mirror of
https://github.com/MariaDB/server.git
synced 2025-01-16 12:02:42 +01:00
MDEV-9141 : [PATCH] Add CA validation to wsrep_sst_xtrabackup-v2.sh
- Add CA validation to wsrep_sst_xtrabackup-v2.sh. - Also added a few {} around tpem for consistency. - Abort if encryption is requested but socat is not ssl-enabled. Patch contributed by : Klaas Demter
This commit is contained in:
parent
5b94ea71c3
commit
ab9a488dec
1 changed files with 22 additions and 12 deletions
|
@ -191,9 +191,9 @@ get_transfer()
|
|||
exit 2
|
||||
fi
|
||||
|
||||
if [[ $encrypt -eq 2 || $encrypt -eq 3 ]] && ! socat -V | grep -q WITH_OPENSSL;then
|
||||
wsrep_log_info "NOTE: socat is not openssl enabled, falling back to plain transfer"
|
||||
encrypt=-1
|
||||
if [[ $encrypt -eq 2 || $encrypt -eq 3 ]] && ! socat -V | grep -q "WITH_OPENSSL 1";then
|
||||
wsrep_log_error "Encryption requested, but socat is not OpenSSL enabled (encrypt=$encrypt)"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [[ $encrypt -eq 2 ]];then
|
||||
|
@ -204,11 +204,11 @@ get_transfer()
|
|||
fi
|
||||
stagemsg+="-OpenSSL-Encrypted-2"
|
||||
if [[ "$WSREP_SST_OPT_ROLE" == "joiner" ]];then
|
||||
wsrep_log_info "Decrypting with PEM $tpem, CA: $tcert"
|
||||
tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=$tpem,cafile=${tcert}${sockopt} stdio"
|
||||
wsrep_log_info "Decrypting with cert=${tpem}, cafile=${tcert}"
|
||||
tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},cafile=${tcert}${sockopt} stdio"
|
||||
else
|
||||
wsrep_log_info "Encrypting with PEM $tpem, CA: $tcert"
|
||||
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=$tpem,cafile=${tcert}${sockopt}"
|
||||
wsrep_log_info "Encrypting with cert=${tpem}, cafile=${tcert}"
|
||||
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},cafile=${tcert}${sockopt}"
|
||||
fi
|
||||
elif [[ $encrypt -eq 3 ]];then
|
||||
wsrep_log_info "Using openssl based encryption with socat: with key and crt"
|
||||
|
@ -218,11 +218,21 @@ get_transfer()
|
|||
fi
|
||||
stagemsg+="-OpenSSL-Encrypted-3"
|
||||
if [[ "$WSREP_SST_OPT_ROLE" == "joiner" ]];then
|
||||
wsrep_log_info "Decrypting with certificate $tpem, key $tkey"
|
||||
tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=$tpem,key=${tkey},verify=0${sockopt} stdio"
|
||||
if [[ -z $tcert ]];then
|
||||
wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, verify=0"
|
||||
tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},key=${tkey},verify=0${sockopt} stdio"
|
||||
else
|
||||
wsrep_log_info "Encrypting with certificate $tpem, key $tkey"
|
||||
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=$tpem,key=${tkey},verify=0${sockopt}"
|
||||
wsrep_log_info "Decrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
|
||||
tcmd="socat -u openssl-listen:${TSST_PORT},reuseaddr,cert=${tpem},key=${tkey},cafile=${tcert}${sockopt} stdio"
|
||||
fi
|
||||
else
|
||||
if [[ -z $tcert ]];then
|
||||
wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, verify=0"
|
||||
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},verify=0${sockopt}"
|
||||
else
|
||||
wsrep_log_info "Encrypting with cert=${tpem}, key=${tkey}, cafile=${tcert}"
|
||||
tcmd="socat -u stdio openssl-connect:${REMOTEIP}:${TSST_PORT},cert=${tpem},key=${tkey},cafile=${tcert}${sockopt}"
|
||||
fi
|
||||
fi
|
||||
|
||||
else
|
||||
|
|
Loading…
Reference in a new issue