Comments (1)
The underlying pathology of this took some digging. All of the following need to be true:
- The .NET client has made a TLS connection to proxysql in the recent past (connstr contains SslMode=Required)
- The .NET client needs to make another connection (either the connection pool is full, or connstr contains Pooling=False)
- MS does a bunch of TLS caching (https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman)
This shows up on the Windows side as a warning in the System event log (see attached):
The remote server has requested TLS client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This TLS connection request may succeed or fail, depending on the server's policy settings.
I suspect that this very esoteric bug started when this was merged: 28f09bf, which causes this code branch to execute:
Line 423 in 1f78c9e
and the MS client-side TLS caching is behaving very badly in the event that something about the TLS has changed (perhaps getting the tmp context instead of the global one or something - it's impossible to tell without looking at the source code).
After several days of soak-testing, I have a one-line fix for this:
--- a/src/proxy_tls.cpp
+++ b/src/proxy_tls.cpp
@@ -477,7 +477,8 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
}
}
if (ret == 0) {
- SSL_CTX_set_verify(GloVars.global.ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, callback_ssl_verify_peer);
+ // https://github.com/sysown/proxysql/issues/4419
+ SSL_CTX_set_verify(GloVars.global.ssl_ctx, SSL_VERIFY_NONE, callback_ssl_verify_peer);
}
X509_free(x509);
EVP_PKEY_free(pkey);
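Review bot: the `+ SSL_CTX_set_verify(..., SSL_VERIFY_NONE, ...)` line changes more than the verification result: in server mode OpenSSL then sends no CertificateRequest at all, so ProxySQL stops asking clients for a certificate and `callback_ssl_verify_peer` is no longer consulted for client certificates. Today that is equivalent because the callback unconditionally returns 1, but anyone who later implements real client-certificate checks in that callback will find it silently dead; the added comment should state this in words instead of only citing the issue URL, e.g. `// Do not request a client certificate (issue #4419): the Windows Schannel client mishandles the request`. Consider whether requesting client certificates should become a runtime setting rather than being hard-coded off, since the removed flags were the only hook for optional client-certificate checks.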
In other words, do not perform any peer verification at all (https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_verify.html).
This is benign (currently) because of the current implementation of callback_ssl_verify_peer():
Line 70 in 1f78c9e
int callback_ssl_verify_peer(int ok, X509_STORE_CTX* ctx) {
// for now only return 1
return 1;
}
This fix has withstood 48 hours of soak-testing under significant load (Ubuntu 20.04 and Ubuntu 22.04).
I'll raise a PR.