
MySQL Compatibility: Missing `ssl-mode` flag

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Incomplete
    • 10.4.11
    • N/A
    • Scripts & Clients
    • MacBook Pro (15-inch, 2017), MacOS Catalina

    Description

      MySQL client has the option `ssl-mode`:

      From 5.6 Docs:

      This option is available only for client programs, not the server. It specifies the security state of the connection to the server:
      If this option is not specified, the default is to establish an unencrypted connection. This is like the --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).
      If this option is specified, the only permitted value is REQUIRED (establish an encrypted connection if the server supports encrypted connections). The connection attempt fails if an encrypted connection cannot be established.

      From 5.7 Docs:

      This option is available only for client programs, not the server. It specifies the security state of the connection to the server. These option values are permitted:
      PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.
      REQUIRED: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.
      VERIFY_CA: Like REQUIRED, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.
      VERIFY_IDENTITY: Like VERIFY_CA, but additionally perform host name identity verification by checking the server's Common Name identity in the certificate that the server sends to the client. The client verifies the Common Name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. This is like the legacy --ssl-verify-server-cert option.
      DISABLED: Establish an unencrypted connection. This is like the legacy --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

      The client that comes with MariaDB does not support this flag. Therefore software built to use MySQL, that employs this flag for some reason, can't support MariaDB.

      This specifically comes up in a Go library called SQLBoiler which does code generation based on database schema; unit tests for the generated code fail with MariaDB because the client doesn't understand this flag.

      Relevant issues:

      https://github.com/volatiletech/sqlboiler/issues/117
      https://github.com/volatiletech/sqlboiler/issues/273

          Activity

            serg Sergei Golubchik added a comment (edited)

            MariaDB clients don't support ssl-mode. As the MySQL 5.7 manual above says, one is supposed to use --ssl instead of --ssl-mode=PREFERRED and --ssl --ssl-verify-server-cert instead of --ssl-mode=VERIFY_IDENTITY. We intentionally didn't implement the support for VERIFY_CA and REQUIRED modes, because requiring ssl without verifying the certificate is misleading — it creates a false sense of security while keeping the connection vulnerable to MitM attacks.

            For MySQL compatibility we can add support for this option, but only for those values that the client actually implements. Looking at the sqlboiler issue you only need --ssl-mode=DISABLED anyway, so that should work.

            Why does sqlboiler need to disable ssl explicitly anyway?
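
The mapping in the comment above, written as a fail-closed argument translator for tooling that passes `--ssl-mode` to a MariaDB client. This is an added example, not part of the issue or of MariaDB's code; the function names are hypothetical, and accepting any letter case for the value is an assumption.

```bash
#!/usr/bin/env bash
# Added example: translate MySQL-style --ssl-mode into the MariaDB client
# flags named in the comment above. Function names are hypothetical.

# Map one ssl-mode value to MariaDB client flags, printed one per line.
# Returns 2 for the modes the comment says are intentionally unimplemented
# (refuse instead of silently weakening the request), 3 for unknown values.
ssl_mode_to_mariadb() {
    # Assumption: the value is accepted in any letter case.
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        DISABLED)        printf '%s\n' --skip-ssl ;;
        PREFERRED)       printf '%s\n' --ssl ;;
        VERIFY_IDENTITY) printf '%s\n' --ssl --ssl-verify-server-cert ;;
        REQUIRED|VERIFY_CA)
            echo "ssl-mode=$1: no MariaDB equivalent; use VERIFY_IDENTITY" >&2
            return 2 ;;
        *)
            echo "ssl-mode=$1: unknown value" >&2
            return 3 ;;
    esac
}

# Rewrite a full argument list, one argument per output line. Handles both
# --ssl-mode=VALUE and --ssl-mode VALUE; other arguments pass through as-is.
# Limitation: arguments that contain newlines are not supported.
translate_args() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --ssl-mode=*)
                ssl_mode_to_mariadb "${1#--ssl-mode=}" || return ;;
            --ssl-mode)
                [ "$#" -ge 2 ] || { echo "--ssl-mode needs a value" >&2; return 3; }
                ssl_mode_to_mariadb "$2" || return
                shift ;;
            *)
                printf '%s\n' "$1" ;;
        esac
        shift
    done
}
```

A caller should check the exit status before launching the client, so that a rejected mode stops the connection attempt rather than proceeding with fewer flags.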

            ibot3 Jakob Müller added a comment

            The MySQL 5.7 documentation actually says the exact opposite:
            "Consequently, --ssl and --ssl-verify-server-cert are deprecated, and are removed in MySQL 8.0."

            https://dev.mysql.com/doc/refman/5.7/en/encrypted-connections.html

            So this should probably be adjusted in order to maintain compatibility.


            People

              Unassigned Unassigned
              mattmc Matthew McCullough