Using a local Unix socket connection via the `--socket-name` or `-S` command line flags should not require SSL by default. (it should set --ssl=False by default)

> Connections over Unix socket files are not encrypted with a mode of PREFERRED. To enforce encryption for Unix socket-file connections, use a mode of REQUIRED or stricter. (However, socket-file transport is secure by default, so encrypting a socket-file connection makes it no more secure and increases CPU load.)

I think MariaDB should also use this behavior, encrypting unix socket connections by default is wasteful and will increase CPU as mentioned above. The default for unix socket should be to not encrypt, with the ability to override and encrypt if required.

Examples:
```
mariadb -S /cloudsql/my-instance -u root -p
...
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
```
This should succeed without requiring SSL.
Sergei Golubchik
added a comment - Generally, I agree.
The only use case it'll break is when users connect via sockets to accounts with REQUIRE clauses like REQUIRE SSL or REQUIRE ISSUER. It'd be good to have a solution for this. "Do nothing, let them fail" is one possible solution.
Jack Wotherspoon
added a comment - Yes it is correct, this would break some existing REQUIRE clauses.
You would know better if "Do nothing, let them fail" is a viable solution, so I will leave the final decision up to you. However, I do think having it fail and requiring `--ssl=True` is a better overall flow and intuitive experience than the current approach of having SSL required by default for Unix sockets, as the majority of use cases for Unix sockets will not want SSL required.
Does MariaDB have an equivalent of MySQL command line's `--ssl-mode=PREFERRED`? This would potentially be another option as a default. It would allow users with REQUIRED clauses to still succeed as well as users with SSL disabled. Not the ideal solution since many cases will continue to use SSL with Unix sockets and waste CPU.
Sergei Golubchik
added a comment -
> Does MariaDB have an equivalent of MySQL command line's `--ssl-mode=PREFERRED`

Yes. --ssl-verify-server-cert is equivalent to VERIFY_IDENTITY. It's the default since 11.4. --disable-ssl-verify-server-cert will be equivalent to PREFERRED.
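
The breakage case raised in the comments above (socket connections to accounts with REQUIRE clauses) can be audited ahead of any change to the client default. The following is an added example, not part of the issue or of MariaDB's code: it assumes input lines in the shape that `SHOW CREATE USER` prints, the account names and sample statements are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample statements, in the shape SHOW CREATE USER prints.
SAMPLE = [
    "CREATE USER `app`@`localhost` IDENTIFIED BY PASSWORD '*HASH' REQUIRE SSL",
    "CREATE USER `batch`@`localhost` IDENTIFIED VIA unix_socket",
    "CREATE USER `repl`@`10.0.0.%` IDENTIFIED BY PASSWORD '*HASH' REQUIRE X509",
    "CREATE USER `ops`@`%` IDENTIFIED BY PASSWORD '*HASH' "
    "REQUIRE ISSUER '/CN=Example CA' SUBJECT '/CN=ops'",
    "CREATE USER `web`@`%` IDENTIFIED BY PASSWORD '*HASH' REQUIRE NONE",
]

_ACCOUNT = re.compile(
    r"CREATE USER\s+[`'\"](?P<user>[^`'\"]*)[`'\"]@[`'\"](?P<host>[^`'\"]*)[`'\"]",
    re.I,
)
# First keyword of the REQUIRE clause is enough to tell that TLS is mandatory.
_REQUIRE = re.compile(r"\bREQUIRE\s+(NONE|SSL|X509|ISSUER|SUBJECT|CIPHER)\b", re.I)


def host_matches_localhost(host_pattern):
    """Socket clients are seen by the server as coming from 'localhost'.
    Host patterns use SQL LIKE wildcards: % = any run, _ = one character."""
    rx = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c)
        for c in host_pattern
    )
    return re.fullmatch(rx, "localhost", re.I) is not None


def socket_accounts_requiring_tls(statements):
    """Return (user, host, requirement) for accounts that a Unix socket
    client can match and that carry a REQUIRE clause other than NONE.
    These are the logins that fail if the socket connection is unencrypted."""
    findings = []
    for stmt in statements:
        acct = _ACCOUNT.search(stmt)
        if not acct:
            continue
        # Search only after the account name so a user name cannot spoof it.
        req = _REQUIRE.search(stmt, acct.end())
        if not req or req.group(1).upper() == "NONE":
            continue
        if host_matches_localhost(acct.group("host")):
            findings.append(
                (acct.group("user"), acct.group("host"), req.group(1).upper())
            )
    return findings


if __name__ == "__main__":
    for user, host, req in socket_accounts_requiring_tls(SAMPLE):
        print(f"{user}@{host}: REQUIRE {req} -> socket login needs TLS enabled")
```

Accounts it reports are the ones that would need TLS explicitly enabled on the client for socket logins if the default changed.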
People
Unassigned
Jack Wotherspoon