maria-discuss team mailing list archive

Re: MaxScale Server SSL version

Hi,

I think we've seen something similar happen when the explicit SSL version is defined. I'd recommend removing the ssl_version parameter and trying again. By default MaxScale uses the highest supported SSL version so it should still default to TLSv1.2.

I see no reason why defining an explicit SSL version shouldn't work, and if removing the ssl_version fixes the problem, I think there might be something wrong with how MaxScale chooses the SSL version. In this case, I would recommend that you open a bug report on the MariaDB jira: https://jira.mariadb.org/browse/MXS

Markus


On 04/10/17 19:47, Pak Chan wrote:
Hi,

I'm in the process of setting up MaxScale on Ubuntu 16.04 fronting a Galera cluster where the MariaDB database nodes (also on Ubuntu 16.04) are set to use TLSv1.2. There is a "test" user and a "galeramon" user on the database, both requiring SSL.

According to the documentation, I can configure this in MaxScale as follows:

    [dbnode1]
    type=server
    address=172.16.1.22
    port=3306
    protocol=MySQLBackend
    ssl=required
    ssl_version=TLSv12
    ssl_cert=/etc/mysql/ssl/db-client-cert.pem
    ssl_key=/etc/mysql/ssl/db-client-key.pem
    ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem

    [dbnode2]
    type=server
    address=172.16.1.23
    port=3306
    protocol=MySQLBackend
    ssl=required
    ssl_version=TLSv12
    ssl_cert=/etc/mysql/ssl/db-client-cert.pem
    ssl_key=/etc/mysql/ssl/db-client-key.pem
    ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem


    [Galera Monitor]
    type=monitor
    module=galeramon
    servers=dbnode1,dbnode2
    user=galeramon
    passwd=galeramon
    monitor_interval=1000

    [Galera Service]
    type=service
    router=readwritesplit
    servers=dbnode1,dbnode2
    user=galeramon
    passwd=galeramon

    [MaxAdmin Service]
    type=service
    router=cli

    [Galera Listener]
    type=listener
    service=Galera Service
    protocol=MySQLClient
    port=3306
    authenticator=MySQL
    ssl=required
    ssl_version=TLSv12
    ssl_cert=/etc/mysql/ssl/server-cert.pem
    ssl_key=/etc/mysql/ssl/server-key.pem
    ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
    ssl_cert_verify_depth=9

    [MaxAdmin Listener]
    type=listener
    service=MaxAdmin Service
    protocol=maxscaled
    socket=default


However, this never successfully connects. I ran a packet capture on the connection, and found that the reason it was failing was that MaxScale was trying to connect using TLSv1.0 despite the specification. Changing the "ssl_version" setting to "MAX" had no effect.

The version of openssl and libssl1.0.0 on the server are both 1.0.2g-1ubuntu4.8, so it should support TLSv1.2. I installed MaxScale with:

    curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
        | sudo bash -s -- --mariadb-server-version=mariadb-10.1
    sudo apt install maxscale


I can disable the TLS requirement for the "galeramon" user, which allows MaxScale to start up, but the moment I log into the database via MaxScale as the "test" user, the connection fails, as the following transcript (from a different server) shows:

    test@dbclient01:~$ mysql -h 172.16.2.1 -u test -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MySQL connection id is 31200
    Server version: 10.0.0 2.1.9-maxscale

    Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current
    input statement.

    MySQL [(none)]> show databases;
    ERROR 2006 (HY000): MySQL server has gone away
    No connection. Trying to reconnect...
    Connection id: 31200
    Current database: *** NONE ***

    ERROR 2003 (HY000): Authentication with backend failed. Session
    will be closed.
    MySQL [(none)]>


Is this a known issue, or is there something wrong with the configuration? For the record, I can connect to a database instance over TLSv1.2 from the MaxScale server using the mysql client with the same ("db-client-*") certificate as specified above.

PC


_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp

--
Markus Mäkelä, Software Engineer
MariaDB Corporation
t: +358 40 7740484 | Skype: markus.j.makela
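A way to check which TLS versions a MaxScale listener or a backend MariaDB server will actually accept, without a full packet capture, is to drive the first step of the MySQL protocol by hand: read the server greeting, check that it advertises CLIENT_SSL, send an SSLRequest packet, and then run a TLS handshake with the client pinned to a single protocol version. The script below is an added example for this thread; it is not code from the original posts or from MaxScale, and the host, port and the sample greeting bytes are constructed for illustration. Pointed at the MaxScale listener it shows what the listener negotiates with clients; pointed at a backend it shows what the backend accepts. It cannot show what MaxScale offers as a client to its backends, which is the part a capture is still needed for.

```python
"""Probe which TLS versions a MySQL/MariaDB/MaxScale port accepts (added example, not project code)."""
import socket
import ssl
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000


def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def read_packet(sock):
    """Read one protocol packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    header = recv_exact(sock, 4)
    length = header[0] | (header[1] << 8) | (header[2] << 16)
    return header[3], recv_exact(sock, length)


def parse_handshake_v10(payload):
    """Extract the fields of an initial handshake v10 packet that matter for an SSL probe."""
    if payload[0] == 0xFF:  # ERR packet instead of a greeting (e.g. host not allowed)
        code = struct.unpack_from("<H", payload, 1)[0]
        raise ConnectionError("server error %d: %s" % (code, payload[3:].decode(errors="replace")))
    if payload[0] != 10:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii", errors="replace")
    pos = end + 1
    connection_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1  # connection id, auth-plugin-data-part-1, filler byte
    cap_low = struct.unpack_from("<H", payload, pos)[0]
    charset = payload[pos + 2]
    status = struct.unpack_from("<H", payload, pos + 3)[0]
    cap_high = struct.unpack_from("<H", payload, pos + 5)[0]
    capabilities = cap_low | (cap_high << 16)
    return {"server_version": server_version, "connection_id": connection_id,
            "capabilities": capabilities, "ssl": bool(capabilities & CLIENT_SSL),
            "charset": charset, "status": status}


def build_ssl_request(charset=33, max_packet=16 * 1024 * 1024, seq=1):
    """SSLRequest: the first 32 bytes of a HandshakeResponse41 with CLIENT_SSL set."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_SSL
    payload = struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def probe_tls(host, port, minimum, maximum, cafile=None, timeout=5.0):
    """Negotiate TLS on a MySQL-protocol port with the client restricted to [minimum, maximum].

    Returns (server banner, negotiated protocol string such as 'TLSv1.2'); raises on refusal.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        seq, greeting = read_packet(sock)
        info = parse_handshake_v10(greeting)
        if not info["ssl"]:
            raise RuntimeError("%s does not advertise CLIENT_SSL" % info["server_version"])
        sock.sendall(build_ssl_request(charset=info["charset"], seq=seq + 1))
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = minimum
        ctx.maximum_version = maximum
        if cafile:
            ctx.load_verify_locations(cafile)  # verify the server against the deployment CA
        else:
            ctx.check_hostname = False  # probing only: do not rely on this for real connections
            ctx.verify_mode = ssl.CERT_NONE
        # The socket is already connected, so wrap_socket performs the handshake immediately.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return info["server_version"], tls.version()


def sample_greeting(ssl_enabled=True):
    """Constructed MariaDB-style greeting for offline testing (not a real capture)."""
    cap_low = 0xFFFF if ssl_enabled else 0xFFFF & ~CLIENT_SSL
    return (b"\x0a"                               # protocol version 10
            + b"5.5.5-10.1.26-MariaDB\x00"        # server version, NUL-terminated
            + struct.pack("<I", 31200)            # connection id
            + b"abcdefgh" + b"\x00"               # auth-plugin-data-part-1, filler
            + struct.pack("<H", cap_low)          # capability flags, lower 16 bits
            + b"\x21"                             # character set 33 (utf8_general_ci)
            + struct.pack("<H", 0x0002)           # status flags (autocommit)
            + struct.pack("<H", 0x81BF)           # capability flags, upper 16 bits
            + b"\x15" + b"\x00" * 10              # auth plugin data length, reserved
            + b"ijklmnopqrst\x00"                 # auth-plugin-data-part-2
            + b"mysql_native_password\x00")       # auth plugin name


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "172.16.2.1"  # assumed MaxScale listener address
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3306
    for name, ver in (("TLSv1.0", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)):
        try:
            banner, negotiated = probe_tls(host, port, ver, ver)
            print("%s: accepted (%s, server %s)" % (name, negotiated, banner))
        except (OSError, ssl.SSLError, RuntimeError, ValueError) as exc:
            print("%s: rejected (%s)" % (name, exc))
```

Run it as `python3 probe.py 172.16.2.1 3306` against the listener and again against each backend. A "rejected" line for TLSv1.0 or TLSv1.1 is the result you want; note that a modern local OpenSSL may itself refuse to offer TLSv1.0, in which case that row reports the client's refusal rather than the server's, and the error text will say so.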

