
I have a CentOS 8 with MariaDB (10.3.17).
The server is set up with TLS and I have configured it to use 2-Way TLS, following the MariaDB examples: https://mariadb.com/kb/en/securing-connections-for-client-and-server/#enabling-one-way-tls-for-mariadb-clients

However, I cannot make 2-Way TLS work when I use the localhost connection.

So, what I have:

mariadb-server:

```ini
port = 3306
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca  = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-cipher = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES
```

On the client I have this:

```ini
[client]
default-character-set = utf8mb4
ssl_cert = /etc/pki/tls/certs/dbsrv.example.com_crt.pem
ssl_key = /etc/pki/tls/private/dbsrv.example.com_key.pem
ssl_ca = /etc/pki/tls/certs/dbsrv.example.com_chain.pem
ssl-verify-server-cert = true
```

The _chain certificates contain the Intermediate certificate (which signed the _crt files) and the CA certificate. The CA certificate is added to the host's trust store (although it's not used by mariadb as far as I understand).

The CNs of the certificates are:

```text
subject=C ... CN = dbsrv.example.com, ...
subject=C ... CN = jumphost.example.com, ...
subject=C ... CN = MyCA-Int, ...
```

Now the problem.

When I connect with localhost I get this error message:

```bash
mysql  -u root -p
Enter password: 
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
```

But if I connect through TCP, it works:

```bash
mysql -h dbsrv.example.com -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 30
Server version: 10.3.17-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          30
Current database:
Current user:           root@dbsrv.example.com
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.17-MariaDB MariaDB Server
Protocol version:       10
Connection:             dbsrv.example.com via TCP/IP
...
```

If I remove `ssl-verify-server-cert = true` from the client configuration it works as well, but that's not what I want.

```bash
mysql  -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 10.3.17-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          31
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.17-MariaDB MariaDB Server
Protocol version:       10
Connection:             Localhost via UNIX socket
```

```bash
mysql -h dbsrv.example.com -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.3.17-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.17-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          32
Current database:
Current user:           root@dbsrv.example.com
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.3.17-MariaDB MariaDB Server
Protocol version:       10
Connection:             dbsrv.example.com via TCP/IP
```

So, how can I make it work with the localhost connection as well?

ptselios
  • If I'm not mistaken, there is a relation between certificates and domain names. So, it might be hard to obtain a certificate for "localhost". Why would you want SSL for a local connection? Do you fear a "man in the middle" attack? – Gerard H. Pille Apr 13 '20 at 10:08
  • No, I simply don't want to change the current trend. DBAs connect with `mysql -u -p ` and they are not very adamant to use the -h FQDN. And at the same time I need 2-Way verification due to the security policy. So, I need to find a way to make it work with both, without using any nasty aliases. – ptselios Apr 13 '20 at 10:11
  • I think you mean your DBAs are "very adamant not to use the -h FQDN". Having been a DBA for a number of decades myself, I fully understand they are hard to work with. What about putting the FQDN in /etc/my.cnf? Just in case nobody can tell you how to use SSL with localhost. – Gerard H. Pille Apr 13 '20 at 10:27
  • I didn't think of this. Probably a good solution. (ps yes, "not" was meant to be there :) ) – ptselios Apr 13 '20 at 10:30
  • LOL. "No, I simply don't want to change the current trend." Not only adamant DBAs, I see. – Gerard H. Pille Apr 13 '20 at 10:37
  • So, it could be possible after all. What do you think of this: https://letsencrypt.org/docs/certificates-for-localhost/ ? – Gerard H. Pille Apr 13 '20 at 10:43
  • I am close to this. Since I have control over the CA, I might use localhost as a SAN and see if it works. If it does, I will use it. Otherwise, I will have one more discussion with the DBAs. Besides, we have to use TLS and there is no exception on this... – ptselios Apr 13 '20 at 11:16
  • I am very curious to know what the benefits could be in using an encrypted local connection. You are aware of the performance cost? – Gerard H. Pille Apr 13 '20 at 11:52
  • Personally, I cannot see **any** benefit in this. Not even in the 2-Way verification. I can limit the access to the mysql port via the machine or network firewall. The security team seems not to understand the term "local", or there is something else I completely miss! Regarding the performance cost, it's not that high, the server is on 15-25% CPU utilization and in terms of performance looks OK, at least for now. – ptselios Apr 13 '20 at 12:10
  • The loss of performance will only be apparent when a DBA needs to do a large transfer of information to or from the DB. For instance, a backup. Keep this in mind. Protecting (which this is NOT) yourself against one of your DBAs???? Is your "security" team qualified? – Gerard H. Pille Apr 13 '20 at 12:14
  • Let's just say that they are a bit paranoid... In the meantime I am preparing a different solution. I talked with the DBAs and they agree that we can limit the TLS connections to very specific users and very specific hosts. We don't have '%' anywhere in the permissions, so we might end up with a solution that will enable 2-Way TLS only for remote connections and only for root. Which makes more sense. So, now time will be spent on preparing a presentation for the obvious. – ptselios Apr 13 '20 at 14:25

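What `ssl-verify-server-cert` fails on is the host name check: the client compares the name it connected with ("localhost" when no `-h` is given, `dbsrv.example.com` over TCP) against the server certificate's SAN/CN. The following is an added example, not code from the question or from MariaDB; it applies RFC 6125-style matching to constructed stand-ins for the question's certificate, once as issued and once reissued with `localhost` as an extra SAN as discussed in the comments. The assumption is that the MariaDB client checks the certificate against the connection host name, which is what the observed behaviour suggests.

```python
"""Host name check a TLS client applies to a server certificate (added example).

The certificate dicts are constructed stand-ins in the shape returned by
ssl.SSLSocket.getpeercert(); they are not the question's real certificates.
Assumption: the client verifies against the host it was asked to connect to.
"""

def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS pattern (optionally a single leftmost '*') against host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, never matches across a dot,
    # and is refused for very short names such as "*.com".
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, host: str) -> bool:
    """SAN DNS entries take precedence; the subject CN counts only when no SAN exists."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return any(_name_matches(p, host) for p in san)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_name_matches(p, host) for p in cns)

# Constructed stand-in for the server certificate as the question describes it.
SERVER_CERT_AS_ISSUED = {
    "subject": ((("commonName", "dbsrv.example.com"),),),
    "subjectAltName": (("DNS", "dbsrv.example.com"),),
}
# The same certificate reissued with localhost as an additional SAN.
SERVER_CERT_WITH_LOCALHOST_SAN = {
    "subject": ((("commonName", "dbsrv.example.com"),),),
    "subjectAltName": (("DNS", "dbsrv.example.com"), ("DNS", "localhost")),
}

def verify_outcomes(cert: dict) -> dict:
    """Outcome of the host name check for the two ways the question connects."""
    return {
        "dbsrv.example.com": cert_matches_host(cert, "dbsrv.example.com"),
        "localhost": cert_matches_host(cert, "localhost"),
    }

if __name__ == "__main__":
    print(verify_outcomes(SERVER_CERT_AS_ISSUED))           # localhost: False
    print(verify_outcomes(SERVER_CERT_WITH_LOCALHOST_SAN))  # both: True
```

Adding `localhost` as a SAN makes the socket connection verifiable, but it also means any client reaching a service that presents this certificate as `localhost` will accept it, so it belongs only on the certificate of the host that is actually local.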
0 Answers