Replication over SSL

Hello,

I am trying to set up SSL on two Virtuoso 8 instances. So far so good in terms of implementation, but there is one thing. These servers had replication between them: one was the publisher and the other was a subscriber. I have been searching the documentation a lot today, but I cannot find why the repl_subscribe functionality now produces errors regarding connectivity.

I have tried connecting via ISQL from the subscriber to the publisher node with the command:
isql -H publisher.address -S 1111 -E
And it works. SSL is configured on ports 8890 and 1111, the same ports the defaults were running on.

I need to know how I can make the ISQL invocation permanently use the -E flag, and possibly some kind of parameter that enables SSL connections between the two nodes by default. Based on the docs here (6.1.1. Database) I tried:

  1. Adding Encrypt or “Encrypt” inside the odbc.ini file under MASTER_DSN section
  2. Running isql -E -u SQL_ENCRYPT_CONNECTION=1 prior to running repl_subscribe
  3. Adding SQL_ENCRYPT_CONNECTION under SQL section in virtuoso.ini file

EDIT 1: I managed to solve the repl_subscribe command and now it works; I think it was the proper addition of Encrypt inside the odbc.ini file. But now I get another issue. Even though the subscriber is connected to the publisher, the publisher produces errors while accepting the connection, rendering the replication useless immediately.
Logs:

13:55:36 SSL error accepting connection from XXXXXXXXXX error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
13:56:31 SSL error accepting connection from XXXXXXXXXX error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

SSL configuration on both servers for both ISQL and HTTP look like this:

[Parameters]
SSLServerPort           = 1111
SSLCertificate          = ./ssl/XXXXXXXX.crt
SSLPrivateKey           = ./ssl/XXXXXXXX.key
X509ClientVerify        = 0
X509ClientVerifyDepth   = -1
X509ClientVerifyCAFile  = ./ssl/XXXXXXXX_combined_ca.crt
...
[HTTPServer]
SSLPort                     = 8890
SSLCertificate              = ./ssl/XXXXXXXX.crt
SSLPrivateKey               = ./ssl/XXXXXXXX.key
X509ClientVerify            = 0
X509ClientVerifyDepth       = -1
X509ClientVerifyCAFile      = ./ssl/XXXXXXXX_combined_ca.crt

Nikos

Virtuoso replication does not support secure SSL connections between publisher and subscriber nodes, thus this configuration will not work, hence the “unknown protocol” error reported.

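As an added example (not from this thread and not part of Virtuoso), a small Python script that picks the "SSL error accepting connection" lines out of the publisher's log and flags peers that repeatedly reach the TLS listener with a non-TLS client hello, which is what an unencrypted replication client does. The log lines and peer names below are constructed.

```python
import re
from collections import defaultdict

# Matches the "SSL error accepting connection" lines Virtuoso writes when a
# client that does not speak TLS hits the TLS-enabled SQL listener
# (SSLServerPort). Captures the OpenSSL code, library, function and reason.
SSL_ACCEPT_ERROR = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) SSL error accepting connection from "
    r"(?P<peer>\S+) error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>.+)$"
)

# Constructed sample log: two failures from one peer, one from another,
# plus an unrelated line that the parser must ignore.
SAMPLE_LOG = """\
13:55:36 SSL error accepting connection from subscriber.example error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
13:55:40 Server online at 1111 (pid 4242)
13:56:31 SSL error accepting connection from subscriber.example error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
13:57:02 SSL error accepting connection from other.example error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""


def parse_ssl_accept_errors(log_text):
    """Return one dict per matching log line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SSL_ACCEPT_ERROR.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_peer(events):
    """Group failures by peer: count and the distinct OpenSSL reasons seen."""
    summary = defaultdict(lambda: {"count": 0, "reasons": set()})
    for e in events:
        summary[e["peer"]]["count"] += 1
        summary[e["peer"]]["reasons"].add(e["reason"])
    return dict(summary)


def plaintext_peers(events, threshold=2):
    """Peers with at least `threshold` 'unknown protocol' failures.

    Such a peer keeps sending a plaintext hello to the TLS port; for a
    Virtuoso replication pair that means the subscriber is connecting
    unencrypted and the SSL listener is rejecting it.
    """
    summary = summarize_by_peer(events)
    return sorted(peer for peer, s in summary.items()
                  if s["count"] >= threshold and "unknown protocol" in s["reasons"])


if __name__ == "__main__":
    evs = parse_ssl_accept_errors(SAMPLE_LOG)
    print(summarize_by_peer(evs))
    print("peers connecting without TLS:", plaintext_peers(evs))
```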

Thanks, then we can close the case.