Created attachment 1876783[details]
Contains MariaDB configuration and patch for wsrep_sst_mariabackup.sh
Description of problem:
The recent mariadb-server package update in RHEL 8.5 breaks State Snapshot Transfers (SST) when using the 'mariabackup' SST method with socat.
Version-Release number of selected component (if applicable):
3:10.3.32-2.module+el8.5.0+14124+14ced695
How reproducible:
Always.
Steps to Reproduce:
1. Configure Galera multi-master replication between three nodes using the 'mariabackup' SST method, and further configure the use of socat's TLS implementation for these SSTs (e.g. encrypt=2 under the [sst] section). See the attached configuration files.
2. Bootstrap the cluster from one of the nodes.
3. Attempt to join one of the other nodes to the cluster.
Actual results:
The joining node will correctly start the socat service, listening on TCP port 4444, in order to receive the SST. The donor node however will refuse to connect to the joining node with this error in /var/log/mariadb/mariadb.log:
WSREP_SST: [INFO] Evaluating '/usr//bin/mbstream' -c 'xtrabackup_galera_info' | socat -u stdio openssl-connect:webmail6.ciphermail.com:4444,cert='/etc/pki/tls/private/ciphermail.pem',cafile='/etc/pki/tls/certs/ciphermail-ca.crt',commonname='',pf=ip6; RC=( ${PIPESTATUS[@]} ) (20220502 11:30:49.172)
2022/05/02 11:30:49 socat[393629] E Failed to set SNI host ""
Expected results:
The donor node should connect to the joining node's socat service on TCP port 4444, verify that the CA certificate matches the trusted CA certificate, and verify that the Common Name matches the node's name as listed in wsrep_cluster_address. It should not attempt to use an empty string as the Common Name or SNI host.
Additional info:
The fix we currently use ourselves and plan to provide to our customers is to apply the same logic to the CN_option variable when using encrypt=2 as is done in case encrypt=3 or encrypt=4 is used. See the attached patch.
You set commonname to '', for whatever reason. For the users convenience Socat tries to set the SNI name to commonname, but OpenSSL lib apparently does not allow explicit empty SNI name.
Try option nosni to prevent Socat from setting the SNI name!
Created attachment 1876783 [details] Contains MariaDB configuration and patch for wsrep_sst_mariabackup.sh Description of problem: The recent mariadb-server package update in RHEL 8.5 breaks State Snapshot Transfers (SST) when using the 'mariabackup' SST method with socat. Version-Release number of selected component (if applicable): 3:10.3.32-2.module+el8.5.0+14124+14ced695 How reproducible: Always. Steps to Reproduce: 1. Configure Galera multi-master replication between three nodes using the 'mariabackup' SST method, and further configure the use of socat's TLS implementation for these SSTs (e.g. encrypt=2 under the [sst] section). See the attached configuration files. 2. Bootstrap the cluster from one of the nodes. 3. Attempt to join one of the other nodes to the cluster. Actual results: The joining node will correctly start the socat service, listening on TCP port 4444, in order to receive the SST. The donor node however will refuse to connect to the joining node with this error in /var/log/mariadb/mariadb.log: WSREP_SST: [INFO] Evaluating '/usr//bin/mbstream' -c 'xtrabackup_galera_info' | socat -u stdio openssl-connect:webmail6.ciphermail.com:4444,cert='/etc/pki/tls/private/ciphermail.pem',cafile='/etc/pki/tls/certs/ciphermail-ca.crt',commonname='',pf=ip6; RC=( ${PIPESTATUS[@]} ) (20220502 11:30:49.172) 2022/05/02 11:30:49 socat[393629] E Failed to set SNI host "" Expected results: The donor node should connect to the joining node's socat service on TCP port 4444, verify that the CA certificate matches the trusted CA certificate, and verify that the Common Name matches the node's name as listed in wsrep_cluster_address. It should not attempt to use an empty string as the Common Name or SNI host. Additional info: The fix we currently use ourselves and plan to provide to our customers is to apply the same logic to the CN_option variable when using encrypt=2 as is done in case encrypt=3 or encrypt=4 is used. See the attached patch.