[CONJ-742] Possible classloader issue loading authentication plugin
Created: 2019-10-28  Updated: 2020-08-11  Resolved: 2019-10-31

Status: Closed
Project: MariaDB Connector/J
Component/s: authentication
Affects Version/s: 2.5.1
Fix Version/s: 2.5.2

Type: Bug
Priority: Major
Reporter: Joseph Nahmias
Assignee: Diego Dupin
Resolution: Fixed
Votes: 0
Labels: None
Environment:

SQuirreL SQL Client snapshot-20190714_0016



 Description   

jira: Client does not support authentication protocol requested by server. plugin type was = sha256_password
class java.sql.SQLException: Client does not support authentication protocol requested by server. plugin type was = sha256_password



 Comments   
Comment by Diego Dupin [ 2019-10-30 ]

Could you indicate the exact server version and connection string to help reproduce the issue?

Comment by Joseph Nahmias [ 2019-10-30 ]

Server version: 5.7.27-0ubuntu0.16.04.1 (Ubuntu)

$ lsb_release -d
Description:    Ubuntu 16.04.6 LTS
$ dpkg -l mysql-server | grep ^i
ii  mysql-server   5.7.27-0ubuntu0.16.04.1 all          MySQL database server (metapackage depending on the latest version)

SquirrelSQL Client Connection String: jdbc:mysql://dbserver.example.org:3306/dbname

Comment by Diego Dupin [ 2019-10-30 ]

Hmm, reproduced. It seems SQuirreL is playing with the classloader.
I'll need to check that; putting the jar in lib would probably work as a workaround.

Comment by Joseph Nahmias [ 2019-10-30 ]

FYI, I already have mariadb-java-client-2.5.1.jar in EXTRACLASSPATH.

Comment by Diego Dupin [ 2019-10-30 ]

I mean exactly not using the extra classpath, but copying the lib into the SQuirreL lib folder for now.
But let me check further.

Comment by Diego Dupin [ 2019-10-30 ]

Could you try with the SNAPSHOT file: https://oss.sonatype.org/content/repositories/snapshots/org/mariadb/jdbc/mariadb-java-client/2.5.2-SNAPSHOT/mariadb-java-client-2.5.2-20191030.181402-1.jar in the extra classpath?
The service loader now uses the Driver classloader, not the current thread classloader.
That must solve the issue.

Comment by Joseph Nahmias [ 2019-10-30 ]

That did something...
Now I get the error: class java.sql.SQLException: RSA public key is not available client side (option serverRsaPublicKeyFile)

Comment by Diego Dupin [ 2019-10-30 ]

Great!

This error message is because MySQL sha256_password has a lot of constraints. (That's why MariaDB prefers using the ed25519 authentication plugin, not implementing that type of plugin.) You must either:

  • use SSL
  • provide the server RSA public key file using option `serverRsaPublicKeyFile`
  • or, less secure: permit the server to provide this file, setting option `allowPublicKeyRetrieval` to true.

Comment by Joseph Nahmias [ 2019-10-30 ]

Interesting, didn't know about the ed25519 auth. Maybe when we upgrade the server next year....

In the meantime, I've set useSsl = true, trustServerCertificate = true, allowPublicKeyRetrieval = true. However I now get the error:

Unexpected Error occurred attempting to open an SQL connection.
class java.io.EOFException: SSL peer shut down incorrectly

Looking in the server's logfile, all I see is:

2019-10-30T20:38:57.307338Z 194974 [Note] Bad handshake

Any ideas?

Comment by Diego Dupin [ 2019-10-30 ]

If you use SSL, allowPublicKeyRetrieval is not needed.

It seems the server rejects the SSL exchange, probably because you use MySQL 5.7.27 community server, which by default uses a TLS implementation that is not TLSv1.2 compatible and has issues when the client sends a TLSv1.2 client hello.

So either indicate TLSv1 and TLSv1.1 in the connection string, like:
jdbc:mariadb://localhost:3306/testj?useSsl&trustServerCertificate&enabledSslProtocolSuites=TLSv1,TLSv1.1
or update to the next version, 5.7.28, which uses OpenSSL and is TLSv1.2 compatible.
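
The option combinations discussed in this thread, as an added check that is not part of the original issue or of Connector/J: a small Python audit of connection strings. The `audit` helper, its finding names and the key-file path are hypothetical, and treating a bare flag such as `?useSsl` as enabled is an assumption taken from the URL quoted in the thread.

```python
from urllib.parse import parse_qsl

LEGACY_TLS = {"TLSv1", "TLSv1.1"}

def is_on(opts, name):
    # Assumption: a bare flag ("?useSsl&...") means enabled, as in the thread's URL.
    return name in opts and opts[name].lower() in ("", "true")

def audit(jdbc_url):
    """Return hypothetical finding names for one Connector/J connection string."""
    opts = dict(parse_qsl(jdbc_url.partition("?")[2], keep_blank_values=True))
    ssl = is_on(opts, "useSsl")
    pinned = bool(opts.get("serverRsaPublicKeyFile"))
    retrieval = is_on(opts, "allowPublicKeyRetrieval")
    findings = []
    if not (ssl or pinned or retrieval):
        # None of the three routes listed in the thread: a sha256_password login
        # ends in "RSA public key is not available client side".
        findings.append("no-key-source")
    if retrieval and ssl:
        findings.append("retrieval-redundant")   # not needed when SSL is used
    elif retrieval and not pinned:
        findings.append("retrieval-unpinned")    # RSA key is taken from the server
    if ssl and is_on(opts, "trustServerCertificate"):
        findings.append("cert-unverified")       # server certificate is not checked
    suites = set(opts.get("enabledSslProtocolSuites", "").split(","))
    legacy = sorted(LEGACY_TLS & suites)
    if ssl and legacy:
        findings.append("legacy-tls:" + ",".join(legacy))
    return findings

# Constructed samples: the reporter's URL, his later settings written as URL
# options, the URL suggested in the last comment, and a pinned-key variant
# (the key-file path is a placeholder).
BASE = "jdbc:mysql://dbserver.example.org:3306/dbname"
SAMPLES = [
    BASE,
    BASE + "?useSsl=true&trustServerCertificate=true&allowPublicKeyRetrieval=true",
    "jdbc:mariadb://localhost:3306/testj?useSsl&trustServerCertificate"
    "&enabledSslProtocolSuites=TLSv1,TLSv1.1",
    BASE + "?serverRsaPublicKeyFile=/path/to/server-public-key.pem",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(audit(url), url)
```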
