force tlsv1.2 for front and back end of proxysql


john danilson

Apr 4, 2024, 8:32:55 AMApr 4
to proxysql
It seems that proxysql will default to the highest TLS version available on the target MySQL server. We found this when both TLSv1.2 and TLSv1.3 were set in our tls_version.

We need to enforce use of TLSv1.2. We have removed TLSv1.3 from MySQL thusly:

1. set global tls_version=TLSv1.2;
2. ALTER INSTANCE RELOAD TLS;

and bounced the application thinking it would force use of TLSv1.2 in our database. Surprisingly it did not and we still see active connections using TLSv1.3. We are perplexed as to how this is possible.

René Cannaò

Apr 4, 2024, 11:31:02 PMApr 4
to john danilson, proxysql
Hi John,

Can you please describe how you verified that "we still see active connections using TLSv1.3"?
I assume you are referring to connections from ProxySQL to the MySQL server, right?

Thanks


john danilson

Apr 5, 2024, 9:33:55 AMApr 5
to proxysql
Rene,
Yes, I'm referring to the connection from proxysql to the MySQL PXC cluster node. For reference, our configuration:

java application hits
     f5 vip for read which hits a proxysql on port 3306 routed to read nodes via port 3306
     f5 vip for write which hits a proxysql on port 3307 routed to write node via port 3306
thence to 
    Two proxysql weighted equally to the vips
thence 
    to a 3 node pxc cluster 

All three nodes have tls_version | TLSv1.2, and ALTER INSTANCE RELOAD TLS; was run on each node.

Here is the query we use against a MySQL node to determine what tls protocol is being used:
SELECT sbt.variable_value        AS tls_version,
       Count(sbt.variable_value) AS Total
FROM   performance_schema.status_by_thread AS sbt
       JOIN performance_schema.threads AS t
         ON t.thread_id = sbt.thread_id
       JOIN performance_schema.status_by_thread AS t2
         ON t2.thread_id = t.thread_id
WHERE  sbt.variable_name = 'Ssl_version'
       AND t2.variable_name = 'Ssl_cipher'
       AND sbt.variable_value LIKE 'TLS%'
GROUP  BY sbt.variable_value 

Here is the result of the query, with hostnames redacted, for all three nodes in our cluster:

node 1 : tls_version Total  TLSv1.2 84                 <-- read node
node 2 : tls_version Total  TLSv1.2 75                 <-- read node
node 3 : tls_version Total  TLSv1.3 261  TLSv1.2 59    <-- write node

I did the following tests before I made the configuration change to force the nodes to tls 1.3.

1. mysql client connect directly to host. Confirm it was using tls 1.3.
2. mysql client connect to host via proxysql and confirm it was using tls 1.3.
3. Set variable and do alter to force use of tls 1.2 (all nodes).
4. mysql client connect directly to host. Confirm it was using tls 1.2.
5. mysql client connect to host via proxysql and confirm it was using tls 1.3.
6. Request bounce of user applications. Found both tls 1.2 and 1.3 connections as shown above.
7. On one of the proxysql instances, killed the oldest connections in stats_mysql_processlist.
8. Reran the query and found no change; same numbers of tls 1.2 and tls 1.3 connections as shown above.

Do we need to bounce both proxysql and/or the pxc nodes to get this forced to use tls 1.2?

Thanks
John
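A check that narrows down where the remaining TLSv1.3 sessions come from, added here as an example and not taken from the thread or from ProxySQL's own documentation. The first query extends the status_by_thread join above with the client host, user and session age from performance_schema.threads, so a long-lived batch of TLSv1.3 sessions arriving from the ProxySQL hosts stands out from fresh sessions; it assumes the MySQL 5.7/8.0 performance_schema column names shown. The last query is run on the ProxySQL admin interface (port 6032 by default) and reads the stats_mysql_connection_pool table to show how many backend connections are sitting idle in the pool. A TLS version is fixed at the handshake, and ALTER INSTANCE RELOAD TLS only affects connections opened afterwards, so a pooled backend connection that was opened while TLSv1.3 was still permitted keeps TLSv1.3 until it is closed and re-opened; killing frontend sessions in stats_mysql_processlist does not close those backend pool connections.

```sql
-- Run on each PXC/MySQL node: live client sessions grouped by negotiated TLS
-- version, client host and user, with the age of the oldest session in each group.
-- Column names are the MySQL 5.7/8.0 performance_schema ones (assumed, see lead-in).
SELECT t.processlist_host      AS client_host,
       t.processlist_user      AS client_user,
       sv.variable_value       AS tls_version,
       COUNT(*)                AS sessions,
       MAX(t.processlist_time) AS oldest_session_seconds
FROM   performance_schema.threads AS t
       JOIN performance_schema.status_by_thread AS sv
         ON sv.thread_id = t.thread_id
        AND sv.variable_name = 'Ssl_version'
WHERE  t.type = 'FOREGROUND'
       AND sv.variable_value LIKE 'TLS%'
GROUP  BY t.processlist_host, t.processlist_user, sv.variable_value
ORDER  BY tls_version, sessions DESC;

-- What the server will offer to sessions opened from now on.
SHOW GLOBAL VARIABLES LIKE 'tls_version';

-- What the session you are currently in actually negotiated
-- (run it once directly against the node and once through ProxySQL).
SHOW SESSION STATUS LIKE 'Ssl_version';

-- Run on the ProxySQL admin interface: backend connections held in the pool per
-- server. ConnFree connections keep the TLS version they negotiated when opened.
SELECT hostgroup, srv_host, srv_port, status, ConnUsed, ConnFree, ConnOK, ConnERR
FROM   stats_mysql_connection_pool;
```

If the TLSv1.3 sessions on the write node all come from the ProxySQL hosts and are older than the ALTER INSTANCE RELOAD TLS run, they are pooled backend connections that predate the change; they will only move to TLSv1.2 once they are closed and reopened.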