Commit 64c115b8 authored by Martin Stefany, committed by Nirbhay Choubey

Use hostname instead of IP in donor's socat

Using an IP address in the donor's socat with TLS/SSL and a certificate
which doesn't contain the IP address in CN or SubjectAltName causes the
transfer to fail with the message:

socat[5799] E certificate is valid but its commonName does not
match hostname.

This patch tries to reverse-resolve the IP address to a hostname and
use it for the transfer. If reverse resolution fails, the IP address is
still used as a fall-back, so proper A/AAAA and PTR records are
important, but not mandatory.

Certain certificates cannot contain IP addresses, e.g. FreeIPA's
Dogtag doesn't allow it, so in my case I would need to use self-signed
certificates instead, use verify=0 with socat or not use TLS/SSL at all.
The issue is mentioned in MDEV-9403.
parent 7ff44b1a
...@@ -34,6 +34,7 @@ ssystag="" ...@@ -34,6 +34,7 @@ ssystag=""
XTRABACKUP_PID="" XTRABACKUP_PID=""
SST_PORT="" SST_PORT=""
REMOTEIP="" REMOTEIP=""
REMOTEHOST=""
tcert="" tcert=""
tpem="" tpem=""
tkey="" tkey=""
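Review bot: REMOTEHOST is declared next to REMOTEIP here but is only assigned in the donor branch of setup_ports, and the name is otherwise unexplained; a one-line comment at the declaration saying it holds the reverse-resolved peer name used for TLS certificate verification, with REMOTEIP as the fallback, would spare the next reader a search through the script.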
...@@ -208,7 +209,7 @@ get_transfer() ...@@ -208,7 +209,7 @@ get_transfer()
tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},cafile=${tcert}${sockopt} stdio" tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},cafile=${tcert}${sockopt} stdio"
else else
wsrep_log_info "Encrypting with cert=${tpem}, cafile=${tcert}" wsrep_log_info "Encrypting with cert=${tpem}, cafile=${tcert}"
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},cafile=${tcert}${sockopt}" tcmd="socat -u stdio openssl-connect:${REMOTEHOST}:${TSST_PORT},cert=${tpem},cafile=${tcert}${sockopt}"
fi fi
elif [[ $encrypt -eq 3 ]];then elif [[ $encrypt -eq 3 ]];then
wsrep_log_info "Using openssl based encryption with socat: with key and crt" wsrep_log_info "Using openssl based encryption with socat: with key and crt"
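Review bot: changing the openssl-connect target on the cafile line to ${REMOTEHOST} means the name socat matches against the peer certificate is now whatever the reverse lookup in setup_ports returned, not anything the operator configured; the party controlling the PTR zone for the joiner's address therefore decides which commonName is accepted, so the script or the SST documentation should state that the reverse DNS zone must be as trusted as the CA in ${tcert}. Leaving the openssl-listen command at the top of the hunk unchanged is correct, since the listening side does not perform a peer-name check.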
...@@ -231,7 +232,7 @@ get_transfer() ...@@ -231,7 +232,7 @@ get_transfer()
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},verify=0${sockopt}" tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},verify=0${sockopt}"
else else
wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}" wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},cafile=${tcert}${sockopt}" tcmd="socat -u stdio openssl-connect:${REMOTEHOST}:${TSST_PORT},cert=${tpem},key=${tkey},cafile=${tcert}${sockopt}"
fi fi
fi fi
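Review bot: the verify=0 line keeps ${REMOTEIP}, which is right because no peer name is checked there, while the cafile line just below it switches to ${REMOTEHOST}; with both variables now live in the same function, a short comment on why they differ would stop a future edit from "fixing" one to match the other. The two connect commands differ from the encrypt -eq 2 versions only by key=${tkey}, so a shared helper would also reduce the chance of the next change landing in only one of the four places.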
...@@ -495,6 +496,10 @@ setup_ports() ...@@ -495,6 +496,10 @@ setup_ports()
if [[ "$WSREP_SST_OPT_ROLE" == "donor" ]];then if [[ "$WSREP_SST_OPT_ROLE" == "donor" ]];then
SST_PORT=$(echo $WSREP_SST_OPT_ADDR | awk -F '[:/]' '{ print $2 }') SST_PORT=$(echo $WSREP_SST_OPT_ADDR | awk -F '[:/]' '{ print $2 }')
REMOTEIP=$(echo $WSREP_SST_OPT_ADDR | awk -F ':' '{ print $1 }') REMOTEIP=$(echo $WSREP_SST_OPT_ADDR | awk -F ':' '{ print $1 }')
REMOTEHOST=$(getent hosts $REMOTEIP | awk '{ print $2 }')
if [[ -z $REMOTEHOST ]];then
REMOTEHOST=$REMOTEIP
fi
lsn=$(echo $WSREP_SST_OPT_ADDR | awk -F '[:/]' '{ print $4 }') lsn=$(echo $WSREP_SST_OPT_ADDR | awk -F '[:/]' '{ print $4 }')
sst_ver=$(echo $WSREP_SST_OPT_ADDR | awk -F '[:/]' '{ print $5 }') sst_ver=$(echo $WSREP_SST_OPT_ADDR | awk -F '[:/]' '{ print $5 }')
else else
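Review bot: the fallback on the `if [[ -z $REMOTEHOST ]]` line is silent, so when reverse resolution fails the operator sees exactly the socat commonName error quoted in the commit message with no hint that the PTR lookup was the cause; add a log line after the assignment, e.g. `wsrep_log_info "Using ${REMOTEHOST} for SST (reverse lookup of ${REMOTEIP})"`, so the chosen name is visible in the error log. Also quote "$REMOTEIP" in the getent call, and note that `awk '{ print $2 }'` takes only the canonical name from the getent output; if the certificate was issued for an alias rather than the canonical name, verification still fails and the log line above is what will make that diagnosable.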
......