SSL disabled without socket.ssl in Galera

Bug #1290006 reported by Frank Papenmeier
Affects                                    Status        Importance  Assigned to     Milestone
Galera (status tracked in 3.x)
  2.x                                      Fix Released  High        Alex Yurchenko
  3.x                                      Fix Released  High        Alex Yurchenko
Percona XtraDB Cluster (moved to https://jira.percona.com/projects/PXC; status tracked in 5.6)
  5.5                                      Fix Released  Undecided   Unassigned
  5.6                                      Fix Released  Undecided   Unassigned

Bug Description

I use the following setting in my my.cnf in order to use SSL-based replication:

wsrep_provider_options="gmcast.segment=1; socket.ssl_cert=/etc/mysql/galera-cert.pem; socket.ssl_key=/etc/mysql/galera-key.pem"

This worked fine until version 5.6.15-25.3

Today, I updated one node (3-node cluster, each running Debian wheezy, package management via aptitude) to version 5.6.15-25.4
--> This node was no longer able to connect to the cluster.

The log file suggests that SSL is not initialized any more, possibly because too many arguments are passed to GCS and the socket.ssl... options get cut off.

Here is the relevant log file part from my old version running 5.6.15-25.3 (this worked fine) [I replaced my server name by xxx.myserver.com] --> one can see that the socket.ssl options are passed to GCS and that WSREP initialized the SSL context

--START--
2014-02-18 21:37:10 5790 [Note] WSREP: Passing config to GCS: base_host = xxx.myserver.com; base_port = 4567; cert.log_conflicts = no; gcache.dir = /var/lib/mysql/; gcache.keep_pages_size = 0; gcache.mem_size = 0; gcache.name = /var/lib/mysql//galera.cache; gcache.page_size = 128M; gcache.size = 128M; gcs.fc_debug = 0; gcs.fc_factor = 1; gcs.fc_limit = 16; gcs.fc_master_slave = NO; gcs.max_packet_size = 64500; gcs.max_throttle = 0.25; gcs.recv_q_hard_limit = 9223372036854775807; gcs.recv_q_soft_limit = 0.25; gcs.sync_donor = NO; gmcast.segment = 1; repl.causal_read_timeout = PT30S; repl.commit_order = 3; repl.key_format = FLAT8; repl.proto_max = 5; socket.ssl_cert = /etc/mysql/galera-cert.pem; socket.ssl_key = /etc/mysql/galera-key.pem
2014-02-18 21:37:10 5790 [Note] WSREP: Assign initial position for certification: -1, protocol version: -1
2014-02-18 21:37:10 5790 [Note] WSREP: wsrep_sst_grab()
2014-02-18 21:37:10 5790 [Note] WSREP: Start replication
2014-02-18 21:37:10 5790 [Note] WSREP: Setting initial position to 00000000-0000-0000-0000-000000000000:-1
2014-02-18 21:37:10 5790 [Note] WSREP: protonet asio version 0
2014-02-18 21:37:10 5790 [Note] WSREP: Using CRC-32C (optimized) for message checksums.
2014-02-18 21:37:10 5790 [Note] WSREP: initializing ssl context
2014-02-18 21:37:10 5790 [Note] WSREP: backend: asio
2014-02-18 21:37:10 5790 [Note] WSREP: GMCast version 0
2014-02-18 21:37:10 5790 [Note] WSREP: (70c02733-98dc-11e3-bdff-3ac2b0fdebaf, 'ssl://0.0.0.0:4567') listening at ssl://0.0.0.0:4567
--END--

And now the same part from the 5.6.15-25.4 version (this is buggy) [I replaced my server name by xxx.myserver.com] --> the socket.ssl options do not show up in the "Passing config to GCS" line and SSL is not initialized, as can be seen from the missing message and from the last line, where it is listening at "tcp://" instead of "ssl://"

--START--
2014-03-09 11:22:19 21171 [Note] WSREP: Passing config to GCS: base_host = xxx.myserver.com; base_port = 4567; cert.log_conflicts = no; evs.inactive_check_period = PT0.5S; evs.inactive_timeout = PT15S; evs.join_retrans_period = PT1S; evs.max_install_timeouts = 1; evs.send_window = 4; evs.stats_report_period = PT1M; evs.suspect_timeout = PT5S; evs.user_send_window = 2; evs.view_forget_timeout = PT24H; gcache.dir = /var/lib/mysql/; gcache.keep_pages_size = 0; gcache.mem_size = 0; gcache.name = /var/lib/mysql//galera.cache; gcache.page_size = 128M; gcache.size = 128M; gcs.fc_debug = 0; gcs.fc_factor = 1.0; gcs.fc_limit = 16; gcs.fc_master_slave = no; gcs.max_packet_size = 64500; gcs.max_throttle = 0.25; gcs.recv_q_hard_limit = 9223372036854775807; gcs.recv_q_soft_limit = 0.25; gcs.sync_donor = no; gmcast.segment = 1; gmcast.version = 0; pc.announce_timeout = PT3S; pc.checksum = false; pc.ignore_quorum = false; pc.ignore_sb = false; pc.npvo = false; pc.version = 0; pc.wait_prim = true; pc.wait_prim_timeout = P30S; pc.weight = 1; prot
2014-03-09 11:22:20 21171 [Note] WSREP: Assign initial position for certification: 3564543, protocol version: -1
2014-03-09 11:22:20 21171 [Note] WSREP: wsrep_sst_grab()
2014-03-09 11:22:20 21171 [Note] WSREP: Start replication
2014-03-09 11:22:20 21171 [Note] WSREP: Setting initial position to 5dd126ae-2944-11e3-9d8e-a65147a95bff:3564543
2014-03-09 11:22:20 21171 [Note] WSREP: protonet asio version 0
2014-03-09 11:22:20 21171 [Note] WSREP: Using CRC-32C (optimized) for message checksums.
2014-03-09 11:22:20 21171 [Note] WSREP: backend: asio
2014-03-09 11:22:20 21171 [Note] WSREP: GMCast version 0
2014-03-09 11:22:20 21171 [Note] WSREP: (b247d820-a774-11e3-aaf3-0a8828502bb7, 'tcp://0.0.0.0:4567') listening at tcp://0.0.0.0:4567
--END--

Raghavendra D Prabhu (raghavendra-prabhu) wrote:

@Frank,

Can you provide output of

show global variables like 'wsrep_provider_options';

Raghavendra D Prabhu (raghavendra-prabhu) wrote:

@Frank,

Ok, I was able to reproduce this. It looks like socket.ssl = yes is required in wsrep-provider-options now. Setting that works now.

This is a regression in galera options handling.

Raghavendra D Prabhu (raghavendra-prabhu) wrote:

Also, you can downgrade just the galera (since this is a galera issue) as a workaround (though setting socket.ssl = yes is easier).

Raghavendra D Prabhu (raghavendra-prabhu) wrote:

#ifdef HAVE_ASIO_SSL_HPP
    // use ssl if either private key or cert file is specified
    bool use_ssl(conf_.has(Conf::SocketSslPrivateKeyFile) == true ||
                 conf_.has(Conf::SocketSslCertificateFile) == true);
    try
    {
        // overrides use_ssl is given explicitly
        use_ssl = conf_.get<bool>(Conf::SocketUseSsl);
    }
    catch (gu::NotFound& nf) { }

    if (use_ssl == true)
    {
        conf_.set(Conf::SocketUseSsl, true);
        log_info << "initializing ssl context";
        set_compression(conf_);
        set_cipher_list(ssl_context_.impl(), conf_);
        ssl_context_.set_verify_mode(asio::ssl::context::verify_peer);
        ssl_context_.set_password_callback(

since SocketUseSsl now has a default value of 'no', it disables it.
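
The following Python is an added example, not Galera or Percona code. It audits a wsrep_provider_options string the way the provider snippet quoted above decides on SSL (implied by socket.ssl_key/socket.ssl_cert, overridden by an explicit socket.ssl), models both the pre-25.4 behaviour and the regressed default of socket.ssl = no, and scans mysqld error-log lines for the symptom Frank observed (a node listening at tcp:// instead of ssl://). The option names and the "listening at" log format come from this report; the function names, the default_use_ssl parameter and the sample inputs are assumptions constructed for the example.

```python
"""Audit Galera wsrep_provider_options for silently disabled SSL and scan
mysqld log lines for a plaintext (tcp://) group-communication listener.

Added example, not Galera/Percona code. Option names and the log format
are taken from the bug report; everything else is an assumption."""
import re

SSL_KEY = "socket.ssl_key"
SSL_CERT = "socket.ssl_cert"
USE_SSL = "socket.ssl"


def parse_provider_options(text):
    """Parse 'k = v; k2 = v2' (a my.cnf value or the 'Passing config to
    GCS' log line) into a dict; whitespace and a trailing ';' are tolerated."""
    opts = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError("malformed option: %r" % item)
        key, value = item.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def ssl_effective(opts, default_use_ssl=None):
    """Mirror the provider's decision: SSL is implied when a key or cert
    file is given, but an explicit socket.ssl overrides that.
    default_use_ssl models the provider's fallback when socket.ssl is
    absent: None = pre-25.4 (implied by key/cert), False = the regression
    (socket.ssl defaults to 'no')."""
    implied = SSL_KEY in opts or SSL_CERT in opts
    if USE_SSL in opts:
        return _truthy(opts[USE_SSL])
    if default_use_ssl is None:
        return implied
    return default_use_ssl


def audit_provider_options(text, default_use_ssl=False):
    """Return (ssl_on, findings). Conservative by default: assumes the
    regressed provider, so it passes only if socket.ssl is explicit
    whenever key/cert material is configured."""
    opts = parse_provider_options(text)
    findings = []
    has_material = SSL_KEY in opts or SSL_CERT in opts
    if has_material and USE_SSL not in opts:
        findings.append("key/cert configured but socket.ssl missing; "
                        "add 'socket.ssl=yes' or the provider may fall back to tcp://")
    if has_material and (SSL_KEY in opts) != (SSL_CERT in opts):
        findings.append("only one of socket.ssl_key / socket.ssl_cert is set")
    if has_material and USE_SSL in opts and not _truthy(opts[USE_SSL]):
        findings.append("socket.ssl explicitly disabled although key/cert are configured")
    return ssl_effective(opts, default_use_ssl), findings


# GMCast's startup line, e.g. "... listening at ssl://0.0.0.0:4567"
LISTEN_RE = re.compile(r"WSREP: .*listening at (?P<scheme>\w+)://(?P<addr>\S+)")


def check_listen_lines(log_lines):
    """Return [(scheme, url)] for every GMCast 'listening at' line found."""
    found = []
    for line in log_lines:
        m = LISTEN_RE.search(line)
        if m:
            found.append((m.group("scheme"), m.group("scheme") + "://" + m.group("addr")))
    return found


def plaintext_listeners(log_lines):
    """URLs of listeners that accept unencrypted group communication."""
    return [url for scheme, url in check_listen_lines(log_lines) if scheme == "tcp"]


# Constructed samples: the my.cnf value from the report, and the fixed form.
CNF_BEFORE = ("gmcast.segment=1; socket.ssl_cert=/etc/mysql/galera-cert.pem; "
              "socket.ssl_key=/etc/mysql/galera-key.pem")
CNF_FIXED = CNF_BEFORE + "; socket.ssl=yes"

# Constructed log lines in the format shown in the report.
SAMPLE_LOG = [
    "2014-03-09 11:22:20 21171 [Note] WSREP: GMCast version 0",
    "2014-03-09 11:22:20 21171 [Note] WSREP: (b247d820-a774-11e3-aaf3-0a8828502bb7, "
    "'tcp://0.0.0.0:4567') listening at tcp://0.0.0.0:4567",
]

if __name__ == "__main__":
    for label, cnf in (("before", CNF_BEFORE), ("fixed", CNF_FIXED)):
        on, findings = audit_provider_options(cnf)
        print("%s: ssl on=%s %s" % (label, on, findings))
    print("plaintext listeners:", plaintext_listeners(SAMPLE_LOG))
```

Run it against the value of `show global variables like 'wsrep_provider_options';` from each node and against the node's error log after a provider upgrade; a non-empty findings list or any tcp:// listener means the cluster is replicating in the clear even though certificates are configured.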

summary: - Update 5.6.15-25.3 - > 5.6.15-25.4: SSL not working any more
+ SSL disabled without socket.ssl in Galera
Alex Yurchenko (ayurchen) wrote:
Shahriyar Rzayev (rzayev-sehriyar) wrote:

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PXC-1643
