search

codership / galera

Synchronous multi-master replication library
GNU General Public License v2.0
448 stars 176 forks source link

Galera-4 (26.4.16) not working with MariaDB 11.0.5 or 11.1.4 when using socket.ssl_cipher #656

Open klau2005 opened 8 months ago

klau2005 commented 8 months ago

We are running a 3 node Galera cluster, each node running MariaDB 10.11.7 on Ubuntu 22.04. Both Galera and MariaDB were installed via apt from the official repositories. The cluster is configured with SSL for both server and replication traffic. Below an excerpt of the Galera configuration file related to WSREP and SSL:

wsrep_provider_options = "gcache.keep_pages_size=1G;gcache.page_size=1G;socket.ssl_cert=;socket.ssl_key=;socket.ssl_ca=;socket.ssl_cipher=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

This setup works perfect with the above versions. After upgrading one node to MariaDB 11.0.5 or 11.1.4, that node fails to start and the error in the log is:

2024-03-15 13:58:38 0 [ERROR] WSREP: Failed to initialize parameter 'socket.ssl_cipher', value TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SH A256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHAC HA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 , flags (read_only | bool) 2024-03-15 13:58:38 0 [Note] WSREP: Deinitializing config service v1 2024-03-15 13:58:38 0 [ERROR] WSREP: Failed to initialize provider options

I tried to restrict that list to only one cipher in the hope that maybe it somehow stopped wanting all the ciphers listed in there. Same error. Only when I removed the parameter completely did the error go away. However, that is not what we want as we have to have SSL enabled for the replication traffic.

tvdijen commented 3 months ago

@klau2005 I ran into this same issue.. Have you figured it out, or are you still waiting for a response?

FWI: I filed a bug-report and MariaDB too: https://jira.mariadb.org/browse/MDEV-34738

klau2005 commented 3 months ago

Hi @tvdijen , Unfortunately I couldn't find any solution for the issue and we are still running the cluster with that parameter commented. I don't see any activity here either so it will probably remain like this for a while...

tvdijen commented 3 months ago

Thanks! I'll keep you posted on activity at MariaDB

janlindstrom commented 3 months ago

Hi, Have you opened MDEV for MariaDB. At least 11.4 this could be related to new ssl feature.

tvdijen commented 3 months ago

Hi, Have you opened MDEV for MariaDB. At least 11.4 this could be related to new ssl feature.

https://jira.mariadb.org/browse/MDEV-34738