Bug
Status: Closed
Major
Resolution: Fixed
1.3.0
None
Description
We have a MariaDB Galera Cluster (3 nodes, each is a docker image).
Its configuration is pretty standard except for these changes:
[mysqld]
|
ssl-ca = /etc/mysql/certs/ca-cert.pem
|
ssl-cert = /etc/mysql/certs/servicesdb.crt
|
ssl-key = /etc/mysql/certs/servicesdb-privkey.pem
|
|
ssl-cipher = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
|
|
wsrep_provider = /usr/lib/libgalera_smm.so
|
wsrep_sst_method = rsync
|
default_storage_engine = innodb
|
binlog_format = row
|
innodb_autoinc_lock_mode = 2
|
innodb_flush_log_at_trx_commit = 0
|
query_cache_size = 0
|
query_cache_type = 0
|
We also have MaxScale 1.3.0 with the following configuration:
[maxscale]
|
syslog=1
|
log_to_shm=1
|
log_info=1
|
log_debug=1
|
log_augmentation=1
|
threads=8
|
logdir=/tmp/
|
|
[Galera Monitor]
|
type=monitor
|
module=galeramon
|
servers=galera-01,galera-02,galera-03
|
user=root
|
passwd=admin
|
monitor_interval=3000
|
#disable_master_failback=
|
|
[qla]
|
type=filter
|
module=qlafilter
|
options=/tmp/QueryLog
|
|
[fetch]
|
type=filter
|
module=regexfilter
|
match=fetch
|
replace=select
|
|
[hint]
|
type=filter
|
module=hintfilter
|
|
[Read Connection Router]
|
type=service
|
router=readconnroute
|
servers=galera-01,galera-02,galera-03
|
user=root
|
passwd=admin
|
router_options=synced
|
enable_root_user=1
|
localhost_match_wildcard_host=1
|
|
[RW Split Router]
|
type=service
|
router=readwritesplit
|
router_options=master_accept_reads=true
|
servers=galera-01,galera-02,galera-03
|
user=root
|
passwd=admin
|
localhost_match_wildcard_host=1
|
enable_root_user=1
|
|
[SSL Read Connection Router]
|
type=service
|
router=readconnroute
|
servers=galera-01,galera-02,galera-03
|
user=root
|
passwd=admin
|
router_options=synced
|
enable_root_user=1
|
localhost_match_wildcard_host=1
|
ssl=required
|
ssl_cert=/etc/certs/servicesdb.crt
|
ssl_key=/etc/certs/servicesdb-privkey.pem
|
ssl_ca_cert=/etc/certs/ca-cert.pem
|
|
[SSL RW Split Router]
|
type=service
|
router=readwritesplit
|
router_options=master_accept_reads=true
|
servers=galera-01,galera-02,galera-03
|
user=root
|
passwd=admin
|
localhost_match_wildcard_host=1
|
enable_root_user=1
|
ssl=required
|
ssl_cert=/etc/certs/servicesdb.crt
|
ssl_key=/etc/certs/servicesdb-privkey.pem
|
ssl_ca_cert=/etc/certs/ca-cert.pem
|
|
[Debug Interface]
|
type=service
|
router=debugcli
|
|
[CLI]
|
type=service
|
router=cli
|
user=root
|
passwd=admin
|
|
[MaxInfo]
|
type=service
|
router=maxinfo
|
|
[Read Connection Listener]
|
type=listener
|
service=Read Connection Router
|
protocol=MySQLClient
|
port=4006
|
socket=/tmp/readconn.sock
|
|
[RW Split Listener]
|
type=listener
|
service=RW Split Router
|
protocol=MySQLClient
|
port=4008
|
socket=/tmp/rwsplit.sock
|
|
[SSL Read Connection Listener]
|
type=listener
|
service=SSL Read Connection Router
|
protocol=MySQLClient
|
port=14006
|
socket=/tmp/sslreadconn.sock
|
|
[SSL RW Split Listener]
|
type=listener
|
service=SSL RW Split Router
|
protocol=MySQLClient
|
port=14008
|
socket=/tmp/sslrwsplit.sock
|
|
[Debug Listener]
|
type=listener
|
service=Debug Interface
|
protocol=telnetd
|
port=4442
|
|
[CLI Listener]
|
type=listener
|
service=CLI
|
protocol=maxscaled
|
#address=127.0.0.1
|
port=6603
|
|
[MaxInfo Listener]
|
type=listener
|
service=MaxInfo
|
protocol=HTTPD
|
port=8003
|
|
[galera-01]
|
type=server
|
address=192.168.99.100
|
port=3307
|
protocol=MySQLBackend
|
|
[galera-02]
|
type=server
|
address=192.168.99.100
|
port=3308
|
protocol=MySQLBackend
|
|
[galera-03]
|
type=server
|
address=192.168.99.100
|
port=3309
|
protocol=MySQLBackend
|
And here comes the magic. Assume we have an ad hoc connector class that uses version 1.3.6 of the MariaDB Java connector:
import java.sql.DriverManager;
|
import java.sql.Connection;
|
import java.sql.SQLException;
|
|
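public class Test {

    /**
     * Minimal reproduction: opens one JDBC connection to the MaxScale
     * "SSL RW Split Listener" (port 14008) and prints whether it succeeded.
     *
     * <p>The driver class is loaded explicitly first; a missing driver is
     * reported and the program exits. The connection itself is opened in a
     * try-with-resources block so the handle is always closed — the original
     * version never closed it on the success path.
     *
     * @param args ignored
     */
    public static void main(String... args) {
        try {
            Class.forName("org.mariadb.jdbc.Driver");
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }
        // Credentials are hard-coded for this reproduction only; production
        // code should take them from configuration, not from source.
        // requireSSL=true and verifyServerCertificate=true make the driver
        // fail (as seen in the report) rather than fall back to plaintext
        // when the endpoint does not answer with a TLS record.
        try (Connection connection = DriverManager.getConnection(
                "jdbc:mariadb://192.168.99.100:14008/option_service?connectTimeout=100&useSSL=true&requireSSL=true&verifyServerCertificate=true",
                "root", "admin")) {
            // DriverManager throws rather than returning null, so the else
            // branch is kept only to preserve the original program's output.
            if (connection != null) {
                System.out.println("You made it, take control your database now!");
            } else {
                System.out.println("Failed to make connection!");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}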
|
which I run with these options (generated by the IDE):
$JAVA_HOME/bin/java -Djavax.net.ssl.keyStore=optionservice.jks -Djavax.net.ssl.trustStore=optionservice.jks -Djavax.net.ssl.keyStorePassword=optionservice -Djavax.net.ssl.trustStorePassword=optionservice -Djavax.net.debug=all -Djavax.net.ssl.keyStoreType=jks -Dfile.encoding=UTF-8 -classpath "$JAVA_HOME/jre/lib/charsets.jar:$JAVA_HOME/jre/lib/deploy.jar:$JAVA_HOME/jre/lib/ext/cldrdata.jar:$JAVA_HOME/jre/lib/ext/dnsns.jar:$JAVA_HOME/jre/lib/ext/jaccess.jar:$JAVA_HOME/jre/lib/ext/jfxrt.jar:$JAVA_HOME/jre/lib/ext/localedata.jar:$JAVA_HOME/jre/lib/ext/nashorn.jar:$JAVA_HOME/jre/lib/ext/sunec.jar:$JAVA_HOME/jre/lib/ext/sunjce_provider.jar:$JAVA_HOME/jre/lib/ext/sunpkcs11.jar:$JAVA_HOME/jre/lib/ext/zipfs.jar:$JAVA_HOME/jre/lib/javaws.jar:$JAVA_HOME/jre/lib/jce.jar:$JAVA_HOME/jre/lib/jfr.jar:$JAVA_HOME/jre/lib/jfxswt.jar:$JAVA_HOME/jre/lib/jsse.jar:$JAVA_HOME/jre/lib/management-agent.jar:$JAVA_HOME/jre/lib/plugin.jar:$JAVA_HOME/jre/lib/resources.jar:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/ant-javafx.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/javafx-mx.jar:$JAVA_HOME/lib/jconsole.jar:$JAVA_HOME/lib/packager.jar:$JAVA_HOME/lib/sa-jdi.jar:$JAVA_HOME/lib/tools.jar:./mariadb-java-client-1.3.6.jar:." Test
|
For port 14008, which is the SSL RW Split Router, we get the exception "java.sql.SQLNonTransientConnectionException: Could not connect to 192.168.99.100:14008: Unrecognized SSL message, plaintext connection?". If I change the port to 3307 (one of the nodes of the Galera Cluster) everything works fine. I am sorry, I can't send you the full log because it contains certificate private data, but the last thing we can see when connecting through MaxScale is this:
*** ClientHello, TLSv1
|
RandomCookie: GMT: 1440083963 bytes = { 244, 193, 199, 91, 182, 201, 201, 35, 120, 100, 184, 51, 153, 203, 95, 67, 88, 107, 25, 72, 148, 113, 245, 120, 129, 120, 3, 164 }
|
Session ID: {}
|
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
|
Compression Methods: { 0 }
|
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
|
Extension ec_point_formats, formats: [uncompressed]
|
***
|
[write] MD5 and SHA1 hashes: len = 137
|
0000: 01 00 00 85 03 01 56 D6 F0 FB F4 C1 C7 5B B6 C9 ......V......[..
|
0010: C9 23 78 64 B8 33 99 CB 5F 43 58 6B 19 48 94 71 .#xd.3.._CXk.H.q
|
0020: F5 78 81 78 03 A4 00 00 1E C0 09 C0 13 00 2F C0 .x.x........../.
|
0030: 04 C0 0E 00 33 00 32 C0 08 C0 12 00 0A C0 03 C0 ....3.2.........
|
0040: 0D 00 16 00 13 00 FF 01 00 00 3E 00 0A 00 34 00 ..........>...4.
|
0050: 32 00 17 00 01 00 03 00 13 00 15 00 06 00 07 00 2...............
|
0060: 09 00 0A 00 18 00 0B 00 0C 00 19 00 0D 00 0E 00 ................
|
0070: 0F 00 10 00 11 00 02 00 12 00 04 00 05 00 14 00 ................
|
0080: 08 00 16 00 0B 00 02 01 00 .........
|
main, WRITE: TLSv1 Handshake, length = 137
|
[Raw write]: length = 142
|
0000: 16 03 01 00 89 01 00 00 85 03 01 56 D6 F0 FB F4 ...........V....
|
0010: C1 C7 5B B6 C9 C9 23 78 64 B8 33 99 CB 5F 43 58 ..[...#xd.3.._CX
|
0020: 6B 19 48 94 71 F5 78 81 78 03 A4 00 00 1E C0 09 k.H.q.x.x.......
|
0030: C0 13 00 2F C0 04 C0 0E 00 33 00 32 C0 08 C0 12 .../.....3.2....
|
0040: 00 0A C0 03 C0 0D 00 16 00 13 00 FF 01 00 00 3E ...............>
|
0050: 00 0A 00 34 00 32 00 17 00 01 00 03 00 13 00 15 ...4.2..........
|
0060: 00 06 00 07 00 09 00 0A 00 18 00 0B 00 0C 00 19 ................
|
0070: 00 0D 00 0E 00 0F 00 10 00 11 00 02 00 12 00 04 ................
|
0080: 00 05 00 14 00 08 00 16 00 0B 00 02 01 00 ..............
|
[Raw read]: length = 5
|
0000: 46 00 00 02 FF F....
|
main, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
|
main, SEND TLSv1.2 ALERT: fatal, description = unexpected_message
|
main, WRITE: TLSv1.2 Alert, length = 2
|
main, Exception sending alert: java.net.SocketException: Broken pipe
|
main, called closeSocket()
|
java.sql.SQLNonTransientConnectionException: Could not connect to 192.168.99.100:14008: Unrecognized SSL message, plaintext connection?
|
at org.mariadb.jdbc.internal.util.ExceptionMapper.get(ExceptionMapper.java:123)
|
at org.mariadb.jdbc.internal.util.ExceptionMapper.throwException(ExceptionMapper.java:69)
|
at org.mariadb.jdbc.Driver.connect(Driver.java:110)
|
at java.sql.DriverManager.getConnection(DriverManager.java:664)
|
at java.sql.DriverManager.getConnection(DriverManager.java:247)
|
at Test.main(Test.java:15)
|
Caused by: org.mariadb.jdbc.internal.util.dao.QueryException: Could not connect to 192.168.99.100:14008: Unrecognized SSL message, plaintext connection?
|
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:439)
|
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:351)
|
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:664)
|
at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:587)
|
at org.mariadb.jdbc.Driver.connect(Driver.java:105)
|
... 3 more
|
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
|
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
|
at sun.security.ssl.InputRecord.read(InputRecord.java:527)
|
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
|
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
|
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
|
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
|
at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:417)
|
Please let me know if you need any additional information.