Hi,
I'm in the process of setting up MaxScale on Ubuntu 16.04 fronting a Galera cluster where the MariaDB database nodes (also on Ubuntu 16.04) are set to use TLSv1.2. There is a "test" user and a "galeramon" user on the database, both requiring SSL.
According to the documentation, I can configure this in MaxScale as follows:
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
[dbnode2]
type=server
address=172.16.1.23
port=3306
protocol=MySQLBackend
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/db-client-cert.pem
ssl_key=/etc/mysql/ssl/db-client-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
[Galera Monitor]
type=monitor
module=galeramon
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
monitor_interval=1000
[Galera Service]
type=service
router=readwritesplit
servers=dbnode1,dbnode2
user=galeramon
passwd=galeramon
[MaxAdmin Service]
type=service
router=cli
[Galera Listener]
type=listener
service=Galera Service
protocol=MySQLClient
port=3306
authenticator=MySQL
ssl=required
ssl_version=TLSv12
ssl_cert=/etc/mysql/ssl/server-cert.pem
ssl_key=/etc/mysql/ssl/server-key.pem
ssl_ca_cert=/etc/mysql/ssl/ca-cert.pem
ssl_cert_verify_depth=9
[MaxAdmin Listener]
type=listener
service=MaxAdmin Service
protocol=maxscaled
socket=default
However, this never successfully connects. I ran a packet capture on the connection, and found that the reason it was failing was that MaxScale was trying to connect using TLSv1.0 despite the specification. Changing the "ssl_version" setting to "MAX" had no effect.
The version of openssl and libssl1.0.0 on the server are both 1.0.2g-1ubuntu4.8, so it should support TLSv1.2. I installed MaxScale with:
sudo apt install maxscale
I can disable the TLS requirement for the "galeramon" user, which allows MaxScale to start up, but the moment I log into the database via MaxScale as the "test" user, the connection fails, as the following transcript (from a different server) shows:
test@dbclient01:~$ mysql -h 172.16.2.1 -u test -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 31200
Server version: 10.0.0 2.1.9-maxscale
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id: 31200
Current database: *** NONE ***
ERROR 2003 (HY000): Authentication with backend failed. Session will be closed.
MySQL [(none)]>
Is this a known issue, or is there something wrong with the configuration? For the record, I can connect to a database instance over TLSv1.2 from the MaxScale server using the mysql client with the same ("db-client-*") certificate as specified above.
PC