SSL disabled without socket.ssl in Galera

Bug #1290006 reported by Frank Papenmeier on 2014-03-09
Affects                 Status                 Importance   Assigned to      Milestone
Galera                  Status tracked in 3.x
  2.x                                          High         Alex Yurchenko
  3.x                                          High         Alex Yurchenko
Percona XtraDB Cluster  Status tracked in 5.6
  5.5                                          Undecided    Unassigned
  5.6                                          Undecided    Unassigned

Bug Description

I use the following setting in my my.cnf in order to use an SSL based replication:

wsrep_provider_options="gmcast.segment=1; socket.ssl_cert=/etc/mysql/galera-cert.pem; socket.ssl_key=/etc/mysql/galera-key.pem"

This worked fine until version 5.6.15-25.3

Today, I updated one node (3-node cluster, each running Debian wheezy, package management via aptitude) to version 5.6.15-25.4
--> This node was no longer able to connect to the cluster.

The log file suggests that SSL is not initialized any more, possibly because too many arguments are passed to GCS and the socket.ssl... options get cut off

Here is the relevant log file part from my old version running 5.6.15-25.3 (this worked fine) [I replaced my server name with xxx.myserver.com] --> one can see that the socket.ssl options are passed to GCS and that WSREP initialized the SSL context

--START--
2014-02-18 21:37:10 5790 [Note] WSREP: Passing config to GCS: base_host = xxx.myserver.com; base_port = 4567; cert.log_conflicts = no; gcache.dir = /var/lib/mysql/; gcache.keep_pages_size = 0; gcache.mem_size = 0; gcache.name = /var/lib/mysql//galera.cache; gcache.page_size = 128M; gcache.size = 128M; gcs.fc_debug = 0; gcs.fc_factor = 1; gcs.fc_limit = 16; gcs.fc_master_slave = NO; gcs.max_packet_size = 64500; gcs.max_throttle = 0.25; gcs.recv_q_hard_limit = 9223372036854775807; gcs.recv_q_soft_limit = 0.25; gcs.sync_donor = NO; gmcast.segment = 1; repl.causal_read_timeout = PT30S; repl.commit_order = 3; repl.key_format = FLAT8; repl.proto_max = 5; socket.ssl_cert = /etc/mysql/galera-cert.pem; socket.ssl_key = /etc/mysql/galera-key.pem
2014-02-18 21:37:10 5790 [Note] WSREP: Assign initial position for certification: -1, protocol version: -1
2014-02-18 21:37:10 5790 [Note] WSREP: wsrep_sst_grab()
2014-02-18 21:37:10 5790 [Note] WSREP: Start replication
2014-02-18 21:37:10 5790 [Note] WSREP: Setting initial position to 00000000-0000-0000-0000-000000000000:-1
2014-02-18 21:37:10 5790 [Note] WSREP: protonet asio version 0
2014-02-18 21:37:10 5790 [Note] WSREP: Using CRC-32C (optimized) for message checksums.
2014-02-18 21:37:10 5790 [Note] WSREP: initializing ssl context
2014-02-18 21:37:10 5790 [Note] WSREP: backend: asio
2014-02-18 21:37:10 5790 [Note] WSREP: GMCast version 0
2014-02-18 21:37:10 5790 [Note] WSREP: (70c02733-98dc-11e3-bdff-3ac2b0fdebaf, 'ssl://0.0.0.0:4567') listening at ssl://0.0.0.0:4567
--END--

And now the same part from the 5.6.15-25.4 version (this is buggy) [I replaced my server name with xxx.myserver.com] --> the socket.ssl options are not showing up in the "Passing config to GCS" line, and SSL is not initialized, as can be seen by the missing message and by the last line listening at "tcp://" instead of "ssl://"

--START--
2014-03-09 11:22:19 21171 [Note] WSREP: Passing config to GCS: base_host = xxx.myserver.com; base_port = 4567; cert.log_conflicts = no; evs.inactive_check_period = PT0.5S; evs.inactive_timeout = PT15S; evs.join_retrans_period = PT1S; evs.max_install_timeouts = 1; evs.send_window = 4; evs.stats_report_period = PT1M; evs.suspect_timeout = PT5S; evs.user_send_window = 2; evs.view_forget_timeout = PT24H; gcache.dir = /var/lib/mysql/; gcache.keep_pages_size = 0; gcache.mem_size = 0; gcache.name = /var/lib/mysql//galera.cache; gcache.page_size = 128M; gcache.size = 128M; gcs.fc_debug = 0; gcs.fc_factor = 1.0; gcs.fc_limit = 16; gcs.fc_master_slave = no; gcs.max_packet_size = 64500; gcs.max_throttle = 0.25; gcs.recv_q_hard_limit = 9223372036854775807; gcs.recv_q_soft_limit = 0.25; gcs.sync_donor = no; gmcast.segment = 1; gmcast.version = 0; pc.announce_timeout = PT3S; pc.checksum = false; pc.ignore_quorum = false; pc.ignore_sb = false; pc.npvo = false; pc.version = 0; pc.wait_prim = true; pc.wait_prim_timeout = P30S; pc.weight = 1; prot
2014-03-09 11:22:20 21171 [Note] WSREP: Assign initial position for certification: 3564543, protocol version: -1
2014-03-09 11:22:20 21171 [Note] WSREP: wsrep_sst_grab()
2014-03-09 11:22:20 21171 [Note] WSREP: Start replication
2014-03-09 11:22:20 21171 [Note] WSREP: Setting initial position to 5dd126ae-2944-11e3-9d8e-a65147a95bff:3564543
2014-03-09 11:22:20 21171 [Note] WSREP: protonet asio version 0
2014-03-09 11:22:20 21171 [Note] WSREP: Using CRC-32C (optimized) for message checksums.
2014-03-09 11:22:20 21171 [Note] WSREP: backend: asio
2014-03-09 11:22:20 21171 [Note] WSREP: GMCast version 0
2014-03-09 11:22:20 21171 [Note] WSREP: (b247d820-a774-11e3-aaf3-0a8828502bb7, 'tcp://0.0.0.0:4567') listening at tcp://0.0.0.0:4567
--END--

Related branches: lp:galera (David Bennett: Pending, requested 2014-07-25)

@Frank,

Can you provide the output of

show global variables like 'wsrep_provider_options';

@Frank,

Ok, I was able to reproduce this. It looks like socket.ssl = yes is required in wsrep-provider-options now. Setting that works now.

This is a regression in galera options handling.

Also, you can downgrade just the galera (since this is a galera issue) as a workaround (though setting socket.ssl = yes is easier).

#ifdef HAVE_ASIO_SSL_HPP
    // use ssl if either private key or cert file is specified
    bool use_ssl(conf_.has(Conf::SocketSslPrivateKeyFile) == true ||
                 conf_.has(Conf::SocketSslCertificateFile) == true);
    try
    {
        // overrides use_ssl if given explicitly
        use_ssl = conf_.get<bool>(Conf::SocketUseSsl);
    }
    catch (gu::NotFound& nf) { }

    if (use_ssl == true)
    {
        conf_.set(Conf::SocketUseSsl, true);
        log_info << "initializing ssl context";
        set_compression(conf_);
        set_cipher_list(ssl_context_.impl(), conf_);
        ssl_context_.set_verify_mode(asio::ssl::context::verify_peer);
        ssl_context_.set_password_callback(

Since SocketUseSsl has a default value of 'no' now, it disables it.
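The option-resolution logic quoted above, rebuilt as an added example that is not Galera's code: Conf is a hypothetical stand-in for the provider's config store (explicit user options plus built-in defaults), parse_provider_options reads the wsrep_provider_options string from the report, use_ssl_regressed mirrors the 25.4 behaviour where get() finds the new default socket.ssl = no and overrides the inference from key/cert, and use_ssl_fixed is an illustrative correction (not Galera's actual patch) that only lets an explicitly supplied socket.ssl override. Running a node's option string through both tells an operator whether the listener would come up as ssl:// or tcp://.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for Galera's config store: user-supplied options plus defaults.
struct Conf {
    std::map<std::string, std::string> user;      // from wsrep_provider_options
    std::map<std::string, std::string> defaults;  // provider built-in defaults
    bool has(const std::string& k) const { return user.count(k) || defaults.count(k); }
    bool is_set(const std::string& k) const { return user.count(k) != 0; }
    std::string get(const std::string& k) const {  // throws when absent, like gu::NotFound
        auto it = user.find(k);
        if (it != user.end()) return it->second;
        it = defaults.find(k);
        if (it != defaults.end()) return it->second;
        throw std::out_of_range(k);
    }
};

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Parse the "key=value; key=value" form of wsrep_provider_options.
Conf parse_provider_options(const std::string& opts) {
    Conf c;
    c.defaults["socket.ssl"] = "no";  // the default introduced in 25.4, per the comment above
    std::stringstream ss(opts);
    for (std::string item; std::getline(ss, item, ';');) {
        size_t eq = item.find('=');
        if (eq != std::string::npos) c.user[trim(item.substr(0, eq))] = trim(item.substr(eq + 1));
    }
    return c;
}

// 25.4 logic as quoted: get() now always finds the default "no", so the inference is lost.
bool use_ssl_regressed(const Conf& c) {
    bool use_ssl = c.has("socket.ssl_key") || c.has("socket.ssl_cert");
    try { use_ssl = (c.get("socket.ssl") == "yes"); } catch (const std::out_of_range&) {}
    return use_ssl;
}

// Illustrative correction (not Galera's patch): only an explicit socket.ssl may override.
bool use_ssl_fixed(const Conf& c) {
    bool use_ssl = c.has("socket.ssl_key") || c.has("socket.ssl_cert");
    if (c.is_set("socket.ssl")) use_ssl = (c.get("socket.ssl") == "yes");
    return use_ssl;
}
```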

summary: - Update 5.6.15-25.3 -> 5.6.15-25.4: SSL not working any more
         + SSL disabled without socket.ssl in Galera