
Galera-4 (26.4.16) not working with MariaDB 11.0.5 or 11.1.4 when using socket.ssl_cipher #656

Open
klau2005 opened this issue Mar 15, 2024 · 5 comments

@klau2005

klau2005 commented Mar 15, 2024

We are running a 3 node Galera cluster, each node running MariaDB 10.11.7 on Ubuntu 22.04. Both Galera and MariaDB were installed via apt from the official repositories. The cluster is configured with SSL for both server and replication traffic. Below is an excerpt of the Galera configuration file related to WSREP and SSL:

wsrep_provider_options = "gcache.keep_pages_size=1G;gcache.page_size=1G;socket.ssl_cert=<cert_path>;socket.ssl_key=<key_path>;socket.ssl_ca=<ca_path>;socket.ssl_cipher=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

This setup works perfectly with the above versions. After upgrading one node to MariaDB 11.0.5 or 11.1.4, that node fails to start and the error in the log is:

2024-03-15 13:58:38 0 [ERROR] WSREP: Failed to initialize parameter 'socket.ssl_cipher', value TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 , flags (read_only | bool)
2024-03-15 13:58:38 0 [Note] WSREP: Deinitializing config service v1
2024-03-15 13:58:38 0 [ERROR] WSREP: Failed to initialize provider options

I tried to restrict that list to only one cipher in the hope that maybe it somehow stopped wanting all the ciphers listed in there. Same error. Only when I removed the parameter completely did the error go away. However, that is not what we want, as we have to have SSL enabled for the replication traffic.
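As a pre-upgrade sanity check from the operator's side, the following is an added Python example (not code from this issue, from Galera or from MariaDB). It parses a `wsrep_provider_options` string into its key/value pairs, splits the `socket.ssl_cipher` value into TLS 1.3 suite names and TLS 1.2 cipher names, and reports the conditions this thread touches: a cipher list made of entries that are not forward-secret AEAD ciphers, unreplaced `<...>` placeholders in the certificate paths, and the workaround of dropping `socket.ssl_cipher` entirely (replication still runs over TLS, but with the provider's default cipher selection rather than a pinned list). The option string, file paths and the `parse_provider_options` / `check_ssl_options` names are constructed for this example; it does not talk to a running node.

```python
"""Sanity-check the socket.ssl_* part of a Galera wsrep_provider_options string.

Added example; not part of the issue, Galera or MariaDB. Runs offline.
"""

# Constructed sample in the same shape as the option string from the report.
# Paths are placeholders for this example, not real deployment paths.
SAMPLE_OPTIONS = (
    "gcache.keep_pages_size=1G;gcache.page_size=1G;"
    "socket.ssl_cert=/etc/mysql/ssl/server-cert.pem;"
    "socket.ssl_key=/etc/mysql/ssl/server-key.pem;"
    "socket.ssl_ca=/etc/mysql/ssl/ca.pem;"
    "socket.ssl_cipher=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# OpenSSL names of the TLS 1.3 suites; these are not TLS 1.2 cipher names.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
# Forward-secret key exchange prefixes and AEAD markers in TLS 1.2 names.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("-GCM-", "-CHACHA20-POLY1305")
REQUIRED_SSL_KEYS = ("socket.ssl_cert", "socket.ssl_key", "socket.ssl_ca")


def parse_provider_options(option_string):
    """Split 'k=v;k=v;...' into a dict; empty items are ignored."""
    options = {}
    for item in option_string.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed provider option (no '='): {item!r}")
        key, value = item.split("=", 1)
        options[key.strip()] = value.strip()
    return options


def classify_ciphers(cipher_list):
    """Bucket a colon-separated OpenSSL cipher string.

    Returns {'tls13': [...], 'tls12': [...], 'other': [...]} where 'tls12'
    holds only forward-secret AEAD entries and 'other' holds anything else.
    """
    buckets = {"tls13": [], "tls12": [], "other": []}
    for name in cipher_list.split(":"):
        if not name:
            continue
        if name in TLS13_SUITES:
            buckets["tls13"].append(name)
        elif name.startswith(FORWARD_SECRET_PREFIXES) and any(
            marker in name for marker in AEAD_MARKERS
        ):
            buckets["tls12"].append(name)
        else:
            buckets["other"].append(name)
    return buckets


def check_ssl_options(options):
    """Return a list of findings (empty list means nothing to report)."""
    findings = []
    missing = [k for k in REQUIRED_SSL_KEYS if k not in options]
    if missing:
        findings.append("missing required keys: " + ", ".join(missing))
    for key in REQUIRED_SSL_KEYS:
        value = options.get(key, "")
        if value.startswith("<") and value.endswith(">"):
            findings.append(f"{key} still holds the placeholder {value}")

    cipher = options.get("socket.ssl_cipher")
    if cipher is None:
        # The workaround from the report: TLS stays on, but the cipher
        # selection is whatever the provider build defaults to.
        findings.append(
            "socket.ssl_cipher not set; provider default cipher list applies"
        )
        return findings

    buckets = classify_ciphers(cipher)
    if not (buckets["tls13"] or buckets["tls12"]):
        findings.append("no TLS 1.3 suite or forward-secret AEAD TLS 1.2 cipher listed")
    for name in buckets["other"]:
        findings.append(f"not forward-secret AEAD: {name}")
    return findings


if __name__ == "__main__":
    parsed = parse_provider_options(SAMPLE_OPTIONS)
    for line in check_ssl_options(parsed) or ["no findings"]:
        print(line)
```

Run it against the real `wsrep_provider_options` value from each node's config before the rolling upgrade; a node whose only finding is the missing `socket.ssl_cipher` is the one running with the workaround described above.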

@tvdijen

tvdijen commented Aug 12, 2024

@klau2005 I ran into this same issue. Have you figured it out, or are you still waiting for a response?

FYI: I filed a bug report with MariaDB too: https://jira.mariadb.org/browse/MDEV-34738

@klau2005
Author

Hi @tvdijen,
Unfortunately I couldn't find any solution for the issue and we are still running the cluster with that parameter commented. I don't see any activity here either so it will probably remain like this for a while...

@tvdijen

tvdijen commented Aug 12, 2024

Thanks! I'll keep you posted on activity at MariaDB.

@janlindstrom
Contributor

Hi, have you opened an MDEV for MariaDB? At least in 11.4 this could be related to the new SSL feature.

@tvdijen

tvdijen commented Aug 13, 2024

Hi, have you opened an MDEV for MariaDB? At least in 11.4 this could be related to the new SSL feature.

https://jira.mariadb.org/browse/MDEV-34738
