Add API to express like a `--ssl-mode=PREFERRED` MySQL client
#1370
Conversation
Signed-off-by: lance6716 <[email protected]>
This pull request introduces 1 alert when merging ad744fc into fa1e4ed - view on LGTM.com new alerts:
Signed-off-by: lance6716 <[email protected]>
This pull request introduces 1 alert when merging 636b5b0 into fa1e4ed - view on LGTM.com new alerts:
I don't like adding new registry. Existing registries were added when Go didn't have Connector API.
OK, to use
This reverts commit ad744fc.
Signed-off-by: lance6716 <[email protected]>
This pull request introduces 1 alert when merging 372d17b into fa1e4ed - view on LGTM.com new alerts:
Signed-off-by: lance6716 <[email protected]>
This pull request introduces 1 alert when merging 9e2588b into fa1e4ed - view on LGTM.com new alerts:
`--ssl-mode=mode=PREFERRED MySQL client`
PR description is also updated 😄
So the problem is that I'm not sure how MySQL Client behaves in this situation. Looks like this PR might be more like setting Note that TLSv1.1 is supported by YaSSL, so it should not be needed to downgrade all the way to TLSv1.0 for MySQL 5.7. For MySQL 5.6 and earlier TLSv1.0 was hardcoded (see https://bugs.mysql.com/bug.php?id=75239) and downgrading all the way might be needed. So I think we have these options:
I think merging this PR (or other changes, with the similar behavior) would be good to make it easier for applications to handle this. Using older TLS protocols should not be done by default as that would be bad for security, but for people to migrate to newer database servers that support new TLS features this PR would help. LGTM
@methane please give me some advice, we need the auto-TLS feature
packets.go
Outdated
if mc.flags&clientSSL == 0 && mc.cfg.TLS != nil { | ||
if mc.cfg.AllowFallbackToNoTLS { | ||
mc.cfg.TLS = nil |
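Review bot: `mc.cfg.TLS = nil` mutates the Config shared by the connector/DSN instead of per-connection state, so after one handshake falls back every later connection built from the same config silently skips TLS even when it reaches a server that does advertise it; keep the fallback in a local or on the connection object and leave `mc.cfg` untouched. Note also that the guard `mc.flags&clientSSL == 0` only covers the server-not-advertising-TLS case, so the documentation for `AllowFallbackToNoTLS` should say that a failed TLS handshake or certificate verification does not fall back.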
Why delete `TLSConfig == "preferred"`?
the case `TLSConfig == "preferred"` is moved into dsn.go

```go
case "preferred":
	cfg.TLS = &tls.Config{InsecureSkipVerify: true}
	cfg.AllowFallbackToNoTLS = true
```

I want to only use one variable `AllowFallbackToNoTLS` to control this behaviour
Ok. I got it.
Merging this PR is beneficial for some users with old versions of MySQL. 🎉
LGTM.
@@ -46,13 +46,14 @@ type Config struct { | |||
ServerPubKey string // Server public key name | |||
pubKey *rsa.PublicKey // Server public key | |||
TLSConfig string // TLS configuration name | |||
tls *tls.Config // TLS configuration | |||
TLS *tls.Config // TLS configuration, its priority is higher than TLSConfig |
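Review bot: the comment on the new exported `TLS` field should state the exact rule when both `TLS` and `TLSConfig` are set (for example "if TLS is non-nil it is used and TLSConfig is ignored", or that setting both is an error); "its priority is higher than TLSConfig" leaves that ambiguous, and the DSN-parsing side has to implement the same rule. Since the field is now public, also document whether the driver may modify it (the packets.go change sets it to nil on fallback), because callers commonly reuse one Config across many connections.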
In this version, does it still need to be public?
Yes, it does not need to be public; we can still use the old way to register a TLS config and use the key name to find it.
Let the maintainer decide if we can add a short path 😄
Almost LGTM. We need to reorganize the Config obj and DSN in v2, but now is not the time for it. So I am considering only naming for now:
@shogo82148 How do you think?
dsn.go
Outdated
@@ -391,6 +401,14 @@ func parseDSNParams(cfg *Config, params string) (err error) { | |||
return errors.New("invalid bool value: " + value) | |||
} | |||
|
|||
// Allow fallback to unencrypted connection if server does not support TLS | |||
case "allowFallbackToNoTLS": |
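Review bot: the new `case "allowFallbackToNoTLS":` should reject the combination with a verifying TLS setting (`tls=true`, or a registered config that verifies the CA and hostname), otherwise the DSN promises verification while permitting a plaintext downgrade; return an error the same way the `invalid bool value` branch above does. The comment "if server does not support TLS" should also say precisely which condition triggers the fallback (the server not advertising the SSL capability flag), since handshake and verification failures are a different case and should not fall back.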
What if setting `tls=true` or verify CA and hostname with `allowFallbackToNoTLS` at the same time? What's the meaning then? Looks like invalid combination to me.
OK, I should give a more detailed description of "when will the driver fall back to no TLS": does it happen on a TLS identity verification error, an unsupported TLS version, or the server not enabling TLS?
I want a fallback for the last case, and maybe the name should contain "TLSHandshake" or something. Will learn the TLS concepts to find a good name later. Welcome to give me some advice
also cc @dveeden
`--ssl-mode=mode=PREFERRED MySQL client` → `--ssl-mode=PREFERRED MySQL client`
maybe add a param `tlsVersion`, so we can use `preferred` to connect to old MySQL using `tlsConfig=preferred&tlsVersion=1.0`, and this way for `tlsConfig=true` or `skip-verify`, we can combine it with `tlsVersion`
Co-authored-by: D3Hunter <[email protected]>
This pull request introduces 1 alert when merging a58b468 into fa1e4ed - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. It looks like GitHub code scanning with CodeQL is already set up for this repo, so no further action is needed 🚀. For more information, please check out our post on the GitHub blog.
I updated the PR description to give an overview of the comments. @shogo82148 please give a review, especially about the naming/API style as @methane requested
How about
Signed-off-by: lance6716 <[email protected]>
This pull request introduces 1 alert when merging 4ced115 into fa1e4ed - view on LGTM.com new alerts:
ptal @methane
PTAL @methane this PR has LGT1 now
- Using tls=preferred, the server accepts a TLS connection from the client but is also okay if the client does not switch to encryption.
- upgrade go-sql-driver > 1.7.0 to use this feature for older version MySQL server go-sql-driver/mysql#1370.
Signed-off-by: lance6716 [email protected]
Description

Problem

We use "preferred" tls mode to encrypt MySQL connection when it's possible. After golang 1.18 the default minimum TLS version is changed to v1.2, so it's no longer a valid value to connect to old MySQL servers, and according to the doc the only way to come back to old behaviour is setting `tls.Config.MinVersion` to `VersionTLS10`.

New feature

In this PR I want to introduce (or update)

- one new configuration: `AllowFallbackToNoTLS`, which is a `bool` to indicate the TLS is preferred rather than a must. Its behaviour is the same as the old "preferred" tls mode
- one (optional) configuration field change: `TLS`, which is a `*tls.Config` in Config. It's OK that we don't have this change and use old-style register + name reference, but I hope we can get rid of boring works (unique naming, register, deregister)

behaviour of configuration item combinations (some of them are mentioned in the comments of this PR)

- `AllowFallbackToNoTLS`, it should be the same as that `tlsConfig=preferred&tlsVersion=1.0` as an alternative: I think using `*tls.Config` and `AllowFallbackToNoTLS` are more flexible, for example, in `*tls.Config` I can set the minimum and maximum TLS version.
- `tlsConfig=skip-verify&tlsVersion=1.0` as an alternative: same as above, because in `*tls.Config` we can control `InsecureSkipVerify`. In addition to that, we can use `VerifyPeerCertificate` to perform more verification like --ssl-mode=VERIFY_CA/VERIFY_IDENTITY

Checklist
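The semantics argued over in this thread (a "preferred" TLS config that lowers `MinVersion` for old servers, an `AllowFallbackToNoTLS` switch, the invalid combination of fallback with a verifying config, and the capability-flag decision from the packets.go hunk) can be shown in one self-contained Go program. This is an added example, not code from go-sql-driver/mysql or from this PR: `connTLS`, `legacyTLSConfig`, `validate` and `decide` are hypothetical names, and the only protocol fact assumed is the MySQL `CLIENT_SSL` capability bit (0x800); the server capability words fed to it are constructed. It deliberately returns the decision instead of mutating a shared config, which is the concern raised on the `mc.cfg.TLS = nil` line.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// CLIENT_SSL capability bit of the MySQL protocol (0x800). Assumed protocol
// constant; the driver's own clientSSL value is not quoted on the PR page.
const clientSSL uint32 = 0x800

// connTLS mirrors the two driver settings discussed in the PR (hypothetical type).
type connTLS struct {
	TLS                  *tls.Config // nil means plaintext only
	AllowFallbackToNoTLS bool
}

// legacyTLSConfig builds the tls.Config the PR description points at:
// Go 1.18+ defaults MinVersion to TLS 1.2, so reaching a MySQL 5.6/5.7
// server that only speaks TLS 1.0/1.1 requires lowering it explicitly.
// skipVerify maps to InsecureSkipVerify, which is what tls=preferred did.
func legacyTLSConfig(minVersion uint16, skipVerify bool) *tls.Config {
	return &tls.Config{
		MinVersion:         minVersion,
		InsecureSkipVerify: skipVerify,
	}
}

// validate rejects the combination questioned in review: asking for
// certificate/hostname verification while also allowing a silent downgrade
// to plaintext. Fallback only makes sense with the unverified "preferred" style.
func validate(c connTLS) error {
	if c.AllowFallbackToNoTLS && c.TLS == nil {
		return errors.New("AllowFallbackToNoTLS set but no TLS config given")
	}
	if c.AllowFallbackToNoTLS && !c.TLS.InsecureSkipVerify {
		return errors.New("AllowFallbackToNoTLS is incompatible with a verifying TLS config")
	}
	return nil
}

// decide reproduces the decision from the packets.go hunk on the server's
// capability flags, but returns the outcome ("tls" or "plain") instead of
// writing nil into a shared config, so one downgraded handshake cannot
// poison later connections that reuse the same config.
func decide(c connTLS, serverFlags uint32) (string, error) {
	if err := validate(c); err != nil {
		return "", err
	}
	if c.TLS == nil {
		return "plain", nil
	}
	if serverFlags&clientSSL != 0 {
		return "tls", nil
	}
	if c.AllowFallbackToNoTLS {
		// Only the "server does not advertise TLS" case falls back; a failed
		// handshake or verification later is still a hard error.
		return "plain", nil
	}
	return "", errors.New("server does not advertise CLIENT_SSL and fallback is not allowed")
}

func main() {
	preferred := connTLS{TLS: legacyTLSConfig(tls.VersionTLS10, true), AllowFallbackToNoTLS: true}
	// Constructed capability words: one server with CLIENT_SSL set, one without.
	for _, flags := range []uint32{0x80000 | clientSSL, 0x80000} {
		mode, err := decide(preferred, flags)
		fmt.Printf("flags=%#x mode=%q err=%v\n", flags, mode, err)
	}
	strict := connTLS{TLS: legacyTLSConfig(tls.VersionTLS12, false), AllowFallbackToNoTLS: true}
	fmt.Println("verifying config + fallback:", validate(strict))
}
```

Because the fallback is keyed on a flag the server sends in the clear, anything on the path that can rewrite the greeting can force plaintext; that is the inherent risk of a PREFERRED mode, which is why the fallback is refused together with a verifying config and why the decision should be logged per connection rather than remembered in the shared config.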