- Bug
- Resolution: Done
- Major
- None
- Quay Enterprise
Quay connects to mysql using TCP/IP and then appears to switch to SSL/TLS when available.
Quay database config:

DB_CONNECTION_ARGS:
  ssl:
    ca: conf/stack/database.pem
DB_URI: mysql+pymysql://dbquay:REDACTED@quay.example.com/quay
mysql general log:

2020-06-24T22:51:37.439449Z 104 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-24T22:51:45.429138Z 105 Connect dbquay@34.72.153.xx on quay using SSL/TLS
Set mysql to require SSL/TLS with the configuration flag 'require_secure_transport=ON' in the my.cnf file.
The mysql logs then show quay attempting to connect only via TCP/IP (which will always fail):

2020-06-25T18:06:42.414958Z 116 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:06:50.615549Z 117 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:06:58.599843Z 118 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:07:07.023908Z 119 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:07:16.953001Z 120 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:07:28.469559Z 121 Connect dbquay@34.72.153.xx on quay using TCP/IP
Quay error:

sqlalchemy.exc.InternalError: (pymysql.err.InternalError) (3159, u'Connections using insecure transport are prohibited while --require_secure_transport=ON.') (Background on this error at: http://sqlalche.me/e/2j85)
This is a major issue because many clients cannot use quay in production unless the mysql connection is always TLS/SSL.
Attempting to force TLS by passing various flags in the DB_CONNECTION_ARGS portion of config.yaml (i.e. ssl=true, ssl-mode=required, etc.) did not fix the issue.
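The mysql general log is the evidence in this report, so a defender verifying that a client really is on TLS (or auditing for plaintext connections after enabling require_secure_transport) needs to read the "Connect ... using TCP/IP" versus "using SSL/TLS" entries reliably. The following script is an added example, not Quay or MySQL code: it parses general-log Connect lines in the shape quoted above, flags every connection that was not over SSL/TLS, and summarises transports per account. The sample log text is constructed here (same format as the report, with the partially masked IP kept as-is); the function names and the regex are this example's own.

```python
import re
from collections import Counter

# Constructed sample of MySQL general-log entries in the shape quoted in the
# report: a Connect over plain TCP/IP followed by one over SSL/TLS, then two
# more plaintext attempts after require_secure_transport=ON, plus an unrelated
# Query entry that the parser must skip.
SAMPLE_LOG = """\
2020-06-24T22:51:37.439449Z 104 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-24T22:51:45.429138Z 105 Connect dbquay@34.72.153.xx on quay using SSL/TLS
2020-06-25T18:06:42.414958Z 116 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:06:50.615549Z 117 Connect dbquay@34.72.153.xx on quay using TCP/IP
2020-06-25T18:07:00.000000Z 118 Query select 1
"""

# One general-log Connect line: timestamp, connection id, user@host,
# the schema named after "on" (may be empty), and the transport after "using".
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<conn_id>\d+)\s+Connect\s+"
    r"(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\s+(?P<db>\S*)\s+using\s+(?P<transport>\S+)$"
)


def parse_connects(log_text):
    """Yield one dict per Connect entry; Query/Quit and other entries are skipped."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def insecure_connections(log_text, required_users=None):
    """Return the Connect entries that did not use SSL/TLS.

    required_users: optional set of accounts that must always use TLS; when
    given, connections by other accounts are ignored.
    """
    flagged = []
    for entry in parse_connects(log_text):
        if required_users and entry["user"] not in required_users:
            continue
        if entry["transport"] != "SSL/TLS":
            flagged.append(entry)
    return flagged


def transport_summary(log_text):
    """Count Connect entries per (user, transport) pair, e.g. to spot a client
    that alternates between TCP/IP and SSL/TLS as described in the report."""
    return Counter((e["user"], e["transport"]) for e in parse_connects(log_text))


if __name__ == "__main__":
    for e in insecure_connections(SAMPLE_LOG, required_users={"dbquay"}):
        print(f"{e['ts']} conn {e['conn_id']}: {e['user']}@{e['host']} "
              f"used {e['transport']} (not TLS)")
    for (user, transport), n in sorted(transport_summary(SAMPLE_LOG).items()):
        print(f"{user:>10} {transport:<8} {n}")
```

Run it against a real general log (or feed `insecure_connections` the output of `tail -f`) once `require_secure_transport=ON` is in place: with that flag the server rejects the plaintext attempts, so any account that still only ever appears with `using TCP/IP` is a client, like Quay here, whose TLS settings are not taking effect.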