disable ssl for mysql client apps

Server Fault Asked on December 25, 2021

I have set up SSL for MySQL replication. The problem is that it causes problems for the other local apps which use MySQL.

Like postfix:

Jul 25 23:00:22 srv1 postfix/proxymap[3141]: warning: connect to mysql server 127.0.0.1: SSL connection error: unable to verify peer checksum
Jul 25 23:00:22 srv1 postfix/trivial-rewrite[3353]: warning: virtual_mailbox_domains: proxy:mysql:/etc/postfix/mysql-virtual_domains.cf: table lookup problem
Jul 25 23:00:22 srv1 postfix/trivial-rewrite[3353]: warning: virtual_mailbox_domains lookup failure

or amavis:

Jul 25 23:08:12 srv1 amavis[5625]: (05625-01) (!)connect_to_sql: unable to connect to DSN 'DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306': SSL connection error: unable to verify peer checksum

and also pureftp:

Jul 25 23:02:42 srv1 pure-ftpd: (?@2a02:810c:XXXXXXXX) [ERROR] The SQL server seems to be down [SSL connection error: unable to verify peer checksum]

Because I don't need local encryption, I want to disable it, but I don't know how.
I have only set a cnf entry for the clients with:

[client]
#ssl-ca=/etc/letsencrypt/live/mydomain/chain.pem
#ssl-mode=DISABLED
ssl=0

But without luck. For postfix I found in the docs this note:

Postfix 3.1 and earlier don’t read [client] option group settings
unless a non-empty option_file or option_group value are specified. To
enable this, specify, for example “option_group = client”.

So I added the option_group syntax to all /etc/postfix/mysql-*.cf files. But after the restart it is the same problem.

When I disable ssl on the server, the problems are gone. But I want to have ssl for security of the replication.

Any ideas?

One Answer

Here are a few ideas.

  1. Use postconf to see if there are any mistypes or incompatibilities in configuration files of Postfix. This utility complains when there are unused parameters.
  2. Do not enforce the use of SSL on the server side. Instead, configure the replication client to refuse insecure connections.
  3. Use the feature of MySQL server 5.7 that allows changing SSL/TLS requirements per user via CREATE USER ... REQUIRE ... and ALTER USER ... REQUIRE ... and remove mandatory SSL for local clients.
  4. Since postfix uses libmysqlclient, it should be possible to override the location where postfix looks for my.cnf and use the [mysql] section instead. It should be feasible to do this via the MYSQL_HOME environment variable, but I doubt it is a good idea even to try :)

Answered by RLazar on December 25, 2021
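
Ideas 2 and 3 from the answer above, sketched as SQL for MySQL 5.7. This is an added example, not part of the original answer; the account names 'repl'@'%' and 'postfix'@'127.0.0.1' and the CA path are assumed placeholders.

```sql
-- Added example; account names and the CA path are assumptions, not from the post.

-- 1. Audit: which accounts currently carry a TLS requirement?
--    ssl_type is '' (none), 'ANY' (REQUIRE SSL), 'X509' or 'SPECIFIED'.
SELECT user, host, ssl_type
FROM mysql.user
ORDER BY user, host;

-- 2. Is TLS being forced for every account server-wide? (MySQL 5.7.8+)
SHOW VARIABLES LIKE 'require_secure_transport';

-- 3. Require TLS only for the replication account (assumed name 'repl'@'%').
--    The server then rejects any unencrypted login for this account.
ALTER USER 'repl'@'%' REQUIRE SSL;

-- 4. Drop the requirement for a local service account (assumed name).
--    This only lifts the server-side requirement; whether the client
--    library attempts TLS is still decided by the client's own options.
ALTER USER 'postfix'@'127.0.0.1' REQUIRE NONE;

-- 5. Replica side of idea 2: connect with TLS and verify the source's
--    certificate against a CA the replica trusts.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/path/to/ca.pem',   -- placeholder path
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- 6. Verify from any session: a non-empty Value means it is encrypted.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Re-running the query from step 1 afterwards should show ssl_type 'ANY' only on the replication account.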
