Add API to express like a --ssl-mode=PREFERRED MySQL client
#1370
Conversation
Signed-off-by: lance6716 <lance6716@gmail.com>
|
This pull request introduces 1 alert when merging ad744fc into fa1e4ed - view on LGTM.com new alerts:
|
Signed-off-by: lance6716 <lance6716@gmail.com>
|
This pull request introduces 1 alert when merging 636b5b0 into fa1e4ed - view on LGTM.com new alerts:
|
|
I don't like adding new registry. Existing registries were added when Go didn't have Connector API. |
|
OK, to use |
This reverts commit ad744fc.
Signed-off-by: lance6716 <lance6716@gmail.com>
|
This pull request introduces 1 alert when merging 372d17b into fa1e4ed - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging 9e2588b into fa1e4ed - view on LGTM.com new alerts:
|
lance6716
changed the title
--ssl-mode=mode=PREFERRED MySQL client
|
PR description is also updated 😄 |
|
So the problem is that I'm not sure how MySQL Client behaves in this situation. Looks like this PR might be more like setting Note that TLSv1.1 is supported by YaSSL, so it should not be needed to downgrade all the way to TLSv1.0 for MySQL 5.7. For MySQL 5.6 and earlier TLSv1.0 was hardcoded (see https://bugs.mysql.com/bug.php?id=75239) and downgrading all the way might be needed. So I think we have these options:
I think merging this PR (or other changes, with the similar behavior) would be good to make it easier for applications to handle this. Using older TLS protocols should not be done by default as that would be bad for security, but for people to migrate to newer database servers that support new TLS features this PR would help. LGTM |
|
@methane please give me some advice, we need the auto-TLS feature |
packets.go
Outdated
| if mc.flags&clientSSL == 0 && mc.cfg.TLS != nil { | ||
| if mc.cfg.AllowFallbackToNoTLS { | ||
| mc.cfg.TLS = nil |
There was a problem hiding this comment.
Why delete TLSConfig == "preferred"?
There was a problem hiding this comment.
the case TLSConfig == "preferred" is moved into dsn.go
case "preferred":
cfg.TLS = &tls.Config{InsecureSkipVerify: true}
cfg.AllowFallbackToNoTLS = trueI want to only use one variable AllowFallbackToNoTLS to control this behaviour
There was a problem hiding this comment.
Ok. I got it.
Merging this PR is beneficial for some users with old versions of MySQL. 🎉
LGTM.
|
How about just allowing users to One thing to note is how to treat |
| @@ -46,13 +46,14 @@ type Config struct { | |||
| ServerPubKey string // Server public key name | |||
| pubKey *rsa.PublicKey // Server public key | |||
| TLSConfig string // TLS configuration name | |||
| tls *tls.Config // TLS configuration | |||
| TLS *tls.Config // TLS configuration, its priority is higher than TLSConfig | |||
There was a problem hiding this comment.
In this version, does it still need to be public?
There was a problem hiding this comment.
Yes it does not need to be public, we can still use the old way to register a TLS config and use key name to find it.
Let the maintainer to decide if we can add a short path 😄
|
Almost LGTM. We need to reorganize Config obj and DSN in v2, but now is not a time for it. So I am considering about only naming for now:
@shogo82148 How do you think? |
dsn.go
Outdated
| @@ -391,6 +401,14 @@ func parseDSNParams(cfg *Config, params string) (err error) { | |||
| return errors.New("invalid bool value: " + value) | |||
| } | |||
|
|
|||
| // Allow fallback to unencrypted connection if server does not support TLS | |||
| case "allowFallbackToNoTLS": | |||
There was a problem hiding this comment.
What if setting tls=true or verify CA and hostname with allowFallbackToNoTLS at the same time? What's the meaning then? Looks like invalid combination to me.
There was a problem hiding this comment.
OK, I should give more detailed description on "when will the driver fallback to no TLS", does it happen on TLS identity verify error, not supported TLS version or server not enable TLS?
I want a fallback for the last cases, and maybe the name should contain "TLSHandshake" or something. Will learn the TLS concepts to find a good name later. Welcome to give me some advice
also cc @dveeden
lance6716
changed the title
--ssl-mode=mode=PREFERRED MySQL client--ssl-mode=PREFERRED MySQL client
Co-authored-by: D3Hunter <jujj603@gmail.com>
|
This pull request introduces 1 alert when merging a58b468 into fa1e4ed - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. It looks like GitHub code scanning with CodeQL is already set up for this repo, so no further action is needed 🚀. For more information, please check out our post on the GitHub blog. |
|
I updated the PR description to give a overview of the comments. @shogo82148 please give a review, especially about the naming/API stype as @methane requested |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
How about |
Signed-off-by: lance6716 <lance6716@gmail.com>
|
This pull request introduces 1 alert when merging 4ced115 into fa1e4ed - view on LGTM.com new alerts:
Heads-up: LGTM.com's PR analysis will be disabled on the 5th of December, and LGTM.com will be shut down ⏻ completely on the 16th of December 2022. It looks like GitHub code scanning with CodeQL is already set up for this repo, so no further action is needed 🚀. For more information, please check out our post on the GitHub blog. |
| case "skip-verify": | ||
| cfg.TLS = &tls.Config{InsecureSkipVerify: true} | ||
| case "preferred": | ||
| cfg.TLS = &tls.Config{InsecureSkipVerify: true} |
Check failure
Code scanning / CodeQL
Disabled TLS certificate check
|
ptal @methane |
|
PTAL @methane this PR has LGT1 now |
- Using tls=preferred, the server accepts a TLS connection from the client but is also okay if the client does not switch to encryption. - upgrade go-sql-driver > 1.7.0 to use this feature for older version MySQL server go-sql-driver/mysql#1370.
Signed-off-by: lance6716 lance6716@gmail.com
Description
Problem
We use "preferred" tls mode to encrypt MySQL connection when it's possible. After golang 1.18 the default minimum TLS version is changed to v1.2, so it's no longer a valid value to connect to old MySQL servers, and according to the doc the only way to come back to old behaviour is setting
tls.Config.MinVersiontoVersionTLS10New feature
In this PR I want to introduce(or update)
one new configuration:
AllowFallbackToNoTLSwhich is aboolto indicate the TLS is preferred rather than a must. Its behaviour is same as the old "preferred" tls modeone (optional) configuration field change:
TLSwhich is a*tls.Configin Config. It's OK that we don't have this change and use old-style register + name reference, but I hope we can get rid of boring works (unique naming, register, deregister)behaviour of configuration item combinations
(some of them are mentioned in the comments of this PR)
AllowFallbackToNoTLS, it should be the same as thattlsConfig=preferred&tlsVersion=1.0as an alternative: I think using*tls.ConfigandAllowFallbackToNoTLSare more flexible, for example, in*tls.ConfigI can set the minimun and maximun TLS version.tlsConfig=skip-verify&tlsVersion=1.0as an alternative: same as above, because in*tls.Configwe can controlInsecureSkipVerify. In addition to that, we can useVerifyPeerCertificateto perform more verification like --ssl-mode=VERIFY_CA/VERIFY_IDENTITYChecklist