FS#49085 - [mariadb] mysqld "hangs" on startup if ssl-verify-server-cert = TRUE in my.cnf

Attached to Project: Arch Linux
Opened by Sarah Harvey (worldwise001) - Tuesday, 26 April 2016, 07:51 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Saturday, 10 December 2016, 19:01 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Christian Hesse (eworm)
Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
mysqld (mariadb) appears to hang on startup if ssl is enabled and you set "ssl-verify-server-cert = TRUE" in the [client] portion of /etc/mysql/my.cnf.

This is due to how /usr/bin/mysqld-post works in checking the response from the mysqld server; it greps for two possible strings and sleeps forever (thus timing out) if neither of those exist.

Specifically "/usr/bin/mysqladmin -uUNKNOWN_USER ping" would return this:

/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'SSL connection error: SSL certificate validation failure'

Since it is unlikely anyone would add localhost as a possible SubjectAltName entry or as the CommonName, the possible fix is either to grep for a portion of the above string, or to change the command in mysqld-post to the following:

"/usr/bin/mysqladmin -uUNKNOWN_USER --ssl-verify-server-cert=FALSE ping"

Additional info:
* Version: mariadb 10.1.13-1
* uname -a: Linux db 4.5.1-1-ARCH #1 SMP PREEMPT Thu Apr 14 19:19:32 CEST 2016 x86_64 GNU/Linux

Steps to reproduce:

0. Set up a PKI (easy-rsa is a reasonable way to generate test certificates)
1. Set the following under [mysqld] in /etc/mysqld/my.cnf

ssl-ca = /etc/ssl/private/example.com/ca.crt
ssl-cert = /etc/ssl/private/example.com/foo.crt
ssl-key = /etc/ssl/private/example.com/foo.key

2. Set up the following under [client] in /etc/mysqld/my.cnf
ssl = TRUE
ssl-ca = /etc/ssl/private/example.com/ca.crt
ssl-verify-server-cert = TRUE

3. (as root) systemctl restart mysqld

3a. Alternatively run: /usr/bin/mysqladmin -uUNKNOWN_USER ping
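The failure mode in this report is a readiness check that only recognises two exact strings and otherwise waits without bound. Below is an added example of the more robust check the report asks for; it is not the Arch /usr/bin/mysqld-post script and not MariaDB code. It classifies "mysqladmin ping" output (the SSL validation error quoted above counts as "server is answering", because the TLS handshake reached mysqld) and polls with a bounded retry count. Assumptions, labelled in the code: "mysqld is alive" and "Access denied for user" are assumed to be the two strings the original script greps for (the report does not quote them), the "Can't connect"/"Connection refused" messages are generic client errors used to mark the server as not yet up, and the fake_mysqladmin_* functions and POLL_INTERVAL knob are constructed for offline use.

```shell
#!/bin/sh
# Added example for FS#49085. This is NOT the Arch /usr/bin/mysqld-post script;
# it is an illustrative replacement for its readiness check. Assumptions:
#  - the probe command "mysqladmin -uUNKNOWN_USER ping" is taken from the report;
#  - "mysqld is alive" and "Access denied for user" are assumed to be the two
#    success strings the original script greps for (the report does not quote them);
#  - POLL_INTERVAL and the fake_mysqladmin_* helpers are hypothetical test aids.

# Copy of the output quoted in the report when ssl-verify-server-cert=TRUE and
# the server certificate does not name 'localhost' (constructed for testing).
FS49085_OUTPUT="/usr/bin/mysqladmin: connect to server at 'localhost' failed
error: 'SSL connection error: SSL certificate validation failure'"

# classify_ping_output OUTPUT
# exit 0: the server answered (alive, auth rejected, or a TLS handshake that
#         reached mysqld but failed certificate validation);
# exit 1: the server is definitely not accepting connections yet;
# exit 2: unrecognised output (the caller treats it as "not yet").
classify_ping_output() {
    case "$1" in
        *"mysqld is alive"*)        return 0 ;;
        *"Access denied for user"*) return 0 ;;  # handshake completed, auth failed
        *"SSL connection error"*)   return 0 ;;  # TLS reached mysqld; cert name mismatch
        *"Can't connect to local MySQL server"*|*"Connection refused"*)
                                    return 1 ;;
        *)                          return 2 ;;
    esac
}

# wait_for_server MAX_TRIES CMD [ARGS...]
# Runs CMD up to MAX_TRIES times with a bounded sleep between attempts instead
# of the unbounded wait described in the report. Returns 0 once the server
# answers, 1 on timeout (with the last output echoed to stderr for the journal).
POLL_INTERVAL="${POLL_INTERVAL:-1}"
wait_for_server() {
    max_tries="$1"; shift
    tries=0
    out=""
    while [ "$tries" -lt "$max_tries" ]; do
        out=$("$@" 2>&1) || true   # mysqladmin exits non-zero on failure; only the text matters
        if classify_ping_output "$out"; then
            return 0
        fi
        tries=$((tries + 1))
        [ "$tries" -lt "$max_tries" ] && sleep "$POLL_INTERVAL"
    done
    echo "mysqld did not answer after $max_tries attempts; last output:" >&2
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed stand-ins for mysqladmin so the logic can be exercised offline.
fake_mysqladmin_ssl_mismatch() { printf '%s\n' "$FS49085_OUTPUT"; return 1; }
fake_mysqladmin_refused() {
    printf '%s\n' "mysqladmin: connect to server at 'localhost' failed" \
        "error: 'Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2)'"
    return 1
}

# Real use (needs a running mysqld):
#   wait_for_server 30 /usr/bin/mysqladmin -uUNKNOWN_USER ping
# or, following the report's second suggestion, make the probe itself tolerant:
#   wait_for_server 30 /usr/bin/mysqladmin -uUNKNOWN_USER --ssl-verify-server-cert=FALSE ping
```

Either form fixes the hang. Classifying the SSL error as "answering" keeps the [client] verification setting intact for real clients, whereas passing --ssl-verify-server-cert=FALSE only to the probe avoids having to know the exact error text, which may change between MariaDB releases.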

Closed by Bartłomiej Piotrowski (Barthalion)
Saturday, 10 December 2016, 19:01 GMT
Reason for closing: Fixed
Additional comments about closing: We moved to upstream systemd units since this report, as MariaDB correctly notified systemd that it has started.
