
I have a MariaDB Server on a CentOS 8 machine (mariadb-10.3.17) and a client (openSUSE Leap 15.1) with mariadb 10.2.31.

I have configured the server with TLS as follows:

[mysqld]
...
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca  = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-cipher = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
...

The dbsrv.example.com_chain.pem file contains the chain certificate (intermediate certificate and CA certificate).

I want to enable TLS for all clients, including the client on the MariaDB server VM.
Thus, I have this section in the /etc/my.cnf.d/client.cnf of the server:

[client]
default-character-set = utf8mb4
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-verify-server-cert = true

Yes, the certificates are the same, since we talk about the same machine!

And I have this section in the /etc/my.cnf.d/clients.cnf of the openSUSE client:

[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem
ssl-verify-server-cert = true

This setup is not working. When I try to connect from the client on the server (as root user) I get this error:

Enter password: 
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

If I make the client as follows:

[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem

(meaning, if I remove the ssl-verify-server-cert = true), I can connect from the mysql client on the server but not from the openSUSE client.

So, my questions are:
1. Why does the client on the server not connect? My suspicion is on the private key permissions. But then, if I make the private key readable by anyone, it's not secure anymore.

I fixed this by creating a new dba group and adding the users that can access the mysql command and the relevant certificates. The private key is owned by `root:dba` and the permissions are `640`.

2. What am I setting wrong, so that I cannot have 2-way verification on my TLS connections?

Log files are not helpful (no error messages) and -v doesn't help either: no information.
ptselios
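As an added example (not code from the question or the answer), here is a small lint over a `[client]` section that checks the three points this setup turns on: a CA the client can validate the server against, a matching client certificate/key pair, and a private key that is not world-readable. The embedded sample is constructed to mirror the openSUSE section above; the "_chain.pem" file-name heuristic is an assumption of mine, not a MariaDB rule.

```python
import configparser
import os
import stat

# Constructed sample mirroring the openSUSE [client] section in the question:
# server verification is requested, but no CA file is configured to verify against.
JUMPHOST_CLIENT_CNF = """[client]
default-character-set = utf8mb4
ssl_cert = /etc/my.cnf.d/certificates/jumphost.example.com_chain.pem
ssl_key = /etc/my.cnf.d/certificates/jumphost.example.com_key.pem
ssl-verify-server-cert = true
"""


def key_mode_finding(mode: int):
    """Return a finding if a private-key file mode grants any access to 'other'."""
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        return "ssl_key is world-accessible; restrict it (e.g. mode 0640, owned root:dba)"
    return None


def lint_client_section(cnf_text: str) -> list:
    """Return TLS findings for the [client] section of a MariaDB option file."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",), strict=False)
    cp.read_string(cnf_text)
    if "client" not in cp:
        return ["no [client] section found"]
    # MariaDB treats '-' and '_' in option names as equivalent; a bare boolean
    # option (value None) means "on".
    opts = {k.replace("-", "_"): v for k, v in cp["client"].items()}
    findings = []
    verify = opts.get("ssl_verify_server_cert", "0")
    if (verify is None or verify.strip().lower() not in ("0", "off", "false")) \
            and not ("ssl_ca" in opts or "ssl_capath" in opts):
        findings.append("ssl-verify-server-cert is set but no ssl_ca/ssl_capath "
                        "is given: nothing to validate the server certificate against")
    # A client certificate is only presented when cert and key are both configured.
    if ("ssl_cert" in opts) != ("ssl_key" in opts):
        findings.append("ssl_cert and ssl_key must be configured together")
    # Name heuristic (assumption): a *_chain.pem normally holds CA material, not
    # the client's own end-entity certificate that matches ssl_key.
    if "chain" in os.path.basename(opts.get("ssl_cert") or ""):
        findings.append("ssl_cert looks like a chain file, not the client certificate")
    key = opts.get("ssl_key")
    if key and os.path.exists(key):  # only inspect a key present on this host
        finding = key_mode_finding(stat.S_IMODE(os.stat(key).st_mode))
        if finding:
            findings.append(finding)
    return findings
```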

1 Answer


1) This is to do with key permissions, as you suspect.

2) They are not.

3) You seem to be misunderstanding how this works. On the server you need:

  • SSL cert

  • SSL key

On the client you need the signing CA cert.

The client validates the server's authenticity, not the other way around.

Gordan Bobić
  • I want 2 way verification, on some clients. The permissions are fixed now and I will reflect it in the question as well. Still the 2-way is not working (for both clients) and TLS connection from the Jumphost is not working at all. – ptselios Apr 13 '20 at 08:32