Thanks for the suggestion, Markus. I've tried it now with the ssl_version commented out in the configuration, and it makes no difference. As I can connect to the Galera Listener on MaxScale via TLSv1.2 from a mysql client on another machine, which proves that it does have TLSv1.2 support, it seems like it's a bug. I'll report it.
Thanks again.

On 4 Oct 2017 7:56 p.m., "Markus Mäkelä" <markus.mak...@mariadb.com> wrote:
> Hi,
>
> I think we've seen something similar happen when the explicit SSL version is defined. I'd recommend removing the ssl_version parameter and trying again. By default MaxScale uses the highest supported SSL version so it should still default to TLSv1.2.
>
> I see no reason why defining an explicit SSL version shouldn't work and if removing the ssl_version fixes the problem, I think there might be something wrong with how MaxScale chooses the SSL version. In this case, I would recommend that you open a bug report on the MariaDB jira: https://jira.mariadb.org/browse/MXS
>
> Markus
>
> On 04/10/17 19:47, Pak Chan wrote:
> Hi,
>
> I'm in the process of setting up MaxScale on Ubuntu 16.04 fronting a Galera cluster where the MariaDB database nodes (also on Ubuntu 16.04) are set to use TLSv1.2. There is a "test" user and a "galeramon" user on the database, both requiring SSL.
>
> According to the documentation, I can configure this in MaxScale as follows:
>
> [dbnode1]
> type=server
> address=172.16.1.22
> port=3306
> protocol=MySQLBackend
> ssl=required
> ssl_version=TLSv12
> ssl_cert=/etc/mysql/ssl/db-client-cert.pem
> ssl_key=/etc/mysql/ssl/db-client-key.pem
> ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
>
> [dbnode2]
> type=server
> address=172.16.1.23
> port=3306
> protocol=MySQLBackend
> ssl=required
> ssl_version=TLSv12
> ssl_cert=/etc/mysql/ssl/db-client-cert.pem
> ssl_key=/etc/mysql/ssl/db-client-key.pem
> ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
>
> [Galera Monitor]
> type=monitor
> module=galeramon
> servers=dbnode1,dbnode2
> user=galeramon
> passwd=galeramon
> monitor_interval=1000
>
> [Galera Service]
> type=service
> router=readwritesplit
> servers=dbnode1,dbnode2
> user=galeramon
> passwd=galeramon
>
> [MaxAdmin Service]
> type=service
> router=cli
>
> [Galera Listener]
> type=listener
> service=Galera Service
> protocol=MySQLClient
> port=3306
> authenticator=MySQL
> ssl=required
> ssl_version=TLSv12
> ssl_cert=/etc/mysql/ssl/server-cert.pem
> ssl_key=/etc/mysql/ssl/server-key.pem
> ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
> ssl_cert_verify_depth=9
>
> [MaxAdmin Listener]
> type=listener
> service=MaxAdmin Service
> protocol=maxscaled
> socket=default
>
> However, this never successfully connects. I ran a packet capture on the connection, and found that the reason it was failing was that MaxScale was trying to connect using TLSv1.0 despite the specification. Changing the "ssl_version" setting to "MAX" had no effect.
>
> The version of openssl and libssl1.0.0 on the server are both 1.0.2g-1ubuntu4.8, so it should support TLSv1.2. I installed MaxScale with:
>
> curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=mariadb-10.1
> sudo apt install maxscale
>
> I can disable the TLS requirement for the "galeramon" user, which allows MaxScale to start up, but the moment I log into the database via MaxScale as the "test" user, the connection fails, as the following transcript (from a different server) shows:
>
> test@dbclient01:~$ mysql -h 172.16.2.1 -u test -p
> Enter password:
> Welcome to the MariaDB monitor. Commands end with ; or \g.
> Your MySQL connection id is 31200
> Server version: 10.0.0 2.1.9-maxscale
>
> Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
>
> Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
>
> MySQL [(none)]> show databases;
> ERROR 2006 (HY000): MySQL server has gone away
> No connection. Trying to reconnect...
> Connection id: 31200
> Current database: *** NONE ***
>
> ERROR 2003 (HY000): Authentication with backend failed. Session will be closed.
> MySQL [(none)]>
>
> Is this a known issue, or is there something wrong with the configuration? For the record, I can connect to a database instance over TLSv1.2 from the MaxScale server using the mysql client with the same ("db-client-*") certificate as specified above.
>
> PC
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to : maria-discuss@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help : https://help.launchpad.net/ListHelp
>
> --
> Markus Mäkelä, Software Engineer
> MariaDB Corporation
> t: +358 40 7740484 | Skype: markus.j.makela
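The thread turns on what the packet capture showed: the TLS version MaxScale actually offered to the backend, as opposed to the ssl_version it was configured with. The script below is an added example, written for this page and not code from the thread, from MaxScale or from MariaDB. It parses a raw TLS record carrying a ClientHello, reports the record version, the legacy client_version and any supported_versions extension, and checks whether the client offers at least TLSv1.2. The ClientHello bytes it runs on are constructed inline by `build_client_hello` so that the example is self-contained; to check a real connection you would instead feed it the ClientHello record exported from your own capture. The helper and function names are this example's own.

```python
import struct

# TLS version numbers as they appear on the wire: (major, minor) -> name
TLS_VERSIONS = {
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}

SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 supported_versions extension type


def version_name(v):
    return TLS_VERSIONS.get(tuple(v), "unknown(%d.%d)" % tuple(v))


def build_client_hello(client_version, supported=None, record_version=(3, 1),
                       cipher_suites=(0x002F, 0x0035)):
    """Build a minimal ClientHello record. This is constructed sample input for the
    parser below, not bytes from any real capture; real clients send far more
    cipher suites and extensions."""
    hello = bytes(client_version) + bytes(32) + b"\x00"  # legacy_version, random, empty session_id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # compression_methods: null only
    exts = b""
    if supported:
        vs = b"".join(bytes(v) for v in supported)
        ext_body = bytes([len(vs)]) + vs
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Parse a TLS record carrying a ClientHello and report the versions it offers."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_version = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        raise ValueError("truncated ClientHello")
    client_version = (hello[0], hello[1])
    pos = 34                                  # past legacy_version (2) and random (32)
    pos += 1 + hello[pos]                     # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                         # cipher_suites
    pos += 1 + hello[pos]                     # compression_methods
    offered = [client_version]                # without the extension, legacy_version is the maximum
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            ext_data = hello[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_data:
                n = ext_data[0]
                # When supported_versions is present it, not legacy_version, defines the offer.
                offered = [(ext_data[i], ext_data[i + 1]) for i in range(1, 1 + n, 2)]
    best = max(offered)
    return {
        "record_version": version_name(rec_version),
        "client_version": version_name(client_version),
        "supported_versions": [version_name(v) for v in offered],
        "max_offered": version_name(best),
        "max_offered_version": best,
        "cipher_suite_count": cs_len // 2,
    }


def offers_at_least(data, required=(3, 3)):
    """True if the ClientHello in `data` offers at least `required` (default TLSv1.2)."""
    return parse_client_hello(data)["max_offered_version"] >= tuple(required)


if __name__ == "__main__":
    # Constructed samples: a client stuck at TLSv1.0 (what the capture in the thread showed),
    # a TLSv1.2 client, and a TLSv1.3-capable client using supported_versions.
    for label, record in [
        ("TLSv1.0 client", build_client_hello((3, 1))),
        ("TLSv1.2 client", build_client_hello((3, 3))),
        ("TLSv1.3 client", build_client_hello((3, 3), supported=[(3, 4), (3, 3)])),
    ]:
        info = parse_client_hello(record)
        print(label, info["max_offered"], "meets TLSv1.2:", offers_at_least(record))
```

A client that only offers TLSv1.0 against a backend configured to require TLSv1.2 fails exactly as the transcript in the thread shows, so comparing `max_offered` against the configured minimum is the quickest way to tell a version-selection problem on the client side from a certificate or user-grant problem on the server side.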