Explicitly set the dhparam option with socat to bypass the use of the old certs
Activity

KennT December 16, 2020 at 10:54 AM
Using certs generated by OpenSSL 1.1.1 will work successfully, so the issue is using certs generated from previous versions with OpenSSL 1.1.1.
For those cases, manually using the dhparam option in socat is a workaround (although that involves changing the wsrep_sst_xtrabackup-v2.sh script).
The next version of 5.6/5.7 will have a fix that adds the dhparam option if the ssl_dhparams option is set in the [sst] section of the cnf file.
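
The dhparam workaround described in the comment above, as an added shell example that is not part of the wsrep_sst_xtrabackup-v2.sh script: it reads ssl_dhparams from the [sst] section of a cnf file and appends dhparam=<file> to the socat openssl-listen options only when that option is set, which is the behaviour the fix is described as adding. The cnf contents, port and cert/key paths are constructed for illustration, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the PXC script's own code: assemble the socat TLS options
# the way the described fix does, so DH parameters come from ssl_dhparams in
# the [sst] section instead of from the (old) certificate file.

# Print the value of KEY from the [sst] section of CNF, or nothing if unset.
# Only the [sst] section is consulted; the same key in [mysqld] is ignored.
sst_option() {
    cnf="$1"; key="$2"
    awk -v key="$key" '
        /^[ \t]*\[/ { in_sst = ($0 ~ /^[ \t]*\[sst\][ \t]*$/); next }
        in_sst && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); sub(/[ \t]+$/, ""); print; exit
        }' "$cnf"
}

# Build the openssl-listen option string for socat; port, cert and key file
# are assumptions standing in for what the SST script would pass.
socat_listen_opts() {
    cnf="$1"; port="$2"; cert="$3"; keyfile="$4"
    opts="openssl-listen:${port},reuseaddr,cert=${cert},key=${keyfile},verify=0,retry=30"
    dh=$(sst_option "$cnf" ssl_dhparams)
    if [ -n "$dh" ]; then
        # Explicit DH parameters bypass the ones socat would take from the old
        # cert, which is where SSL_CTX_set_tmp_dh fails under OpenSSL 1.1.1.
        opts="${opts},dhparam=${dh}"
    fi
    printf '%s\n' "$opts"
}

# Constructed sample cnf: ssl_dhparams set in [sst] (and, as a decoy, in [mysqld]).
write_sample_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
ssl_dhparams=/wrong/section/dhparams.pem
[sst]
encrypt=2
ssl_dhparams = /etc/mysql/certs/dhparams.pem
EOF
}
```

Without an ssl_dhparams entry in [sst] the option string is unchanged, matching the old behaviour.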

KennT December 15, 2020 at 7:29 AM
Additional notes:
(1) This only applies to encrypt=2 and encrypt=3 (which are not supported in 8.0), so this will apply to 5.6 and 5.7 only.
(2) A fix is to use the dhparam option; this has to be done only on the node with OpenSSL 1.1.1. Unfortunately this requires a code change (since we added the dhparam parameter for socat builds < 1.7.3).

KennT December 10, 2020 at 6:35 AM
I am able to repro this locally with 5.7 on Ubuntu Focal.

KennT December 10, 2020 at 5:48 AM
This appears in the logs:
2020-12-08T20:13:06.176759Z WSREP_SST: [DEBUG] Evaluating socat -u openssl-listen:16009,reuseaddr,cert=/tmp/results/PXC/mysql-test/std_data/galera-cert.pem,key=/tmp/results/PXC/mysql-test/std_data/galera-key.pem,verify=0,retry=30 stdio | xbstream -x $xbstream_eopts
2020/12/08 23:13:06 socat[30054] E SSL_CTX_set_tmp_dh(0x55b1716ebde0, 0x55b17170f1f0): error
Description
There are several tests using SSL that are failing on newer distros (CentOS 8 / Ubuntu Focal):
galera.galera_sst_xtrabackup-v2_encrypt_with_key
galera.galera_sst_xtrabackup-v2_keyring
Maybe this is due to newer versions of OpenSSL (OpenSSL 1.1.1)?