From 13658fe23e02e04d9a9f7e0b33f5c1c28b22ee45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Wed, 19 Feb 2020 10:19:20 +0200
Subject: [PATCH 1/3] MXS-2810: Fix CentOS 6 regression MaxScale wasn't stopped if the system didn't use systemd.
---
 etc/postrm.in | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/postrm.in b/etc/postrm.in
index a11ffb66d..2824942c8 100755
--- a/etc/postrm.in
+++ b/etc/postrm.in
@@ -7,6 +7,7 @@ if [ "$1" = "0" ] || [ "$1" = "remove" ]
 then
 if [ -f /etc/init.d/maxscale ]
 then
+ /etc/init.d/maxscale stop
 rm /etc/init.d/maxscale
 fi
From b241f7ed2a7cda24589acf22fabc51233e61d80a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Wed, 19 Feb 2020 14:25:42 +0200
Subject: [PATCH 2/3] MXS-2896: Fix monitor connection creation The connection is now correctly null after a failed attempt to connect.
---
 server/core/monitor.cc | 61 +++++++++++++++++++++++-------------------
 1 file changed, 33 insertions(+), 28 deletions(-)
diff --git a/server/core/monitor.cc b/server/core/monitor.cc
index 6191bcdca..225072f5c 100644
--- a/server/core/monitor.cc
+++ b/server/core/monitor.cc
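Review bot: In the etc/postrm.in hunk, the exit status of `/etc/init.d/maxscale stop` is not handled: the init script is removed on the next line whether or not the daemon actually stopped, so a failed stop leaves a running process with no init script left to manage it. Consider reporting the failure, e.g. `/etc/init.d/maxscale stop || echo "maxscale could not be stopped" >&2`. Whether the script runs under `set -e` is not visible in this hunk; if it does, a non-zero exit from the stop command would abort the removal instead.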
@@ -1462,49 +1462,54 @@ mxs_connect_result_t mon_ping_or_connect_to_db(MXS_MONITOR* mon, MXS_MONITORED_S
 }
 /** Otherwise close the handle. */
 mysql_close(database->con);
+ database->con = nullptr;
 }
- mxs_connect_result_t conn_result = MONITOR_CONN_REFUSED;
- if ((database->con = mysql_init(NULL)))
+ char* uname = mon->user;
+ char* passwd = mon->password;
+
+ if (database->server->monuser[0] && database->server->monpw[0])
 {
- char* uname = mon->user;
- char* passwd = mon->password;
+ uname = database->server->monuser;
+ passwd = database->server->monpw;
+ }
- if (database->server->monuser[0] && database->server->monpw[0])
+ char* dpwd = decrypt_password(passwd);
+
+ mxs_connect_result_t conn_result = MONITOR_CONN_REFUSED;
+
+ for (int i = 0; i < mon->connect_attempts; i++)
+ {
+ MYSQL* mysql = mysql_init(nullptr);
+
+ mysql_optionsv(mysql, MYSQL_OPT_CONNECT_TIMEOUT, (void*) &mon->connect_timeout);
+ mysql_optionsv(mysql, MYSQL_OPT_READ_TIMEOUT, (void*) &mon->read_timeout);
+ mysql_optionsv(mysql, MYSQL_OPT_WRITE_TIMEOUT, (void*) &mon->write_timeout);
+ mysql_optionsv(mysql, MYSQL_PLUGIN_DIR, get_connector_plugindir());
+
+ time_t start = time(nullptr);
+ bool result = (mxs_mysql_real_connect(mysql, database->server, uname, dpwd) != nullptr);
+ time_t end = time(nullptr);
+
+ if (result)
 {
- uname = database->server->monuser;
- passwd = database->server->monpw;
+ database->con = mysql;
+ conn_result = MONITOR_CONN_NEWCONN_OK;
+ break;
 }
-
- char* dpwd = decrypt_password(passwd);
-
- mysql_optionsv(database->con, MYSQL_OPT_CONNECT_TIMEOUT, (void*) &mon->connect_timeout);
- mysql_optionsv(database->con, MYSQL_OPT_READ_TIMEOUT, (void*) &mon->read_timeout);
- mysql_optionsv(database->con, MYSQL_OPT_WRITE_TIMEOUT, (void*) &mon->write_timeout);
- mysql_optionsv(database->con, MYSQL_PLUGIN_DIR, get_connector_plugindir());
-
- time_t start = 0;
- time_t end = 0;
- for (int i = 0; i < mon->connect_attempts; i++)
+ else
 {
- start = time(NULL);
- bool result = (mxs_mysql_real_connect(database->con, database->server, uname, dpwd) != NULL);
- end = time(NULL);
-
- if (result)
- {
- conn_result = MONITOR_CONN_NEWCONN_OK;
- break;
- }
+ mysql_close(mysql);
 }
 if (conn_result == MONITOR_CONN_REFUSED && (int)difftime(end, start) >= mon->connect_timeout)
 {
 conn_result = MONITOR_CONN_TIMEOUT;
 }
- MXS_FREE(dpwd);
 }
+ MXS_FREE(dpwd);
+
 return conn_result;
 }
From 0614a44a4da8df574199e23d6659d1f1ce602507 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Wed, 19 Feb 2020 14:27:06 +0200
Subject: [PATCH 3/3] Add monitor TLS test case Added a test that verifies the server state is Down when the backend doesn't support TLS.
---
 maxscale-system-test/CMakeLists.txt | 3 ++
 .../maxscale.cnf.template.mxs2878_monitor_ssl | 47 +++++++++++++++++++
 maxscale-system-test/mxs2878_monitor_ssl.cpp | 35 ++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100644 maxscale-system-test/cnf/maxscale.cnf.template.mxs2878_monitor_ssl
 create mode 100644 maxscale-system-test/mxs2878_monitor_ssl.cpp
diff --git a/maxscale-system-test/CMakeLists.txt b/maxscale-system-test/CMakeLists.txt
index dcb623a42..cce4e3546 100644
--- a/maxscale-system-test/CMakeLists.txt
+++ b/maxscale-system-test/CMakeLists.txt
@@ -988,6 +988,9 @@ add_test_executable(mxs2621_lower_case_tables.cpp mxs2621_lower_case_tables mxs2
 # MXS-2631: Duplicate system tables not ignored
 add_test_executable(mxs2631_ignore_system_tables.cpp mxs2631_ignore_system_tables mxs2631_ignore_system_tables LABELS schemarouter BREAKS_REPL REPL_BACKEND)
+# MXS-2878: Verify that TLS is required
+add_test_executable(mxs2878_monitor_ssl.cpp mxs2878_monitor_ssl mxs2878_monitor_ssl LABELS REPL_BACKEND)
+
 ############################################
 # END: Normal tests #
 ############################################
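Review bot: In the server/core/monitor.cc hunk, the new loop in mon_ping_or_connect_to_db passes the result of `mysql_init(nullptr)` straight to `mysql_optionsv` with no null check, whereas the removed code only proceeded when `mysql_init(NULL)` returned a handle; on allocation failure the connector calls would receive a null handle and may dereference it. A guard right after the `mysql_init` call, `if (mysql == nullptr) { break; }`, keeps the old outcome (result stays MONITOR_CONN_REFUSED and `dpwd` is still freed after the loop). Separately, the timeout check now sits inside the loop, so once one attempt sets MONITOR_CONN_TIMEOUT a later quick refusal is still reported as a timeout; a comment such as `// a timeout on any attempt is reported even if later attempts are refused` would record whether that is intended. The function begins before this hunk.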
diff --git a/maxscale-system-test/cnf/maxscale.cnf.template.mxs2878_monitor_ssl b/maxscale-system-test/cnf/maxscale.cnf.template.mxs2878_monitor_ssl
new file mode 100644
index 000000000..e27f8da02
--- /dev/null
+++ b/maxscale-system-test/cnf/maxscale.cnf.template.mxs2878_monitor_ssl
@@ -0,0 +1,47 @@
+[maxscale]
+threads=###threads###
+
+[server1]
+type=server
+address=###node_server_IP_1###
+port=###node_server_port_1###
+protocol=MySQLBackend
+ssl=true
+
+[server2]
+type=server
+address=###node_server_IP_2###
+port=###node_server_port_2###
+protocol=MySQLBackend
+ssl=true
+
+[server3]
+type=server
+address=###node_server_IP_3###
+port=###node_server_port_3###
+protocol=MySQLBackend
+ssl=true
+
+[server4]
+type=server
+address=###node_server_IP_4###
+port=###node_server_port_4###
+protocol=MySQLBackend
+ssl=true
+
+[MySQL-Monitor]
+type=monitor
+module=mysqlmon
+servers=server1,server2,server3,server4
+user=maxskysql
+password=skysql
+
+[CLI]
+type=service
+router=cli
+
+[CLI-Listener]
+type=listener
+service=CLI
+protocol=maxscaled
+socket=default
diff --git a/maxscale-system-test/mxs2878_monitor_ssl.cpp b/maxscale-system-test/mxs2878_monitor_ssl.cpp
new file mode 100644
index 000000000..a86495ae3
--- /dev/null
+++ b/maxscale-system-test/mxs2878_monitor_ssl.cpp
@@ -0,0 +1,35 @@
+/**
+ * Covers the following bugs:
+ * MXS-2878: Monitor connections do not insist on SSL being used
+ * MXS-2896: Server wrongly in Running state after failure to connect
+ */
+
+#include "testconnections.h"
+#include
+
+std::string join(StringSet st)
+{
+ std::ostringstream ss;
+
+ for (const auto& a : st)
+ {
+ ss << a << " ";
+ }
+
+ return ss.str();
+}
+
+int main(int argc, char** argv)
+{
+ TestConnections test(argc, argv);
+
+ for (auto srv : {"server1", "server2", "server3", "server4"})
+ {
+ StringSet expected = {"Down"};
+ auto status = test.maxscales->get_server_status(srv);
+ test.expect(status == expected,
+ "Expected '%s' but got '%s'", join(expected).c_str(), join(status).c_str());
+ }
+
+ return test.global_result;
+}
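Review bot: The check in `main` of mxs2878_monitor_ssl.cpp passes whenever all four servers are Down for any reason (backends stopped, wrong credentials, monitor not yet run), so on its own it does not show that the monitor refused a non-TLS connection. Consider a positive control first, for example confirming that the backends accept a direct non-TLS connection, and a comment stating the precondition, e.g. `// Backends must be running without TLS; ssl=true in the template must make the monitor fail`. Nothing visible here waits for a monitor pass before `get_server_status`; whether `TestConnections` already does that is not shown in this hunk. As a style point, `join` could take `const StringSet&` to avoid copying the set.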