Vault credential store - invalid session in SNI

Hi everyone,

I am setting up Boundary to use Vault as credential store. This works fine and I can generate dynamic credentials using the Boundary client.
However, when I try to connect to localhost through the worker proxy, I get the following error from the mysql client:

➜  ~ mysql -u v-token-toke-boundary-c-hAovDq2i -h 127.0.0.1 -P 53332 -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 2

And in the boundary workers logs the following:

Jun 27 15:58:41 ip-10-237-91-59.eu-central-1.compute.internal boundary[3595]: {"id":"h2rwZwDaiR","source":"https://hashicorp.com/boundary/worker-ip-10-237-91-59","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).getSessionTls","data":{"msg":"invalid session in SNI","session_id":""}},"datacontentype":"application/cloudevents","time":"2022-06-27T15:58:41.233798284Z"}

If I try to connect to the database directly, from the worker instance, the credentials generated by Vault that I got in Boundary work.
On both the controllers and the workers I have tls_disable = true.
The target is a RDS instance (MySQL).

The worker starts with no issue:

Jun 27 16:08:29 ip-10-237-99-241.eu-central-1.compute.internal boundary[10427]: ==> Boundary server started! Log data will stream in below:
Jun 27 16:08:29 ip-10-237-99-241.eu-central-1.compute.internal boundary[10427]: {"id":"eVXzUfacgy","source":"https://hashicorp.com/boundary/worker-ip-10-237-99-241","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).createClientConn","data":{"address":"10.237.69.228:9201","msg":"connected to controller"}},"datacontentype":"application/cloudevents","time":"2022-06-27T16:08:29.730731293Z"}

But I can’t proxy the connection for some reason. This is my worker configuration:


disable_mlock = true

# KMS used to authenticate the worker to the controllers
kms "awskms" {
  kms_key_id = "[REDACTED]"
  purpose    = "worker-auth"
}

# Listener that clients connect to for proxied sessions
listener "tcp" {
  address     = "10.237.99.241:9202"
  purpose     = "proxy"
  tls_disable = true
}

worker {
  # Controllers this worker registers with
  controllers = ["10.237.69.228","10.237.91.88","10.237.108.179"]
  name        = "worker-ip-10-237-99-241"
  # Address advertised to clients for the proxy listener
  public_addr = "10.237.99.241"
}

plugins {
  execution_dir = "/opt/boundary/plugin-exec"
}

The weird thing is that this same setup worked before while I was testing, but now it doesn’t.
Any hints regarding this error?

PS: I can’t update to the newest Boundary version due to this.

TIA

And actually, this happens instantly, so there’s no time to be timing out.

So this is what I’ve found. I forgot to mention that I’m using the Boundary Desktop client.
Using Boundary Desktop 1.4.2 and below, everything works as expected and I can connect to the target database using proxying.
With versions 1.4.3 and above, I get the dreaded:

ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 2

Would that be because I’m using Boundary 0.7.5 on the controllers and workers and the Boundary Desktop version 1.4.3 and above isn’t compatible with 0.7.5?
I’d love to move everything to latest, but as I’ve mentioned before, the plugins exec_dir issue keeps me from doing that.

Let me know if you need more input from my side.

Thanks

It’s definitely the case that there can be compatibility issues between different versions of the client and server. While Boundary is in 0.x status your best bet is to keep using the client versions released alongside the server version you’re using. With the CLI this is easy because it’s actually the same binary, but with the desktop it’s a little more complicated because the version basis is different. To the best of my knowledge 1.4.3 targeted 0.8.x server versions while 1.4.2 targeted 0.7.x, and I’ve seen other reports here of issues that appear to be because of breaking changes from 1.4.2 to 1.4.3.


@omkensey thanks for the reply.
I’ll wait for the 0.9.1 release and see if that will solve it.