Limiting used TLS version for frontend connections


Dmytro Havrylov

Sep 6, 2023, 8:07:33 AM
to proxysql
Hello,

Does anyone know if it will be possible to limit the TLS version used for frontend connections in the near future? I have found the pull request for it (https://github.com/sysown/proxysql/pull/3359) but it looks like no one is working on it. This feature is critical in some environments where usage of insecure TLS versions (<TLS1.2 at the moment) is strictly prohibited.

Thanks,
Dimitri

john danilson

Apr 4, 2024, 8:19:21 AM
to proxysql
We are faced with this exact situation and need to restrict front end proxysql to use tlsv2.1 due to directives from our cyber team. Is there any roadmap for this?

John

Josh Hunt

Apr 8, 2024, 4:05:04 PM
to proxysql
We had to go the other direction temporarily and allow older TLS versions to connect. We did this by creating a proxysql-specific openssl.cnf file and then setting the min protocol version there, and also passing this as an env variable in our systemd unit file.

# cat proxysql-ssl.cnf
openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0

and then

/etc/systemd/system/proxysql.service.d# cat override.conf
# This file is managed by the proxysql-formula.
# Manual changes will be lost!
# NO DEBCONF UPDATES
[Service]
Environment=
Environment="OPENSSL_CONF=/etc/ssl/proxysql-ssl.cnf"
ExecStart=
ExecStart=/usr/bin/proxysql --idle-threads -c /etc/proxysql.cnf

Wondering if you could do something similar for your case, but replace MinProtocol there with TLSv1.2? You'll likely need to change CipherString as well.

Josh
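The openssl.cnf mechanism above works by chaining sections: the default-section key openssl_conf names a section whose ssl_conf key names a section whose system_default key names the section of commands OpenSSL applies to every SSL_CTX the process creates. The following is an added example (not ProxySQL's code and not the poster's) that parses a config file, resolves that chain, and reports whether the resulting MinProtocol and @SECLEVEL meet a TLS 1.2 floor, which is the direction John's cyber team wants. The two sample configs are constructed for the example, and the assumption that SECLEVEL=2 is the required level is a policy choice, not something the thread states.

```python
"""Audit an OpenSSL configuration file for the library-wide TLS floor it sets.

Added example, not ProxySQL's or the poster's code. Resolves the section chain
openssl_conf -> ssl_conf -> system_default the way OpenSSL does when it loads
a config file, then checks MinProtocol and @SECLEVEL against a policy.
"""
import re

# Constructed sample: the permissive file from the thread, which lowers the
# floor to TLSv1 and turns the OpenSSL security level off.
PERMISSIVE_CNF = """\
openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
"""

# Constructed sample: the same chain with a TLS 1.2 floor and security level 2
# (assumption: level 2 is the floor the operator's policy wants).
STRICT_CNF = """\
openssl_conf = default_conf

[ default_conf ]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2
"""

# Protocol names in the order OpenSSL ranks them, lowest first.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def parse_cnf(text):
    """Parse the INI-like OpenSSL format into {section: {key: value}}.

    Keys before the first [section] header (such as openssl_conf) land in the
    '' section, mirroring OpenSSL's "default section". Whitespace inside the
    brackets is ignored, so "[ default_conf ]" and "[default_conf]" match.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def effective_tls_policy(text):
    """Return {'min_protocol': str|None, 'seclevel': int|None}.

    A broken link anywhere in openssl_conf -> ssl_conf -> system_default means
    the file imposes no library-wide floor, so both values come back None.
    """
    sections = parse_cnf(text)
    init_sect = sections[""].get("openssl_conf")
    ssl_sect = sections.get(init_sect, {}).get("ssl_conf")
    cmd_sect = sections.get(ssl_sect, {}).get("system_default")
    cmds = sections.get(cmd_sect, {})
    seclevel = None
    match = re.search(r"@SECLEVEL=(\d)", cmds.get("CipherString", ""))
    if match:
        seclevel = int(match.group(1))
    return {"min_protocol": cmds.get("MinProtocol"), "seclevel": seclevel}


def audit(text, required_min="TLSv1.2", required_seclevel=2):
    """Return a list of findings; an empty list means the file meets the policy."""
    policy = effective_tls_policy(text)
    findings = []
    min_proto = policy["min_protocol"]
    if min_proto is None:
        findings.append("no MinProtocol set: floor is whatever the library default is")
    elif PROTOCOL_RANK.get(min_proto, -1) < PROTOCOL_RANK[required_min]:
        findings.append(f"MinProtocol {min_proto} is below {required_min}")
    if policy["seclevel"] is not None and policy["seclevel"] < required_seclevel:
        findings.append(f"@SECLEVEL={policy['seclevel']} is below {required_seclevel}")
    return findings


if __name__ == "__main__":
    for name, cnf in (("permissive", PERMISSIVE_CNF), ("strict", STRICT_CNF)):
        print(name, audit(cnf) or "OK")
```

Two things worth keeping in mind when using this approach for a TLS 1.2 floor: the settings in system_default are process-wide, so they constrain ProxySQL's backend connections to MySQL as well as the frontend side, and OPENSSL_CONF only has an effect if the OpenSSL build ProxySQL links against loads its configuration file at initialisation (the default since OpenSSL 1.1.0, but worth confirming on the target host).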

john danilson

Apr 9, 2024, 7:59:00 AM
to proxysql
Josh, thanks very much for your idea. I'm still working on this but will suggest your solution to our sysadmins. We have commercial support via Percona and they too are looking into some ideas for us. I have some changes pending with our dev team to try and await their OK to proceed. We're in the midst of a deployment so getting their attention is hard.

I'll update this posting once I get any further on this project.

John

Josh Hunt

Apr 9, 2024, 8:10:57 PM
to proxysql
No worries John. Hope it helps.

FWIW I had also created a GitHub issue for this when I hit the problem and also posted my solution: https://github.com/sysown/proxysql/issues/4352

We also use Percona and when I asked them for help with this we did not get much back from them, so we came up with this and also communicated it to them.

Josh
