Enforcing mTLS with ProxySQL

Description:

Attempting to enforce mTLS using ProxySQL.

In values, I have tls enabled:

    tls:
      enabled: true

I’ve set ssl_verify_client and ssl_required on the interfaces, as well as have_ssl:

    interfaces="0.0.0.0:3306:ssl_cert=/etc/proxysql/ssl/tls.crt:ssl_key=/etc/proxysql/ssl/tls.key:ssl_ca=/etc/proxysql/ssl/ca.crt:ssl_required=1:ssl_verify_client=1;0.0.0.0:33062:ssl_cert=/etc/proxysql/ssl/tls.crt:ssl_key=/etc/proxysql/ssl/tls.key:ssl_ca=/etc/proxysql/ssl/ca.crt:ssl_required=1:ssl_verify_client=1"
    have_ssl=true

I was able to confirm the configuration got applied by querying the admin interface:

    mysql> SELECT * FROM runtime_global_variables WHERE variable_name='mysql-interfaces';
    +------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | variable_name    | variable_value                                                                                                                                                                                                                                                                                             |
    +------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | mysql-interfaces | 0.0.0.0:3306:ssl_cert=/etc/proxysql/ssl/tls.crt:ssl_key=/etc/proxysql/ssl/tls.key:ssl_ca=/etc/proxysql/ssl/ca.crt:ssl_required=1:ssl_verify_client=1;0.0.0.0:33062:ssl_cert=/etc/proxysql/ssl/tls.crt:ssl_key=/etc/proxysql/ssl/tls.key:ssl_ca=/etc/proxysql/ssl/ca.crt:ssl_required=1:ssl_verify_client=1 |
    +------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    1 row in set (0.00 sec)

However, I can still connect using invalid certs or with no certs at all.

Steps to Reproduce:

Pretty much as above, apply the same values and attempt to connect without certs or with invalid certs.

Version:

ProxySQL version 2.7.3-percona-1.1, codename Truls

Logs:

N/A

Expected Result:

Unable to connect when not using certs or using invalid certs.

Actual Result:

Able to connect when not using certs or using invalid certs.

Additional Information:

I’ve found the below:

with the important note:

Important Note: ProxySQL doesn’t support mTLS support for SSL connections, it’s just in case a client connection supplies a certificate which holds a SAN URI identifier starting with ‘spiffe‘, like in the previously given example, that ProxySQL will perform the verification of the client certificate against proxysql-cert.pem.

I think I can safely assume the operator doesn’t support it either, however maybe I’m wrong. If I’m not, I’d like to find out whether it is possible at all to enforce mTLS within the operator. Perhaps using HAProxy instead of ProxySQL? I would like to know what the options are, if any.

In addition to the above, it seems that the operator doesn’t allow setting use_ssl on users created by the operator (i.e. root, proxyadmin etc.). The moment it’s set, it gets reverted almost immediately, which isn’t the case when it’s set for users created outside the operator. This is unfortunate, as at the very least it would enforce standard TLS for operator-created users connecting to ProxySQL, which is an option ProxySQL supports.

I’ll raise this issue in GitHub.
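As an added example that is not part of the original post or of ProxySQL or the operator, the script below audits the two settings the report discusses: it parses a `mysql-interfaces` value (in the format shown in the `runtime_global_variables` output above) and flags listeners that lack `ssl_required=1`, `ssl_verify_client=1` or the certificate options, and it flags `mysql_users` rows with `use_ssl=0`. The sample interfaces string and the user rows are constructed, with a third plaintext listener added to show a failing case. Passing this audit is only a configuration check: as the quoted ProxySQL note says, client certificates are not verified for ordinary connections even when these flags are set, so the live test the report describes (connecting without a certificate and seeing whether it is refused) remains the authoritative check.

```python
"""Audit ProxySQL listener TLS flags and per-user use_ssl settings (offline, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample: the two listeners from the report plus a plain listener (port 6033)
# that has no TLS options at all, to show what a finding looks like.
SAMPLE_INTERFACES = (
    "0.0.0.0:3306:ssl_cert=/etc/proxysql/ssl/tls.crt:ssl_key=/etc/proxysql/ssl/tls.key"
    ":ssl_ca=/etc/proxysql/ssl/ca.crt:ssl_required=1:ssl_verify_client=1;"
    "0.0.0.0:33062:ssl_cert=/etc/proxysql/ssl/tls.crt:ssl_key=/etc/proxysql/ssl/tls.key"
    ":ssl_ca=/etc/proxysql/ssl/ca.crt:ssl_required=1:ssl_verify_client=1;"
    "0.0.0.0:6033"
)

# Constructed sample rows, as `SELECT username, use_ssl FROM mysql_users` would return them.
SAMPLE_USERS: List[Tuple[str, int]] = [("root", 0), ("proxyadmin", 0), ("app_reader", 1)]

# Options a TLS listener needs before ssl_required / ssl_verify_client mean anything.
REQUIRED_TLS_OPTIONS = ("ssl_cert", "ssl_key", "ssl_ca")


@dataclass
class Listener:
    host: str
    port: Optional[int]                      # None for a Unix socket entry
    options: Dict[str, str] = field(default_factory=dict)


def parse_interfaces(value: str) -> List[Listener]:
    """Split a mysql-interfaces value into listeners.

    Entries are ';'-separated; each is host:port followed by ':'-separated key=value
    options. A bare path (starting with '/') is a Unix socket. IPv6 literals are not
    handled here (they would need bracket parsing), which is an assumption of this example.
    """
    listeners: List[Listener] = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        if entry.startswith("/"):
            listeners.append(Listener(entry, None))
            continue
        parts = entry.split(":")
        host, port = parts[0], int(parts[1])
        options: Dict[str, str] = {}
        for kv in parts[2:]:
            key, _, val = kv.partition("=")
            options[key] = val
        listeners.append(Listener(host, port, options))
    return listeners


def audit_listener(listener: Listener) -> List[str]:
    """Return configuration findings for one listener; an empty list means all TLS flags are set."""
    findings: List[str] = []
    if listener.port is None:
        return ["unix socket listener: TLS options do not apply"]
    missing = [k for k in REQUIRED_TLS_OPTIONS if k not in listener.options]
    if missing:
        findings.append("missing " + ", ".join(missing))
    if listener.options.get("ssl_required") != "1":
        findings.append("ssl_required not set: plaintext clients accepted")
    if listener.options.get("ssl_verify_client") != "1":
        findings.append("ssl_verify_client not set")
    return findings


def users_without_ssl(rows: Sequence[Tuple[str, int]]) -> List[str]:
    """Usernames whose use_ssl is not 1, i.e. accounts that may connect to ProxySQL in plaintext."""
    return [username for username, use_ssl in rows if int(use_ssl) != 1]


def report(interfaces: str, user_rows: Sequence[Tuple[str, int]]) -> List[str]:
    """Human-readable audit lines for the listeners and users given."""
    lines: List[str] = []
    for lst in parse_interfaces(interfaces):
        where = lst.host if lst.port is None else f"{lst.host}:{lst.port}"
        problems = audit_listener(lst)
        lines.append(f"{where}: " + ("; ".join(problems) if problems else "TLS flags present"))
    for user in users_without_ssl(user_rows):
        lines.append(f"user {user}: use_ssl=0, TLS not required for this account")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INTERFACES, SAMPLE_USERS):
        print(line)
```

To run this against a live instance, replace the constructed samples with the `variable_value` from `runtime_global_variables` and the rows from `SELECT username, use_ssl FROM mysql_users` on the admin port; the audit logic itself needs no database driver.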