
maria-discuss team mailing list archive

Re: MaxScale Server SSL version

 

Thanks for the suggestion, Markus.

I've tried it now after commenting out the ssl_version in the
configuration, and it makes no difference. As I can connect to the Galera
Listener on MaxScale via TLSv1.2 from a mysql client on another machine,
thus proving that it does have TLSv1.2 support, it seems like it's a bug.
I'll report it.

Thanks again.

On 4 Oct 2017 7:56 p.m., "Markus Mäkelä" <markus.makela@xxxxxxxxxxx> wrote:

> Hi,
>
> I think we've seen something similar happen when the explicit SSL version
> is defined. I'd recommend removing the ssl_version parameter and trying
> again. By default MaxScale uses the highest supported SSL version so it
> should still default to TLSv1.2.
>
> I see no reason why defining an explicit SSL version shouldn't work and if
> removing the ssl_version fixes the problem, I think there might be
> something wrong with how MaxScale chooses the SSL version. In this case, I
> would recommend that you open a bug report on the MariaDB jira:
> https://jira.mariadb.org/browse/MXS
>
> Markus
>
> On 04/10/17 19:47, Pak Chan wrote:
>
> Hi,
>
> I'm in the process of setting up MaxScale on Ubuntu 16.04 fronting a
> Galera cluster where the MariaDB database nodes (also on Ubuntu 16.04) are
> set to use TLSv1.2. There is a "test" user and a "galeramon" user on the
> database, both requiring SSL.
>
> According to the documentation, I can configure this in MaxScale as
> follows:
>
> [dbnode1]
> type=server
> address=172.16.1.22
> port=3306
> protocol=MySQLBackend
> ssl=required
> ssl_version=TLSv12
> ssl_cert=/etc/mysql/ssl/db-client-cert.pem
> ssl_key=/etc/mysql/ssl/db-client-key.pem
> ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
>
> [dbnode2]
> type=server
> address=172.16.1.23
> port=3306
> protocol=MySQLBackend
> ssl=required
> ssl_version=TLSv12
> ssl_cert=/etc/mysql/ssl/db-client-cert.pem
> ssl_key=/etc/mysql/ssl/db-client-key.pem
> ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
>
>
> [Galera Monitor]
> type=monitor
> module=galeramon
> servers=dbnode1,dbnode2
> user=galeramon
> passwd=galeramon
> monitor_interval=1000
>
> [Galera Service]
> type=service
> router=readwritesplit
> servers=dbnode1,dbnode2
> user=galeramon
> passwd=galeramon
>
> [MaxAdmin Service]
> type=service
> router=cli
>
> [Galera Listener]
> type=listener
> service=Galera Service
> protocol=MySQLClient
> port=3306
> authenticator=MySQL
> ssl=required
> ssl_version=TLSv12
> ssl_cert=/etc/mysql/ssl/server-cert.pem
> ssl_key=/etc/mysql/ssl/server-key.pem
> ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
> ssl_cert_verify_depth=9
>
> [MaxAdmin Listener]
> type=listener
> service=MaxAdmin Service
> protocol=maxscaled
> socket=default
>
>
> However, this never successfully connects. I ran a packet capture on the
> connection, and found that the reason it was failing was that MaxScale was
> trying to connect using TLSv1.0 despite the specification. Changing the
> "ssl_version" setting to "MAX" had no effect.
>
> The version of openssl and libssl1.0.0 on the server are both
> 1.0.2g-1ubuntu4.8, so it should support TLSv1.2. I installed MaxScale with:
>
> curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=mariadb-10.1
> sudo apt install maxscale
>
>
> I can disable the TLS requirement for the "galeramon" user, which allows
> MaxScale to start up, but the moment I log into the database via MaxScale
> as the "test" user, the connection fails, as the following transcript (from
> a different server) shows:
>
> test@dbclient01:~$ mysql -h 172.16.2.1 -u test -p
> Enter password:
> Welcome to the MariaDB monitor.  Commands end with ; or \g.
> Your MySQL connection id is 31200
> Server version: 10.0.0 2.1.9-maxscale
>
> Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input
> statement.
>
> MySQL [(none)]> show databases;
> ERROR 2006 (HY000): MySQL server has gone away
> No connection. Trying to reconnect...
> Connection id:    31200
> Current database: *** NONE ***
>
> ERROR 2003 (HY000): Authentication with backend failed. Session will be
> closed.
> MySQL [(none)]>
>
>
> Is this a known issue, or is there something wrong with the configuration?
> For the record, I can connect to a database instance over TLSv1.2 from the
> MaxScale server using the mysql client with the same ("db-client-*")
> certificate as specified above.
>
> PC
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
>
> --
> Markus Mäkelä, Software Engineer
> MariaDB Corporation
> t: +358 40 7740484 | Skype: markus.j.makela
>
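The thread's diagnosis rests on a packet capture showing which TLS version each side offers. The script below is an added example (not code from the thread, from MaxScale or from MariaDB) that reproduces that check without a capture: it speaks the MySQL protocol up to the SSLRequest packet, then completes the TLS handshake with a pinned version range and reports what was negotiated. Pointed at a backend node with the db-client certificate it confirms the backend accepts TLSv1.2; pinned to TLSv1.0 only (`min_version=max_version=ssl.TLSVersion.TLSv1`) it reproduces what the capture showed MaxScale doing, so a failure there explains the "Authentication with backend failed" error. The 172.16.1.22 address and certificate paths come from the configuration quoted above; the `sample_handshake` bytes, the "10.1.26-MariaDB" version string and the helper names are constructed for this example.

```python
"""Probe which TLS version a MySQL/MariaDB endpoint (backend node or MaxScale
listener) negotiates. Added example, not MaxScale code; addresses and
certificate paths are assumptions taken from the configuration in the thread."""
import socket
import ssl
import struct

# Capability flags from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800               # peer can switch to TLS right after the greeting
CLIENT_SECURE_CONNECTION = 0x8000


def parse_handshake_v10(payload: bytes) -> dict:
    """Parse the Initial Handshake Packet (protocol version 10) the server sends first."""
    if not payload or payload[0] != 10:
        raise ValueError("not a protocol-10 handshake (first byte %r)" % payload[:1])
    pos = payload.index(b"\x00", 1)
    server_version = payload[1:pos].decode("ascii", "replace")
    pos += 1
    connection_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                                   # conn id, auth-data part 1, filler
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                                   # caps (low), charset, status flags
    cap_upper = struct.unpack_from("<H", payload, pos)[0]
    caps = (cap_upper << 16) | cap_lower
    return {"server_version": server_version, "connection_id": connection_id,
            "capabilities": caps, "ssl_supported": bool(caps & CLIENT_SSL)}


def build_ssl_request(seq: int = 1, max_packet: int = 1 << 24, charset: int = 33) -> bytes:
    """Build the 32-byte SSLRequest packet; once it is sent, the TLS handshake starts."""
    flags = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    body = struct.pack("<IIB", flags, max_packet, charset) + b"\x00" * 23
    return len(body).to_bytes(3, "little") + bytes([seq & 0xFF]) + body


def sample_handshake(ssl_supported: bool) -> bytes:
    """Constructed handshake payload for offline testing (not a real capture)."""
    lower = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | 0x0001
    if ssl_supported:
        lower |= CLIENT_SSL
    return (b"\x0a" + b"10.1.26-MariaDB\x00"            # constructed version string
            + struct.pack("<I", 31200)                 # connection id
            + b"ABCDEFGH" + b"\x00"                    # auth-plugin-data part 1, filler
            + struct.pack("<H", lower) + b"\x21"       # caps (low), charset utf8
            + struct.pack("<H", 0x0002)                # status: autocommit
            + struct.pack("<H", 0x0000) + b"\x15"      # caps (high), auth data length
            + b"\x00" * 10 + b"IJKLMNOPQRST\x00"       # reserved, auth-plugin-data part 2
            + b"mysql_native_password\x00")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-packet")
        buf += chunk
    return buf


def read_packet(sock: socket.socket):
    """Return (sequence id, payload) of one MySQL packet."""
    header = _recv_exact(sock, 4)
    return header[3], _recv_exact(sock, int.from_bytes(header[:3], "little"))


def probe_tls(host, port, ca_cert, client_cert=None, client_key=None,
              min_version=ssl.TLSVersion.TLSv1_2,
              max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED, timeout=5.0):
    """Return (negotiated TLS version, server version string); raise if the handshake fails."""
    ctx = ssl.create_default_context(cafile=ca_cert)
    ctx.minimum_version, ctx.maximum_version = min_version, max_version
    ctx.check_hostname = False        # DB certs rarely carry the hostname; CA validation stays on
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        seq, payload = read_packet(raw)
        if payload[:1] == b"\xff":    # ERR packet instead of a greeting (e.g. host not allowed)
            raise RuntimeError(payload[3:].decode("latin-1"))
        hs = parse_handshake_v10(payload)
        if not hs["ssl_supported"]:
            raise RuntimeError("server did not advertise CLIENT_SSL; check its ssl settings")
        raw.sendall(build_ssl_request(seq=seq + 1))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), hs["server_version"]


if __name__ == "__main__":
    import sys
    # Assumed usage: python probe.py 172.16.1.22 3306 /etc/mysql/ssl/ca-cert.pem \
    #     /etc/mysql/ssl/db-client-cert.pem /etc/mysql/ssl/db-client-key.pem
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    cert, key = (sys.argv[4], sys.argv[5]) if len(sys.argv) > 5 else (None, None)
    print("negotiated %s with server %s" % probe_tls(host, port, ca, cert, key))
```

Run it once against each backend node from the MaxScale host and once against the MaxScale listener from a client host; the listener case should report TLSv1.2, matching the mysql-client test in the thread, and a backend that refuses the TLSv1.0-pinned run while accepting the default run is consistent with the captured behaviour. The parsing functions work offline on the constructed packet, so the protocol framing can be checked without any server.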
