Hi,
I'm in the process of setting up MaxScale on Ubuntu 16.04 fronting a
Galera cluster where the MariaDB database nodes (also on Ubuntu 16.04)
are set to use TLSv1.2. There is a "test" user and a "galeramon" user
on the database, both requiring SSL.
According to the documentation, I can configure this in MaxScale as
follows:
[dbnode1]
type=server
address=172.16.1.22
port=3306
protocol=MySQLBackend
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
[dbnode2]
type=server
address=172.16.1.23
port=3306
protocol=MySQLBackend
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000
[Galera Service]
type=service
router=readwritesplit
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
[MaxAdmin Service]
type=service
router=cli
[Galera Listener]
type=listener
service=Galera Service
protocol=MySQLClient
port=3306
authenticator=MySQL
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/server-cert.pem
ssl_key=/etc/mysql/ssl/server-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
ssl_cert_verify_depth=9
[MaxAdmin Listener]
type=listener
service=MaxAdmin Service
protocol=maxscaled
socket=default
However, this never successfully connects. I ran a packet capture on
the connection, and found that the reason it was failing was that
MaxScale was trying to connect using TLSv1.0 despite the
specification. Changing the "ssl_version" setting to "MAX" had no effect.
The version of openssl and libssl1.0.0 on the server are both
1.0.2g-1ubuntu4.8, so it should support TLSv1.2. I installed MaxScale
with:
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
| sudo bash -s -- --mariadb-server-version=mariadb-10.1
sudo apt install maxscale
I can disable the TLS requirement for the "galeramon" user, which
allows MaxScale to start up, but the moment I log into the database
via MaxScale as the "test" user, the connection fails, as the
following transcript (from a different server) shows:
test@dbclient01:~$ mysql -h 172.16.2.1 -u test -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 31200
Server version: 10.0.0 2.1.9-maxscale
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current
input statement.
MySQL [(none)]> show databases;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id: 31200
Current database: *** NONE ***
ERROR 2003 (HY000): Authentication with backend failed. Session
will be closed.
MySQL [(none)]>
Is this a known issue, or is there something wrong with the
configuration? For the record, I can connect to a database instance
over TLSv1.2 from the MaxScale server using the mysql client with the
same ("db-client-*") certificate as specified above.
PC
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to : maria-discuss@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~maria-discuss
More help : https://help.launchpad.net/ListHelp
