search

codership / mysql-wsrep

wsrep API patch for MySQL server
Other
65 stars 34 forks source link

SSL autoconfig for SST doesn't work when mysqld auto-generated certificates are used. #395

Open venkatesh-prasad-v opened 3 years ago

venkatesh-prasad-v commented 3 years ago

When the MySQL server generates its own SSL certificates, it uses the below Common Names for its certificates (See do_auto_cert_generation()).

  ca-certificate: MySQL_Server_5.7.34_Auto_Generated_CA_Certificate
  server-cert: MySQL_Server_5.7.34_Auto_Generated_Server_Certificate
  client-certificate: MySQL_Server_5.7.34_Auto_Generated_Client_Certificate

As per the recent SSL improvements in 5.7.34, the joiner generates and sends a secret message consisting of a random string + Common Name of the SSL certificate together within the address in State Transfer Request in order to authenticate the donor on connection.

However, the logic of fetching the Common Name from the certificate doesn't work well for the auto-generated SSL certificates, resulting in the SST failure.

WSREP_SST: [INFO] Encrypting with CERT: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-cert.pem, KEY: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-key.pem, CA: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/ca.pem (20211105 09:06:02.030)
...
WSREP_SST: [INFO] Evaluating xbstream -c ${INFO_FILE} | socat -u stdio openssl-connect:127.0.0.1:5020,cert=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-cert.pem,key=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-key.pem,cafile=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/ca.pem,verify=1,commonname='CN '; RC=( ${PIPESTATUS[@]} ) (20211105 09:06:02.045)
2021/11/05 09:06:02 socat[18518] E certificate is valid but its commonName does not match hostname
WSREP_SST: [ERROR] Error while sending data to joiner node:  exit codes: 0 1 (20211105 09:06:02.053)

This is because of the fact that the logic used in https://github.com/codership/mysql-wsrep/blob/wsrep_5.7.34-25.26/scripts/wsrep_sst_xtrabackup-v2.sh#L1099-L1101 doesn't work with auto-generated certificates.

$ openssl x509 -noout -subject -in <path/to/>server-cert.pem | tr "," "\n" | grep "CN =" | cut -d= -f2 
 CN

Here it used "CN " as the common name for the SST.

Steps to reproduce:

  1. Initialize the server with --ssl option to auto-generate the SSL certificates.
  2. Use the same auto-generated ssl-ca, ssl-cert and ssl-key certificates during the SST by specifying the options in the [sst] section of the joiner cnf file.
  3. Start the cluster.

Suggestion: The proper command should be 

$ openssl x509 -noout -subject -nameopt multiline -in <path/to/>server-cert.pem | grep commonName | cut -d= -f2- 
 MySQL_Server_5.7.34_Auto_Generated_Server_Certificate