Using GeoServer 2.18.2, I have a problem connecting to a MariaDB 10.5.8 database. Both applications are running on the same Ubuntu 20.04 server. MariaDB has been compiled with openssl 1.1.1f. GeoServer uses JDBC to connect to databases.

The symptom is that GeoServer fails to connect to the database with the (cryptic) error message:

Unable to obtain connection: Cannot create PoolableConnectionFactory (Communications link failure The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.)

This error is often associated with a network failure or incorrect address/port. But in this case it seems to be an SSL problem, even though the DB account does not require SSL. Running the application tcpdump with the command

tcpdump -A port 3306 -w /path/outfile.pcap

logs the traffic between GeoServer and MariaDB. Passing the output file into the Wireshark application gives the following output:

No. Time Source Destination Protocol Length Info
8 0.00231 127.0.0.1 127.0.0.1 TLSv1.1 216 Client Hello
9 0.002316 127.0.0.1 127.0.0.1 TCP 66 3306 → 36160 [ACK] Seq=118 Ack=187 Win=65408 Len=0 TSval=3835998011 TSecr=3835998011
10 0.002372 127.0.0.1 127.0.0.1 TLSv1.1 73 Alert (Level: Fatal, Description: Protocol Version)

Note that at item 8, the client attempts Hello using TLS 1.1, and at line 10 a fatal error is produced because of the "Protocol version".

If SSL is temporarily disabled on the database, then the connection is made fine. The same GeoServer instance can also successfully connect to a MySQL 5.7 database on a different server. In this case, the relevant Wireshark output is the following:

No. Time Source Destination Protocol Length Info
8 0.011235 geo_ip dbase_ip TLSv1.2 482 Client Hello
9 0.011279 dbase_ip geo_ip TCP 66 3306 → 45926 [ACK] Seq=96 Ack=453 Win=30080 Len=0 TSval=1880641029 TSecr=2494230619
10 0.01156 dbase_ip geo_ip TLSv1.2 2177 Server Hello, Certificate, Certificate Request, Server Hello Done

In this case, the same client appears to have offered TLS 1.2 (a different protocol) at the Client Hello, which was accepted.

What can be done to diagnose and fix this problem of GeoServer failing to connect to MariaDB?

Thanks.

1 Answer

Here's one answer. To force GeoServer to avoid SSL, go to the GeoServer admin web page and edit the relevant Store and change the 'database' field by appending the string

?useSSL=false

For example, if the actual database name is 'postcodes', the revised database name is

postcodes?useSSL=false

This makes GeoServer avoid SSL (for what is a secure local connection via sockets anyway) and the connection is made successfully.

An alternative which uses a better SSL protocol instead is

postcodes?enabledTLSProtocols=TLSv1.2

For more insecure contexts which require SSL, the first answer may not be suitable. See https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html for details.

But the answer appears to work for this context.
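
To confirm from a capture that a failure like the one in the question is a TLS version mismatch rather than a network fault, the Client Hello and Alert records can be decoded directly. This is an added example, not part of the original question or answer: the byte strings are constructed to mirror packets 8 and 10 of the failing capture, the function names are hypothetical, and the input is assumed to be the TLS-layer bytes that follow the MySQL protocol's plaintext greeting.

```python
import struct

# Code points from the TLS specifications (RFC 5246 / RFC 8446).
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

def parse_records(stream):
    """Yield one summary dict per TLS record found in `stream`."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _rec_ver, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        offset += 5 + length
        if ctype == 22 and len(body) >= 6 and body[0] == 1:  # handshake, ClientHello
            # Layout: msg type (1), length (3), then client_version (2).
            # A TLS 1.3 client puts 0x0303 here and lists 1.3 in an extension.
            (offered,) = struct.unpack_from("!H", body, 4)
            yield {"type": "ClientHello", "offered": VERSIONS.get(offered, hex(offered))}
        elif ctype == 21 and length == 2:  # unencrypted alert: level, description
            yield {"type": "Alert",
                   "level": LEVELS.get(body[0], str(body[0])),
                   "description": DESCRIPTIONS.get(body[1], str(body[1]))}
        else:
            yield {"type": "other", "content_type": ctype}

def diagnose(stream):
    """Return a one-line verdict for a captured handshake attempt."""
    offered = None
    for rec in parse_records(stream):
        if rec["type"] == "ClientHello":
            offered = rec["offered"]
        elif rec == {"type": "Alert", "level": "fatal", "description": "protocol_version"}:
            return "server rejected client maximum %s" % offered
    return "no protocol_version alert (client offered %s)" % offered

def client_hello(version):
    """Constructed minimal ClientHello record: one cipher suite, no extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

# Constructed sample: TLSv1.1 ClientHello followed by a fatal alert, description 70.
FAILING = client_hello(0x0302) + b"\x15" + struct.pack("!HH", 0x0302, 2) + b"\x02\x46"

if __name__ == "__main__":
    print(diagnose(FAILING))
```
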