There seem to be various TLS settings inside MariaDB configuration right now, but it's depending on the wildcard cert (should have a new keypair instead) and no ciphers have been configured yet.
OpenSSL has a preference over yaSSL, although it looks like we're already using the MariaDB version with OpenSSL support compiled, so that's great. The goal of this task is not to require TLS connections yet, just to make it working properly so we can concentrate on the clients afterwards.
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Invalid | None | T4016 Encrypt all traffic inside Miraheze Cluster | ||
| Resolved | John | T4017 Reconfigure TLS settings inside MariaDB | ||
| Declined | Southparkfan | T4018 Evaluate usage of ProxySQL on MediaWiki servers | ||
| Resolved | John | T4020 Encrypt traffic between Matomo and MariaDB | ||
| Resolved | Paladox | T7967 Icingaweb2 is down |
We're definitely using OpenSSL for MariaDB 10.2.24, great. First step would be creating a Miraheze CA with easy-rsa.
Ideally we only use TLS 1.3 or later, but the tls_version variable is only available in the 10.4, which is the development version: see also here. Oh well, at least SSLv3 is disabled..
Ciphers? https://cipherli.st recommends EECDH+AESGCM:EDH+AESGCM, though a performance comparison is crucial.
Localhost MariaDB (10.4.x) connection (on db6) uses the TLS_AES_256_GCM_SHA384 cipher in conjunction with TLS 1.3, MediaWiki uses the ECDHE-RSA-AES128-GCM-SHA256 cipher in conjunction with TLS 1.2. Per https://wiki.mozilla.org/Security/Server_Side_TLS, the configuration on db6 is modern, MediaWiki's settings are considered legacy.
It is noteworthy that AES-NI is lacking on the KVM guests (cloud[12]), which means openssl's speeds on guests are nowhere near as good as on the host: see https://github.com/mdaxini/howto-openssl/wiki/OpenSSL-Cipher-Speed. Can be fixed by directly using the host's CPU, not sure what the disadvantages of that can be. Fwiw, dbt1 (OVH public cloud) does have AES-NI support enabled.
So, for TLS 1.3 we are looking at the following ciphers (credits MozillaWiki):
0x13,0x01 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD 0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD 0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
On systems without AES-NI, ChaCha20 would be preferred, while the contrary seems to be true for modern systems - with AES-NI. Only modern systems connect to MariaDB, so AES ciphers should be considered (but only 100% sure if we can enable AES-NI on KVM guests!).
Comparison between -128 and -256 on cloud1 - KVM host (median of three runs, picking 8192 bytes value):
| Type | Bytes/s | %diff - aes-128-gcm | %diff - aes-256-gcm | %diff - chacha20-poly1305 | %diff KVM guest |
| aes-128-gcm | 4582670.34k | X | +35.2% | +179.0% | +2537% |
| aes-256-gcm | 3388317.70k | -26.1% | X | +106.3% | +2265% |
| chacha20-poly1305 | 1642616.15k | -64.2% | -51.5% | X | +275% |
Comparison between -128 and -256 on db6 - KVM guest, no AES-NI (median of three runs, picking 8192 bytes value):
| Type | Bytes/s | %diff - aes-128-gcm | %diff - aes-256-gcm | %diff - chacha20-poly1305 | %diff KVM host |
| aes-128-gcm | 173801.47k | X | +21.3% | -60.3% | -96.2% |
| aes-256-gcm | 143283.54k | -17.6% | X | -67.3% | -95.8% |
| chacha20-poly1305 | 438061.74k | +152.1% | +205.7% | X | -73.3% |
Conclusions:
Eventually, the following tasks are left:
Ideally, one would not be using our wildcard certificates for MariaDB, but I don't think maintaining our own certificate authority is a good idea either. Perhaps go with Let's Encrypt TLS certificates issued for db([67]|t1).miraheze.org?
db13
| User | Source of connections | Current TLS specs | Supports TLS 1.3 w/ AES-{128,256}-GCM? |
|---|---|---|---|
| grafana@% | Grafana app (monX) | ? | ? |
| icinga@% | Icinga monitoring agents/scripts (monX) | ? | ? |
| icinga2@% | Icinga master config (monX) | ? | ? |
| icingaweb2@% | Icinga web interface? (monX) | Does not use TLS: puppet says yes, but the config is incorrect (and tcpdump verifies plaintext data) | ? |
| mediawiki@% | MediaWiki app (mwX/testX) | (hack in DatabaseMysqli.php on test2): TLS 1.2 ECDHE-RSA-AES128-GCM-SHA256 | No, TLS 1.3 is PHP 7.4+? |
| phabricator@% | Phabricator app (phabX) | ? | No, TLS 1.3 is PHP 7.4+? |
| piwik@% | Matomo app (monX) | ? | No, TLS 1.3 is PHP 7.4+? |
| replica@% | Database replication (dbbackupX) | ? | MariaDB master: (openssl s_client -starttls mysql) TLS_AES_128_GCM_SHA256 supported, TLS_AES_256_GCM_SHA384 supported. Replica connections unknwon. |
| root@localhost | Root access (mysql client on server) | No TLS (but that's expected) | Is supported (via local mysql client) |
| wikiadmin@% | MediaWiki maintenance & jobrunner (jobrunnerX) | sql.php (jobrunner1): TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 | No, TLS 1.3 is PHP 7.4+? |
| roundcubemail@{2001:41d0:800:1056::9,51.89.160.134} | Roundcube webmail (mailX) | No TLS, has TLS support | No, TLS 1.3 is PHP 7.4+? |
TLS setup is mostly well-defined for MariaDB. The length this task has been opened has meant it has lost its original purpose and the constant recycling of it has meant the purpose and end target is undefined.
Therefore I will redefine the task as follows:
TLS is fully configured on db*.
Clients aren't required to use TLS. This should change.
TLS is now configured so only 1.2 and 1.3 can be used, and root has SSL encryption:
MariaDB [(none)]> SHOW SESSION STATUS LIKE 'Ssl_cipher'; +---------------+------------------------+ | Variable_name | Value | +---------------+------------------------+ | Ssl_cipher | TLS_AES_256_GCM_SHA384 | +---------------+------------------------+ 1 row in set (0.000 sec)
Therefore now the task is only blocked on requiring all user accounts have TLS when connecting. List of accounts are:
Phabricator can not be done as it does not support MySQL SSL connections at all in the code.