Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
connection node_2;
connection node_1;
connection node_1;
connection node_2;
connection node_2;
connection node_1;
connection node_2;
include/assert_grep.inc [SST used OpenSSL-based encryption]
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
connection node_2;
connection node_1;
connection node_1;
connection node_2;
connection node_2;
connection node_1;
connection node_2;
include/assert_grep.inc [SST used stunnel for SSL encryption]
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
!include ../galera_2nodes.cnf

# Role-specific SSL certificates for SST: the joiner (TLS server) uses
# the server cert/key, the donor (TLS client) uses the client cert/key.
# No generic ssl-cert/ssl-key is set, so SST can only succeed if the
# role-specific options are honored.
[mysqld]
wsrep_sst_method=mariabackup
wsrep_sst_auth="root:"
wsrep_debug=1
ssl-ca=@ENV.MYSQL_TEST_DIR/std_data/cacert.pem

[sst]
ssl-mode=VERIFY_CA
ssl-server-cert=@ENV.MYSQL_TEST_DIR/std_data/server-cert.pem
ssl-server-key=@ENV.MYSQL_TEST_DIR/std_data/server-key.pem
ssl-client-cert=@ENV.MYSQL_TEST_DIR/std_data/client-cert.pem
ssl-client-key=@ENV.MYSQL_TEST_DIR/std_data/client-key.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
#
# mariabackup SST honors separate client/server SSL certificates by role.
#
# STEPS:
# - Start a 2-node cluster with only role-specific SST certificates set
# (joiner=server cert/key, donor=client cert/key), no generic ssl-cert.
# - Force node 2 to rejoin via a fresh SST.
# - Confirm node 2 rejoins and the transfer was OpenSSL-encrypted.
#
--source include/galera_cluster.inc
--source include/have_innodb.inc
--source include/have_mariabackup.inc

--let $node_1=node_1
--let $node_2=node_2
--source include/auto_increment_offset_save.inc

--connection node_2
--source include/shutdown_mysqld.inc

# Force a fresh SST on node 2.
--remove_file $MYSQLTEST_VARDIR/mysqld.2/data/grastate.dat

--source include/start_mysqld.inc
--source include/wait_until_connected_again.inc

--connection node_1
--let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size'
--source include/wait_condition.inc

# The joiner must have used OpenSSL-based transfer for the SST.
--connection node_2
--let $assert_text = SST used OpenSSL-based encryption
--let $assert_select = Using openssl based encryption with socat
--let $assert_match = Using openssl based encryption with socat
--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.2.err
--let $assert_only_after = CURRENT_TEST
--source include/assert_grep.inc

--source include/auto_increment_offset_restore.inc
16 changes: 16 additions & 0 deletions mysql-test/suite/galera/t/galera_sst_rsync_ssl_role_certs.cnf
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
!include ../galera_2nodes.cnf

# Role-specific SSL certificates for rsync/stunnel SST: the joiner
# (stunnel server) uses the server cert/key, the donor (stunnel client)
# uses the client cert/key. No generic ssl-cert/ssl-key is set, so SST
# can only succeed if the role-specific options are honored.
[mysqld]
wsrep_sst_method=rsync
ssl-ca=@ENV.MYSQL_TEST_DIR/std_data/cacert.pem

[sst]
ssl-mode=VERIFY_CA
ssl-server-cert=@ENV.MYSQL_TEST_DIR/std_data/server-cert.pem
ssl-server-key=@ENV.MYSQL_TEST_DIR/std_data/server-key.pem
ssl-client-cert=@ENV.MYSQL_TEST_DIR/std_data/client-cert.pem
ssl-client-key=@ENV.MYSQL_TEST_DIR/std_data/client-key.pem
40 changes: 40 additions & 0 deletions mysql-test/suite/galera/t/galera_sst_rsync_ssl_role_certs.test
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
#
# rsync SST honors separate client/server SSL certificates by role.
#
# STEPS:
# - Start a 2-node cluster with only role-specific SST certificates set
# (joiner=server cert/key, donor=client cert/key), no generic ssl-cert.
# - Force node 2 to rejoin via a fresh SST.
# - Confirm node 2 rejoins and the transfer went through stunnel (SSL).
#
--source include/galera_cluster.inc
--source include/have_innodb.inc
--source include/have_stunnel.inc

--let $node_1=node_1
--let $node_2=node_2
--source include/auto_increment_offset_save.inc

--connection node_2
--source include/shutdown_mysqld.inc

# Force a fresh SST on node 2.
--remove_file $MYSQLTEST_VARDIR/mysqld.2/data/grastate.dat

--source include/start_mysqld.inc
--source include/wait_until_connected_again.inc

--connection node_1
--let $wait_condition = SELECT VARIABLE_VALUE = 2 FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME = 'wsrep_cluster_size'
--source include/wait_condition.inc

# The joiner must have used stunnel (SSL) for the SST transfer.
--connection node_2
--let $assert_text = SST used stunnel for SSL encryption
--let $assert_select = Using stunnel for SSL encryption
--let $assert_match = Using stunnel for SSL encryption
--let $assert_file = $MYSQLTEST_VARDIR/log/mysqld.2.err
--let $assert_only_after = CURRENT_TEST
--source include/assert_grep.inc

--source include/auto_increment_offset_restore.inc
14 changes: 14 additions & 0 deletions scripts/wsrep_sst_common.sh
Original file line number Diff line number Diff line change
Expand Up @@ -1644,6 +1644,20 @@ check_server_ssl_config()
"of the tca[path], tcert and/or tkey in the [sst] section"
fi
fi
# Role-specific overrides: the joiner is the TLS server (listener),
# the donor the TLS client (connector). Allow a distinct cert, key
# and CA per role for setups where they differ.
if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
tcert=$(parse_cnf "$encgroups" 'ssl-server-ca' "$tcert")
tcap=$(parse_cnf "$encgroups" 'ssl-server-capath' "$tcap")
tpem=$(parse_cnf "$encgroups" 'ssl-server-cert' "$tpem")
tkey=$(parse_cnf "$encgroups" 'ssl-server-key' "$tkey")
else
tcert=$(parse_cnf "$encgroups" 'ssl-client-ca' "$tcert")
tcap=$(parse_cnf "$encgroups" 'ssl-client-capath' "$tcap")
tpem=$(parse_cnf "$encgroups" 'ssl-client-cert' "$tpem")
tkey=$(parse_cnf "$encgroups" 'ssl-client-key' "$tkey")
fi
if [ -n "$tcert" ]; then
if [ "${tcert%/}" != "$tcert" -o -d "$tcert" ]; then
tcap="$tcert"
Expand Down