author | mkaruza <mario.karuza@galeracluster.com> | 2021-02-05 11:06:25 +0100 |
---|---|---|
committer | Jan Lindström <jan.lindstrom@mariadb.com> | 2021-04-15 08:50:01 +0300 |
commit | c3b016efde4b1e0c2b85ca26c814ad43f5611ab2 (patch) | |
tree | a253e3593bc130bc37931540ef56b504ed23796d | |
parent | 767d63374e634f8ede5e18a8a74127a113013467 (diff) | |
download | mariadb-git-c3b016efde4b1e0c2b85ca26c814ad43f5611ab2.tar.gz |
MDEV-22668: "Flush SSL" command doesn't reload wsrep certbb-10.4-MDEV-22668
Trigger `socket.ssl_reload` when FLUSH SSL is issued. To trigger reloading
of the certificate, key and CA, the files need to be physically changed.
Reviewed-by: Jan Lindström <jan.lindstrom@mariadb.com>
-rw-r--r-- | mysql-test/std_data/galera_certs/INFORMATION | 2 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.1.crt | 25 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.1.csr | 16 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.1.key | 27 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.2.crt | 25 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.2.csr | 16 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.2.key | 27 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.root.crt | 32 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.root.key | 54 | ||||
-rw-r--r-- | mysql-test/std_data/galera_certs/galera.root.srl | 1 | ||||
-rw-r--r-- | mysql-test/suite/galera_3nodes/r/galera_ssl_reload.result | 15 | ||||
-rw-r--r-- | mysql-test/suite/galera_3nodes/t/galera_ssl_reload.cnf | 10 | ||||
-rw-r--r-- | mysql-test/suite/galera_3nodes/t/galera_ssl_reload.test | 67 | ||||
-rw-r--r-- | sql/sql_reload.cc | 8 | ||||
-rw-r--r-- | sql/wsrep_mysqld.cc | 26 | ||||
-rw-r--r-- | sql/wsrep_mysqld.h | 1 |
16 files changed, 352 insertions, 0 deletions
diff --git a/mysql-test/std_data/galera_certs/INFORMATION b/mysql-test/std_data/galera_certs/INFORMATION
new file mode 100644
index 00000000000..439ba394e09
--- /dev/null
+++ b/mysql-test/std_data/galera_certs/INFORMATION
@@ -0,0 +1,2 @@
+WSREP certificates signed with root certificate.
+Password used is `galera`.
diff --git a/mysql-test/std_data/galera_certs/galera.1.crt b/mysql-test/std_data/galera_certs/galera.1.crt
new file mode 100644
index 00000000000..c1c1818a88c
--- /dev/null
+++ b/mysql-test/std_data/galera_certs/galera.1.crt
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEODCCAiACFG1AlRipIFaH2nn79vsiU6s8yxqwMA0GCSqGSIb3DQEBCwUAMFox +CzAJBgNVBAYTAkZJMREwDwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVsc2lu +a2kxDzANBgNVBAoMBkdhbGVyYTEUMBIGA1UEAwwLZ2FsZXJhLnJvb3QwHhcNMjEw +MjA0MTMxOTU3WhcNMzAxMTA0MTMxOTU3WjBXMQswCQYDVQQGEwJGaTERMA8GA1UE +CAwISGVsc2lua2kxETAPBgNVBAcMCEhlbHNpbmtpMQ8wDQYDVQQKDAZHYWxlcmEx +ETAPBgNVBAMMCGdhbGVyYS4xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAq1/qI8oopqwSG6TWLSzMOpm5iXilzQ5bM0E440ZVrdPo/OZvAb99yofMFJi9 +uD1zUigHA+PXoJhm0HYTt5VsymByYwKCT8aYC6Sm6a2H82uuS7Ze8JUBdl4ymZCe +f56fYmh3EVu0Kf+rk9uCQGouzwrDNuS+MWxsV+lxVoAA08F19yJdvxehBNlGopqc +Sw6NNa9SISCqjg32oR2RuFzkifV/olPHGl1FSzyzJ/zO2CQYjzT8W+UA/EtnFFCo +XVJzOKHIbzTNKmj/kkX6esBZ7ItmAdGaTlIV6A/OR/wcKxzZBopd9wFSm42x+Dxk +eMPKS7OFhaOypl/PHo1LsSrzKwIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQApP88p +5jaa26DhqBonGMBwgbnGzzXqrDlE6GX8Z5TffgOQjg7ZmMzdnS50iW5Jj9PcG3PL +VpdxtKnyV/3qKJ40WpRvnUMcghyRB74h44y09Qh013uSpFR4ST7As1kAsRKYU7YP +gc7Bc+rc3fjCOxqwRBIg/mosFCmW7UoogpeGNhuXFgl7ED3pjszAOjbLDxUkaQTj +vbS9nWvtzE68STBdVTct91OIJPY2hNno8trwYqchQOG7wPOH/V+HzQ3jeLdE8AKw +/PouspuE5RJmU9zcRzlKBKUsmjl+zD6nkyEzkfRO/JoDhBB0ReHsxaR+SU42K78n +2H/qGjfhIcWsQVyIaRGqRTPZ6AhRX/04n8RTLHHkG/CLsgBcZnaOvVhraItUAEzC +AQtD9vvF5uyzdmj0uu2TZNHJnbx+NXoNGJOJI2qUISLSdrVkS6qAHIdavypxDZZg +4o5NZz+Jyc7Zq61LxLemKfD0isVsY91610A/1JwCy+Li99Mvng8gAJoP2NX/Cvmv +i0QowP5uRRSL6YmiqRByer9yveSlxR03FvLeFSdftln3eEIyS9/kU74oJ+rOXPus +fuB2ZNFHjmX7iXj3zf1kkpNCc03eaLY6P3+h2Opnqitz/XAT/eSWQ1huMKGm78ih +C3Cd/yrwiA+AfxhYMJHl6CTpEWcJnqZQbPBjug== +-----END CERTIFICATE----- diff --git a/mysql-test/std_data/galera_certs/galera.1.csr b/mysql-test/std_data/galera_certs/galera.1.csr new file mode 100644 index 00000000000..f0c396836f0 --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.1.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCRmkxETAPBgNVBAgMCEhlbHNpbmtpMREw +DwYDVQQHDAhIZWxzaW5raTEPMA0GA1UECgwGR2FsZXJhMREwDwYDVQQDDAhnYWxl +cmEuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtf6iPKKKasEhuk +1i0szDqZuYl4pc0OWzNBOONGVa3T6PzmbwG/fcqHzBSYvbg9c1IoBwPj16CYZtB2 +E7eVbMpgcmMCgk/GmAukpumth/Nrrku2XvCVAXZeMpmQnn+en2JodxFbtCn/q5Pb +gkBqLs8KwzbkvjFsbFfpcVaAANPBdfciXb8XoQTZRqKanEsOjTWvUiEgqo4N9qEd +kbhc5In1f6JTxxpdRUs8syf8ztgkGI80/FvlAPxLZxRQqF1SczihyG80zSpo/5JF ++nrAWeyLZgHRmk5SFegPzkf8HCsc2QaKXfcBUpuNsfg8ZHjDykuzhYWjsqZfzx6N +S7Eq8ysCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCUyo7S6TThiPiTRbMMu9Pu +/YAK7mcxF3zG5rMzcf4fgaJAuUfE1Ct4y9eJ0k4gPevt37J2AhyTei6yS2ivESie +exc/kztendR1PQmnRlICWa3ErXC1ZBJAVjaOx/S+Ttq5Tp4Bd/X2gvUb5JT+9Xbi +NtxlnISh9cjO9BP7nfsCAbjqBhYT1hmYMlCDkTgHOPRpBQDQlRZ7e5jXDyzHaKzq +yMfX0jo934oq2lkrV68q/9vmW0SrUU0X9GVDVRo8+4wTb1/dHQOcDaFO1LrsklaQ +MqJkffv0tJB249+JkXHMzOZbfUTFn6jVJvMrSAQmOCIgXpswk0qmMM6ipEQkAlKW +-----END CERTIFICATE REQUEST----- diff --git a/mysql-test/std_data/galera_certs/galera.1.key b/mysql-test/std_data/galera_certs/galera.1.key new file mode 100644 index 00000000000..adcd6a396a1 --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.1.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAq1/qI8oopqwSG6TWLSzMOpm5iXilzQ5bM0E440ZVrdPo/OZv +Ab99yofMFJi9uD1zUigHA+PXoJhm0HYTt5VsymByYwKCT8aYC6Sm6a2H82uuS7Ze +8JUBdl4ymZCef56fYmh3EVu0Kf+rk9uCQGouzwrDNuS+MWxsV+lxVoAA08F19yJd +vxehBNlGopqcSw6NNa9SISCqjg32oR2RuFzkifV/olPHGl1FSzyzJ/zO2CQYjzT8 +W+UA/EtnFFCoXVJzOKHIbzTNKmj/kkX6esBZ7ItmAdGaTlIV6A/OR/wcKxzZBopd +9wFSm42x+DxkeMPKS7OFhaOypl/PHo1LsSrzKwIDAQABAoIBABrfppLIL8m7L/e/ +yIo6/SevVYX2MmHOf4SxFJ+nNuZUVbPa2st2YN5ynxEXxqBumnfmqPr2LqkTXQQR +kBP4zZ+KskVObmreJJem0TnRqYEFgMaEqaymYR1TtjGYmRJAKJRA93L0Y3M2kYxV +Hr7FJ+P1txkTk7OiYfcDN2+uEPMjoIwPTZYqcpw8UggF3zMZosBH3tf4yk/+5Q52 +MilRRjmoOFJSs9617OdgLoXEwQ4sAvg9UecrNR/octMnBUXKq5vWT+L9ub0fxATV +8U+GUiv2gBnHGikbsqfV/7hZZy+R1V6b/hFrpTlTHXhKpM56ownT85tcI2WNVVOR +FkDFXDECgYEA1gkIXzQ1O4wuxEBZCwH3hpzT2qCDou/yA91pQN6sekdxJffz8VJs +5MUmr53vBTD3j57l+iPfa1yApNYEeQDXmiervdLjC0ep3FqyK8qS/J9x86K2E9Bt +R8ElYGEsYoT93pzM7txPEZo3awgHAqmlPQ9mhujBpsR9xBjYi1IrGDkCgYEAzPmj +ezryhMqFosh9OK5tirjGw3T28p+ywIl7wS5/Le32HV6sGsva3UpZhb67SkpCDbpF +ihDV7KHFQqOvZBNSFc8gPvBgFlv4k5IzbU2q1/nO/TzgSnp1sAwlZv4shsiLz7sv +x2ZhR8gPfO7cTS4281rdlhUuAMe79W2FRwm9/oMCgYEAkPSjH9864i5pie5On97g +JeHWtS2amWJKFQYB/7YPN+1kmyNXqit5pmJDdhLPS0PDlhg2hvd+m7aVRY3Qj6bb +XgLaFIBb1krdpmgiXPggHklaIngjOj4hlMQhrSmCpuKNERQ+0tKQFkrMl4djQBFm +4HiqplnCtVBEIOf22Dx5BTkCgYAQssmhsWSucr0+TKz+4B7mbTUsGSxBCceLLega +DcqomDkznVHSAQd8faEbZzVk0PXenm0p2UNEOs2SJzmTootOYYhT+EsrpyRyCTgN +UIV5gM1fDgWLq7xIskSdxlkkRdQ2AR7cVLfaHC8+00q5MumhG6bvohwUTjE+xkRU +TDPhNwKBgQDKmYS+6sUiUim69J1dP/DNCs4fabbOi/uKaAk0HdN1abnxgRROzrPI +0BsD84XrG8/e0JhRiKG3Doq18ejNjfWsuyliHPCoJrTIj4IUq7bFvVbdOD6BQHNw +VzHa3UImlF1LthRqRMV5As+GOF0pRCHeXyihi6KBDEZBG/SKaCp9rw== +-----END RSA PRIVATE KEY----- diff --git a/mysql-test/std_data/galera_certs/galera.2.crt b/mysql-test/std_data/galera_certs/galera.2.crt new file mode 100644 index 00000000000..2d7ebb2d533 --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.2.crt 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEODCCAiACFG1AlRipIFaH2nn79vsiU6s8yxqxMA0GCSqGSIb3DQEBCwUAMFox +CzAJBgNVBAYTAkZJMREwDwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVsc2lu +a2kxDzANBgNVBAoMBkdhbGVyYTEUMBIGA1UEAwwLZ2FsZXJhLnJvb3QwHhcNMjEw +MjA0MTMyMTMzWhcNMzAxMTA0MTMyMTMzWjBXMQswCQYDVQQGEwJGSTERMA8GA1UE +CAwISGVsc2lua2kxETAPBgNVBAcMCEhlbHNpbmtpMQ8wDQYDVQQKDAZHYWxlcmEx +ETAPBgNVBAMMCGdhbGVyYS4yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAq0DluHNB6VlRjMlQVhnABzB+wTAsC4DBQBAy/AzCPdEg67pZj1j1UKNitdfO +/FLn6DCLoFhw/z5gFUpev3JzgHcbguOlf3AQA4p9zZn/R/g8fGJtUHolkYXT+V+j ++xUQ8dzdjelu6Xd0kpN9wigtKO4PUd3fzZ7QKen68zQPNEf+KFbSj/Dhk2iokt3N +entl3MpLGJ+FsxPQwm7bagRdn66x7zAeRu4DifYh3i7lWkC+xE+bnB82BrzBHcMh +N6uqdnKSdj078hRj/gcSJFMlOSaWCWoZdHQ7+3gp/bCi/dGywNxOgbsmuHznlUpE +ELbhv6G0m6LzzB1NW7HFctyrNwIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQAwtXxJ +8ZQw1jZKUo0TP1D17Jdu36x2Tl8YwB+WMGdEvQSuKAnUEL/k4zOB5WI1VlNbJFAF +dgsbHXjYrVCbDEpmN15sYXZ4J2NfGTmHAz38gB+r2LDlWj/+5L+VK+hkwGdbcaPX +cDxm5M66ZbTvCFfozlHRh68/vGKhLnT0Iof3DekP7vaPUlfUUZGFh75vxUW8TM/S +Ii4Tdo5D/gV4J/fUX2VKMKrJIYKcUxk48AFT0acCfzs9Uc5f4YYJ0vMrtGeVR0gl +QLavAk3OW7IVY7trVrb0+qKfVuaxFli2hZN58ug/fpSN4wEMP31UxZ8WihG3xJ4x +9ona+VR023ltpJerLWgHZyvH/HR8QnrQpPJ7y+2XLdI01gIQpYDwHsBBa8EkGjvG +ra5YB07xOxxR4Wfr7/7gZzMvBkRr0wG/96iAfIB/ILYRJX+93gyqaVHS4RZRRQxe +fsOpYOy5wMfPIjQQ4/Zd35NH+Y/dQcYqV+GdbbardXtNbT0tqLQesT3boBpsTxA9 +fkA9RayzTKHGojTv8p/FHh6yusfwa9MMdNsbkikM0YoAOTQwrBe7S9sm17Z6HxWr +A7QqZGxAzAqI6aRRoro6z0KLNjuuiJysCSBqHB3yvPn6bV84UEUreoXFIHINkF/L +B9S5zL+uYnA3X/ozdSmayNpipA3uYqqhUVSG9g== +-----END CERTIFICATE----- diff --git a/mysql-test/std_data/galera_certs/galera.2.csr b/mysql-test/std_data/galera_certs/galera.2.csr new file mode 100644 index 00000000000..0fba110b92a --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.2.csr 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnDCCAYQCAQAwVzELMAkGA1UEBhMCRkkxETAPBgNVBAgMCEhlbHNpbmtpMREw +DwYDVQQHDAhIZWxzaW5raTEPMA0GA1UECgwGR2FsZXJhMREwDwYDVQQDDAhnYWxl +cmEuMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtA5bhzQelZUYzJ +UFYZwAcwfsEwLAuAwUAQMvwMwj3RIOu6WY9Y9VCjYrXXzvxS5+gwi6BYcP8+YBVK +Xr9yc4B3G4LjpX9wEAOKfc2Z/0f4PHxibVB6JZGF0/lfo/sVEPHc3Y3pbul3dJKT +fcIoLSjuD1Hd382e0Cnp+vM0DzRH/ihW0o/w4ZNoqJLdzXp7ZdzKSxifhbMT0MJu +22oEXZ+use8wHkbuA4n2Id4u5VpAvsRPm5wfNga8wR3DITerqnZyknY9O/IUY/4H +EiRTJTkmlglqGXR0O/t4Kf2wov3RssDcToG7Jrh855VKRBC24b+htJui88wdTVux +xXLcqzcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB1Je87IIfWW4YTvf1evm4/ +ICxImyQ4T5m3IOPrv9dV/DdxIoNSEfeudjyOmdeXchV5XxlGD2a6JDW4Pmf/gMlU +5E6ySf4yvI/heDM05GdG623Nye41hCAqh9AIBOvhZEFlQ8/eDZFBXT9nZ4PFUshv +7v1KlMNKHq5E3Y2eet3d0wDzE0CYJfkc0yoYX/y1IGVM2Td7/YmsSTz8Xm1OvIfx +hbLzbnYIv4OLfSda/ntFxUy32c8jRxusbbrL4NKE5+eO5Sro1JR/rxRW9DIarp02 +8fzUyf1WhYIGtP/N3ZiZ4jqCsRyj0QmuwIohk33pKtb0APIA+qy8a13QSLUCPuHf +-----END CERTIFICATE REQUEST----- diff --git a/mysql-test/std_data/galera_certs/galera.2.key b/mysql-test/std_data/galera_certs/galera.2.key new file mode 100644 index 00000000000..5b9bf3d0eac --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.2.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAq0DluHNB6VlRjMlQVhnABzB+wTAsC4DBQBAy/AzCPdEg67pZ +j1j1UKNitdfO/FLn6DCLoFhw/z5gFUpev3JzgHcbguOlf3AQA4p9zZn/R/g8fGJt +UHolkYXT+V+j+xUQ8dzdjelu6Xd0kpN9wigtKO4PUd3fzZ7QKen68zQPNEf+KFbS +j/Dhk2iokt3Nentl3MpLGJ+FsxPQwm7bagRdn66x7zAeRu4DifYh3i7lWkC+xE+b +nB82BrzBHcMhN6uqdnKSdj078hRj/gcSJFMlOSaWCWoZdHQ7+3gp/bCi/dGywNxO +gbsmuHznlUpEELbhv6G0m6LzzB1NW7HFctyrNwIDAQABAoIBAQCAnv9qJ3bLkgAD +43dpE3H8dFnfMxUBlrSOLxx73gFNeHJnWdDGLyQganZK6UlWjdYLt9pGleZYbjqw +AulilM1XIR4SknPMYRhF8JBICW+IWFLlgO9lUDhDMeZhF4oLnGjbnuzwFvDsfIGb +TRdY6d/xK8tpy2C6CJuDv25xlxoMQwJvSIViJd1qyCe4x3PDBvZ3TKMiWXfUGoSg +75Yee6dIryCoWGACTjdiNdJpo99EIMJT8HIGQeBBJuIvSTsAgXMugDlnvUkq98LX +XLJ+Lilx+enUb1WDbwZDMwJd0DlDVZyRVDJwlJRFUEuJvSRfMNKICEynmqJVc/36 +I7BzHNtRAoGBAOOGrH/r46oiSH6vE0VqgPIdlruLDZWoBIW0tVW1wb9E3NzExK53 +WEGy6FETsFGt3cYxtKd5Qy4rD5gfqYrfmDH/bmkK9p69pSjKcSgynABxCqM0DCth +F3EGc5ZGDcA7Xar70NEP9COExFvPpi2bBq+8//OHNKWHe/aTYj3FuvyjAoGBAMCv +ZrUR8NJfxw8Jqygc/L5BBW0gzh8ycHlQQPrpb4j01ncFcjTe1Tsc8BAkHYXZbS7o +h+3JkgzQf7fHJmafKPO3esj2fZqdCoWBqhAf9Wk+9s33rTPo4OXdk22MdII7kV/e +VpUKzdznKQmftleoJDVq6qBDMN9qQy8z5hVVv8xdAoGBAJEVSV3wzyWn4s5VWVaE +SWEaGQnR64Got+mCh7b1xWvvv15PYpNVqsOKD7XTdjU/RxGglG/OVVZVQwZf+j6B +wYzwMjltMkGa8HwISwu06eEmNABJqhDnQolh8ca7OP2BXYMwO8F0CNu1R3i7+l1O +Y38gZ52kc5+xuwxKgvSc51U9AoGAKiq4aUvBzegT4eCVyjN9xAzqqRUSxpT9NC8x +6TcIp4odHPLeKV/Sfhs5Fe8xXsdUM33DsW/5PECskoVMjAyso5k1j6ERn7JaSRk1 +JE46IIwc6roW91MxVFyHFOQ14wIyMC6x9+/jWUJlIqwG9WvgcKgzLFtH6LySc1QC +OA0J6ikCgYAr7JEzFzckFvXNgdUiADnXztchwmjeV/CJZdaHhlVdHmtt0Z7PiWK9 +wRCKwA+wfTW1MeufP/t3l9MqdFx7MjxBbu2aVnd9BEDtGX6pch1pMa7CHyHayDiL +UoD0lPrJ9hLftKkyMO2IL3kWlg5g3cpwVBzMKxNBynzQx7TQxUrAgA== +-----END RSA PRIVATE KEY----- diff --git a/mysql-test/std_data/galera_certs/galera.root.crt b/mysql-test/std_data/galera_certs/galera.root.crt new file mode 100644 index 00000000000..e965d5a26d6 --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.root.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFlTCCA32gAwIBAgIUKCF88W+48rZzdfgYpE2dXVMGSKgwDQYJKoZIhvcNAQEL +BQAwWjELMAkGA1UEBhMCRkkxETAPBgNVBAgMCEhlbHNpbmtpMREwDwYDVQQHDAhI +ZWxzaW5raTEPMA0GA1UECgwGR2FsZXJhMRQwEgYDVQQDDAtnYWxlcmEucm9vdDAe +Fw0yMTAyMDQxMzE3MDJaFw0yMzExMjUxMzE3MDJaMFoxCzAJBgNVBAYTAkZJMREw +DwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVsc2lua2kxDzANBgNVBAoMBkdh +bGVyYTEUMBIGA1UEAwwLZ2FsZXJhLnJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQDKqL45jbaq8RLOj+DeilPcEnBN5gn/y9V3IfZ0BQCd4bR09zLz +7BQKz6QS825Wi56HC155W1xPMR0RYWy3I3owreQtfdGJuYoTKLpRSoqWJgy/FSzR ++Tr34WfpeIj6754YRm7MndWBPVkujPtOWz6EHn+2oUNIpCZAOwXtMrlJzf5GwNBu +4kwkylz0whs3iTS//pZLyqk6MsLI7tebmfi9qyaM0b+C1OKiBRQRIjPON8Htp7Au +GDyOqA4Y9IQlAzZVqy2PP79Ci2FpPF3+01ByWGY6vAIxma2VXS/aNvUvGnuzH8hz +A5xg1+5Fv2kdxffcWLjp5/WSIaTUiBFMBRKswTtfo+vWuVpzXGvlExGHd10m+MhK +Avoqq6N28ql6E5pDDH5k6aZ1eB6nKF6BU4BMa4SUPBX/qz8PMbb5j0+n645Gj/G2 +0DfCQoyHd6sMAZZ9LgTjGB/R6sz74YF72q6xECTCygn5HY3qjvmx0BYlIkQDKKqh +bq2ZmsLLCwtyfUeW144eMhErNZA1MwoJxd8LM0TpJ0nXQdEESf5oS5fMLZnVrxah +dl5QYYMbmyNedNKdwV4idhGCy+Zq7VAX4lBXazI1rD9vQb+oTcPGQiy4i/Vi/g6i +F+XZTdTiaOWPEmvFFGLLUQxKl4w872hJaupqfteqdiZ+3ICVIUI8qnXHmwIDAQAB +o1MwUTAdBgNVHQ4EFgQUs75v/MgjJ5RHGE6+0qdiVo4BwlowHwYDVR0jBBgwFoAU +s75v/MgjJ5RHGE6+0qdiVo4BwlowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAgEAOVhBs28dwwvD5q2r7oVVcxLc+tb8zu4XxpXT1p6hiZYUyPguCh00 +GVdXCgR4JMI/NcyM5fBAbF3S8oK3+9rw2kW09afVV06Qf/8o3nIyOiDl7598tGIP +CCK4QsUW/dGajx5kvhtQ7qce+u9KfFTof6lq2xkYtFBBhmBdSv9A1jAZJMw2x3bc +nr99PS8XZMphS0MIExHKj6Ry5DdYm722zZHyIEiiEGyMViDm2m1iug5r/LPH5Z56 +BjQiH4VP+0y5mevBOUGuH8ID+J9Hu9BeoXLhkv+W2Ljs/S6wqzjinMBqVG+wwe0Y +a8F5pABkl5uX38nMQ7CikSbLxSbn7nRf+sux1sbzqjMldeCSqiv9mI5Ysq97+Ni1 +5qMxNxNc0u/wGRnrXH8fWfxBKPP5moA7DQfVcUWPgDGQwDpA8kn8RlJxFk3g4yaK ++NMwk5MORKyx3tz/A3Yhs9AUXk3okvmQCT2YVSHcKUB8PAU+TaKqbr3wk07Y/tL/ +jFPHS+t3eD91Y05KGUXjdtGi+33zpV0biHmTWAZT78VQowDNvEpTnXhkSx8HGHYR +nqSMU2m2LboHSatY113RYznx0LJ1azczRlJdGs8oyPWLPDD2JCesZaQqGZVRJoms 
+lK4EzYEb5mZTCRgtgoiO+iKcf6XifuOCrWZXoLm4FlLEfOQ3b8yAFlo= +-----END CERTIFICATE----- diff --git a/mysql-test/std_data/galera_certs/galera.root.key b/mysql-test/std_data/galera_certs/galera.root.key new file mode 100644 index 00000000000..8472f87e714 --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.root.key 
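Review bot: The root certificate added in galera.root.crt expires long before the node certificates it signs: its validity field decodes to notAfter 2023-11-25, while galera.1.crt and galera.2.crt run until 2030-11-04. Once the CA lapses, peer verification between the test nodes will presumably fail and galera_ssl_reload will break for a reason unrelated to the reload code. Regenerate the root with a lifetime at least as long as the leaves, and extend `INFORMATION` with the generation commands and expiry dates so the fixtures can be rebuilt. That file should also say explicitly that these keys and the `galera` password are test-only and must not be used for a real cluster.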
@@ -0,0 +1,54 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,F0ACFFE47CF32BB2 + +F5PwhFDgzuaD7ISSmSn3+GpEoWipTwOPjE8ei9LsQ1a/RdcW19kmB9sJojOSVlV6 +CbLeEl/YKkkAZvbupKvpL0i82WTi+V7W9iKNU3M9tN1JE3WNGCYrL16aUrlnXszi +eiNhWzAGxtpXNTv+d9gdgYZ0mHJrDk390tYGRcnrEp8FasL0aI4AnIWrJq9zgHeP +m8K0RxIB6Rp07+SEfsO0pZuGPIkO/qVhIDXYhQrEkap3viPZouH1qzaJNaQXD1ZE +EoP0n/jbX3KuLeep4aGdEGq/eAZx/WUZpZWECOqwZ7HDNFcXj4nZRNQmCpSobEHU +e+9DL+nnmoMtsFG7Jb6S3d8Fxv5DLqm7LTHweZzlkw0pD5sVVMSeb6Xq2Cshxsf2 +htQGZDtxscTimDrLHsNonw1tVBfY0HPpTNNmjyKpa2lmbQ4KQls3A4i9yZaXM1W4 +pkc1Emk0ot+yXZU+SNPeAgAMCf5rygiQtsALYdbkZVpVvziVVBFdav+v9RtwrMfJ +fli6GbAwm2mKXdFlc8SnfbNxKw8v2K26IUZFEzwiE/MxwOR4UBwcNa2JcXKsMGVt +o2pBOJr0dquywV37EV7hu2S6Kgf1nREgksON86REmZoPpzMlCpTf805awdDN/a/K +jJkRrekRinrPaIDfvwQjIhhXYWSVQywJ2nTL6+78SvnKRNmIFDGdmOY7CtsyRvkp +P2Qp+JhzT4VM8x2sApBQiN3S3dSr1D8gmdwKGiLp82GhMIdGNjVpxPSVjCFC3Apu +hvRw3LSJ7iUWLrtsR2yZeDBHh1yDraLYo76qYqvgYDKYa+R1GiJd70t5cDSqgwV9 +EXlnA32VsRrAXdRypGNAq934TSWiO4l+M60bt/K/U41uQHas1gWsGdtWcjCLTylf +YT8G+4QnIrOGJzyKZeIrawu/GtxrK2S5xe0ZAOwYQmJYiIH4TfvdrNX4DNEfGpd/ +CrBULWCvAtgqNrNgpFuV8027yAZWPpG2DSE+Q+XTahxjNUxAI7kkXB/Xxc5KfhSF +BaYHQ2TfTWnwD3K1BNWM4yZ/L4up8UIrXyMdk7q0LofwCTKGOgqzwVaez86gpriL +pphXPYIY9cX9qLBs5YuVGk9ApkbC0VRqmXcCL7OEAzso14ItHVlVU73QSS+I+3sK +sqwb0USLuN7qZUVhtJIyAkK/D+DmNYSg4eqhcMRnJAanD2acmwtAy0HE+YVcQN/X +gEwSOdkf7WkwDshvBPA8rl4YWRxwKxstS0wyPG8rzMZWYYB2xf3nd78NtdzVZSnN +pDUJkUKorCaSuanMvjKS9r+sILzUc1bkO/T//qTY/HtRtl8AffcXIjyJkXb5PSjt +dxq7ktkeESAB9vb+c7nWolMVqxUD+1KpHi1kwR4IuAWtJe4G+82pDc6wLEZjeJMO +nd2NNW/CToWv0YfWonGUDZbOFqee7H0Tioqjni4uQbLcDZJHr6i3wwGIncIENo73 +DqfYEpNT3U6uLSC/cNv3lvIRjVziBEB9f0KgOHt38UIsZ4oJAMV/B63Wfn1nd1g4 +NBdNwO48M2KHbxgwXJxxX1jQOj9+IJiVaGIbpzeeJ3yTKDMfkBKH4eQj2/aAA1zK +pqFRyoBhuviMZ1IeBOVyb3QHJSINry/WiiOKoHLvvFM7KXgygedJwg6k8SHCQCfS +D9RignCNT/O8VhJ4hpzAXbEpeAXJn+AHYGIxL6Fu+0dwDKJjruvcLpVVt9GLLdzX +OBgsK0z9m3hLOf8dfY97jMkRTHtokrA28iheLh6l8rFFesJM8lqFreFRRJMTXeHW 
+Xwa82PbUdIWygguAlSj035aGUuNRNDZq4Bh4XTVndCDbUfRBlYF9yMduvSqaKsmm +tLJ8V04vDECQpUcAPTCCbTDFoV8/KVDsxMTgZkdiJG/Vv2y8mzy5FPAJBNk/HCcx +E8qc7KF80l+YGQ/IgGzzz9r9DqaXy21FwaiA6TRFth9hXMdzZLVBNfpzZ+dGMJEQ +PAoWUshcNNwAZVU0+GzdQvdckGUcWgnMZpzXswaUmXbMidQ6VQnDTQdj5qIEnrMW +CrIHVs+hhjcGRbGf6DGHQpQbjD9FWX38PVzPpocu1qmLKVTUoFPqm0EqU01SYLFu +S9ntmlOqYJJIR0LbXJvAL7tVKHiK4gR8NMfN2YKPi4Eg3GKTZ5XaSpNPQJnR0ZqP ++sU07jjQTcVuCD8Cx8c9LGXa6PNAwBufk3jrz/vZy8AQEs13aMu3thHhLQWKrgi5 +jVdoLNIqQZJH7aY0YjoaD6if+4uHtRQOqUcJPUyxWnwXx+Y/o+9DrpH5K9V9fcVR +e7Ej8j2Ha4yzZw7M9Uze0unMRQOhE2lbRsP4C6f/TK3izeSlmhG0D/pHfHx9GKbf +S7TPnD0YhUS9TpXX3BEVSXVjIkkbIiC0djq3OI+3PSn/PJqWjCw8pL7JZp5T8J1u +sqyQCge4XjYmmj9Np511tcviq+jmobf0b+WMmxxV21/Au+v2uI/7eAwUyWYIJYny +kcGUDmEZohsFx6hYbRsH+bSEUqC6MuKiUaaqEb97IoR33D3ZajMBchw+Yg0jh/wJ +S8FKEB0NlS00051UnwdsjBKyuOMWT6xH9VVR8W+7t6i0rMDxb4DjP3T+BqjXCT0d +kiHRXRALxotk+WVRC4qRVr0kmFut9bLjlFu2Hlbnpmm7zmJcE3hbkhWjXqDsysp7 +SKJAs+IvYrTMEtURflKiN/n7y6SbXdCXvw+lRTeTjT9h8DiIMsK5vw2SSjWPaQnu +ikCATObciGyro3aImzhaBBY0r/F4Q1KsvLi+xKo+JoDHSVNjNg9SNjQKhyVRFJq/ +quwTP019B5U3ykWj2/i7HV9IBH+nGEUuvpI5esUoIWTvdCkVdAEeSg0vwkJoohbb +l9HjDYyEJxoLhwaR7Mqh+uDxHBK2Kqh8TkIXjdUbXqTRIX6lajzJ/p7owoE48sHa +iWo9tN+4bOabEjPAkEhLy2cLUfWEPjClo8YZelif8cZigKzdSDbxdmyugfFtZfQX +NYwcMYayGBCETNyByLbBjNO+7XPlNcfqQJlFWsGOrzmJdoxtW7CYYqbN8qzhpNox +MSRK7T+eUDFKNjY53lPfUPUFgcXq+9IKicf6cYE8gsI3/5I9vzLk3Lt7ZLXMgFv7 +-----END RSA PRIVATE KEY----- diff --git a/mysql-test/std_data/galera_certs/galera.root.srl b/mysql-test/std_data/galera_certs/galera.root.srl new file mode 100644 index 00000000000..e6c62e06527 --- /dev/null +++ b/mysql-test/std_data/galera_certs/galera.root.srl @@ -0,0 +1 @@ +6D409518A9205687DA79FBF6FB2253AB3CCB1AB1 diff --git a/mysql-test/suite/galera_3nodes/r/galera_ssl_reload.result b/mysql-test/suite/galera_3nodes/r/galera_ssl_reload.result new file mode 100644 index 00000000000..541822797b7 --- /dev/null +++ b/mysql-test/suite/galera_3nodes/r/galera_ssl_reload.result 
@@ -0,0 +1,15 @@
+connection node_2;
+connection node_1;
+connect node_3, 127.0.0.1, root, , test, $NODE_MYPORT_3;
+connection node_1;
+connection node_2;
+connection node_3;
+connection node_1;
+connection node_2;
+connection node_2;
+# restart: with restart_parameters
+SET GLOBAL wsrep_provider_options = 'socket.ssl_reload=1';
+connection node_3;
+# restart: with restart_parameters
+connection node_2;
+FLUSH SSL;
diff --git a/mysql-test/suite/galera_3nodes/t/galera_ssl_reload.cnf b/mysql-test/suite/galera_3nodes/t/galera_ssl_reload.cnf
new file mode 100644
index 00000000000..65d1599268d
--- /dev/null
+++ b/mysql-test/suite/galera_3nodes/t/galera_ssl_reload.cnf
@@ -0,0 +1,10 @@
+!include ../galera_3nodes.cnf
+
+[mysqld.1]
+wsrep_provider_options='base_port=@mysqld.1.#galera_port;socket.ssl=yes;socket.ssl_ca=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.root.crt;socket.ssl_cert=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.1.crt;socket.ssl_key=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.1.key'
+
+[mysqld.2]
+wsrep_provider_options='base_port=@mysqld.2.#galera_port;socket.ssl=yes;socket.ssl_ca=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.root.crt;socket.ssl_cert=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.1.crt;socket.ssl_key=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.1.key'
+
+[mysqld.3]
+wsrep_provider_options='base_port=@mysqld.3.#galera_port;socket.ssl=yes;socket.ssl_ca=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.root.crt;socket.ssl_cert=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.1.crt;socket.ssl_key=@ENV.MYSQL_TEST_DIR/std_data/galera_certs/galera.1.key'
diff --git a/mysql-test/suite/galera_3nodes/t/galera_ssl_reload.test b/mysql-test/suite/galera_3nodes/t/galera_ssl_reload.test
new file mode 100644
index 00000000000..0c22a58b3e9
--- /dev/null
+++ b/mysql-test/suite/galera_3nodes/t/galera_ssl_reload.test
@@ -0,0 +1,67 @@
+#
+# Test reloading of Galera SSL certificate without shutting down node
+#
+
+--source include/galera_cluster.inc
+--source include/have_innodb.inc
+
+--connect node_3, 127.0.0.1, root, , test, $NODE_MYPORT_3
+
+# Save original auto_increment_offset values.
+--let $node_1=node_1
+--let $node_2=node_2
+--let $node_3=node_3
+--source ../galera/include/auto_increment_offset_save.inc
+
+# Setup galera ports
+--connection node_1
+--source suite/galera/include/galera_base_port.inc
+--let $NODE_GALERAPORT_1 = $_NODE_GALERAPORT
+
+--connection node_2
+--source suite/galera/include/galera_base_port.inc
+--let $NODE_GALERAPORT_2 = $_NODE_GALERAPORT
+
+# Setup temporary file for SSL reloading
+let $ssl_cert = $MYSQLTEST_VARDIR/tmp/ssl_cert.pem;
+let $ssl_key = $MYSQLTEST_VARDIR/tmp/ssl_key.pem;
+let $ssl_ca = $MYSQLTEST_VARDIR/tmp/ssl_ca.pem;
+
+copy_file std_data/galera_certs/galera.root.crt $ssl_ca;
+copy_file std_data/galera_certs/galera.1.crt $ssl_cert;
+copy_file std_data/galera_certs/galera.1.key $ssl_key;
+
+--connection node_2
+--source include/shutdown_mysqld.inc
+--let $restart_noprint=1
+--let $restart_parameters = --wsrep_cluster_address=gcomm://127.0.0.1:$NODE_GALERAPORT_1 --wsrep_provider_options=base_port=$NODE_GALERAPORT_2;socket.ssl=yes;socket.ssl_ca=$MYSQL_TEST_DIR/std_data/galera_certs/galera.root.crt;socket.ssl_cert=$MYSQLTEST_VARDIR/tmp/ssl_cert.pem;socket.ssl_key=$MYSQLTEST_VARDIR/tmp/ssl_key.pem
+--source include/start_mysqld.inc
+--source include/galera_wait_ready.inc
+
+# Set certificate and key and reload by setting directly `wsrep_provider_options`
+remove_file $ssl_cert;
+remove_file $ssl_key;
+copy_file std_data/galera_certs/galera.2.crt $ssl_cert;
+copy_file std_data/galera_certs/galera.2.key $ssl_key;
+SET GLOBAL wsrep_provider_options = 'socket.ssl_reload=1';
+
+--connection node_3
+--source include/shutdown_mysqld.inc
+--let $restart_parameters = --wsrep_cluster_address=gcomm://127.0.0.1:$NODE_GALERAPORT_2
+--source
include/start_mysqld.inc + +# Set certificate and key and reload by executing `FLUSH SSL` +--connection node_2 +remove_file $ssl_cert; +remove_file $ssl_key; +copy_file std_data/galera_certs/galera.1.crt $ssl_cert; +copy_file std_data/galera_certs/galera.1.key $ssl_key; +FLUSH SSL; + +# Cleanup +remove_file $ssl_ca; +remove_file $ssl_cert; +remove_file $ssl_key; + +# Restore original auto_increment_offset values. +--source ../galera/include/auto_increment_offset_restore.inc diff --git a/sql/sql_reload.cc b/sql/sql_reload.cc index 5b4600ece9a..76fb9819fd5 100644 --- a/sql/sql_reload.cc +++ b/sql/sql_reload.cc @@ -416,6 +416,14 @@ bool reload_acl_and_cache(THD *thd, unsigned long long options, { if (reinit_ssl()) result= 1; +#ifdef WITH_WSREP + if (!result && + WSREP_ON && wsrep_reload_ssl()) + { + my_message(ER_UNKNOWN_ERROR, "Failed to refresh WSREP SSL.", MYF(0)); + result= 1; + } +#endif } if (options & REFRESH_GENERIC) { diff --git a/sql/wsrep_mysqld.cc b/sql/wsrep_mysqld.cc index 0338d7ad054..0f0ef95492b 100644 --- a/sql/wsrep_mysqld.cc +++ b/sql/wsrep_mysqld.cc @@ -1249,6 +1249,32 @@ exit: return fail; } +bool wsrep_reload_ssl() +{ + try + { + std::string opts= Wsrep_server_state::instance().provider().options(); + if (opts.find("socket.ssl_reload") == std::string::npos) + { + WSREP_DEBUG("Option `socket.ssl_reload` not found in parameters."); + return false; + } + const std::string reload_ssl_param("socket.ssl_reload=1"); + enum wsrep::provider::status ret= Wsrep_server_state::instance().provider().options(reload_ssl_param); + if (ret) + { + WSREP_ERROR("Set options returned %d", ret); + return true; + } + return false; + } + catch (...) + { + WSREP_ERROR("Failed to get provider options"); + return true; + } +} + /*! * @param db Database string * @param table Table string diff --git a/sql/wsrep_mysqld.h b/sql/wsrep_mysqld.h index 0b245ea11cb..db6910030c8 100644 --- a/sql/wsrep_mysqld.h +++ b/sql/wsrep_mysqld.h 
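Review bot: Neither reload step in galera_ssl_reload.test is followed by a check that the new certificate is actually in use, so the test still passes if `socket.ssl_reload=1` or `FLUSH SSL` turns out to be a no-op. Every certificate is signed by the same root and galera_ssl_reload.cnf gives all three nodes `galera.1.crt`, so node_3 rejoining through node_2 succeeds with either the old or the new node_2 certificate, and nothing connects at all after `FLUSH SSL`. The copied `$ssl_ca` file is also never referenced, because `$restart_parameters` points `socket.ssl_ca` at the std_data root, so CA reloading is not exercised. Add a cluster-membership assertion after a node rejoins following each reload, and ideally a case where the swapped-in files chain to a different CA so that a stale context is rejected.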
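Review bot: When `wsrep_reload_ssl()` fails in this block, `reinit_ssl()` has already succeeded, so `FLUSH SSL` returns an error while the client-facing TLS context uses the new files and replication still uses the old ones; conversely, a `reinit_ssl()` failure skips the provider reload entirely because of the `!result &&` guard. The statement is therefore not all-or-nothing, and the `ER_UNKNOWN_ERROR` text does not tell the operator which side is stale. I would add a comment above the `#ifdef WITH_WSREP` block stating this ordering, and make the message explicit, e.g. `"Failed to refresh WSREP SSL; server SSL was reloaded."`. The enclosing `reload_acl_and_cache()` starts and ends outside the hunk.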
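Review bot: `wsrep_reload_ssl()` returns false, which its caller in sql_reload.cc treats as success, when the provider options do not contain `socket.ssl_reload`, and it reports that only through `WSREP_DEBUG`. On such a provider `FLUSH SSL` therefore succeeds while the replication channel keeps its old certificate and key, which matters to an operator rotating an expiring or compromised certificate; log it with `WSREP_WARN(...)`, at least when `socket.ssl` is enabled. The `catch (...)` also covers the call that sets the option, so `"Failed to get provider options"` is misleading on that path; `WSREP_ERROR("Failed to reload provider SSL options");` would fit both. The function has no header comment; add one stating that it returns true on failure and false both on success and when the provider lacks the option.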
@@ -214,6 +214,7 @@ extern void wsrep_last_committed_id (wsrep_gtid_t* gtid); extern int wsrep_check_opts(); extern void wsrep_prepend_PATH (const char* path); extern bool wsrep_append_fk_parent_table(THD* thd, TABLE_LIST* table, wsrep::key_array* keys); +extern bool wsrep_reload_ssl(); /* Other global variables */ extern wsrep_seqno_t wsrep_locked_seqno; |