maria-discuss team mailing list archive

Thread
Date

Re: MaxScale behaviour differs for TLs and non-TLS clients

To: Markus Mäkelä <markus.makela@xxxxxxxxxxx>
From: Pak Chan <pakchan9000@xxxxxxxxx>
Date: Thu, 12 Oct 2017 23:08:55 +0100
Cc: maria-discuss@xxxxxxxxxxxxxxxxxxx
In-reply-to: <bc1bed2f-7c7b-bc8d-cfd3-3b2cd80ee417@mariadb.com>

Thanks for the response. I won't be able to get back to it until Monday, so
I'll see about decrypting the packet then and report the bug with the extra
information.

On 12 Oct 2017 22:49, "Markus Mäkelä" <markus.makela@xxxxxxxxxxx> wrote:

> Hi,
>
> Thank you for testing MaxScale and reporting your findings. We haven't
> seen the behavior you described and it is certainly not expected. One
> possibility I can think of is that for some reason, a TLS connection is
> created between the monitor and the Galera when a normal one should be
> used. Unless the servers are configured to use TLS, the monitor should
> create normal, plain connections.
>
> I think you can decrypt the packets with Wireshark as long as you have the
> private key and the certificate. This might be a helpful link in
> determining what the encrypted packet was: https://wiki.wireshark.org/SSL
>
> As this is not expected behavior, I would like to ask you to file a bug
> report on the MariaDB Jira under the MaxScale project. Hopefully we'll get
> to the bottom of this soon.
>
> Markus
>
> On 12/10/17 19:39, Pak Chan wrote:
>
> Hi,
>
> I'm (still) testing MaxScale, set up to connect only to the master node,
> on Ubuntu 16.04 fronting a Galera cluster. The cluster comprises of 2
> MariaDB 10.1 instances on different servers, with a Galera Arbitrator
> instance running on the MaxScale server. I'm testing this using the MariaDB
> client (mysql) from a fourth machine.
>
> My test scenario is to see what the client experiences if I stop and
> restart a MariaDB node part-way through a transaction. I start with the
> "slave" node, to give me a baseline for comparison, before doing it with
> the master node. However, the baseline case gives me different results,
> depending on whether the MySQL client is connecting via TLS or not.
>
> If I connect to MaxScale via TLS, the connection disappears when the
> "slave" node comes back (but not when it goes down). Watching it via a
> network packet trace, I can see that, just after the slave comes back up,
> MaxScale sends the client an encrypted packet to the mysql client, then
> sends a MySQL Quit command to the master node before disconnecting. The
> syslog contains the line "[galeramon] There are no cluster members".
>
> If I connect to MaxScale without TLS, the connection remains stable
> regardless of the number of times the slave node goes down and up, and the
> "galeramon" line doesn't appear in the syslog. (I discovered this when I
> disabled the TLS in order to see what the encrypted packet being sent to
> the client was...I still don't know what it is!)
>
> Has anyone else come across this behaviour?
>
> MaxScale is configured as follows (the commented-out configuration is
> uncommented when connecting via TLS):
>
> [dbnode1]
> type=server
> address=172.16.1.22
> port=3306
> protocol=MySQLBackend
>
> priority=1
>
>
> [dbnode2]
> type=server
> address=172.16.1.23
> port=3306
> protocol=MySQLBackend
>
> priority=2
>
>
> [Galera Monitor]
> type=monitor
> module=galeramon
> servers=dbnode1,dbnode2
> user=galeramon
> passwd=galeramon
> monitor_interval=1000
> available_when_donor=true
> use_priority=true
>
> [Galera Service]
> type=service
> router=readrouteconn
>
> router_options=master
>
> servers=dbnode1,dbnode2
> user=galeramon
> passwd=galeramon
>
> [MaxAdmin Service]
> type=service
> router=cli
>
> [Galera Listener]
> type=listener
> service=Galera Service
> protocol=MySQLClient
> port=3306
> #ssl=required
> #ssl_version=TLSv12
> #ssl_cert=/etc/mysql/ssl/server-cert.pem
> #ssl_key=/etc/mysql/ssl/server-key.pem
> #ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
> #ssl_cert_verify_depth=1
>
> [MaxAdmin Listener]
> type=listener
> service=MaxAdmin Service
> protocol=maxscaled
> socket=default
>
>
> PC
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
>
> --
> Markus Mäkelä, Software Engineer
> MariaDB Corporation
> t: +358 40 7740484 <+358%2040%207740484> | Skype: markus.j.makela
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
>

Follow ups

Re: MaxScale behaviour differs for TLs and non-TLS clients
From: Pak Chan, 2017-10-16

References

MaxScale behaviour differs for TLs and non-TLS clients
From: Pak Chan, 2017-10-12
Re: MaxScale behaviour differs for TLs and non-TLS clients
From: Markus Mäkelä, 2017-10-12