[MDEV-30402] Encrypted mariabackup SST breaks on distributions with newer socat v1.7.4.x
Created: 2023-01-13  Updated: 2023-06-21  Resolved: 2023-04-13

Status: Closed
Project: MariaDB Server
Component/s: Galera SST, SSL
Affects Version/s: 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4, 10.10.2, 10.11.1
Fix Version/s: 11.1.1, 10.11.3, 10.4.29, 10.5.20, 10.6.13, 10.8.8, 10.9.6, 10.10.4

Type: Bug
Priority: Critical
Reporter: Hartmut Holzgraefe
Assignee: Julius Goryavsky
Resolution: Fixed
Votes: 1
Labels: None
Environment: Ubuntu 22.04, RHEL 8.7, or any other distribution that comes with socat version >= 1.7.4.0

 Description   

socat version 1.7.4.0 has added this new feature:

	OPENSSL-CONNECT now automatically uses the SNI feature, option
	openssl-no-sni turns it off. Option openssl-snihost overrides the value
	of option openssl-commonname or the server name.
	Tests: OPENSSL_SNI OPENSSL_NO_SNI
	Thanks to Travis Burtrum for providing the initial patch

This causes setups using the encrypted mariabackup SST method with encrypt=4 (haven't tested other encryption modes yet) to fail with

E Failed to set SNI host ""

on the donor side on distributions that have already upgraded to the new socat version, e.g. RHEL 8 and Ubuntu 22.04 "Jammy", which both come with 1.7.4.1.

For now I have been able to fix this by adding the new no-sni=1 option to the donor side socat call when detecting socat version 1.7.4+, but I don't understand the situation well enough yet to say whether this may not be a bit too brute force after all ...

diff --git a/wsrep_sst_mariabackup b/wsrep_sst_mariabackup
index 63ef8be..d60d6d5 100755
--- a/wsrep_sst_mariabackup
+++ b/new/wsrep_sst_mariabackup
@@ -339,6 +339,10 @@ get_transfer()
                         "Use workaround for socat $SOCAT_VERSION bug"
                 fi
             fi
+            get_socat_ver
+            if check_for_version "$SOCAT_VERSION" '1.7.4.0'; then
+                tcmd="$tcmd,no-sni=1"
+            fi
         fi
 
         if [ "${sockopt#*,dhparam=}" = "$sockopt" ]; then
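
Review bot: in get_transfer(), `tcmd="$tcmd,no-sni=1"` is appended for every socat at or above 1.7.4.0 without first checking whether the user-supplied sockopt already carries an SNI option, so an explicit setting could be duplicated or contradicted. Guard it the way the dhparam check in the trailing context does, e.g. `[ "${sockopt#*,no-sni=}" = "$sockopt" ]`. Since the reported error is about an empty SNI host, it is also worth checking whether supplying a host name (the changelog names openssl-snihost and openssl-commonname) would fix the failure without switching SNI off for all encrypted transfers. The existing workaround in the leading context logs "Use workaround for socat $SOCAT_VERSION bug"; the new branch is silent and should log as well, and if that earlier path has already populated SOCAT_VERSION, the second get_socat_ver call is redundant there.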



 Comments   
Comment by Julius Goryavsky [ 2023-04-13 ]

Fixed, https://github.com/MariaDB/server/commit/d1a4315f4cb096c2fd81c96bc4afc6bb618bae49
