  1. MariaDB Server
  2. MDEV-9389

Inconsistent auth packet sent by client

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Won't Fix
    • 10.1.9
    • N/A
    • Protocol
    • Centos7, x86_64, gcc 4.8.5, mysql-proxy 0.8.2

    Description

      Sorry, this is my first time submitting a bug to mariadb, let me know if I messed it up.

      We are migrating from mysql to mariadb and one piece of our system is mysql-proxy which refuses to work with mariadb client. It worked ok with mysql server/client (obviously) but we see an interesting issue with mariadb:

      • if we run mariadb server and mariadb client with mysql-proxy in between we cannot actually run, client fails immediately with the message: ERROR 1043 (08S01): Bad handshake
      • but we can run with mysql client and mariadb server (and mysql-proxy)

      After some debugging I believe the reason is incorrect handling of CLIENT_CONNECT_ATTRS by mariadb client. Examining packets sent to/from proxy here I can see:

      • proxy modifies server handshake packet and strips some capability flags from it, including CLIENT_CONNECT_ATTRS, so that client does not see that flag in server capabilities
      • client always sets that flag in its auth packet but it does not fill connection attributes in the packet, which I believe makes inconsistent packet
      • proxy does not modify client auth packet in any way and passes it to server which complains about that inconsistency (though without giving actual reason)

      Looking at the code in sql-common/client.c I think this inconsistency happens because:

      • client always sets CLIENT_CONNECT_ATTRS flag no matter what
      • but it only fills connection attributes if server capabilities have that flag

      I think correct behavior on client side should be to only set that flag if server-side flag is set. This probably applies to few other flags as well, I think mysql protocol description expects from client to only set flags which are also supported by server.

      I could not find any way to workaround that client behavior without patching sources (I think proxy is very limited in what it can do with auth packets). If you can confirm that this behavior is problematic it would be nice to have it fixed eventually (sooner better than later of course).
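
As an added example (not part of the report and not code from MariaDB or mysql-proxy): a C check that a proxy or test harness could run over the client's HandshakeResponse41 payload to flag the inconsistency described above, CLIENT_CONNECT_ATTRS set with no attribute block following. Capability values and field layout follow the MySQL protocol documentation; the function names and result codes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Capability bits as given in the MySQL client/server protocol documentation. */
#define CLIENT_CONNECT_WITH_DB                0x00000008u
#define CLIENT_SECURE_CONNECTION              0x00008000u
#define CLIENT_PLUGIN_AUTH                    0x00080000u
#define CLIENT_CONNECT_ATTRS                  0x00100000u
#define CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA 0x00200000u
enum { HS_MALFORMED = -1, HS_OK = 0, HS_ATTRS_MISSING = 1 }; /* hypothetical codes */

/* Advance *off past a NUL-terminated string; returns 0 on success. */
static int skip_cstr(const uint8_t *p, size_t len, size_t *off) {
    const uint8_t *nul = memchr(p + *off, 0, len - *off);
    if (nul) *off = (size_t)(nul - p) + 1;
    return nul ? 0 : -1;
}
/* Read a length-encoded integer (1-, 3-, 4- or 9-byte form); 0 on success. */
static int read_lenenc(const uint8_t *p, size_t len, size_t *off, uint64_t *v) {
    if (*off >= len) return -1;
    uint8_t b = p[(*off)++];
    size_t n = b < 0xfb ? 0 : b == 0xfc ? 2 : b == 0xfd ? 3 : b == 0xfe ? 8 : 99;
    if (n == 99 || len - *off < n) return -1;   /* 0xfb and 0xff are not lengths */
    *v = n ? 0 : b;
    for (size_t i = 0; i < n; i++) *v |= (uint64_t)p[(*off)++] << (8 * i);
    return 0;
}
/* Walk a HandshakeResponse41 payload (4-byte packet header already removed). */
int check_handshake_response(const uint8_t *p, size_t len) {
    if (len < 32) return HS_MALFORMED;
    uint32_t caps = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
    size_t off = 32;            /* 4 caps + 4 max packet + 1 charset + 23 filler */
    uint64_t n = 0;             /* auth-response length, later attribute length */
    if (skip_cstr(p, len, &off)) return HS_MALFORMED;              /* user name */
    if (caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA) {
        if (read_lenenc(p, len, &off, &n)) return HS_MALFORMED;
    } else if (caps & CLIENT_SECURE_CONNECTION) {
        if (off >= len) return HS_MALFORMED;
        n = p[off++];
    } else if (skip_cstr(p, len, &off)) return HS_MALFORMED;       /* old NUL form */
    if (n > len - off) return HS_MALFORMED;
    off += (size_t)n;
    if ((caps & CLIENT_CONNECT_WITH_DB) && skip_cstr(p, len, &off)) return HS_MALFORMED;
    if ((caps & CLIENT_PLUGIN_AUTH) && skip_cstr(p, len, &off)) return HS_MALFORMED;
    if (!(caps & CLIENT_CONNECT_ATTRS)) return HS_OK;
    if (off == len) return HS_ATTRS_MISSING;  /* flag set, attribute block absent */
    if (read_lenenc(p, len, &off, &n) || n > len - off) return HS_MALFORMED;
    return HS_OK;
}
```

`HS_ATTRS_MISSING` corresponds to the packet shape the report describes; a client that masks its capability flags with the server's advertised set would produce `HS_OK` for the same login.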

          People

            serg Sergei Golubchik
            AndyS Andy Salnikov