[MDEV-22129] MySQL Compatibility: Missing `ssl-mode` flag Created: 2020-04-03  Updated: 2020-07-11  Resolved: 2020-05-11

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.4.11
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Matthew McCullough Assignee: Unassigned
Resolution: Incomplete Votes: 0
Labels: need_feedback
Environment:

MacBook Pro (15-inch, 2017), MacOS Catalina

Issue Links:
Relates
relates to MDEV-28634 Client's --ssl-* options (without --s... Closed

 Description   

MySQL client has the option `ssl-mode`:

From 5.6 Docs:

This option is available only for client programs, not the server. It specifies the security state of the connection to the server:
If this option is not specified, the default is to establish an unencrypted connection. This is like the --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).
If this option is specified, the only permitted value is REQUIRED (establish an encrypted connection if the server supports encrypted connections). The connection attempt fails if an encrypted connection cannot be established.

From 5.7 Docs:

This option is available only for client programs, not the server. It specifies the security state of the connection to the server. These option values are permitted:
PREFERRED: Establish an encrypted connection if the server supports encrypted connections, falling back to an unencrypted connection if an encrypted connection cannot be established. This is the default if --ssl-mode is not specified.
REQUIRED: Establish an encrypted connection if the server supports encrypted connections. The connection attempt fails if an encrypted connection cannot be established.
VERIFY_CA: Like REQUIRED, but additionally verify the server Certificate Authority (CA) certificate against the configured CA certificates. The connection attempt fails if no valid matching CA certificates are found.
VERIFY_IDENTITY: Like VERIFY_CA, but additionally perform host name identify verification by checking the server's Common Name identity in the certificate that the server sends to the client. The client verifies the Common Name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. This is like the legacy --ssl-verify-server-cert option.
DISABLED: Establish an unencrypted connection. This is like the legacy --ssl=0 option or its synonyms (--skip-ssl, --disable-ssl).

The client that comes with MariaDB does not support this flag. Therefore software built to use MySQL, that employs this flag for some reason, can't support MariaDB.

This specifically comes up in a Go library called SQLBoiler which does code generation based on database schema; unit tests for the generated code fail with MariaDB because the client doesn't understand this flag.

Relevant issues:

https://github.com/volatiletech/sqlboiler/issues/117
https://github.com/volatiletech/sqlboiler/issues/273

 Comments   
Comment by Sergei Golubchik [ 2020-04-07 ]

MariaDB clients don't support ssl-mode. As MySQL 5.7 manual above says, one is supposed to use --ssl instead of --ssl-mode=PREFERRED and --ssl --ssl-verify-server-cert instead of --ssl-mode=VERIFY_IDENTITY. We intentionally didn't implement the support for VERIFY_CA and REQUIRED modes, because requiring ssl without verifying the certificate is misleading — it creates a false sense of security while keeping connection vulnerable to MitM attacks.

For MySQL compatibility we can add support for this option, but only for those values that the client actually implements. Looking at the sqlboiler issue you only need --ssl-mode=DISABLED anyway, so that should work.

Why sqlboiler needs to disable ssl explicitly anyway?

Comment by Jakob Müller [ 2020-06-06 ]

The MySQL 5.7 documentation actually says the exact opposite:
"Consequently, --ssl and --ssl-verify-server-cert are deprecated, and are removed in MySQL 8.0."

https://dev.mysql.com/doc/refman/5.7/en/encrypted-connections.html

So this should probably be adjusted in order to maintain compatibility.

Generated at Thu Feb 08 09:12:25 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.