[MDEV-16915] socat certificate verification broken for Mariabackup SST with encrypt=2 Created: 2018-08-07  Updated: 2019-05-20  Resolved: 2019-05-20

Status: Closed
Project: MariaDB Server
Component/s: Galera SST
Affects Version/s: 10.1.35, 10.1.36, 10.1.37
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Mike Kelly Assignee: Jan Lindström (Inactive)
Resolution: Not a Bug Votes: 0
Labels: None
Environment:

CentOS 7

Issue Links:
Problem/Incident
is caused by MDEV-14612 Galera SST xtrabackup-v2/mariabackup ... Closed

 Description   

After upgrading from MariaDB 10.1.34 to 10.1.35, my Galera cluster members could no longer establish an SST with each other.

Downgrading all cluster members back to 10.1.34 got things working.

It seems that the behavior of the `mariabackup` SST method changed, and instead of passing the hostname of the peer to `socat`, it passes the IP address. That then seems to lead to socat exiting with an error on the donor:

2018/08/07 12:16:14 socat[27904] E certificate is valid but its commonName does not match hostname

 Comments   
Comment by Mike Kelly [ 2018-08-07 ]

This seems to be a regression (at least from my perspective) from the fix for MDEV-14612.

Comment by Mike Kelly [ 2018-11-01 ]

Is there any status update available on this?

Do you have any suggested change to my configuration, or need any additional information from me?

Comment by Geoff Montee (Inactive) [ 2018-12-20 ]

pioto,

If you set wsrep_sst_receive_address or wsrep_node_address on the joiner to the hostname used as the commonName in the joiner's certificate, then do you still see the issue?

http://galeracluster.com/documentation-webpages/mysqlwsrepoptions.html#wsrep-sst-receive-address

http://galeracluster.com/documentation-webpages/mysqlwsrepoptions.html#wsrep-node-address

Comment by Geoff Montee (Inactive) [ 2018-12-20 ]

Do we want to disable certificate verification for socat?:

http://www.dest-unreach.org/socat/doc/socat.html#OPTION_OPENSSL_VERIFY

Or should we revert MDEV-14612?

Comment by Geoff Montee (Inactive) [ 2018-12-20 ]

It looks like certificate verification is also disabled when encrypt=3 is set:

https://github.com/MariaDB/server/blob/312de43f40e221096b5565f6f4999eaadae09ef4/scripts/wsrep_sst_mariabackup.sh#L238

MariaDB doesn't really have any documentation about this encryption mode, but Percona notes this in their documentation for XtraBackup SSTs:

Set encrypt=3 to perform SST encryption based on SSL for just the key and certificate files as implemented in Galera.

It does not provide certificate validation. In order to work correctly, paths to the key and certificate files need to be specified as well, for example:

https://www.percona.com/doc/percona-xtradb-cluster/5.6/manual/xtrabackup_sst.html#encrypt

Comment by Geoff Montee (Inactive) [ 2018-12-21 ]

pioto,

If you want to try out encrypt=3, I added some details to the MariaDB documentation:

https://mariadb.com/kb/en/library/mariabackup-sst-method/#tls-using-openssl-encryption-with-galera-compatible-certificates-and-keys

Comment by Mike Kelly [ 2018-12-26 ]

Changing the wsrep_node_address setting from using the node's IP address to the node's FQDN seems to work here, though I can't say for sure if that's the "best" fix.

My configuration was already using encrypt=3 for sst.

Generated at Thu Feb 08 08:32:30 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.