Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22129

MySQL Compatibility: Missing `ssl-mode` flag

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Minor
    • Resolution: Incomplete
    • 10.4.11
    • N/A
    • Scripts & Clients
    • MacBook Pro (15-inch, 2017), MacOS Catalina

    Description

      MySQL client has the option `ssl-mode`:

      From 5.6 Docs:

      This option is available only for client programs, not the server. It specifies the security state of the connection to the server:
      If this option is not specified, the default is to establish an unencrypted connection. This is like the --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).
      If this option is specified, the only permitted value is REQUIRED (establish an encrypted connection if the server supports encrypted connections). The connection attempt fails if an encrypted connection cannot be established.

      From 5.7 Docs:

      This option is available only for client programs, not the server. It specifies the security state of the connection to the server. These option values are permitted:
      PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.
      REQUIRED: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.
      VERIFY_CA: Like REQUIRED, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.
      VERIFY_IDENTITY: Like VERIFY_CA, but additionally perform host name identify verification by checking the server's Common Name identity in the certificate that the server sends to the client. The client verifies the Common Name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. This is like the legacy --ssl-verify-server-cert option.
      DISABLED: Establish an unencrypted connection. This is like the legacy --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

      The client that comes with MariaDB does not support this flag. Therefore software built to use MySQL, that employs this flag for some reason, can't support MariaDB.

      This specifically comes up in a Go library called SQLBoiler which does code generation based on database schema; unit tests for the generated code fail with MariaDB because the client doesn't understand this flag.

      Relevant issues:

      https://github.com/volatiletech/sqlboiler/issues/117
      https://github.com/volatiletech/sqlboiler/issues/273

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-28634 Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              Unassigned Unassigned
              mattmc Matthew McCullough
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.