-rw-r--r--scripts/wsrep_sst_common.sh61
-rw-r--r--scripts/wsrep_sst_mariabackup.sh48
2 files changed, 70 insertions, 39 deletions
diff --git a/scripts/wsrep_sst_common.sh b/scripts/wsrep_sst_common.sh
index 4ea5db0609b..2fc8c9019e6 100644
--- a/scripts/wsrep_sst_common.sh
+++ b/scripts/wsrep_sst_common.sh
@@ -1187,28 +1187,27 @@ check_port()
check_for_dhparams()
{
ssl_dhparams="$DATA/dhparams.pem"
- if [ ! -r "$ssl_dhparams" ]; then
- get_openssl
- if [ -n "$OPENSSL_BINARY" ]; then
- wsrep_log_info \
- "Could not find dhparams file, creating $ssl_dhparams"
- local bug=0
- local errmsg
- errmsg=$("$OPENSSL_BINARY" \
- dhparam -out "$ssl_dhparams" 2048 2>&1) || bug=1
- if [ $bug -ne 0 ]; then
- wsrep_log_info "run: \"$OPENSSL_BINARY\" dhparam -out \"$ssl_dhparams\" 2048"
- wsrep_log_info "output: $errmsg"
- wsrep_log_error "******** ERROR *****************************************"
- wsrep_log_error "* Could not create the dhparams.pem file with OpenSSL. *"
- wsrep_log_error "********************************************************"
- ssl_dhparams=""
- fi
- else
- # Rollback: if openssl is not installed, then use
- # the default parameters:
+ get_openssl
+ if [ -n "$OPENSSL_BINARY" ]; then
+ wsrep_log_info \
+ "Could not find dhparams file, creating $ssl_dhparams"
+ local bug=0
+ local errmsg
+ errmsg=$("$OPENSSL_BINARY" \
+ dhparam -out "$ssl_dhparams" -dsaparam 2048 2>&1) || bug=1
+ if [ $bug -ne 0 ]; then
+ wsrep_log_info "run: \"$OPENSSL_BINARY\" dhparam"\
+ "-out \"$ssl_dhparams\" -dsaparam 2048"
+ wsrep_log_info "output: $errmsg"
+ wsrep_log_error "******** ERROR *****************************************"
+ wsrep_log_error "* Could not create the dhparams.pem file with OpenSSL. *"
+ wsrep_log_error "********************************************************"
ssl_dhparams=""
fi
+ else
+ # Rollback: if openssl is not installed, then use
+ # the default parameters:
+ ssl_dhparams=""
fi
}
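Review bot: The `if [ ! -r "$ssl_dhparams" ]` guard was removed, so check_for_dhparams now regenerates `$DATA/dhparams.pem` on every call; unless each caller tests for an existing file first (not visible in this hunk), an operator-provided parameter file would be silently overwritten on each SST. The new `-dsaparam` flag also deserves a why-comment, because openssl-dhparam(1) documents that DSA-style parameters are much faster to generate but must only be used with a fresh DH key for each exchange. Suggest adding above the `errmsg=$(...)` line: `# -dsaparam: DSA-style parameters generate far faster than safe primes, but openssl-dhparam(1) requires a fresh DH key per use with them - confirm socat never reuses a key across connections`.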
@@ -1310,29 +1309,39 @@ verify_cert_matches_key()
#
check_for_version()
{
- y1="${1#*.}"
+ local y1="${1#*.}"
[ "$y1" = "$1" ] && y1=""
- z1=${y1#*.}
+ local z1="${y1#*.}"
[ "$z1" = "$y1" ] && z1=""
- x1="${1%%.*}"
+ local w1="${z1#*.}"
+ [ "$w1" = "$z1" ] && w1=""
+ local x1="${1%%.*}"
y1="${y1%%.*}"
z1="${z1%%.*}"
+ w1="${w1%%.*}"
[ -z "$y1" ] && y1=0
[ -z "$z1" ] && z1=0
- y2="${2#*.}"
+ [ -z "$w1" ] && w1=0
+ local y2="${2#*.}"
[ "$y2" = "$2" ] && y2=""
- z2="${y2#*.}"
+ local z2="${y2#*.}"
[ "$z2" = "$y2" ] && z2=""
- x2="${2%%.*}"
+ local w2="${z2#*.}"
+ [ "$w2" = "$z2" ] && w2=""
+ local x2="${2%%.*}"
y2="${y2%%.*}"
z2="${z2%%.*}"
+ w2="${w2%%.*}"
[ -z "$y2" ] && y2=0
[ -z "$z2" ] && z2=0
+ [ -z "$w2" ] && w2=0
[ $x1 -lt $x2 ] && return 1
[ $x1 -gt $x2 ] && return 0
[ $y1 -lt $y2 ] && return 1
[ $y1 -gt $y2 ] && return 0
[ $z1 -lt $z2 ] && return 1
+ [ $z1 -gt $z2 ] && return 0
+ [ $w1 -lt $w2 ] && return 1
return 0
}
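Review bot: The comparison chain starting at `[ $x1 -lt $x2 ] && return 1` has no empty-value fallback for the major components: `x1` and `x2` never get a `[ -z ... ] && x=0` line like `y`, `z` and the new `w` do, so an empty or dotless-but-empty argument makes `[` fail with "unary operator expected" instead of returning a status. Suggest adding `[ -z "$x1" ] && x1=0` and `[ -z "$x2" ] && x2=0` next to the existing defaults and quoting the operands, e.g. `[ "$x1" -lt "$x2" ] && return 1`, which matches how the rest of the function quotes its expansions. The comment block describing the return convention ends just above the hunk, so the 0 = "greater or equal", 1 = "less" contract should also mention the new fourth component.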
diff --git a/scripts/wsrep_sst_mariabackup.sh b/scripts/wsrep_sst_mariabackup.sh
index 8e025f94a3e..5521dd51098 100644
--- a/scripts/wsrep_sst_mariabackup.sh
+++ b/scripts/wsrep_sst_mariabackup.sh
@@ -218,6 +218,21 @@ get_keys()
stagemsg="$stagemsg-XB-Encrypted"
}
+get_socat_ver()
+{
+ [ -n "${SOCAT_VERSION+x}" ] && return
+ # Determine the socat version
+ SOCAT_VERSION=$(socat -V 2>&1 | \
+ grep -m1 -owE '[0-9]+(\.[0-9]+)+' | \
+ head -n1 || :)
+ if [ -z "$SOCAT_VERSION" ]; then
+ wsrep_log_error "******** FATAL ERROR ******************"
+ wsrep_log_error "* Cannot determine the socat version. *"
+ wsrep_log_error "***************************************"
+ exit 2
+ fi
+}
+
get_transfer()
{
if [ "$tfmt" = 'nc' ]; then
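Review bot: get_socat_ver has no header comment, and its guard `[ -n "${SOCAT_VERSION+x}" ] && return` treats any pre-set SOCAT_VERSION, including one inherited from the environment of whoever launched the SST, as authoritative for the 1.7.3.x workaround and dhparam decisions in get_transfer. Suggest a header such as `# Determine the socat version once and cache it in SOCAT_VERSION; exits with status 2 if no version can be parsed from 'socat -V'.` and, if the variable can be inherited, clearing it at script start or using a script-private name so only the probe below can set it.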
@@ -283,7 +298,7 @@ get_transfer()
# If sockopt contains 'pf=ip6' somewhere in the middle,
# this will not interfere with socat, but exclude the trivial
# cases when sockopt contains 'pf=ip6' as prefix or suffix:
- if [ "$sockopt" = "${sockopt#,pf=ip6}" -a \
+ if [ "$sockopt" = "${sockopt#,pf=ip6,}" -a \
"$sockopt" = "${sockopt%,pf=ip6}" ]
then
sockopt=",pf=ip6$sockopt"
@@ -310,22 +325,25 @@ get_transfer()
if [ "$WSREP_SST_OPT_ROLE" = 'joiner' ]; then
tcmd="socat -u openssl-listen:$SST_PORT,reuseaddr"
else
- tcmd="socat -u stdio openssl-connect:$REMOTEIP:$SST_PORT"
+ local addr="$REMOTEIP:$SST_PORT"
+ tcmd="socat -u stdio openssl-connect:$addr"
action='Encrypting'
+ get_socat_ver
+ if ! check_for_version "$SOCAT_VERSION" '1.7.4.1'; then
+ if check_for_version "$SOCAT_VERSION" '1.7.3.3'; then
+ # Workaround for a bug known as 'Red Hat issue 1870279'
+ # (connection reset by peer) in socat versions 1.7.3.3
+ # to 1.7.4.0:
+ tcmd="socat stdio openssl-connect:$addr,linger=10"
+ wsrep_log_info \
+ "Use workaround for socat $SOCAT_VERSION bug"
+ fi
+ fi
fi
- if [ "${sockopt#*,dhparam=}" != "$sockopt" ]; then
+ if [ "${sockopt#*,dhparam=}" = "$sockopt" ]; then
if [ -z "$ssl_dhparams" ]; then
- # Determine the socat version
- SOCAT_VERSION=$(socat -V 2>&1 | \
- grep -m1 -owE '[0-9]+(\.[0-9]+)+' | \
- head -n1 || :)
- if [ -z "$SOCAT_VERSION" ]; then
- wsrep_log_error "******** FATAL ERROR ******************"
- wsrep_log_error "* Cannot determine the socat version. *"
- wsrep_log_error "***************************************"
- exit 2
- fi
+ get_socat_ver
if ! check_for_version "$SOCAT_VERSION" '1.7.3'; then
# socat versions < 1.7.3 will have 512-bit dhparams (too small)
# so create 2048-bit dhparams and send that as a parameter:
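Review bot: The workaround command `tcmd="socat stdio openssl-connect:$addr,linger=10"` omits the `-u` flag that the default `tcmd="socat -u stdio openssl-connect:$addr"` a few lines above keeps, so only the 1.7.3.3 to 1.7.4.0 path runs socat bidirectionally. If the linger workaround needs that, record it in the adjacent comment (`# -u is intentionally omitted: ...`); otherwise restore `-u` so both branches behave the same. The enclosing function get_transfer begins and ends outside this hunk.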
@@ -556,6 +574,10 @@ read_cnf()
"CERT='$tpem', KEY='$tkey', MODE='$tmode'," \
"encrypt='$encrypt'"
+ if [ $encrypt -ge 2 ]; then
+ ssl_dhparams=$(parse_cnf "$encgroups" 'ssl-dhparams')
+ fi
+
sockopt=$(parse_cnf sst sockopt "")
progress=$(parse_cnf sst progress "")
ttime=$(parse_cnf sst time 0)
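Review bot: The new `ssl_dhparams=$(parse_cnf "$encgroups" 'ssl-dhparams')` accepts a path from the configuration without checking that the file exists and is readable; the only visible downstream test is `[ -z "$ssl_dhparams" ]` in get_transfer, so a typo in the cnf value would surface later as a socat failure instead of a clear message. Suggest following the assignment with `if [ -n "$ssl_dhparams" ] && [ ! -r "$ssl_dhparams" ]; then wsrep_log_error "ssl-dhparams file '$ssl_dhparams' is not readable"; exit 2; fi`, or a fallback to generation if that is preferred. The test `[ $encrypt -ge 2 ]` should quote `"$encrypt"` like the surrounding code; read_cnf starts and ends outside this hunk.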