[TLS] Use TiProxy with require issuer #464

Open
uringover opened this issue Jan 31, 2024 · 3 comments


@uringover

Bug Report

1. Minimal reproduce step (Required)

Get a TiDB cluster V6.5.1
CREATE USER that require issuer to connect
Get TiProxy latest
Get mysql client

Try to connect with user without SSL to TiProxy : OK
Try to connect with user_withSSL to TiProxy : NOK
Try to connect user_withSSL to TiDB:4000 : OK

MySQL [(none)]> show create user user_withSSL;
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for user_withSSL@%                                                                                                                                                                                                                                   |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'user_withSSL'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*pwd' REQUIRE ISSUER '/CN=MyCN' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

TiProxy configuration :

# workdir = "./work"
[proxy]
	graceful-close-conn-timeout = 15
	pd-addrs = "ip_pd1:2379,ip_pd2:2379,ip_pd3:2379"

[log]
	level = "debug"

[security]
	min-tls-version = "1.2" # specify minimum TLS version
	ssl-verify-server-cert = true
	[security.cluster-tls]
	# access to other components like TiDB or PD, will use this
		ca = "/SSL/tidb-tiproxy_test/ca.crt"
		cert = "/SSL/tidb-tiproxy_test/tiproxy.crt"
		key = "/SSL/tidb-tiproxy_test/tiproxy.key"
	[security.sql-tls]
	# access to TiDB SQL(4000) port will use this
		ssl-verify-server-cert = true
		ca = "/SSL/tidb-tiproxy_test/ca.crt"
		cert = "/SSL/tidb-tiproxy_test/client.crt"
		key = "/SSL/tidb-tiproxy_test/client.key"

TiDB server config :

enable-telemetry = false
token-limit = 10000
[prepared-plan-cache]
enabled = true
[security]
auto-tls = true
cluster-ssl-ca = "/SSD/tls/ca.crt"
cluster-ssl-cert = "/SSD/tls/tidb.crt"
cluster-ssl-key = "/SSD/tls/tidb.pem"
ssl-ca = "/SSL/client/CA-cert.pem"
ssl-cert = "/SSL/client/Server-cert.pem"
ssl-key = "/SSL/client/Server-key.pem"
session-token-signing-cert="/SSL/tiproxy/tiproxy.crt"
session-token-signing-key="/SSL/tiproxy/tiproxy.key"
graceful-wait-before-shutdown=15
[tikv-client]
grpc-connection-count = 20

2. What did you expect to see? (Required)

When I try to connect with my user that requires issuer, I want to be connected successfully

3. What did you see instead (Required)

Connection is refused
Error from TiProxy logs :

[2024/01/31 16:41:20.564 +01:00] [DEBUG] [main.proxy.conn.be.authenticator] [backend/authenticator.go:198] [backend does not support capabilities from proxy] [connID=2] [client_addr=127.0.0.1:37772] [addr=0.0.0.0:6000] [common=CLIENT_LONG_PASSWORD|CLIENT_FOUND_ROWS|CLIENT_LONG_FLAG|CLIENT_CONNECT_WITH_DB|CLIENT_LOCAL_FILES|CLIENT_PROTOCOL_41|CLIENT_INTERACTIVE|CLIENT_TRANSACTIONS|CLIENT_SECURE_CONNECTION|CLIENT_MULTI_STATEMENTS|CLIENT_MULTI_RESULTS|CLIENT_PLUGIN_AUTH|CLIENT_CONNECT_ATTS|CLIENT_DEPRECATE_EOF] [proxy=CLIENT_COMPRESS|CLIENT_ODBC|CLIENT_RESERVED|CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA|CLIENT_ZSTD_COMPRESSION_ALGORITHM] [backend=CLIENT_SSL]

Error from TiDB logs :

[2024/01/31 16:44:07.202 +01:00] [ERROR] [privileges.go:540] ["global priv check ssl fail"] [authUser=user_withSSL] [authHost=x.x.x.x]
[2024/01/31 16:44:07.202 +01:00] [WARN] [conn.go:687] ["open new session or authentication failure"] [conn=1303266525565682207] [error="[privilege:1045]Access denied for user 'user_withSSL'@'x.x.x.x' (using password: YES)"]
[2024/01/31 16:44:07.202 +01:00] [WARN] [server.go:644] ["Server.onConn handshake"] [conn=1303266525565682207] [error="[privilege:1045]Access denied for user 'user_withSSL'@'x.x.x.x' (using password: YES)"] ["remote addr"=x.x.x.x:43778]

4. What is your version? (Required)

TiProxy : 0.2.0
TiDB cluster : V6.5.1

@djshow832
Collaborator

djshow832 commented Feb 1, 2024

Thank you for your feedback! It's a known limitation documented in https://docs.pingcap.com/tidb/dev/tiproxy-overview#security
The reason is that the TLS certificate between the client and TiProxy is different from that between TiProxy and TiDB server, and TiDB server verifies the TLS certificate based on the TLS certificate on TiProxy.

We're going to support it after TiProxy is GA.

@uringover
Author

Hello @djshow832
Thank you for your answer.
I forgot something in my card.
In the configuration file of TiProxy, there is this part :

	[security.sql-tls]
	# access to TiDB SQL(4000) port will use this
		#skip-ca = true
		ssl-verify-server-cert = true
		ca = ""
		cert = ""
		key = ""

It looks like TiProxy manages the SSL configuration between the client and TiDB?
Am I wrong?

@djshow832
Collaborator

djshow832 commented Feb 1, 2024

You can say so.

TiProxy is an L7 proxy and needs to parse packets, so it can't reuse the TLS between the client and TiDB. Instead, the client connects to TiProxy with one cert, and TiProxy connects to TiDB with another cert.

For the TLS configurations, check this doc: https://docs.pingcap.com/tidb/dev/tiproxy-configuration#security
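The two replies above describe the same mechanism: TiProxy terminates the client's TLS session, opens its own TLS session to TiDB with the certificate from `[security.sql-tls]`, and TiDB then evaluates `REQUIRE ISSUER` against the issuer of that proxy certificate, never against the certificate the mysql client presented. The following Go program is an added example, not code from this issue, from TiProxy or from TiDB: it builds a throwaway PKI in memory and replays the three connection paths from the bug report. `MySQLDN` is this example's own rendering of a DN in the `/C=../O=../CN=..` style used by `REQUIRE ISSUER` strings and is assumed, not taken from TiDB's source; the CA names `MyCN` and `tiproxy-test-ca` are hypothetical, `MyCN` chosen to match the `CREATE USER` statement in the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// RequiredIssuer is the clause from the issue's CREATE USER statement.
const RequiredIssuer = "/CN=MyCN"

// shortNames maps X.500 attribute OIDs to the prefixes used in MySQL-style
// REQUIRE ISSUER / REQUIRE SUBJECT strings. Assumption: the server renders the
// DN in this "/C=../O=../CN=.." form, in certificate order.
var shortNames = map[string]string{
	"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
	"2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN",
}

// MySQLDN renders a parsed DN as e.g. "/C=FR/O=Acme/CN=MyCN".
func MySQLDN(n pkix.Name) string {
	var b strings.Builder
	for _, attr := range n.Names {
		prefix, ok := shortNames[attr.Type.String()]
		if !ok {
			continue // attribute types the REQUIRE syntax does not express
		}
		fmt.Fprintf(&b, "/%s=%v", prefix, attr.Value)
	}
	return b.String()
}

// RequireIssuerOK is the check the terminating server applies: the issuer of the
// peer certificate on the TLS session *it* terminated must equal the stored string.
func RequireIssuerOK(peer *x509.Certificate, required string) bool {
	return MySQLDN(peer.Issuer) == required
}

// issue signs a certificate for cn. With parent == nil it becomes a self-signed CA,
// otherwise a client-auth leaf signed by parent (constructed test PKI, not the issue's files).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Simulate replays the three situations from the bug report (hypothetical CA names).
func Simulate() map[string]bool {
	userCA, userCAKey := issue("MyCN", 1, nil, nil)             // CA that issued user_withSSL's client cert
	proxyCA, proxyCAKey := issue("tiproxy-test-ca", 2, nil, nil) // CA behind TiProxy's [security.sql-tls] cert
	userCert, _ := issue("user_withSSL", 3, userCA, userCAKey)
	proxyCert, _ := issue("tiproxy", 4, proxyCA, proxyCAKey)
	proxyReissued, _ := issue("tiproxy", 5, userCA, userCAKey) // workaround: proxy cert under the users' CA

	return map[string]bool{
		// mysql -> TiDB:4000: TiDB terminates TLS and sees the user's own cert.
		"direct": RequireIssuerOK(userCert, RequiredIssuer),
		// mysql -> TiProxy -> TiDB: TiDB only ever sees TiProxy's sql-tls cert.
		"via_proxy": RequireIssuerOK(proxyCert, RequiredIssuer),
		// same path after reissuing TiProxy's sql-tls cert under /CN=MyCN.
		"via_proxy_reissued": RequireIssuerOK(proxyReissued, RequiredIssuer),
	}
}

func main() {
	for path, ok := range Simulate() {
		fmt.Printf("%-20s REQUIRE ISSUER satisfied: %v\n", path, ok)
	}
}
```

The `via_proxy_reissued` case shows the only lever available with the current behaviour: the certificate in TiProxy's `[security.sql-tls]` must itself be issued by whatever `REQUIRE ISSUER` names. The caveat is that this turns a per-user check into a check on the proxy: once TiProxy's certificate satisfies the clause, every client that reaches TiDB through it satisfies it too, whatever certificate (or none) the client presented to TiProxy. Until the feature the maintainer mentions lands, `REQUIRE ISSUER`/`REQUIRE SUBJECT` on accounts reached via TiProxy should be treated as a statement about the proxy's identity, with client certificate enforcement done at the TiProxy hop.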
