You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As per the recent SSL improvements in 5.7.34, the joiner generates and sends a
secret message consisting of a random string + Common Name of the SSL
certificate together within the address in State Transfer Request in order
to authenticate the donor on connection.
However, the logic of fetching the Common Name from the certificate
doesn't work well for the SSL certificates with utf-8 common name, resulting
in the SST failure.
WSREP_SST: [INFO] Encrypting with CERT: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-cert.pem, KEY: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-key.pem, CA: /home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/ca.pem (20211105 10:51:58.893)
...
WSREP_SST: [INFO] Streaming GTID file before SST (20211105 10:51:58.910)
WSREP_SST: [INFO] Evaluating xbstream -c ${INFO_FILE} | socat -u stdio openssl-connect:127.0.0.1:5020,cert=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-cert.pem,key=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/server-key.pem,cafile=/home/venki/work/pxc/refresh/codership-mysql-wsrep/bld/pxc-node/cert/ca.pem,verify=1,commonname='\D0\9E\D0\BF\D0\B8\D1\81\D0\B0\D0\BD\D0\B8\D0\B5 \D1\81\D0\B0\D0\B9\D1\82\D0\B0'; RC=( ${PIPESTATUS[@]} ) (20211105 10:51:58.912)
2021/11/05 10:51:58 socat[27977] E certificate is valid but its commonName does not match hostname
As per the recent SSL improvements in 5.7.34, the joiner generates and sends a
secret message consisting of a random string + Common Name of the SSL
certificate together within the address in State Transfer Request in order
to authenticate the donor on connection.
However, the logic of fetching the Common Name from the certificate
doesn't work well for the SSL certificates with utf-8 common name, resulting
in the SST failure.
This is because of the fact that the logic used in https://github.com/codership/mysql-wsrep/blob/wsrep_5.7.34-25.26/scripts/wsrep_sst_xtrabackup-v2.sh#L1099-L1101 doesn't consider utf-8 chars.
In our experiment, we generated SSL certificates with the below common name and SST failed when I used them.
The text was updated successfully, but these errors were encountered: