MDEV-32123: require_secure_transport doesn't allow TCP connections
In case the option require_secure_transport is on the user can't establish a secure ssl connection over TCP protocol. Inability to set up a ssl session over TCP was caused by the fact that a type of client's connection was checked before ssl handshake performed (ssl handshake happens at the function acl_authenticate()). At that moment vio type has the value VIO_TYPE_TCPIP for client connection that uses TCP transport. As a result, the check for an allowable vio type fails despite the fact that an SSL session is being established. To fix the issue move checking of vio type for allowable values inside the function parse_client_handshake_packet() right after client's capabilities discovered that SSL is not requested by the client.
1 parent
872ed53
commit a05b5dd
Showing
7 changed files
with
89 additions
and
36 deletions.
@@ -1,8 +1,17 @@ | ||
CREATE TABLE t1 (t int(1)); | ||
SET GLOBAL require_secure_transport=ON; | ||
ERROR HY000: Connections using insecure transport are prohibited while --require_secure_transport=ON. | ||
connect(localhost,root,,test,MASTER_PORT,MASTER_SOCKET); | ||
connect without_ssl,localhost,root,,,,,TCP NOSSL; | ||
ERROR 08004: Connections using insecure transport are prohibited while --require_secure_transport=ON. | ||
connect with_ssl,localhost,root,,,,,TCP SSL; | ||
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; | ||
have_ssl | ||
1 | ||
disconnect with_ssl; | ||
connection default; | ||
SET GLOBAL require_secure_transport=OFF; | ||
connect without_ssl,localhost,root,,,,,TCP NOSSL; | ||
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; | ||
have_ssl | ||
0 | ||
disconnect without_ssl; | ||
connection default; | ||
DROP TABLE t1; |
@@ -1,15 +1,18 @@ | ||
-- source include/have_ssl_communication.inc | ||
CREATE TABLE t1 (t int(1)); | ||
SET GLOBAL require_secure_transport=ON; | ||
--disable_query_log | ||
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT | ||
--error ER_SECURE_TRANSPORT_REQUIRED | ||
connect without_ssl,localhost,root,,,,,TCP NOSSL; | ||
--enable_query_log | ||
|
||
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT | ||
connect with_ssl,localhost,root,,,,,TCP SSL; | ||
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; | ||
disconnect with_ssl; | ||
|
||
connection default; | ||
SET GLOBAL require_secure_transport=OFF; | ||
--disable_query_log | ||
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT | ||
connect without_ssl,localhost,root,,,,,TCP NOSSL; | ||
--enable_query_log | ||
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; | ||
disconnect without_ssl; | ||
connection default; | ||
DROP TABLE t1; |
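Review bot: Under `SET GLOBAL require_secure_transport=ON;` the test only checks the two TCP cases — the `--error ER_SECURE_TRANSPORT_REQUIRED` / `connect without_ssl,... TCP NOSSL` pair and the following `connect with_ssl,... TCP SSL` — while nothing verifies that a non-SSL connection over the Unix socket, the transport the server counts as secure, is still admitted. The fix moves exactly that vio-type check for clients that do not request SSL into parse_client_handshake_packet(), so a regression that rejected socket clients would pass this test unnoticed. Consider adding, while the variable is ON, a connect over `$MASTER_MYSOCK` with `NOSSL` in the options field followed by the same `have_ssl` query expecting 0, something like `connect socket_nossl,localhost,root,,,,$MASTER_MYSOCK,NOSSL;` (guarded by `not_windows.inc`, since the socket transport is Unix-only) — verify against the mysqltest connect syntax. The hunk starts at the file's first line and appears to span the whole file, so this applies to the file as a whole.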
@@ -0,0 +1 @@ | ||
--require-secure-transport=TRUE |
@@ -0,0 +1,9 @@ | ||
connect(localhost,root,,test,MASTER_PORT,MASTER_SOCKET); | ||
connect without_ssl,localhost,root,,,,,TCP NOSSL; | ||
ERROR 08004: Connections using insecure transport are prohibited while --require_secure_transport=ON. | ||
connect with_ssl,localhost,root,,,,,TCP SSL; | ||
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; | ||
have_ssl | ||
1 | ||
disconnect with_ssl; | ||
connection default; |
@@ -0,0 +1,14 @@ | ||
--source include/not_windows.inc | ||
--source include/have_ssl_communication.inc | ||
|
||
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT | ||
--error ER_SECURE_TRANSPORT_REQUIRED | ||
connect without_ssl,localhost,root,,,,,TCP NOSSL; | ||
|
||
--replace_result $MASTER_MYSOCK MASTER_SOCKET $MASTER_MYPORT MASTER_PORT | ||
connect with_ssl,localhost,root,,,,,TCP SSL; | ||
SELECT (VARIABLE_VALUE <> '') AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher'; | ||
disconnect with_ssl; | ||
|
||
connection default; | ||
|
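Review bot: The new test carries no comment tying it to the bug it guards against, and its first line `--source include/not_windows.inc` gives no reason for excluding Windows, so the next maintainer cannot tell whether the exclusion is still needed. A header such as `# MDEV-32123: require_secure_transport doesn't allow TCP connections` plus a one-line `#` comment above the not_windows include stating the reason would make the intent greppable. Presumably the exclusion exists because the companion .opt file starts the server with `--require-secure-transport=TRUE`, so mysqltest's own default connection must arrive over a transport the server counts as secure, which is not available the same way on Windows — confirm that before writing the comment. The `--replace_result $MASTER_MYSOCK ... $MASTER_MYPORT ...` line is repeated verbatim before each connect; that is the existing convention in the sibling test, so it is only worth a shared note, not a change.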