[MDEV-21730] Improve TLS/SSL error reporting Created: 2020-02-13  Updated: 2021-06-10  Resolved: 2021-05-27

Status: Closed
Project: MariaDB Server
Component/s: Galera, SSL
Fix Version/s: 10.4.19, 10.5.10, 10.6.0

Type: Task Priority: Critical
Reporter: Valerii Kravchuk Assignee: Jan Lindström (Inactive)
Resolution: Fixed Votes: 3
Labels: None

Issue Links:
PartOf
is part of MDEV-22131 allow transition from unencrypted to ... Closed

 Description   

Now when Galera node can not join the cluster becuase of some problem with certificates we get just this kind of error messages:

2020-02-10 15:01:01 0 [Note] WSREP: gcomm: connecting to group 'my_wsrep_cluster', peer 'node1:4567,node2:4567,node3:4567'
 
2020-02-10 15:01:01 0 [ERROR] WSREP: handshake with remote endpoint ssl://a.b.c.d:4567 failed: asio.ssl:336134278: 'certificate verify failed' ( 336134278: 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed')
 
...

It would be useful to get more detailed explanation about the problem. All elements of certificates must be checked and if one element fails (wrong CN, something else, in root or in one of intermediate certificates, etc), it must be reported what it is.

This would help a lot in troubleshooting.

As a side note, it would be useful to get node names and not their resolved IP-addresses in the messages.

 Comments   
Comment by Laurent Blume [ 2020-02-13 ]

I'd emphasize the need to have exactly the name used in the configuration in the messages, and not anything resolved. This will matter in case the CN check fails because the configuration uses the wrong name.
It's also very unclear what checks there are now on the client-side. Since the same configuration parameters are used both for server- and client-authentication, the logs must specify which part failed (was it the client failing to authenticate the server, or the server failing to authenticate the client?).

Comment by Seppo Jaakola [ 2021-05-05 ]

The TLS/SSL error messages have been worked on with the latest Galera 4.8 library, as part of other TLS - Galera interoperability refactoring. According to the actual author, Teemu:

"The error messages are the ones which are returned by SSL library, but the format should now be more human friendly.
And they contain additional information in case of certificate verification failure."

Comment by Seppo Jaakola [ 2021-05-05 ]

Pristine SSL library error messages are now logged with better readable format.
Additionally, certification related errors are logged as separately as well.

Comment by Jan Lindström (Inactive) [ 2021-05-27 ]

Galera library 26.4.8 improved TLS/SSL error printing.

Generated at Thu Feb 08 09:09:22 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.