Fail to run k3s using mysql with SSL (... it doesn't contain any IP SANs)

Question

Fail to run k3s using mysql with SSL (... it doesn't contain any IP SANs)

up9cloud opened this issue 4 years ago · 11 comments

There are two issues here:

kine does no provide ServerName for tlsConfig, so can't verify by name...
kine does not set InsecureSkipVerify to true when dsn is with param ?tls=skip-verify

Relative refs:

https://github.com/rancher/kine/blob/3faf3a7028014a5baf96454b2b3fe04984ebc69f/pkg/drivers/mysql/mysql.go#L156
https://github.com/rancher/kine/blob/3faf3a7028014a5baf96454b2b3fe04984ebc69f/pkg/tls/config.go#L15
https://github.com/etcd-io/etcd/blob/6e800b9b0161ef874784fc6c679325acd67e2452/pkg/transport/listener.go#L72
https://github.com/rancher/k3s/blob/fcb864a5e20f69a4d5b19feb7f265abb9086b749/pkg/cli/server/server.go#L101

Answer 1 · 2020-11-10T19:13:13.000Z

This may be related to go-sql-driver/mysql#564

Answer 2 · 2020-11-11T19:31:40.000Z

@brandond It's not related, that because if you want to connect to GCP mysql, you have to use dsn with ip (not with domain) and you have to manually pass the server name to tls config to let it verify by server name.

Answer 3 · 2020-11-11T19:55:53.000Z

Wait, so you're connecting to it with an IP address in the datastore URI, but want to validate the certificate against a hostname, because the IP address isn't in the SAN list on the server's cert?

Can you provide an example?

Answer 4 · 2020-11-11T20:02:00.000Z

@brandond yes it is.

See this commit for another project:

https://github.com/ajvb/kala/pull/211/files#diff-cdd396ae86656919264e05e2f781ed517f85aa8dd79c0cfe64ee1954bc98734eR209

I use config something like this:

{
  "jobDBAddress": "(123.123.123.123)/kala?tls=custom",
  "jobDBUsername": "user",
  "jobDBPassword": "the secret",
  "jobDBTlsServerName": "api-0000000000000-00000:blabla"
}

and it works perfectly

Answer 5 · 2020-11-11T20:04:30.000Z

that's how GCP mysql with TLS works 😂

Answer 6 · 2020-11-11T20:16:16.000Z

See this also:

https://stackoverflow.com/questions/53752383/how-do-you-create-a-tls-connection-to-a-cloud-sql-database-using-go

Answer 7 · 2020-11-11T21:29:25.000Z

So they basically require you to disable TLS verification because "the mysql client libraries by default have hostname verification disabled" and they seem to think that using unique self-signed certs makes MITM impossible somehow? This all seems quite broken.

Answer 8 · 2020-11-11T21:54:55.000Z

Well, to be honestly, I'm not familiar with MITM, and don't know why they made like that. I just want to use k3s with TLS mysql on GCP. All I know is there are 2 ways to solve this:

Let ?tls=skip-verify works (this is the way that we connect to server but skip that verification, like you said)
Pass ServerName to tls config to verify by server name (this is that we connect to it and verify the cert by the server name they request)

Answer 9 · 2021-04-23T17:15:03.000Z

Also hitting this.
I think the best option is to honor the tls=skip-verify flag since this is a classic and it might help in other reason than Google Cloud (if not the ssl lib won't have included it)

Answer 10 · 2021-04-27T06:01:10.000Z

For those that are affected by this one just want to share that using postgresql has not this side effect since pq does honor sslmode=verify-ca