Description
Updated Description
With MXS-5239 fixed, some clients now receive authentication errors due to REQUIRE SSL being correctly validated. To make it clear that this is the cause, the authentication warnings logged by MaxScale should include this information.
Original Description
Original title: SSL connection issue with MaxScale starting from version 24.02.4
Hello,
I upgraded MariaDB from version 11.5.2 to 11.6.2 and MaxScale from version 24.02.3 to 24.02.4 (OpenSSL was also updated from 3.0.14.1 to 3.0.15.1) on Debian 11 and 12.
I was using MaxScale for a Galera cluster of 3 machines with SSL authentication configured using a self-signed certificate.
After the update, authentication is no longer working. I found the following error in the logs:
2024-12-28 16:14:26 warning: (1208) [MariaDBProtocol] Authentication failed for user 'xxxx'@[127.0.0.1] to service 'Read-Write-Service'. Originating listener: 'Read-Write-Listener'. MariaDB error: 'Access denied for user 'xxxx'@'127.0.0.1' (using password: YES)'.
The user account xxxx was defined with the REQUIRE SSL option and a wildcard ('xxxx'@'%' REQUIRE SSL).
If I disable the REQUIRE SSL option on the account, the problem is resolved, which leads me to suspect that the issue is related to SSL. When I attempt to connect using the MariaDB client, there is no issue, further suggesting that the problem is related to MaxScale and not to MariaDB itself (moreover, the Galera cluster itself is functioning correctly):
mariadb -u xxxx -p -h MyHost --ssl-ca=/etc/ssl/mysql/ca-cert.pem --ssl-cert=/etc/ssl/mysql/client-cert.pem --ssl-key=/etc/ssl/mysql/client-key.pem
=> is OK
My maxscale.cnf (simplified for the example):
[maxscale]
threads=auto

[srv3]
type=server
address=MyHost
port=3306
protocol=MariaDBBackend
priority=3
ssl=true
ssl_cert=/etc/ssl/mysql/client-cert.pem
ssl_key=/etc/ssl/mysql/client-key.pem
ssl_ca=/etc/ssl/mysql/ca-cert.pem

[Galera-Monitor]
type=monitor
module=galeramon
servers=srv3
user=maxscale_monitor_user
password=XXX
monitor_interval=2s
use_priority=true

[Read-Write-Service]
type=service
router=readconnroute
servers=srv3
router_options=master
user=maxscale_service_user
password=XXX

[Read-Write-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=4006
If I downgrade to version 24.02.3 or upgrade to 24.08.0, the problem disappears.
I suspected the issue might be related to the hostname since it is a self-signed certificate, so I replaced the address 127.0.0.1 in the config field with the hostname specified in the certificate ("MyHost" in this example), but there was no change. I also tried setting "ssl_verify_peer_certificate" and "ssl_verify_peer_host" to "false" in the configuration, but that didn't resolve the issue either (as expected, since the documentation states that these options are false by default).
I am wondering if this issue could be related to MXS-5402 https://jira.mariadb.org/browse/MXS-5402 ?
I am available to provide you with further information if needed.
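Until the authentication warning itself says that REQUIRE SSL was the reason, an operator has to correlate two things by hand: which listener the failed login arrived on, and whether that listener terminates TLS at all (in MaxScale a listener only offers TLS to clients when it has `ssl=true` and its own certificate settings). The script below is an added example, not code from the reporter or from the MaxScale project. It parses a constructed maxscale.cnf that mirrors the simplified one above (with a second, TLS-enabled listener added for contrast), parses a warning line of the same shape as the one in the report, and flags the case where an authentication failure came in over a listener that cannot satisfy REQUIRE SSL. The report does not state that this is the cause of the reporter's failure; the check only surfaces the combination the updated description points at. The accompanying SQL query lists accounts that carry a REQUIRE clause, using the `ssl_type` column of the `mysql.user` view.

```python
"""Correlate MaxScale authentication warnings with listeners that lack TLS."""
import configparser
import re

# Constructed sample: the reporter's simplified maxscale.cnf, plus a second
# listener with TLS enabled for contrast (the TLS listener is not from the report).
SAMPLE_CNF = """
[maxscale]
threads=auto

[srv3]
type=server
address=MyHost
port=3306
protocol=MariaDBBackend
ssl=true
ssl_cert=/etc/ssl/mysql/client-cert.pem
ssl_key=/etc/ssl/mysql/client-key.pem
ssl_ca=/etc/ssl/mysql/ca-cert.pem

[Read-Write-Service]
type=service
router=readconnroute
servers=srv3
user=maxscale_service_user
password=XXX

[Read-Write-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=4006

[Read-Write-TLS-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=4007
ssl=true
ssl_cert=/etc/ssl/mysql/server-cert.pem
ssl_key=/etc/ssl/mysql/server-key.pem
ssl_ca=/etc/ssl/mysql/ca-cert.pem
"""

# Constructed sample log line in the same shape as the warning in the report.
SAMPLE_LOG_LINE = (
    "2024-12-28 16:14:26 warning: (1208) [MariaDBProtocol] Authentication failed "
    "for user 'xxxx'@[127.0.0.1] to service 'Read-Write-Service'. "
    "Originating listener: 'Read-Write-Listener'. MariaDB error: "
    "'Access denied for user 'xxxx'@'127.0.0.1' (using password: YES)'."
)

AUTH_FAIL_RE = re.compile(
    r"Authentication failed for user '(?P<user>[^']+)'@\[(?P<host>[^\]]+)\] "
    r"to service '(?P<service>[^']+)'\. Originating listener: '(?P<listener>[^']+)'"
)

# Query to run on the backend to list accounts that demand TLS: ssl_type is
# 'ANY' for REQUIRE SSL and 'X509' / 'SPECIFIED' for the stricter forms.
REQUIRE_SSL_USERS_SQL = "SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type <> ''"


def parse_maxscale_cnf(text):
    """Parse INI-style maxscale.cnf text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def plaintext_listeners(sections):
    """Listeners that do not offer TLS to clients (MaxScale defaults ssl to false)."""
    return [
        name for name, kv in sections.items()
        if kv.get("type") == "listener" and kv.get("ssl", "false").strip().lower() != "true"
    ]


def parse_auth_warning(line):
    """Extract user, host, service and listener from a MaxScale auth warning, or None."""
    m = AUTH_FAIL_RE.search(line)
    return m.groupdict() if m else None


def require_ssl_suspected(line, sections):
    """True when the failed login arrived on a listener that cannot satisfy REQUIRE SSL."""
    info = parse_auth_warning(line)
    if info is None:
        return False
    return info["listener"] in plaintext_listeners(sections)


if __name__ == "__main__":
    cfg = parse_maxscale_cnf(SAMPLE_CNF)
    print("listeners without TLS:", plaintext_listeners(cfg))
    print("REQUIRE SSL suspected for sample warning:", require_ssl_suspected(SAMPLE_LOG_LINE, cfg))
    print("to list accounts with a REQUIRE clause, run:", REQUIRE_SSL_USERS_SQL)
```

Run against a real maxscale.cnf and the current maxscale.log, the same two functions give a quick answer to "did this user fail on a plaintext listener while their account requires TLS", which is exactly the information the updated description asks the warning to carry.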