epermana / tungsten-replicator

Automatically exported from code.google.com/p/tungsten-replicator

SSL connection between replicators fails when using SSL connection to DBMS #1019

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Set up MySQL 5.6 instances to use SSL.  Follow the steps described in the 
MySQL manual at the following URL:  
http://dev.mysql.com/doc/refman/5.6/en/creating-ssl-certs.html.  Note the 
location of the MySQL certificate file, e.g., /etc/mysql/ssl/root-ca.crt.

2. Use the attached gen-certs.sh script to generate a self-signed certificate 
and put it in Java truststore and keystore files ready for installation. 

3. Edit /etc/tungsten/my.cnf and add the following content: 
[client]
ssl
ssl-ca=/etc/mysql/certs/root-ca.crt

4. Run tpm with options to enable SSL to MySQL and between replicators.  That 
is, including the following options or similar: 

tpm install repltest \
  --topology=master-slave \
  --replication-user=tungsten_ssl \
  --replication-password=secret \
  --datasource-enable-ssl=true \
  --enable-thl-ssl=true \
...

What is the expected output?

Master and slave replicators should go online. 

What do you see instead?

After installation master appears to be ONLINE and slave is in 
ONLINE:SYNCHRONIZING state.  The master THL server has actually failed with the 
following error: 

INFO   | jvm 1    | 2014/09/27 20:51:32 | 2014-09-27 20:51:32,011 [repltest - THL Server [thl:0.0.0.0:2112]] WARN  thl.Server THL server stopped by IOException; thread exiting
INFO   | jvm 1    | 2014/09/27 20:51:32 | javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
INFO   | jvm 1    | 2014/09/27 20:51:32 |   at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
INFO   | jvm 1    | 2014/09/27 20:51:32 |   at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
INFO   | jvm 1    | 2014/09/27 20:51:32 |   at com.continuent.tungsten.common.sockets.ServerSocketService.accept(ServerSocketService.java:150)
INFO   | jvm 1    | 2014/09/27 20:51:32 |   at com.continuent.tungsten.replicator.thl.Server.run(Server.java:116)
INFO   | jvm 1    | 2014/09/27 20:51:32 |   at java.lang.Thread.run(Thread.java:701)
INFO   | jvm 1    | 2014/09/27 20:51:32 | 2014-09-27 20:51:32,014 [repltest - THL Server [thl:0.0.0.0:2112]] INFO  thl.Server Closing connector handlers for THL Server: store=thl
INFO   | jvm 1    | 2014/09/27 20:51:32 | 2014-09-27 20:51:32,014 [repltest - THL Server [thl:0.0.0.0:2112]] INFO  thl.Server Closing socket: store=thl host=/0.0.0.0:2112 port=2112
INFO   | jvm 1    | 2014/09/27 20:51:32 | 2014-09-27 20:51:32,014 [repltest - THL Server [thl:0.0.0.0:2112]] INFO  thl.Server THL thread done: store=thl

What is the possible cause?

Actually there are a couple of problems. 

1.) The replication service is apparently picking up the MySQL certificate 
rather than the key and self-signed cert the replicator is supposed to use.  
This causes SSL communications to fail in the master on startup and kills the 
listener thread of the THL server. 

2.) The failure of the THL server should cause the replicator to go offline but 
it does not.  We don't process the SSLException correctly.  This hides the true 
cause of the slave replication problems. 

What is the proposed solution?

JSSE has known problems to deal with multiple keys in a single keystore.  
Specifically it selects the first key of the request type and ignores the alias 
under which such keys are stored.  It appears we need to implement our own 
version of class X509KeyManager to handle such key conflicts.  There are two 
possible implementations: 

a.) Use multiple keystores, which seems to introduce a lot of complexity with 
little files all over the place. 
b.) Select aliases correctly within a single keystore. 

The latter solution seems simpler to manage.  

Additional information

This bug appeared while testing Issue 933. 


Original issue reported on code.google.com by robert.h...@continuent.com on 28 Sep 2014 at 4:06

Attachments:
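The alias-selecting key manager that option b.) above describes, written out as an added example. This is not Tungsten Replicator code and not the fix that was eventually committed; it is one way to wrap the JDK's default X509KeyManager so that, whatever other private keys share the keystore, the THL server always presents the key stored under a chosen alias. The keystore path /etc/tungsten/keystore.jks, the password "tungsten" and the alias "replicator" in main() are assumptions standing in for whatever gen-certs.sh produced.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/**
 * Key manager that always answers the JSSE "choose alias" callbacks with one
 * configured alias. The stock SunX509 key manager returns the first key whose
 * algorithm matches the requested key type and ignores which alias it lives
 * under, so a keystore holding both the MySQL client key and the replicator's
 * own key can hand out the wrong one. Hypothetical example class, not project code.
 */
public final class AliasSelectingKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String alias;

    public AliasSelectingKeyManager(X509KeyManager delegate, String alias) {
        // Fail at construction, not at the first handshake, if the alias is wrong.
        if (delegate.getPrivateKey(alias) == null) {
            throw new IllegalArgumentException("no private key under alias '" + alias + "'");
        }
        this.delegate = delegate;
        this.alias = alias;
    }

    // Every selection path (socket and SSLEngine, client and server) is pinned.
    // The key under the alias must still match the key type the enabled cipher
    // suites need (RSA for the usual suites), or JSSE reports the same error
    // quoted in this issue.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return alias; }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) { return alias; }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine e) { return alias; }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine e) { return alias; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Builds an SSLContext whose TLS identity is pinned to {@code alias} inside a single keystore. */
    public static SSLContext contextFor(String keystorePath, char[] password, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager base = null;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) { base = (X509KeyManager) km; break; }
        }
        if (base == null) {
            throw new GeneralSecurityException("default KeyManagerFactory produced no X509KeyManager");
        }
        // Trust store reused from the same file only to keep the example short;
        // in a deployment the peer CA certificates belong in a separate truststore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new AliasSelectingKeyManager(base, alias) }, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed path, password and alias; substitute the values gen-certs.sh used.
        SSLContext ctx = contextFor("/etc/tungsten/keystore.jks", "tungsten".toCharArray(), "replicator");
        System.out.println("SSLContext initialised (" + ctx.getProtocol() + "), identity pinned to alias 'replicator'");
    }
}
```

The server side would then open its listener with ctx.getServerSocketFactory() instead of the default factory. Before wiring this in, list the keystore with keytool -list -v -keystore <file> and confirm that the alias you pin holds a PrivateKeyEntry whose key algorithm matches the cipher suites you enable; the "No available certificate or key corresponds to the SSL cipher suites which are enabled" message in the log above is exactly what JSSE raises when the key manager can offer no alias usable by any enabled suite.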

GoogleCodeExporter commented 9 years ago

Original comment by linas.vi...@continuent.com on 3 Oct 2014 at 2:25

GoogleCodeExporter commented 9 years ago

Original comment by linas.vi...@continuent.com on 19 Dec 2014 at 7:03

GoogleCodeExporter commented 9 years ago

Original comment by linas.vi...@continuent.com on 19 Jan 2015 at 2:18