Details
-
New Feature
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
Description
This needs a change in the client auth plugin API
- client authentication plugins to get a new method hash_password(), the same as in the server plugin
The new authentication will work like this
Client side, when sending client reply packet:
- If SSL is used, and --ssl-verify-server-cert is in force, but
- no --ssl-ca or --ssl-fingerprint is in force, and
- the certificate failed validation as self-signed, and
- client authentication plugin doesn't have hash_password() method, and
- the non-empty password was provided, then
- disconnect, otherwise
- continue (let's call it late certificate validation mode)
Server side, when sending the OK packet after successful authentication:
- if SSL is used, and
- the certificate is ephemeral (after
MDEV-31856), and - the account has non-empty password, then
- calculate SHA2(user's hashed password, scramble, certificate fingerprint), and
- put it in the OK's info field, prefixed by byte 0x01
Client side, when receiving OK packet:
- if in the late certificate validation mode, then
- use hash_password() callback, calculate SHA2(user's hashed password, scramble, certificate fingerprint), compare
Notes
- client plugin versions and the API version have to be incremented
- the server doesn't know if the client is in the late password validation mode, so it might do some unnecessary work just in case
- this could be fixed by a new capability bit, or
- just live with potential unnecessary work on connect — it is assumed that in overwhelming majority of the cases this work will be necessary (almost all setups will use this mode)
Attachments
Issue Links
- blocks
-
-
- Closed
-
- causes
-
MDEV-33639 AuthSwitchResponse info has changed since 11.4
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
R2DBC-90 TLS ephemeral certificate automatic implementation
-
- Open
-