From 374d5b28d1d7b78307dd426feab0557e3577275f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Mon, 11 Nov 2019 14:26:13 +0200
Subject: [PATCH 1/4] MXS-2759: Optimize user loading query
The SQL for the second recursive CTE table can be optimized by adding a where condition on the recursive part that rules out users that are not roles. The functionality remains the same as only roles can be granted to users.
---
 server/modules/authenticator/MySQLAuth/dbusers.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/modules/authenticator/MySQLAuth/dbusers.cc b/server/modules/authenticator/MySQLAuth/dbusers.cc
index ca4360df2..3dfde6cae 100644
--- a/server/modules/authenticator/MySQLAuth/dbusers.cc
+++ b/server/modules/authenticator/MySQLAuth/dbusers.cc
@@ -77,7 +77,7 @@ const char* mariadb_102_users_query =
 "), users AS ("
 // Select the root row, the actual user
 " SELECT t.user, t.host, t.db, t.select_priv, t.password, t.default_role AS role FROM t"
- " WHERE t.is_role <> 'Y'"
+ " WHERE t.is_role = 'N'"
 " UNION"
 // Recursively select all roles for the users
 " SELECT u.user, u.host, t.db, t.select_priv, u.password, r.role FROM t"
@@ -85,6 +85,7 @@ const char* mariadb_102_users_query =
 " ON (t.user = u.role)"
 " LEFT JOIN mysql.roles_mapping AS r"
 " ON (t.user = r.user)"
+ " WHERE t.is_role = 'Y'"
 ")"
 "SELECT DISTINCT t.user, t.host, t.db, t.select_priv, t.password FROM users AS t %s";
From b5ada0db7ee47ff04b9808e4c4b0d7742ef08784 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Mon, 11 Nov 2019 14:46:19 +0200
Subject: [PATCH 2/4] MXS-2762: Document ssl_version changes
---
 Documentation/Getting-Started/Configuration-Guide.md | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md
index c1a298025..95332c4a7 100644
--- a/Documentation/Getting-Started/Configuration-Guide.md
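Review bot: The new `WHERE t.is_role = 'Y'` on the recursive member of the `users` CTE is justified only by the commit message; nothing in the query text says why a non-role row may be skipped there, so a later reader will wonder whether the filter drops legitimate grants. I would add a comment above the added line in the style of the existing `// Recursively select all roles for the users`, e.g. `// Only rows that are roles can be the target of a roles_mapping grant, so the recursive step skips plain users`. Because the filter is on `t` (the driving table) and not on the `LEFT JOIN`ed `r`, it does not silently turn that outer join into an inner join, which is the usual thing to check when a WHERE follows a LEFT JOIN. The `JOIN users AS u` that the visible `ON (t.user = u.role)` belongs to lies between the two hunks and the `mariadb_102_users_query` definition begins before the first one, so the interaction with that join could only be reviewed from the visible lines.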
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@@ -1852,10 +1852,14 @@ This parameter controls the level of encryption used. Accepted values are:
 * TLSv10
 * TLSv11
 * TLSv12
+ * TLSv13
 * MAX
-The default is to use the highest level of encryption available. For OpenSSL 1.0
-and newer this is TLSv1.2.
+The default is to use the highest level of encryption available that both the
+client and server support. MaxScale supports TLSv1.0, TLSv1.1, TLSv1.2 and
+TLSv1.3 depending on the OpenSSL library version.
+
+The `TLSv13` value was added in MaxScale 2.3.15 ([MXS-2762](https://jira.mariadb.org/browse/MXS-2762)).
 ### `ssl_cert_verify_depth`
From fb23f3eb3e83d079412cd2b753e3f301ba443d06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Thu, 28 Nov 2019 18:42:25 +0200
Subject: [PATCH 3/4] OpenSSL 1.1 supports TLSv1.1 and TLSv1.2
TLSv1.0 is the only version that newer OpenSSL versions do not support.
---
 server/core/listener.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/core/listener.cc b/server/core/listener.cc
index 755a83c40..677cf3a7d 100644
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@@ -288,7 +288,7 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
 case SERVICE_TLS11:
-#ifdef OPENSSL_1_0
+#if defined (OPENSSL_1_0) || defined (OPENSSL_1_1)
 ssl->method = (SSL_METHOD*)TLSv1_1_method();
 #else
 MXS_ERROR("TLSv1.1 is not supported on this system.");
@@ -297,7 +297,7 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
 case SERVICE_TLS12:
-#ifdef OPENSSL_1_0
+#if defined (OPENSSL_1_0) || defined (OPENSSL_1_1)
 ssl->method = (SSL_METHOD*)TLSv1_2_method();
 #else
 MXS_ERROR("TLSv1.2 is not supported on this system.");
From cd9b82ba09da11481e7606e504d33d5121d5a2be Mon Sep 17 00:00:00 2001
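Review bot: `TLSv1_1_method()` on the line after the widened `#if` (and `TLSv1_2_method()` in the following hunk) is deprecated from OpenSSL 1.1.0 onward and is not declared at all when the headers are built with `OPENSSL_NO_DEPRECATED` or an `OPENSSL_API_COMPAT` of 1.1.0 or later, so gating on `OPENSSL_1_1` can still produce a build failure instead of the intended `MXS_ERROR` fallback. The version-agnostic form is `ssl->method = (SSL_METHOD*)TLS_method();` followed, once the SSL_CTX exists, by `SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION);` and `SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION);` (`TLS1_2_VERSION` for the TLSv12 case); the context is created outside this hunk, so the exact placement of those two calls cannot be pinned from here. Separately, this hunk re-enables TLS 1.1 on newer OpenSSL builds even though that protocol version has since been formally deprecated (RFC 8996), so a `MXS_WARNING("TLSv1.1 is deprecated; prefer TLSv12 or MAX.");` beside the assignment would help operators notice. `SSL_LISTENER_init` starts and ends outside the hunk.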
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Thu, 28 Nov 2019 18:57:42 +0200
Subject: [PATCH 4/4] Print OpenSSL errors on CA cert errors
This helps figure out why the certificate is not OK.
---
 server/core/listener.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/core/listener.cc b/server/core/listener.cc
index 677cf3a7d..01f47a9a7 100644
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@@ -383,7 +383,7 @@ bool SSL_LISTENER_init(SSL_LISTENER* ssl)
 /* Load the CA certificate into the SSL_CTX structure */
 if (!SSL_CTX_load_verify_locations(ctx, ssl->ssl_ca_cert, NULL))
 {
- MXS_ERROR("Failed to set Certificate Authority file");
+ MXS_ERROR("Failed to set Certificate Authority file: %s", get_ssl_errors());
 rval = false;
 }
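Review bot: The improved message on the `+` line now carries the OpenSSL error text but still omits which file was rejected, even though `ssl->ssl_ca_cert` is right there in the `SSL_CTX_load_verify_locations()` call above it; with several TLS listeners configured an operator cannot tell which CA path to fix. I would change it to `MXS_ERROR("Failed to set Certificate Authority file '%s': %s", ssl->ssl_ca_cert, get_ssl_errors());`. If `ssl_ca_cert` can be NULL at this point (the call passes it together with a NULL CApath, and a NULL file is one way to reach this branch), guard it with `ssl->ssl_ca_cert ? ssl->ssl_ca_cert : "(null)"` so that NULL is never handed to `%s`. `get_ssl_errors()` is not visible in this patch, so whether it drains the whole OpenSSL error queue or reports only the most recent entry is worth confirming before relying on the message. `SSL_LISTENER_init` starts and ends outside the hunk.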