Galera

Merge lp:~jheiss/galera/galera into lp:galera

  1. galera
  2. Merge into 3.x
Proposed by Jason Heiss
Status: Needs review
Proposed branch: lp:~jheiss/galera/galera
Merge into: lp:galera
Diff against target: 84 lines (+24/-6)
3 files modified
docs/source/galeraparameters.rst (+17/-2)
docs/source/ssl.rst (+6/-3)
gcomm/src/gcomm/conf.hpp (+1/-1)
To merge this branch: bzr merge lp:~jheiss/galera/galera
Reviewer Review Type Date Requested Status
Alex Yurchenko Disapprove
Review via email: mp+194296@code.launchpad.net

Description of the change

I documented the ssl_ca configuration parameter and fixed a few typos I found in the process

To post a comment you must log in.
Revision history for this message
Jason Heiss (jheiss) wrote :

Alright, that's better. Sorry for the confusion.

Reply
Revision history for this message
Alex Yurchenko (ayurchen) wrote :

Jason, thanks for the patch. However we are not at all convinced that checking remote cert against CA authority is applicable to communication within Galera cluster.

The purpose of such operation in client-server communication is to establish the authenticity of server so that client can trust and accept server's public key.

The way SSL works in Galera cluster, both private and public keys are already present on the node. It does not have to *trust* the remote end. If this node and remote node keys don't match, there simply will be no connection.

In other words, it is sufficient that SSL in Galera cluster is used in "pre-shared key" manner, whereas in web client to web server communication it is used to DISTRIBUTE keys from an unknown source, and so needs CA authority check at that step (key distribution).

review: Disapprove
Reply
Revision history for this message
Jason Heiss (jheiss) wrote :

Sorry for the slow reply. This is an unusual use of SSL and it took me a while to think it through. I think I understand now that you are expecting users to deploy the cluster with all members sharing the same key and self-signed certificate (specifically self-signed, not just a shared cert issued by a third party).

I do see one potential problem though. The server code set_verify_mode(verify_peer), but it does not include verify_fail_if_no_peer_cert. So a rogue client could connect and present no client certificate and, it seems to me, be allowed to connect.

For the benefit of others, here's my thought process. Let's assume I'm running a cluster. When I add a node to the cluster I want these things to occur:

1: I want the cluster to be able to determine if the new node is authorized to join the cluster
  a: authentication of the new node
  b: authorization that the node is allowed to join
2: I want the new node to be able to determine that it is communicating with genuine members of the cluster
  a: authentication of the cluster members

How does galera achieve those goals?

1a: Whatever key and cert you specify with ssl_key and ssl_cert are used by galera for both client and server operations. So the new node joining the cluster presents that certificate as an SSL client cert to authenticate itself. The cluster members contacted by the new node can authenticate the new node by verifying that the client's certificate was issued by their cert. This works because everyone is sharing the same self-signed certificate. But I believe the problem I mentioned above would allow a rogue client to connect by not presenting a client certificate.

1b: Presuming the above issue is addressed clients must present a certificate, and that certificate must be signed by the certificate the cluster is using (i.e. self-signed). Since the cluster owner controls that certificate there shouldn't be any unauthorized certificates available for clients to present.

2: The client will verify the server's certificate against its certificate. Again presuming you've used a self-signed certificate specific to a single cluster the client can be sure it is communicating with authentic cluster members.

Reply
Revision history for this message
Alex Yurchenko (ayurchen) wrote :

The possibility of a node connecting without having any certificate is an interesting point and we'll look into it once more for the next release. (however I doubt that it is the case)

Reply

Unmerged revisions

169. By Jason Heiss

Document ssl_ca and fix a few related typos.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'docs/source/galeraparameters.rst'
2--- docs/source/galeraparameters.rst 2013-08-28 15:57:58 +0000
3+++ docs/source/galeraparameters.rst 2013-11-07 08:46:23 +0000
4@@ -43,6 +43,9 @@
5 | :ref:`socket.ssl_key | | 1.0 | n/a | No |
6 | <socket.ssl_key>` | | | | |
7 +---------------------------------------+-----------------------+-----------------------+--------------------+----------+
8+| :ref:`socket.ssl_ca | | 1.0 | n/a | No |
9+| <socket.ssl_ca>` | | | | |
10++---------------------------------------+-----------------------+-----------------------+--------------------+----------+
11 | :ref:`socket.ssl_compression | *yes* | 1.0 | n/a | No |
12 | <socket.ssl_compression>` | | | | |
13 +---------------------------------------+-----------------------+-----------------------+--------------------+----------+
14@@ -228,7 +231,7 @@
15 pair: Parameters; socket.ssl_cert
16
17 A path (absolute or relative to the working
18-directory )to an SSL certificate (in PEM format).
19+directory) to an SSL certificate (in PEM format).
20
21 .. rubric:: socket.ssl_key
22
23@@ -238,9 +241,21 @@
24 pair: Parameters; socket.ssl_key
25
26 A path (absolute or relative to the working
27-directory to a private key for a certificate
28+directory) to a private key for a certificate
29 (in PEM format).
30
31+.. rubric:: socket.ssl_ca
32+
33+.. _`socket.ssl_ca`:
34+
35+.. index::
36+ pair: Parameters; socket.ssl_ca
37+
38+A path (absolute or relative to the working
39+directory) to the certificate authority (CA) certificate
40+(in PEM format). Used to verify the certificates of peers.
41+Defaults to the value of ssl_cert if not specified.
42+
43 .. rubric:: socket.ssl_compression
44
45 .. _`socket.ssl_compression`:
46
47=== modified file 'docs/source/ssl.rst'
48--- docs/source/ssl.rst 2013-08-28 15:57:58 +0000
49+++ docs/source/ssl.rst 2013-11-07 08:46:23 +0000
50@@ -15,6 +15,9 @@
51 .. index::
52 pair: Parameters; socket.ssl_key
53
54+.. index::
55+ pair: Parameters; socket.ssl_ca
56+
57 *Galera Cluster* supports :abbr:`SSL (Secure Sockets Layer)`
58 for the encryption of replication traffic. Authentication
59 is not supported. SSL is a cluster-wide option and must be
60@@ -38,9 +41,9 @@
61
62 socket.ssl_cert = <path_to_cert_file>; socket.ssl_key = <path_to_key_file>
63
64-Other SSL configuration parameters include ``socket.ssl_compression`` and
65-``socket.ssl_cipher``. See :ref:`Galera Parameters <Galera Parameters>`
66-for details.
67+Other SSL configuration parameters include ``socket.ssl_ca``,
68+``socket.ssl_cipher`` and ``socket.ssl_compression``. See
69+:ref:`Galera Parameters <Galera Parameters>` for details.
70
71 .. note:: You cannot use a mixed cluster where some nodes have SSL and
72 some do not. We recommend configuring SSL when you are setting
73
74=== modified file 'gcomm/src/gcomm/conf.hpp'
75--- gcomm/src/gcomm/conf.hpp 2013-11-02 17:37:38 +0000
76+++ gcomm/src/gcomm/conf.hpp 2013-11-07 08:46:23 +0000
77@@ -65,7 +65,7 @@
78
79 /*!
80 * @brief File containing CA certificates in PEM format
81- * ("socket.ssl_verify_file")
82+ * ("socket.ssl_ca")
83 */
84 static std::string const SocketSslVerifyFile;
85

Subscribers

People subscribed via source and target branches