Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
11.4.0
-
None
-
docker ubuntu20.04, php8.2
Description
Hi, I came from php-src.
The following issue has been reported in php-src:
https://github.com/php/php-src/issues/13628
I think that the "info" of OK_packet returned by Protocol::AuthSwitchResponse has probably changed since 11.4.
https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_packets_protocol_auth_switch_response.html
https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_basic_ok_packet.html
Until 11.3.2, this value was empty, but since 11.4 it contains a random-looking string.
If this is the intended change, I would like to do something about it on the php side, but since it is not "human readable status information" as stated in the protocol description, I am having trouble deciding.
It would be helpful if you could tell us about this change.
Regards.
Attachments
Issue Links
- is caused by
-
MDEV-31855 validate ssl certificates using client password
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Link |
This issue is caused by |
| Assignee | Sergei Golubchik [ serg ] |
| Component/s | Authentication and Privilege System [ 13101 ] | |
| Component/s | Protocol [ 14604 ] |
Is it AuthSwitchResponse? It's supposed to be in the OK packet after the successful authentication, not when switching authentication to a different plugin.
In addition to links that Daniel provided, there's also https://mariadb.org/mission-impossible-zero-configuration-ssl/
I'll update documentation.
You have options:
- you can ignore it, everything will work as before
- you can start the server with --skip-ssl. It'll restore 11.3- behavior — no SSL enabled, no info field in the first OK packet.
- you can implement the client part of
MDEV-31855. In that case mysqli will support MitM-proof zero-configuration SSL. Please, don't hesitate to ask if anything will be unclear.
| Component/s | Documentation [ 10903 ] |
| Fix Version/s | 11.4 [ 29301 ] |
| Fix Version/s | N/A [ 14700 ] | |
| Fix Version/s | 11.4 [ 29301 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Open [ 1 ] | Closed [ 6 ] |
ls it AuthSwitchResponse? It's supposed to be in the OK packet after the successful authentication, not when switching authentication to a different plugin.
Ah you're right, thank you. It is an `OK_packet` from the server in response to the Handshake Response.
I found a content that may be related to this in the MariaDB OK_packet documentation.
https://mariadb.com/kb/en/ok_packet/
The length-encoded info string is not always included in the packet. Check the length of the packet to detect if there is data after the warning count. For the first OK_Packet in the connection it contains (if present) the SSL certificate verification signature. For the following OK_Packets it contains (if present) various human-readable information.
What I thought was a "mysterious string" turned out to be "SSL certificate verification signature".
Thank you, I was able to understand what was happening. I guess I just need to modify the test.
Protocol in
MDEV-31855serg has anything changed since the design?
Docs in https://mariadb.com/kb/en/connection/#handshake-response-packet need to be updated.
C/C implementation: