zendesk / maxwell

Maxwell's daemon, a mysql-to-json kafka producer
https://maxwells-daemon.io/

Protocol issue #1378

Open kaosmonk opened 5 years ago

kaosmonk commented 5 years ago

Hi guys,

I am trying to run Maxwell with SSL enabled and am experiencing issues when running it like that.

I've built the Maxwell Docker image on top of OpenJDK 11.

My MySQL host does not support SSL, so I've set ssl = DISABLED, while my replication host does, so replication_ssl = VERIFY_IDENTITY. The replication DB supports only protocols TLSv1.2 and higher. When Maxwell tries to connect to the replication host, I am seeing the following Client Hello message:

javax.net.ssl|DEBUG|01|main|2019-11-08 08:53:48.187 UTC|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.1",
  "random"              : "C9 70 C6 52 88 51 3D C1 D0 05 FE C0 88 8E 04 6B 27 8A A2 68 A2 FD 99 BD 3D 1C BF EB EA 90 ED 82",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(0xC005), TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(0xC00F), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(0xC004), TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(0xC00E), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.1, TLSv1]
    }
  ]
}
)

and of course a handshake failure:

javax.net.ssl|ERROR|01|main|2019-11-08 08:53:48.192 UTC|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:285)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:180)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at com.mysql.cj.protocol.ExportControlled.performTlsHandshake(ExportControlled.java:316)
    at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake(StandardSocketFactory.java:188)
    at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake(NativeSocketConnection.java:99)
    at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:331)
    at com.mysql.cj.protocol.a.NativeAuthenticationProvider.negotiateSSLConnection(NativeAuthenticationProvider.java:777)
    at com.mysql.cj.protocol.a.NativeAuthenticationProvider.proceedHandshakeWithPluggableAuthentication(NativeAuthenticationProvider.java:486)
    at com.mysql.cj.protocol.a.NativeAuthenticationProvider.connect(NativeAuthenticationProvider.java:202)
    at com.mysql.cj.protocol.a.NativeProtocol.connect(NativeProtocol.java:1348)
    at com.mysql.cj.NativeSession.connect(NativeSession.java:163)
    at com.mysql.cj.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:947)
    at com.mysql.cj.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:817)
    at com.mysql.cj.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:447)
    at com.mysql.cj.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:237)
    at com.mysql.cj.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:199)
    at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:677)
    at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:228)
    at snaq.db.ConnectionPool.create(ConnectionPool.java:256)
    at snaq.db.ConnectionPool.create(ConnectionPool.java:71)
    at snaq.util.ObjectPool.checkOut(ObjectPool.java:377)
    at snaq.db.ConnectionPool.getConnection(ConnectionPool.java:385)
    at com.zendesk.maxwell.MaxwellContext.getReplicationConnection(MaxwellContext.java:105)
    at com.zendesk.maxwell.MaxwellContext.getServerID(MaxwellContext.java:283)
    at com.zendesk.maxwell.MaxwellContext.<init>(MaxwellContext.java:92)
    at com.zendesk.maxwell.Maxwell.<init>(Maxwell.java:31)
    at com.zendesk.maxwell.Maxwell.main(Maxwell.java:234)}

)

which I believe is a result of a protocol mismatch. But since I do not even get a Server Hello, I am not sure if it's due to the protocol or something else? I have tried several options, e.g. providing some JDBC_OPTS and JAVA_OPTS to enforce TLSv1.2, without success. I've tried tweaking the underlying Java installation to enforce usage of higher protocols, but without success. I have also tried a couple of ideas I have had around the MySQL JDBC connector, but failed again.

Is there anything I can do to make it use TLSv1.2?

Thanks in advance!
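A small check, added here as an example and not code from the issue or from the Maxwell project, that reads the javax.net.ssl ClientHello dump quoted above and compares what the client offered with what the server will accept. The point it makes explicit: the supported_versions extension (43) in the dump lists only TLSv1.1 and TLSv1, so a server whose minimum is TLSv1.2 has no version to pick and answers the ClientHello with a fatal alert (protocol_version, or handshake_failure as here) without ever sending a ServerHello; the missing ServerHello is therefore the expected symptom of a version mismatch, not evidence of some other fault. The sample input is an abridged, constructed copy of the dump in the issue; the function names and the "server minimum" parameter are this example's own.

```python
import re

# Constructed sample input: the lines of the javax.net.ssl debug output
# quoted in the issue that matter for version negotiation (abridged).
SAMPLE_CLIENT_HELLO = '''\
"ClientHello": {
  "client version"      : "TLSv1.1",
  "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "extensions"          : [
    "supported_groups (10)": {
      "versions": [secp256r1, secp384r1, secp521r1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.1, TLSv1]
    }
  ]
}
'''

# Protocol versions in ascending order, spelled the way JSSE prints them.
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Anchored on the extension name so the "versions" key of
# supported_groups (10), which JSSE also prints, is not picked up.
_SUPPORTED_VERSIONS = re.compile(
    r'"supported_versions \(43\)":\s*\{\s*"versions":\s*\[([^\]]*)\]')
_CLIENT_VERSION = re.compile(r'"client version"\s*:\s*"([^"]+)"')
_CIPHER_SUITES = re.compile(r'"cipher suites"\s*:\s*"\[([^\]]*)\]"')


def offered_versions(hello_text):
    """Versions the client is willing to negotiate, in the order offered.

    With the supported_versions extension (RFC 8446 section 4.2.1) the list
    in the extension is authoritative; without it the ClientHello only
    states its maximum, the legacy "client version" field.
    """
    m = _SUPPORTED_VERSIONS.search(hello_text)
    if m:
        return [v.strip() for v in m.group(1).split(",") if v.strip()]
    m = _CLIENT_VERSION.search(hello_text)
    return [m.group(1)] if m else []


def offered_cipher_suites(hello_text):
    """Cipher suite names from the ClientHello, without the hex ids."""
    m = _CIPHER_SUITES.search(hello_text)
    if not m:
        return []
    return [re.sub(r"\(0x[0-9A-Fa-f]+\)", "", s).strip()
            for s in m.group(1).split(",")]


def tls12_only_suites(hello_text):
    """Suites that exist only from TLS 1.2 on (AEAD or SHA-2 PRF suites).

    A client that really offers TLS 1.2 normally lists some of these; an
    offer made purely of *_CBC_SHA suites is consistent with a client
    capped at TLS 1.1, which is what the dump in the issue shows.
    """
    markers = ("_GCM_", "_CHACHA20_", "_SHA256", "_SHA384", "_CCM")
    return [s for s in offered_cipher_suites(hello_text)
            if any(mk in s for mk in markers)]


def diagnose(hello_text, server_min="TLSv1.2"):
    """Compare the client's offer with the server's accepted versions.

    server_min is the lowest version the server allows (the issue says the
    replication host allows TLSv1.2 and higher). With no common version
    the server answers with a fatal alert and never sends a ServerHello.
    """
    offered = offered_versions(hello_text)
    accepted = TLS_ORDER[TLS_ORDER.index(server_min):]
    # Highest common version first, as a server would select it.
    overlap = [v for v in reversed(TLS_ORDER) if v in offered and v in accepted]
    return {
        "offered": offered,
        "server_accepts": accepted,
        "overlap": overlap,
        "tls12_only_suites": tls12_only_suites(hello_text),
        "verdict": ("negotiable: " + overlap[0]) if overlap
                   else "no common version: expect fatal alert, no ServerHello",
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CLIENT_HELLO, "TLSv1.2").items():
        print(f"{key}: {value}")
```

Usage: paste the `"ClientHello": { ... }` block from a run with `-Djavax.net.debug=ssl:handshake` into `SAMPLE_CLIENT_HELLO` (or read it from a file) and set `server_min` to the server's configured minimum. When the overlap is empty, the thing to look at is not the JVM's protocol list but whoever built the offer: the trace in the issue goes through `com.mysql.cj.protocol.ExportControlled`, i.e. MySQL Connector/J 8.0.x, and that driver has its own `enabledTLSProtocols` connection property controlling which versions it offers (for example `enabledTLSProtocols=TLSv1.2`). Whether Maxwell forwards such a parameter through its JDBC URL or a `jdbc_options` setting is an assumption in this note and should be checked against the Maxwell docs for the version in use; the thread itself does not confirm the cause.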

osheroff commented 5 years ago

can you show me how your replication DB is configured (for tls 1.2) so I can try to reproduce what you're seeing?

kaosmonk commented 5 years ago

Thanks for reaching out @osheroff. I'll try to get that DB config for you. I have tried running the latest Maxwell Docker image based off OpenJDK 8 with the same result. I am wondering why it only tries to connect with TLSv1.1, since it should support TLSv1.2 from what I am reading.

Can you confirm that TLSv1.2 is supported? I am trying to understand if I can somehow make it talk TLSv1.2 to my database at all.

osheroff commented 4 years ago

I'm... not entirely sure. I believe that the JDBC connection should support it; https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/news-5-1-44.html seems to indicate TLSv1.2 support, and we're certainly on a new enough JDBC driver. Whether the other library (mysql-binlog-connector) supports TLS 1.2, not sure. But we should get at least the primary connection working first...