[MXS-598] SSL RW Router / JDBC Exception Created: 2016-03-03  Updated: 2017-02-07  Resolved: 2017-02-07

Status: Closed
Project: MariaDB MaxScale
Component/s: N/A
Affects Version/s: 1.3.0
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Guillaume Lefranc Assignee: Timofey Turenko
Resolution: Fixed Votes: 0
Labels: None


 Description   

We have a MariaDB Galera Cluster (3 nodes, each is a docker image).
Its configuration is pretty standard except for these changes:

[mysqld]
ssl-ca = /etc/mysql/certs/ca-cert.pem
ssl-cert = /etc/mysql/certs/servicesdb.crt
ssl-key = /etc/mysql/certs/servicesdb-privkey.pem
 
ssl-cipher = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
 
wsrep_provider = /usr/lib/libgalera_smm.so
wsrep_sst_method = rsync
default_storage_engine = innodb
binlog_format = row
innodb_autoinc_lock_mode = 2
innodb_flush_log_at_trx_commit = 0
query_cache_size = 0
query_cache_type = 0

Also we have a maxscale 1.3.0 with such configuration:

[maxscale]
syslog=1
log_to_shm=1
log_info=1
log_debug=1
log_augmentation=1
threads=8
logdir=/tmp/
 
[Galera Monitor]
type=monitor
module=galeramon
servers=galera-01,galera-02,galera-03
user=root
passwd=admin
monitor_interval=3000
#disable_master_failback=
 
[qla]
type=filter
module=qlafilter
options=/tmp/QueryLog
 
[fetch]
type=filter
module=regexfilter
match=fetch
replace=select
 
[hint]
type=filter
module=hintfilter
 
[Read Connection Router]
type=service
router=readconnroute
servers=galera-01,galera-02,galera-03
user=root
passwd=admin
router_options=synced
enable_root_user=1
localhost_match_wildcard_host=1
 
[RW Split Router]
type=service
router=readwritesplit
router_options=master_accept_reads=true
servers=galera-01,galera-02,galera-03
user=root
passwd=admin
localhost_match_wildcard_host=1
enable_root_user=1
 
[SSL Read Connection Router]
type=service
router=readconnroute
servers=galera-01,galera-02,galera-03
user=root
passwd=admin
router_options=synced
enable_root_user=1
localhost_match_wildcard_host=1
ssl=required
ssl_cert=/etc/certs/servicesdb.crt
ssl_key=/etc/certs/servicesdb-privkey.pem
ssl_ca_cert=/etc/certs/ca-cert.pem
 
[SSL RW Split Router]
type=service
router=readwritesplit
router_options=master_accept_reads=true
servers=galera-01,galera-02,galera-03
user=root
passwd=admin
localhost_match_wildcard_host=1
enable_root_user=1
ssl=required
ssl_cert=/etc/certs/servicesdb.crt 
ssl_key=/etc/certs/servicesdb-privkey.pem
ssl_ca_cert=/etc/certs/ca-cert.pem
 
[Debug Interface]
type=service
router=debugcli
 
[CLI]
type=service
router=cli
user=root
passwd=admin
 
[MaxInfo]
type=service
router=maxinfo
 
[Read Connection Listener]
type=listener
service=Read Connection Router
protocol=MySQLClient
port=4006
socket=/tmp/readconn.sock
 
[RW Split Listener]
type=listener
service=RW Split Router
protocol=MySQLClient
port=4008
socket=/tmp/rwsplit.sock
 
[SSL Read Connection Listener]
type=listener
service=SSL Read Connection Router
protocol=MySQLClient
port=14006
socket=/tmp/sslreadconn.sock
 
[SSL RW Split Listener]
type=listener
service=SSL RW Split Router
protocol=MySQLClient
port=14008
socket=/tmp/sslrwsplit.sock
 
[Debug Listener]
type=listener
service=Debug Interface
protocol=telnetd
port=4442
 
[CLI Listener]
type=listener
service=CLI
protocol=maxscaled
#address=127.0.0.1
port=6603
 
[MaxInfo Listener]
type=listener
service=MaxInfo
protocol=HTTPD
port=8003
 
[galera-01]
type=server
address=192.168.99.100
port=3307
protocol=MySQLBackend
 
[galera-02]
type=server
address=192.168.99.100
port=3308
protocol=MySQLBackend
 
[galera-03]
type=server
address=192.168.99.100
port=3309
protocol=MySQLBackend

And here comes the magic. Assuming we have an ad hoc connector class that uses the 1.3.6 version of the MariaDB Java connector:

import java.sql.DriverManager;
import java.sql.Connection;
import java.sql.SQLException;
 
public class Test {
    public static void main(String ... args) {
        try {
            Class.forName("org.mariadb.jdbc.Driver");
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }
        Connection connection = null;
        try {
            connection = DriverManager.getConnection("jdbc:mariadb://192.168.99.100:14008/option_service?connectTimeout=100&useSSL=true&requireSSL=true&verifyServerCertificate=true", "root", "admin");
        } catch (SQLException e) {
            e.printStackTrace();
            return;
        }
        if (connection != null) {
            System.out.println("You made it, take control your database now!");
        } else {
            System.out.println("Failed to make connection!");
        }
    }
}

which I run with options (generated by IDE):

$JAVA_HOME/bin/java -Djavax.net.ssl.keyStore=optionservice.jks -Djavax.net.ssl.trustStore=optionservice.jks -Djavax.net.ssl.keyStorePassword=optionservice -Djavax.net.ssl.trustStorePassword=optionservice -Djavax.net.debug=all -Djavax.net.ssl.keyStoreType=jks -Dfile.encoding=UTF-8 -classpath "$JAVA_HOME/jre/lib/charsets.jar:$JAVA_HOME/jre/lib/deploy.jar:$JAVA_HOME/jre/lib/ext/cldrdata.jar:$JAVA_HOME/jre/lib/ext/dnsns.jar:$JAVA_HOME/jre/lib/ext/jaccess.jar:$JAVA_HOME/jre/lib/ext/jfxrt.jar:$JAVA_HOME/jre/lib/ext/localedata.jar:$JAVA_HOME/jre/lib/ext/nashorn.jar:$JAVA_HOME/jre/lib/ext/sunec.jar:$JAVA_HOME/jre/lib/ext/sunjce_provider.jar:$JAVA_HOME/jre/lib/ext/sunpkcs11.jar:$JAVA_HOME/jre/lib/ext/zipfs.jar:$JAVA_HOME/jre/lib/javaws.jar:$JAVA_HOME/jre/lib/jce.jar:$JAVA_HOME/jre/lib/jfr.jar:$JAVA_HOME/jre/lib/jfxswt.jar:$JAVA_HOME/jre/lib/jsse.jar:$JAVA_HOME/jre/lib/management-agent.jar:$JAVA_HOME/jre/lib/plugin.jar:$JAVA_HOME/jre/lib/resources.jar:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/ant-javafx.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/javafx-mx.jar:$JAVA_HOME/lib/jconsole.jar:$JAVA_HOME/lib/packager.jar:$JAVA_HOME/lib/sa-jdi.jar:$JAVA_HOME/lib/tools.jar:./mariadb-java-client-1.3.6.jar:." Test

For port 14008, which is the SSL RW Router, we get an exception "java.sql.SQLNonTransientConnectionException: Could not connect to 192.168.99.100:14008: Unrecognized SSL message, plaintext connection?". If I change the port to 3307 (one of the nodes of the Galera Cluster) everything goes fine. I am sorry, I can't send you the full log because it contains certificate private data, but the last thing we can see when connecting through maxscale is this one:

*** ClientHello, TLSv1
RandomCookie:  GMT: 1440083963 bytes = { 244, 193, 199, 91, 182, 201, 201, 35, 120, 100, 184, 51, 153, 203, 95, 67, 88, 107, 25, 72, 148, 113, 245, 120, 129, 120, 3, 164 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
[write] MD5 and SHA1 hashes:  len = 137
0000: 01 00 00 85 03 01 56 D6   F0 FB F4 C1 C7 5B B6 C9  ......V......[..
0010: C9 23 78 64 B8 33 99 CB   5F 43 58 6B 19 48 94 71  .#xd.3.._CXk.H.q
0020: F5 78 81 78 03 A4 00 00   1E C0 09 C0 13 00 2F C0  .x.x........../.
0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........
0040: 0D 00 16 00 13 00 FF 01   00 00 3E 00 0A 00 34 00  ..........>...4.
0050: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............
0060: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................
0070: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................
0080: 08 00 16 00 0B 00 02 01   00                       .........
main, WRITE: TLSv1 Handshake, length = 137
[Raw write]: length = 142
0000: 16 03 01 00 89 01 00 00   85 03 01 56 D6 F0 FB F4  ...........V....
0010: C1 C7 5B B6 C9 C9 23 78   64 B8 33 99 CB 5F 43 58  ..[...#xd.3.._CX
0020: 6B 19 48 94 71 F5 78 81   78 03 A4 00 00 1E C0 09  k.H.q.x.x.......
0030: C0 13 00 2F C0 04 C0 0E   00 33 00 32 C0 08 C0 12  .../.....3.2....
0040: 00 0A C0 03 C0 0D 00 16   00 13 00 FF 01 00 00 3E  ...............>
0050: 00 0A 00 34 00 32 00 17   00 01 00 03 00 13 00 15  ...4.2..........
0060: 00 06 00 07 00 09 00 0A   00 18 00 0B 00 0C 00 19  ................
0070: 00 0D 00 0E 00 0F 00 10   00 11 00 02 00 12 00 04  ................
0080: 00 05 00 14 00 08 00 16   00 0B 00 02 01 00        ..............
[Raw read]: length = 5
0000: 46 00 00 02 FF                                     F....
main, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
main, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1.2 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Broken pipe
main, called closeSocket()
java.sql.SQLNonTransientConnectionException: Could not connect to 192.168.99.100:14008: Unrecognized SSL message, plaintext connection?
	at org.mariadb.jdbc.internal.util.ExceptionMapper.get(ExceptionMapper.java:123)
	at org.mariadb.jdbc.internal.util.ExceptionMapper.throwException(ExceptionMapper.java:69)
	at org.mariadb.jdbc.Driver.connect(Driver.java:110)
	at java.sql.DriverManager.getConnection(DriverManager.java:664)
	at java.sql.DriverManager.getConnection(DriverManager.java:247)
	at Test.main(Test.java:15)
Caused by: org.mariadb.jdbc.internal.util.dao.QueryException: Could not connect to 192.168.99.100:14008: Unrecognized SSL message, plaintext connection?
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:439)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:351)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:664)
	at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:587)
	at org.mariadb.jdbc.Driver.connect(Driver.java:105)
	... 3 more
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
	at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
	at sun.security.ssl.InputRecord.read(InputRecord.java:527)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.handleConnectionPhases(AbstractConnectProtocol.java:417)

Please let me know if you need any additional information.
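The two byte strings in the trace above tell the whole story once decoded, so here is a small diagnostic script for doing that. It is an added example, not code from the report, from MaxScale or from the MariaDB connector; the two byte strings are transcribed from the "[Raw write]" and "[Raw read]" hex dumps above, and the function names and the small cipher-suite table are my own. The script shows that what the driver wrote is a TLSv1 ClientHello (record version 3.1, 15 cipher suites, elliptic_curves and ec_point_formats extensions, matching the JSSE summary above), while the 5 bytes it read back are not a TLS record at all: they decode as a MySQL packet header (payload length 70, sequence id 2) followed by 0xFF, the marker of a MySQL ERR packet. The JSSE layer reads exactly 5 bytes for a record header, finds a first byte that is not a TLS content type, and reports "Unrecognized SSL message, plaintext connection?". So the listener answered the client's SSL request with a protocol-level error instead of starting the TLS handshake, which is consistent with the "failed to connect to service ... with SSL" log lines later in this issue.

```python
"""Decode the ClientHello the JDBC driver sent and the reply it received.

Added diagnostic example; not part of the bug report, MaxScale or the connector.
"""
import struct

# Transcribed from the "[Raw write]" hex dump in the report (142 bytes).
CLIENT_HELLO = bytes.fromhex(
    "160301008901000085030156d6f0fbf4"
    "c1c75bb6c9c9237864b83399cb5f4358"
    "6b19489471f578817803a400001ec009"
    "c013002fc004c00e00330032c008c012"
    "000ac003c00d0016001300ff0100003e"
    "000a0034003200170001000300130015"
    "000600070009000a0018000b000c0019"
    "000d000e000f00100011000200120004"
    "0005001400080016000b00020100"
)
# Transcribed from the "[Raw read]" hex dump: the 5 bytes read back from port 14008.
SERVER_REPLY = bytes.fromhex("46000002ff")

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
# A few IANA cipher-suite numbers, enough to name the suites seen in the trace.
SUITE_NAMES = {0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
               0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}
MYSQL_PACKET_KINDS = {0xFF: "ERR", 0x00: "OK", 0xFE: "EOF"}


def classify(first_bytes):
    """Decide whether the first bytes on a socket look like a TLS record or a MySQL packet."""
    if len(first_bytes) < 5:
        return "short"
    # A TLS record starts with a content type byte and a 0x03 major version.
    if first_bytes[0] in TLS_CONTENT_TYPES and first_bytes[1] == 0x03:
        return "tls"
    return "mysql"


def parse_mysql_header(data):
    """MySQL packet: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    length = int.from_bytes(data[0:3], "little")
    seq = data[3]
    kind = MYSQL_PACKET_KINDS.get(data[4], "other") if len(data) > 4 else None
    return {"payload_length": length, "sequence_id": seq, "first_payload_byte": kind}


def parse_client_hello(record):
    """Pull version, cipher suites and extension types out of a TLS ClientHello record."""
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    assert content_type == 0x16, "not a handshake record"
    body = record[5:5 + rec_len]
    assert body[0] == 0x01, "not a ClientHello"
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = (hello[0], hello[1])
    random = hello[2:34]
    pos = 34
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len
    ext_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    ext_types = []
    while pos < end:
        etype = int.from_bytes(hello[pos:pos + 2], "big")
        elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
        ext_types.append(etype)
        pos += 4 + elen
    return {"record_version": (major, minor), "client_version": client_version,
            "random": random, "cipher_suites": suites, "extension_types": ext_types}


def diagnose(reply):
    """Explain a reply that JSSE rejected as 'Unrecognized SSL message'."""
    if classify(reply) == "tls":
        return "TLS record; the server did start a handshake"
    h = parse_mysql_header(reply)
    return ("MySQL %s packet, sequence id %d, payload length %d: the server answered "
            "the SSL request in plaintext instead of with a ServerHello"
            % (h["first_payload_byte"], h["sequence_id"], h["payload_length"]))


if __name__ == "__main__":
    ch = parse_client_hello(CLIENT_HELLO)
    print("client offered TLS %d.%d with %d suites, e.g. %s" % (
        ch["client_version"][0], ch["client_version"][1], len(ch["cipher_suites"]),
        SUITE_NAMES.get(ch["cipher_suites"][0], hex(ch["cipher_suites"][0]))))
    print("server reply:", diagnose(SERVER_REPLY))
```

The decoded cipher-suite list is also what to compare against the server's ssl-cipher setting when the client and the server do reach the TLS handshake; here they never got that far, because the error came back at the MySQL protocol layer before any TLS bytes were exchanged in the other direction.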



 Comments   
Comment by Johan Wikman [ 2016-03-23 ]

Could you try with 1.4.0? A number of SSL improvements were made for that.

Comment by Johan Wikman [ 2016-06-06 ]

tanj, did you try with 1.4?

Comment by markus makela [ 2016-06-06 ]

I was able to reproduce this with JayDeBeApi.

>>> jaydebeapi.connect("org.mariadb.jdbc.Driver", ["jdbc:mariadb://" + host + ":" + port + "/test?useSSL=true&requireSSL=true&verifyServerCert=false", user, password],"./maxscale/java/mariadb-java-client-1.3.3.ar")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/jaydebeapi/__init__.py", line 359, in connect
    jconn = _jdbc_connect(jclassname, jars, libs, *driver_args)
  File "/usr/local/lib/python2.7/dist-packages/jaydebeapi/__init__.py", line 183, in _jdbc_connect_jpype
    return jpype.java.sql.DriverManager.getConnection(*driver_args)
jpype._jexception.SQLNonTransientConnectionExceptionPyRaisable: java.sql.SQLNonTransientConnectionException: Could not connect to 192.168.121.5:4006: Unrecognized SSL message, plaintext connection?
>>> 

This was in the error log.

2016-06-06 15:53:19   info   : User @192.168.121.1 failed to connect to service 'RW Split Router' with SSL.
2016-06-06 15:53:22   error  : SSL operation failed in dcb_accept_SSL, dcb 0x7f9204011bf0 in state DCB_STATE_POLLING fd 16 return code -1. More details may follow.
2016-06-06 15:53:22   error  : error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2016-06-06 15:53:22   info   : User @192.168.121.1 failed to connect to service 'RW Split Router' with SSL.

Comment by Johan Wikman [ 2016-06-07 ]

Moved to 2.1

Comment by Johan Wikman [ 2017-02-07 ]

Closing as this affects version 1.3 and no later reports have been received.

Please re-open this bug or create a new one if this is still an issue for later versions.
