[MDEV-28233] rsync SST script silently runs unencrypted if stunnel is not installed Created: 2022-04-04  Updated: 2023-03-03

Status: Open
Project: MariaDB Server
Component/s: Encryption, Galera, Galera SST, SSL
Affects Version/s: 10.6.7, 10.7.3
Fix Version/s: 10.6

Type: Bug Priority: Major
Reporter: Hartmut Holzgraefe Assignee: Julius Goryavsky
Resolution: Unresolved Votes: 0
Labels: None


 Description   

When configuring Galera SST to use TLS encryption with the rsync SST method the stunnel tool is used to perform the actual encryption.

When stunnel is not installed though the wsrep_sst_rsync script just falls back to using unencrypted rsync, silently ignoring any TLS/SSL related settings in the [sst] configuration section. Especially even with ssl_mode=REQUIRED unencrypted rsync will be used.

SST will succeed either way, and the only difference is that with stunnel installed the log will show:

Mar 24 22:16:35 node-2 mariadbd[2208]: 2022-03-24 22:16:35 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2208' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
 
Mar 24 22:16:35 node-2 mariadbd[2219]: WSREP_SST: [INFO] Using stunnel for SSL encryption: CA: '/vagrant/ssl/ca-cert.pem', ssl-mode='VERIFY_CA' (20220324 22:16:35.672)

when the stunnel binary was found, whereas otherwise one will just see:

Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'joiner' --address 'galera-node-2' --datadir '/var/lib/mysql/' --parent '2029' --mysqld-args --wsrep_start_position=00000000-0000-0000-0000-000000000000:-1'
 
Mar 24 22:23:32 node-2 mariadbd[2029]: 2022-03-24 22:23:32 0 [Note] WSREP: Joiner monitor thread started to monitor
 
Mar 24 22:23:32 node-2 rsyncd[2139]: rsyncd version 3.1.3 starting, listening on port 4444

This is the only hint towards whether encryption is actually being used or not ...

 Comments   
Comment by Hartmut Holzgraefe [ 2022-04-04 ]

The problem comes down to this piece of code checking for stunnel presence when ssl_mode is being set in the [sst] section, giving feedback when it is found, but not when it is missing:

STUNNEL=""
 
if [ -n "$SSLMODE" -a "$SSLMODE" != 'DISABLED' ]; then
 
    if [ -z "${STUNNEL_BIN+x}" ]; then
 
        STUNNEL_BIN=$(commandex 'stunnel')
 
    fi
 
    if [ -n "$STUNNEL_BIN" ]; then
 
        wsrep_log_info "Using stunnel for SSL encryption: CA: '$SSTCA'," \
 
                       "CAPATH='$SSTCAP', ssl-mode='$SSLMODE'"
 
        STUNNEL="$STUNNEL_BIN $STUNNEL_CONF"
 
    fi
 
fi

and later only having checks for $STUNNEL being set, but not for $SSL_MODE anymore.

Generated at Thu Feb 08 09:59:07 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.