[TLS] Use TiProxy with require issuer #464
Comments
Thank you for your feedback! It's a known limitation documented in https://docs.pingcap.com/tidb/dev/tiproxy-overview#security. We're going to support it after TiProxy is GA.
Hello @djshow832
It looks like TiProxy manages SSL configuration between client and TiDB?
You can say so. TiProxy is an L7 proxy and needs to parse packets, so it can't reuse the TLS between the client and TiDB. Instead, the client connects to TiProxy with one cert, and TiProxy connects to TiDB with another cert. For the TLS configurations, check this doc: https://docs.pingcap.com/tidb/dev/tiproxy-configuration#security
Bug Report
1. Minimal reproduce step (Required)
Get a TiDB cluster V6.5.1
CREATE USER that requires issuer to connect
Get TiProxy latest
Get mysql client
Try to connect with user without SSL to TiProxy : OK
Try to connect with user_withSSL to TiProxy : NOK
Try to connect user_withSSL to TiDB:4000 : OK
TiProxy configuration :
TiDB server config :
2. What did you expect to see? (Required)
When I try to connect with my user that requires issuer, I want to be connected successfully.
3. What did you see instead (Required)
Connection is refused
Error from TiProxy logs :
Error from TiDB logs :
4. What is your version? (Required)
TiProxy : 0.2.0
TiDB cluster : V6.5.1