssl_ca: "{{ maxscale_root_ca_path }}"

    default_options_listener: &default_options_listener
      type: listener
      protocol: mariadbclient
      address: 0.0.0.0
      ssl: "true"
      ssl_cert: "{{ maxscale_server_cert_path }}"
      ssl_key: "{{ maxscale_server_key_path }}"
      ssl_ca: "{{ maxscale_root_ca_path }}"

To achieve the desired functionality, an option like ssl_passthrough: "true" would be beneficial.
Thank you.