  1. MariaDB Connector/C
  2. CONC-767

Client version >= 11.4.1 can't connect to MariaDB server 11.4.5

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • 3.4.5
    • 3.4.6
    • None
    • None
    • Windows Server 2019

    Description

      Installed MariaDB 11.4.5 on Windows Server 2019.
      It's not possible to connect to the server using the provided command line client mysql.exe.
      Client message:
      ERROR 2813 (HY000): Lost connection to server at 'sending authentication information', system error: 0
      Server error log:
      [Warning] Could not read packet: fd: 1424 state: 1 read length: 4 errno: 0 vio_errno: 1158 length: -1
      Tried various versions of the client. It seems that all versions from server < 11.4.1 do work with the server 11.4.5, all clients from server versions >= 11.4.1 do not work.

      I specified the server variable connect_timeout = 1000 and tested the client 11.4.5 with various options:
      a) --ssl=0
      Connection established immediately
      b) --ssl=1 --ssl-verify-server-cert=1
      Connection established after 12 seconds
      c) --ssl=1 --ssl-verify-server-cert=0
      Connection established immediately
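
      The three-case comparison in the description can be timed instead of judged by eye. The PowerShell script below is an added example, not part of the original report; it assumes mysql.exe is on PATH, that the current account can connect without a password prompt, and that the server's connect_timeout has been raised as in the report so the slow case can finish. The 10-second threshold is an assumed value to compare against.

```powershell
# Added diagnostic example (not from the issue): time the three option sets
# from the description and flag any run that reaches a timeout threshold.
param(
    [string]$Client = 'mysql.exe',   # assumption: client is on PATH
    [int]$ThresholdSec = 10          # assumption: timeout value to compare against
)

# Option sets exactly as listed in the description (a, b, c).
$cases = [ordered]@{
    'a) --ssl=0'                              = @('--ssl=0')
    'b) --ssl=1 --ssl-verify-server-cert=1'   = @('--ssl=1', '--ssl-verify-server-cert=1')
    'c) --ssl=1 --ssl-verify-server-cert=0'   = @('--ssl=1', '--ssl-verify-server-cert=0')
}

$results = foreach ($name in $cases.Keys) {
    # A trivial statement, so the elapsed time is dominated by connect + handshake.
    $argList = $cases[$name] + @('-e', 'SELECT 1')

    $elapsed = Measure-Command { & $Client @argList 2>&1 | Out-Null }

    [pscustomobject]@{
        Case          = $name
        Seconds       = [math]::Round($elapsed.TotalSeconds, 1)
        ExitCode      = $LASTEXITCODE
        OverThreshold = $elapsed.TotalSeconds -ge $ThresholdSec
    }
}

$results | Format-Table -AutoSize

# A stall that appears only in case b) points at certificate verification
# on the client rather than at the TLS handshake itself.
$slow = $results | Where-Object { $_.OverThreshold }
if ($slow) {
    Write-Warning ("Connection time reached {0}s for: {1}" -f $ThresholdSec, ($slow.Case -join '; '))
}
```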

          Activity

            wlad Vladislav Vaintroub added a comment -

            gerhard.pauls, do you use your own certificate, or is this a server-generated one? Are there ssl-cert and ssl-key in the my.ini?

            gerhard.pauls Gerhard Pauls added a comment -

            There is nothing regarding certs in the my.ini. We didn't intend to use secure connection.

            wlad Vladislav Vaintroub added a comment - - edited

            I set it to "critical", because several people are already affected, see linked bug.
            Maybe it should be "Blocker", anyway, it is a regression affecting more than a single user.

            I can't reproduce, but apparently some people do, and there is some need for action, I guess.

            We can assume, and it is documented, that CertVerifyCertificateChainPolicy() can use the Internet to download updated certificate lists, revocation lists, OCSP, whatever it is. And it can be slow doing this, and exceed the server's default read timeout, or connect timeout, or whatever it is.

            Now, georg and serg, there is some weird code I fail to understand.
            There is a local connection and all, still this thing is running in the client:


                /* The verification callback runs first, whatever the connection type. */
                if (mysql->options.extension->tls_verification_callback(mysql->net.pvio->ctls, verify_flags))
                {
                  if (mysql->net.tls_verify_status > MARIADB_TLS_VERIFY_AUTO ||
                      (mysql->options.ssl_ca || mysql->options.ssl_capath))
                    goto error;

                  /* For a local connection the failure is cleared again. */
                  if (is_local_connection(mysql->net.pvio))
                  {
                    CLEAR_CLIENT_ERROR(mysql);
                    mysql->net.tls_verify_status&= ~MARIADB_TLS_VERIFY_AUTO;
                  }
                  else if (!password_and_hashing(mysql, mpvio->plugin))
                    goto error;
                }
              } /* closes an enclosing block whose opening is not part of this excerpt */


            Why? The connection is local, I passed no password, and the verification is not expected in the first place, but no, we unconditionally run a potentially super-expensive function which is possibly going to update revocation lists from the internet, and hang while doing it.
            Then we ignore the results of this function for a local connection.
            Can this be removed (reworked? made simpler, rearranged), or made sure it does not access the internet? It wants a revocation check for a local connection, for the ephemeral self-signed certificate we just created. Is this really necessary?


            People

              wlad Vladislav Vaintroub
              gerhard.pauls Gerhard Pauls