Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-36193

MariaDB client with `--socket-name` should default to SSL=False

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 11.4.3
    • None
    • Scripts & Clients, SSL
    • debian-linux-gnu (x86_64)

    Description

      Using a local Unix socket connection via the `--socket-name` or `-S` command line flags should not require SSL by default. (it should set --ssl=False by default)

      The MySQL command line interface currently already uses this behavior: https://dev.mysql.com/doc/refman/8.4/en/connection-options.html#option_general_ssl-mode

      > Connections over Unix socket files are not encrypted with a mode of PREFERRED. To enforce encryption for Unix socket-file connections, use a mode of REQUIRED or stricter. (However, socket-file transport is secure by default, so encrypting a socket-file connection makes it no more secure and increases CPU load.)

      I think MariaDB should also use this behavior, encrypting unix socket connections by default is wasteful and will increase CPU as mentioned above. The default for unix socket should be to not encrypt, with the ability to override and encrypt if required.

      Examples:

      mariadb -S /cloudsql/my-instance -u root -p
      		 
      ...
      		 
      ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

      This should succeed without requiring SSL.

      Attachments

        Activity

          Ascending order - Click to sort in descending order
          serg Sergei Golubchik added a comment -

          Generally, I agree.

          The only use case it'll break is when users connect via sockets to accounts with REQUIRE clauses like REQUIRE SSL or REQUIRE ISSUER. It'd be good to have a solution for this. "Do nothing, let them fail" is one possible solution.

          serg Sergei Golubchik added a comment - Generally, I agree. The only use case it'll break is when users connect via sockets to accounts with REQUIRE clauses like REQUIRE SSL or REQUIRE ISSUER . It'd be good to have a solution for this. "Do nothing, let them fail" is one possible solution.
          jackwotherspoon Jack Wotherspoon added a comment -

          Yes it is correct, this would break some existing REQUIRE clauses.

          You would know better if "Do nothing, let them fail" is a viable solution, so I will leave the final decision up to you. However, I do think having it fail and requiring `--ssl=True` is a better overall flow and intuitive experience then the current approach of having SSL required by default for Unix sockets. As the majority of use cases for Unix sockets will not want SSL required.

          Does MariaDB have an equivalent of MySQL command line's `--ssl-mode=PREFERRED`? This would potentially be another option as a default. It would allow users with REQUIRED clauses to still succeed as well as users will SSL disabled. Not the ideal solution since many cases will continue to use SSL with Unix sockets and waste CPU.

          jackwotherspoon Jack Wotherspoon added a comment - Yes it is correct, this would break some existing REQUIRE clauses. You would know better if "Do nothing, let them fail" is a viable solution, so I will leave the final decision up to you. However, I do think having it fail and requiring `--ssl=True` is a better overall flow and intuitive experience then the current approach of having SSL required by default for Unix sockets. As the majority of use cases for Unix sockets will not want SSL required. Does MariaDB have an equivalent of MySQL command line's `--ssl-mode=PREFERRED`? This would potentially be another option as a default. It would allow users with REQUIRED clauses to still succeed as well as users will SSL disabled. Not the ideal solution since many cases will continue to use SSL with Unix sockets and waste CPU.
          serg Sergei Golubchik added a comment -

          Does MariaDB have an equivalent of MySQL command line's `--ssl-mode=PREFERRED`

          Yes. --ssl-verify-server-cert is equivalent to VERIFY_IDENTITY. It's the default since 11.4.
          --disable-ssl-verify-server-cert will be equivalent to PREFERRED.

          serg Sergei Golubchik added a comment - Does MariaDB have an equivalent of MySQL command line's `--ssl-mode=PREFERRED` Yes. --ssl-verify-server-cert is equivalent to VERIFY_IDENTITY . It's the default since 11.4. --disable-ssl-verify-server-cert will be equivalent to PREFERRED .

          People

            Unassigned Unassigned
            jackwotherspoon Jack Wotherspoon
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.