  1. MariaDB Server
  2. MDEV-33639

AuthSwitchResponse info has changed since 11.4

Details

    Description

      Hi, I came from php-src.

      The following issue has been reported in php-src:
      https://github.com/php/php-src/issues/13628

      I think that the "info" of OK_packet returned by Protocol::AuthSwitchResponse has probably changed since 11.4.
      https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_packets_protocol_auth_switch_response.html
      https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_basic_ok_packet.html

      Until 11.3.2, this value was empty, but since 11.4 it contains a random-looking string.

      If this is the intended change, I would like to do something about it on the php side, but since it is not "human readable status information" as stated in the protocol description, I am having trouble deciding.

      It would be helpful if you could tell us about this change.

      Regards.

          Activity

            danblack Daniel Black added a comment -

            Protocol in MDEV-31855
            serg has anything changed since the design?

            Docs in https://mariadb.com/kb/en/connection/#handshake-response-packet need to be updated.

            C/C implementation:
            https://github.com/mariadb-corporation/mariadb-connector-c/commit/a99570c118a77c9fe005c662f386931e4514dca2
            https://github.com/mariadb-corporation/mariadb-connector-c/commit/fcef411ecb4a2c013e7aac655a96669474110225
            possibly assisted/corrected by surrounding commits - https://github.com/mariadb-corporation/mariadb-connector-c/commits/3.4

            serg Sergei Golubchik added a comment - - edited

            Is it AuthSwitchResponse? It's supposed to be in the OK packet after the successful authentication, not when switching authentication to a different plugin.

            In addition to links that Daniel provided, there's also https://mariadb.org/mission-impossible-zero-configuration-ssl/
            I'll update documentation.

            You have options:

            • you can ignore it, everything will work as before
            • you can start the server with --skip-ssl. It'll restore 11.3- behavior — no SSL enabled, no info field in the first OK packet.
            • you can implement the client part of MDEV-31855. In that case mysqli will support MitM-proof zero-configuration SSL. Please, don't hesitate to ask if anything will be unclear.

            Saki Saki Takamachi added a comment -

            Is it AuthSwitchResponse? It's supposed to be in the OK packet after the successful authentication, not when switching authentication to a different plugin.

            Ah you're right, thank you. It is an `OK_packet` from the server in response to the Handshake Response.

            I found some content that may be related to this in the MariaDB OK_packet documentation.
            https://mariadb.com/kb/en/ok_packet/

            The length-encoded info string is not always included in the packet. Check the length of the packet to detect if there is data after the warning count. For the first OK_Packet in the connection it contains (if present) the SSL certificate verification signature. For the following OK_Packets it contains (if present) various human-readable information.

            What I thought was a "mysterious string" turned out to be "SSL certificate verification signature".
            Thank you, I was able to understand what was happening. I guess I just need to modify the test.
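
            An added example (not code from php-src, MariaDB Server or Connector/C): a minimal C parser for an OK packet payload that applies the length check from the quoted documentation and returns the info field as opaque bytes, since in the first OK packet it carries the signature rather than text. The struct and function names and the sample payloads are constructed for illustration; the assumed layout is header byte, two length-encoded integers, status flags, warning count, then an optional length-encoded info string.

```c
#include <stddef.h>
#include <stdint.h>

/* Info field of an OK packet payload (4-byte packet header already stripped). */
struct ok_info {
    const uint8_t *info;   /* points into the payload; NULL when absent */
    size_t info_len;
};

/* Constructed payloads: an OK without info, and one with 4 opaque info bytes. */
static const uint8_t OK_PLAIN[] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00};
static const uint8_t OK_WITH_INFO[] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
                                       0x04, 0xde, 0xad, 0xbe, 0xef};

/* Read a length-encoded integer; 0 on success, -1 on truncation or bad prefix. */
static int read_lenenc(const uint8_t **p, const uint8_t *end, uint64_t *out)
{
    size_t n;
    if (*p >= end) return -1;
    uint8_t first = *(*p)++;
    if (first < 0xfb) { *out = first; return 0; }
    if (first == 0xfc) n = 2;
    else if (first == 0xfd) n = 3;
    else if (first == 0xfe) n = 8;
    else return -1;                      /* 0xfb (NULL) and 0xff are invalid here */
    if ((size_t)(end - *p) < n) return -1;
    *out = 0;
    for (size_t i = 0; i < n; i++) *out |= (uint64_t)(*p)[i] << (8 * i);
    *p += n;
    return 0;
}

/* Returns 0 on success, -1 if the payload is not a well-formed OK packet. */
int parse_ok_packet(const uint8_t *buf, size_t len, struct ok_info *out)
{
    const uint8_t *p = buf, *end = buf + len;
    uint64_t v;
    out->info = NULL;
    out->info_len = 0;
    if (len < 1 || *p++ != 0x00) return -1;            /* OK header byte */
    if (read_lenenc(&p, end, &v)) return -1;           /* affected rows */
    if (read_lenenc(&p, end, &v)) return -1;           /* last insert id */
    if (end - p < 4) return -1;
    p += 4;                                            /* status flags + warnings */
    if (p == end) return 0;                            /* nothing after warning count */
    if (read_lenenc(&p, end, &v) || v > (uint64_t)(end - p)) return -1;
    out->info = p;                                     /* opaque bytes, not a C string */
    out->info_len = (size_t)v;
    return 0;
}
```

            A client or test that compares the first OK packet's info against an empty string should use `info_len` from a parse like this and not assume the bytes are printable.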

            People

              serg Sergei Golubchik
              Saki Saki Takamachi