state transfer with SSL disabled in wsrep_provider_options crashes Receiver and Donor node

General

Escalation

General

Escalation

Description

Hey,

When setting socket.ssl = NO in wsrep_provider_options without explicitly specifying if SSL is used in the [SST] part of my.cnf, not only will the state transfer fail, but it will crash the donor node as well as the receiver node.

The respective parts of my.cnf

Logs from the donor:

Logs of the receiver:

To us it looks like the cause is:

When setting socket.ssl = NO, the donor does not expect SSL Traffic in state transfer connections.
But unless explicitly configuring [SST] to not use SSL, it will use SSL.
This makes sent/received packages unreadable for both ends
This causes crashes on the donor and the receiver.

On a three node cluster, where

Node 3 dropped out and tried to re-join with an automatic state transfer from Node 2
Node 3 will crash and hang
Node 2 will also crash and hang
Node 1 will be left alone and therefore transition into Non-Primary.

How we would it expect to behave:

Error handling on sender and receiver side
Maybe even explicitly detecting misalignment on SSL-config and print an error hinting to this
but definitely not crashing MySQL.

Environment

Ubuntu 20

Linked issues

relates to

PXC-3163

clustercheck can't connect with ssl default

Smart Checklist

Activity

Show:

Anton Matvienko January 16, 2023 at 12:07 PM

Not reproduced in 5.7

yoann.lacancellera September 26, 2022 at 1:51 PM
Edited

Hello,

Thank you for your report.

I reproduced using:

With setting pxc_encrypt_cluster_traffic=OFF everywhere, I could not make it crash with IST or SST.

With pxc_encrypt_cluster_traffic=ON on node2, it does crash.

Donor node:

Joiner node:

As indicated, it does only crash when node2 tries using SSL: "IST receiver addr using ssl://127.0.0.1:28857".

Note:

without "socket.ssl=NO;", it does not join cluster
specifying tkey, tca, tcert did not introduce the crash on its own. Even when adding "encrypt=4"
catching and kill -9 joiner or donor IST process does not introduce crash on donor side.

Done

Details
Assignee
Anton Matvienko
Reporter
Isobel Smith
Labels
server-eng-ext
Fix versions
8.0.32-24 (Q1 2023)
Affects versions
Not 5.7.x
8.0.30-22 (Q3 2022)
Priority
Medium

Smart Checklist

Created May 7, 2022 at 11:58 AM

Updated March 6, 2024 at 8:56 PM

Resolved February 20, 2023 at 10:19 AM

state transfer with SSL disabled in wsrep_provider_options crashes Receiver and Donor node

Description

Environment

Linked issues

relates to

Smart Checklist

Activity

Anton Matvienko January 16, 2023 at 12:07 PM

yoann.lacancellera September 26, 2022 at 1:51 PMEdited

DetailsAssigneeAnton MatvienkoAnton MatvienkoReporterIsobel SmithIsobel SmithLabelsserver-eng-extFix versions8.0.32-24 (Q1 2023)Affects versionsNot 5.7.x8.0.30-22 (Q3 2022)PriorityMedium

Details

Assignee

Reporter

Labels

Fix versions

Affects versions

Priority

Smart ChecklistOpen Smart Checklist

Smart Checklist

yoann.lacancellera September 26, 2022 at 1:51 PM
Edited

Details
Assignee
Anton Matvienko
Reporter
Isobel Smith
Labels
server-eng-ext
Fix versions
8.0.32-24 (Q1 2023)
Affects versions
Not 5.7.x
8.0.30-22 (Q3 2022)
Priority
Medium

Smart Checklist