[exim] Re: MySQL connection with SSL

From: Victor Ustugov
Date:
To: Gandalf Corvotempesta via Exim-users
Subject: [exim] Re: MySQL connection with SSL
Gandalf Corvotempesta via Exim-users wrote on 25.05.2024 9:32:
> any help on this?
> I'm really stuck, the new mysql server only accepts ssl connections and I have
> to connect an exim to it but it doesn't work


You should probably receive an error message "ERROR 3159 (HY000):
Connections using insecure transport are prohibited while
--require_secure_transport=ON." instead of "Failed: lookup of
"SELECT 1 " gave DEFER: MYSQL connection failed: Access denied for
user 'xxx'@'10.111.1.2' (using password: YES)".

Could you please execute the same query with the cli mysql tool with the
same options?


> anyone had success using SSL with mysql?


On FreeBSD exim uses SSL even if I do nothing.


# echo "SHOW VARIABLES WHERE Variable_name='require_secure_transport';" | mysql -h 127.0.0.1 --ssl-mode=PREFERRED

WARNING: no verification of server certificate will be done. Use
--ssl-mode=VERIFY_CA or VERIFY_IDENTITY.
Variable_name   Value
require_secure_transport        ON



# echo "SHOW VARIABLES WHERE Variable_name='require_secure_transport';" | mysql -h 127.0.0.1 --ssl-mode=DISABLED

ERROR 3159 (HY000): Connections using insecure transport are prohibited
while --require_secure_transport=ON.


# exim -be '${lookup mysql{SHOW VARIABLES WHERE Variable_name="require_secure_transport";}{$value}fail}'
Variable_name=require_secure_transport Value=ON


The [exim] section is missing from the /usr/local/etc/mysql/my.cnf file.

The [client] section contains only the port and socket options.
These are the default settings.

But this is FreeBSD, not Linux. And this is mysql, not mariadb.


> On Thu 23 May 2024, 20:54 Gandalf Corvotempesta <gandalf.corvotempesta@???> wrote:
>
>> This is a strace when trying to connect to a mysql server that has SSL
>> forced (that's why I'm hitting an access denied).
>> Now the configuration file is read as expected, but the option group
>> that is forcing the ssl-mode seems to be ignored
>> (honestly, as default, ssl is preferred, it should connect via ssl
>> anyway even without an option group)
>>
>>
>>
>> openat(AT_FDCWD, "/etc/mysql/my.cnf", O_RDONLY) = 3
>> newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=1174, ...},
>> AT_EMPTY_PATH) = 0
>> read(3, "# The MariaDB configuration file"..., 4096) = 1174
>> access("/etc/mysql/conf.d//my.cnf", R_OK) = -1 ENOENT (No such file or
>> directory)
>> access("/etc/mysql/mariadb.conf.d/my.cnf", R_OK) = -1 ENOENT (No such
>> file or directory)
>> openat(AT_FDCWD, "/etc/mysql/mariadb.conf.d/99-exim.cnf", O_RDONLY) = 4
>> newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=31, ...}, AT_EMPTY_PATH)
>> = 0
>> read(4, "[exim]\n   ssl-mode = REQUIRED\n", 4096) = 31
>> read(4, "", 4096)                       = 0
>> close(4)                                = 0
>> read(3, "", 4096)                       = 0
>> close(3)                                = 0
>> getpid()                                = 3743075
>> socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
>> fcntl(3, F_SETFL, O_RDONLY|O_NONBLOCK)  = 0
>> connect(3, {sa_family=AF_INET, sin_port=htons(3306),
>> sin_addr=inet_addr("10.111.1.1")}, 16) = -1 EINPROGRESS (Operation now
>> in progress)
>> clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=0, tv_nsec=1000}, NULL) = 0
>> poll([{fd=3, events=POLLOUT}], 1, -1)   = 1 ([{fd=3, revents=POLLOUT}])
>> getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
>> fcntl(3, F_SETFL, O_RDONLY)             = 0
>> setsockopt(3, SOL_IP, IP_TOS, [8], 4)   = 0
>> setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0
>> setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
>> recvfrom(3, 0x55c7fbdd3e60, 16384, MSG_DONTWAIT, NULL, NULL) = -1
>> EAGAIN (Resource temporarily unavailable)
>> poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
>> recvfrom(3, "Q\0\0\0\n8.0.31-google\0\274=\2\0\35+\36H\1\31!\4\0"...,
>> 16384, MSG_DONTWAIT, NULL, NULL) = 85
>> sendto(3, "\306\0\0\1\215\242\276\0\0\0\0@
>> -\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
>> 202, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 202
>> recvfrom(3, 0x55c7fbdd3e60, 16384, MSG_DONTWAIT, NULL, NULL) = -1
>> EAGAIN (Resource temporarily unavailable)
>> poll([{fd=3, events=POLLIN}], 1, -1)    = 1 ([{fd=3, revents=POLLIN}])
>> recvfrom(3, "J\0\0\2\377\25\4#28000Access denied for u"..., 16384,
>> MSG_DONTWAIT, NULL, NULL) = 78
>> close(3)                                = 0
>> newfstatat(1, "", {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x5),
>> ...}, AT_EMPTY_PATH) = 0
>> write(1, "Failed: lookup of \"SELECT 1 \" ga"..., 133Failed: lookup of
>> "SELECT 1 " gave DEFER: MYSQL connection failed: Access denied for
>> user 'xxx'@'10.111.1.2' (using password: YES)
>> ) = 133
>> futex(0x7fceb027e5d8, FUTEX_WAKE_PRIVATE, 2147483647) = 0

>>
>> On Wed 22 May 2024 at 20:51 Gandalf Corvotempesta
>> <gandalf.corvotempesta@???> wrote:
>>>
>>> OK, now the file is read as expected, I can see it from the trace, but
>>> I'm still getting access denied because the connection is not made with SSL.
>>>
>>> I'm out of ideas
>>>
>>> On Fri 17 May 2024 at 21:39 Gandalf Corvotempesta
>>> <gandalf.corvotempesta@???> wrote:
>>>>
>>>> On Fri 17 May 2024 at 16:37 Jeremy Harris via Exim-users
>>>> <exim-users@???> wrote:
>>>>> If there were, then it should go on to try those files.
>>>>> This is not an Exim problem.
>>>>
>>>> This is the issue:
>>>> https://jira.mariadb.org/browse/CONC-396
>>
>



--
Best wishes Viktor Ustiuhov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
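An added example, not part of this thread and not code from Exim or from MariaDB Connector/C: a small Python parser for the two MySQL handshake packets visible in the strace quoted above. It decodes the server greeting (Protocol::HandshakeV10) and the client's first packet, and reports whether the client asked for TLS. A client that negotiates TLS first sends a 32-byte Protocol::SSLRequest with the CLIENT_SSL capability bit (0x800) set and only then, inside the TLS session, the Protocol::HandshakeResponse41 carrying the username and password hash. In the trace the client's first packet is instead a 198-byte HandshakeResponse41 whose capability flags 0x00bea28d have CLIENT_SSL clear, which is what a connector ignoring ssl-mode looks like on the wire: the "Access denied" error arrives over a plaintext connection. The bytes not visible in the trace (the server's capability flags and auth plugin, and everything after the username 'xxx') are constructed sample data, as is the SSLRequest used for comparison.

```python
"""Classify the first MySQL server and client packets to see whether the
client asked for TLS. Added example; the packets are reconstructed from the
strace in the thread, with the bytes the trace does not show constructed."""
import struct

CLIENT_PROTOCOL_41 = 0x00000200   # 4.1+ handshake layout
CLIENT_SSL = 0x00000800           # "switch to TLS after this packet"
SSL_REQUEST_PAYLOAD_LEN = 32      # caps(4) + max packet(4) + charset(1) + reserved(23)

# Server greeting as seen in the trace (85 bytes): header, protocol 10,
# "8.0.31-google", connection id 0x00023dbc, first 8 auth bytes, filler.
# Everything after the filler is not visible in the trace and is constructed.
SERVER_GREETING = (
    b"\x51\x00\x00\x00"                     # payload length 81, sequence 0
    + b"\x0a"                               # protocol version 10
    + b"8.0.31-google\x00"                  # server version, NUL-terminated
    + b"\xbc\x3d\x02\x00"                   # connection id, little endian
    + b"\x1d\x2b\x1e\x48\x01\x19\x21\x04"   # auth-plugin-data part 1
    + b"\x00"                               # filler
    + b"\xff\xff"                           # capability flags, low 16 bits (constructed; CLIENT_SSL set)
    + b"\xff"                               # server character set
    + b"\x02\x00"                           # status flags
    + b"\xff\xdf"                           # capability flags, high 16 bits (constructed)
    + b"\x15"                               # length of auth-plugin-data
    + b"\x00" * 10                          # reserved
    + b"\x00" * 13                          # auth-plugin-data part 2 (constructed)
    + b"caching_sha2_password\x00"          # auth plugin name (constructed)
)

# Client's first packet as seen in the trace: capabilities 0x00bea28d,
# max packet 0x40000000, charset 45, 23 reserved bytes. The username 'xxx'
# comes from the error message; the auth response and plugin name are constructed.
_RESPONSE_PAYLOAD = (
    b"\x8d\xa2\xbe\x00"                     # capability flags 0x00bea28d: CLIENT_SSL is NOT set
    + b"\x00\x00\x00\x40"                   # max packet size 0x40000000
    + b"\x2d"                               # character set 45 (utf8mb4_general_ci)
    + b"\x00" * 23                          # reserved
    + b"xxx\x00"                            # username, NUL-terminated
    + b"\x20" + b"\x11" * 32                # length-encoded auth response (constructed)
    + b"caching_sha2_password\x00"          # auth plugin name (constructed)
)
CLIENT_HANDSHAKE_RESPONSE = (
    len(_RESPONSE_PAYLOAD).to_bytes(3, "little") + b"\x01" + _RESPONSE_PAYLOAD
)

# What a TLS-negotiating client sends instead (constructed): the same 32-byte
# prefix with CLIENT_SSL set; the TLS handshake then starts on the socket and
# the HandshakeResponse41 with the credentials follows inside TLS.
_SSL_REQUEST_PAYLOAD = (
    (0x00BEA28D | CLIENT_SSL).to_bytes(4, "little")
    + b"\x00\x00\x00\x40"
    + b"\x2d"
    + b"\x00" * 23
)
CLIENT_SSL_REQUEST = b"\x20\x00\x00\x01" + _SSL_REQUEST_PAYLOAD


def _payload(packet: bytes):
    """Split a MySQL packet into (sequence id, payload), checking the 3-byte length."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError(f"truncated packet: header says {length}, got {len(payload)}")
    return packet[3], payload


def parse_server_greeting(packet: bytes) -> dict:
    """Decode Protocol::HandshakeV10 far enough to read the capability flags."""
    _, p = _payload(packet)
    if p[0] != 10:
        raise ValueError(f"unexpected protocol version {p[0]}")
    end = p.index(b"\x00", 1)                # end of the server version string
    version = p[1:end].decode("ascii")
    pos = end + 1
    conn_id = struct.unpack_from("<I", p, pos)[0]
    pos += 4 + 8 + 1                         # connection id, auth data part 1, filler
    cap_low = struct.unpack_from("<H", p, pos)[0]
    pos += 2 + 1 + 2                         # caps low, charset, status flags
    cap_high = struct.unpack_from("<H", p, pos)[0]
    caps = (cap_high << 16) | cap_low
    return {"version": version, "connection_id": conn_id,
            "capabilities": caps, "ssl_offered": bool(caps & CLIENT_SSL)}


def classify_client_packet(packet: bytes) -> dict:
    """Tell an SSLRequest from a HandshakeResponse41 and read the CLIENT_SSL bit."""
    seq, p = _payload(packet)
    caps = struct.unpack_from("<I", p, 0)[0]
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 handshake layout not handled")
    kind = "SSLRequest" if len(p) == SSL_REQUEST_PAYLOAD_LEN else "HandshakeResponse41"
    username = None
    if kind == "HandshakeResponse41":
        start = 4 + 4 + 1 + 23               # caps, max packet, charset, reserved
        username = p[start:p.index(b"\x00", start)].decode("utf-8")
    return {"sequence": seq, "kind": kind, "capabilities": caps,
            "wants_ssl": bool(caps & CLIENT_SSL), "username": username}


def tls_negotiated(server_packet: bytes, client_packet: bytes) -> bool:
    """True only if the server offers TLS and the client's first packet is an
    SSLRequest with CLIENT_SSL set; anything else means the credentials that
    follow travel in clear text."""
    srv = parse_server_greeting(server_packet)
    cli = classify_client_packet(client_packet)
    return srv["ssl_offered"] and cli["kind"] == "SSLRequest" and cli["wants_ssl"]


if __name__ == "__main__":
    for name, pkt in (("trace", CLIENT_HANDSHAKE_RESPONSE), ("tls client", CLIENT_SSL_REQUEST)):
        print(name, classify_client_packet(pkt), "TLS:", tls_negotiated(SERVER_GREETING, pkt))
```

Run over a packet capture (or over an strace like the one above), a check like this tells you whether the connector honoured the ssl-mode you configured, independently of what the server's error message says; once a connection does succeed, the server-side confirmation is SHOW STATUS LIKE 'Ssl_cipher', which is empty for a plaintext session.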
