[MDEV-32473] MariaBackup requires disable-ssl-verify-server-cert
Created: 2023-10-13
Updated: 2024-02-04
Resolved: 2023-11-21

Status: Closed
Project: MariaDB Server
Component/s: mariabackup, SSL
Affects Version/s: N/A
Fix Version/s: N/A

Type: Bug
Priority: Critical
Reporter: Elena Stepanova
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-31857 enable --ssl-verify-server-cert by de... Closed

 Description   

With SSL changes targeted for 11.3, MariaBackup has become more complicated to run. If no certificates are provided to the MariaBackup call, it fails to run both with and without --skip-ssl. It makes no difference whether the server is run with --skip-ssl or not, and whether the connection is made through TCP or socket. --disable-ssl-verify-server-cert helps in all cases (TCP or socket, server with skip-ssl or not).

If MariaBackup is called with certificates from MTR, the results are different, but also confusing. I cannot meaningfully summarize it.

--disable_abort_on_error
 
--echo #
--echo # Attempt 1: TCP, no special options
--exec $XTRABACKUP --backup -uroot --target-dir=$MYSQL_TMP_DIR/backup1 --port=$MASTER_MYPORT --protocol=tcp > $MYSQL_TMP_DIR/backup1.out 2>&1
--let $err= $sys_errno
if ($err)
{
  --cat_file $MYSQL_TMP_DIR/backup1.out
}
if ($err==0)
{
  --echo # All good
}
--echo #
--echo # Attempt 2: TCP, skip-ssl
--exec $XTRABACKUP --backup -uroot --target-dir=$MYSQL_TMP_DIR/backup2 --port=$MASTER_MYPORT --protocol=tcp --skip-ssl > $MYSQL_TMP_DIR/backup2.out 2>&1
--let $err= $sys_errno
if ($err)
{
  --cat_file $MYSQL_TMP_DIR/backup2.out
}
if ($err==0)
{
  --echo # All good
}
--echo #
--echo # Attempt 3: TCP, disable-ssl-verify-server-cert
--exec $XTRABACKUP --backup -uroot --target-dir=$MYSQL_TMP_DIR/backup3 --port=$MASTER_MYPORT --protocol=tcp --disable-ssl-verify-server-cert > $MYSQL_TMP_DIR/backup3.out 2>&1
--let $err= $sys_errno
if ($err)
{
  --cat_file $MYSQL_TMP_DIR/backup3.out
}
if ($err==0)
{
  --echo # All good
}
 
--echo #
--echo # Attempt 4: Socket, no special options
--exec $XTRABACKUP --backup -uroot --target-dir=$MYSQL_TMP_DIR/backup4 --socket=$MASTER_MYSOCK --protocol=socket > $MYSQL_TMP_DIR/backup4.out 2>&1
--let $err= $sys_errno
if ($err)
{
  --cat_file $MYSQL_TMP_DIR/backup4.out
}
if ($err==0)
{
  --echo # All good
}
--echo #
--echo # Attempt 5: Socket, skip-ssl
--exec $XTRABACKUP --backup -uroot --target-dir=$MYSQL_TMP_DIR/backup5 --socket=$MASTER_MYSOCK --protocol=socket --skip-ssl > $MYSQL_TMP_DIR/backup5.out 2>&1
--let $err= $sys_errno
if ($err)
{
  --cat_file $MYSQL_TMP_DIR/backup5.out
}
if ($err==0)
{
  --echo # All good
}
--echo #
--echo # Attempt 6: Socket, disable-ssl-verify-server-cert
--exec $XTRABACKUP --backup -uroot --target-dir=$MYSQL_TMP_DIR/backup6 --socket=$MASTER_MYSOCK --protocol=socket --disable-ssl-verify-server-cert > $MYSQL_TMP_DIR/backup6.out 2>&1
--let $err= $sys_errno
if ($err)
{
  --cat_file $MYSQL_TMP_DIR/backup6.out
}
if ($err==0)
{
  --echo # All good
}

bb-11.3-serg 9c96b8f5d48a181386807b1f3151154d21cc059c

# Attempt 1: TCP, no special options
[00] 2023-10-13 20:49:27 Connecting to MariaDB server host: localhost, user: root, password: not set, port: 16000, socket: /run/mysqld/mysqld.sock
[00] 2023-10-13 20:49:27 Failed to connect to MariaDB server: SSL connection error: SSL certificate is self-signed.
#
# Attempt 2: TCP, skip-ssl
[00] 2023-10-13 20:49:27 Connecting to MariaDB server host: localhost, user: root, password: not set, port: 16000, socket: /run/mysqld/mysqld.sock
[00] 2023-10-13 20:49:27 Failed to connect to MariaDB server: SSL connection error: SSL certificate is self-signed.
#
# Attempt 3: TCP, disable-ssl-verify-server-cert
# All good
#
# Attempt 4: Socket, no special options
[00] 2023-10-13 20:49:29 Connecting to MariaDB server host: localhost, user: root, password: not set, port: not set, socket: /mnt8t/src/bb-11.3-serg/mysql-test/var/tmp/mysqld.1.sock
[00] 2023-10-13 20:49:29 Failed to connect to MariaDB server: SSL connection error: SSL certificate is self-signed.
#
# Attempt 5: Socket, skip-ssl
[00] 2023-10-13 20:49:29 Connecting to MariaDB server host: localhost, user: root, password: not set, port: not set, socket: /mnt8t/src/bb-11.3-serg/mysql-test/var/tmp/mysqld.1.sock
[00] 2023-10-13 20:49:29 Failed to connect to MariaDB server: SSL connection error: SSL certificate is self-signed.
#
# Attempt 6: Socket, disable-ssl-verify-server-cert
# All good



 Comments   
Comment by Sergei Golubchik [ 2023-10-15 ]

I suppose you had a passwordless root account.

In that case attempts 1, 3, 6 behave as expected. There's a special bit of code to disable --ssl-verify-server-cert if the password was not specified, but it's only done in mariadb, mariadb-admin, mariadb-binlog, mariadb-dump. Should it be also done in mariadb-backup?

The fact that --skip-ssl doesn't disable ssl (attempts 2 and 5) is a bug. I'll fix it.

Socket behavior (attempt 4) is a bug too.

Comment by Elena Stepanova [ 2023-10-15 ]

I tried a password-ed account, but only with --skip-ssl on the server side, in which case attempts 1, 2, 4, 5 also fail, but with

[00] 2023-10-15 18:06:32 Failed to connect to MariaDB server: SSL connection error: SSL is required, but the server does not support it.

With ssl enabled on the server side it indeed works.
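
A small triage of the two SSL failure messages in this report, written for this page as an added example (not part of the ticket or MariaDB's code): it parses the test output per attempt and flags runs that succeeded only with certificate verification off, and skip-ssl runs that still hit a TLS error. The class names and function names are this example's own.

```python
import re

# Error texts quoted in this report; the class names are this example's own.
ERROR_CLASSES = {
    "SSL certificate is self-signed": "untrusted-server-cert",
    "SSL is required, but the server does not support it": "server-without-tls",
}
HEADER = re.compile(r"^# Attempt (\d+): (TCP|Socket), (.+)$")
FAILURE = re.compile(r"Failed to connect to MariaDB server: SSL connection error: (.+?)\.?$")

def triage(log_text):
    """Return one dict per attempt: number, transport, options, outcome, error class."""
    attempts, current = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = {"n": int(header.group(1)), "transport": header.group(2),
                       "options": header.group(3), "ok": False, "error": None}
            attempts.append(current)
        elif current is not None and line == "# All good":
            current["ok"] = True
        elif current is not None:
            failure = FAILURE.search(line)
            if failure:
                current["error"] = ERROR_CLASSES.get(failure.group(1), "other")
    return attempts

def unverified_successes(attempts):
    """Attempts that connected only with certificate verification switched off."""
    return [a["n"] for a in attempts
            if a["ok"] and a["options"] == "disable-ssl-verify-server-cert"]

def tls_despite_skip_ssl(attempts):
    """Attempts run with skip-ssl that still ended in a TLS error."""
    return [a["n"] for a in attempts if a["options"] == "skip-ssl" and a["error"]]

# Sample input: attempts 1, 2, 3 and 6 from the log in this report, abbreviated.
SAMPLE = """\
# Attempt 1: TCP, no special options
[00] 2023-10-13 20:49:27 Failed to connect to MariaDB server: SSL connection error: SSL certificate is self-signed.
# Attempt 2: TCP, skip-ssl
[00] 2023-10-13 20:49:27 Failed to connect to MariaDB server: SSL connection error: SSL certificate is self-signed.
# Attempt 3: TCP, disable-ssl-verify-server-cert
# All good
# Attempt 6: Socket, disable-ssl-verify-server-cert
# All good
"""

if __name__ == "__main__":
    print(unverified_successes(triage(SAMPLE)), tls_despite_skip_ssl(triage(SAMPLE)))
```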
