Add support for MySQL VERIFY_CA SSL mode via tls-verify parameter

  Implements VERIFY_CA SSL mode to verify certificate authority without
  hostname verification, matching MySQL client's --ssl-mode=VERIFY_CA.

  This addresses a long-standing limitation where users needed TLS with
  CA verification but couldn't use hostname verification due to:
  - Connecting via IP addresses instead of hostnames
  - Dynamic IPs or load-balanced MySQL instances
  - Certificates with SANs that don't match connection strings
  - Multiple hostnames for the same MySQL instance

  Adds new  DSN parameter with two values:
  - identity: Full verification (CA + hostname) - default
  - ca: CA verification only (no hostname check)

  Works with both system CA pool and custom registered TLS configs:
  - ?tls=true&tls-verify=ca (system CA)
  - ?tls=custom&tls-verify=ca (custom CA)

  This is particularly important for users migrating to MySQL 8.0's
  caching_sha2_password authentication, which requires encrypted
  connections by default, making TLS support more critical.

  Implementation follows Go team's recommended pattern from golang/go
  issues #21971, #31791, #31792, #35467: using InsecureSkipVerify
  with custom VerifyPeerCertificate callback that performs CA validation
  via x509.Certificate.Verify() without hostname checking.

  Related: #899
  See also: golang/go#31792, golang/go#24151, golang/go#21971,
  golang/go#28754, golang/go#31791, golang/go#35467

Author: pourtorabehsan

AUTHORS

@@ -43,6 +43,7 @@ Diego Dupin <diego.dupin at gmail.com>
 Dirkjan Bussink <d.bussink at gmail.com>
 DisposaBoy <disposaboy at dby.me>
 Egor Smolyakov <egorsmkv at gmail.com>
+Ehsan Pourtorab <pourtorab.ehsan at gmail.com>
 Erwan Martin <hello at erwan.io>
 Evan Elias <evan at skeema.net>
 Evan Shaw <evan at vendhq.com>

README.md

@@ -434,7 +434,39 @@ Valid Values:   true, false, skip-verify, preferred, <name>
 Default:        false
 ```
 
-`tls=true` enables TLS / SSL encrypted connection to the server. Use `skip-verify` if you want to use a self-signed or invalid certificate (server side) or use `preferred` to use TLS only when advertised by the server. This is similar to `skip-verify`, but additionally allows a fallback to a connection which is not encrypted. Neither `skip-verify` nor `preferred` add any reliable security. You can use a custom TLS config after registering it with [`mysql.RegisterTLSConfig`](https://godoc.org/github.com/go-sql-driver/mysql#RegisterTLSConfig).
+`tls=true` enables TLS / SSL encrypted connection to the server with full certificate verification (including hostname). Use `skip-verify` if you want to use a self-signed or invalid certificate (server side) or use `preferred` to use TLS only when advertised by the server. This is similar to `skip-verify`, but additionally allows a fallback to a connection which is not encrypted. Neither `skip-verify` nor `preferred` add any reliable security. You can use a custom TLS config after registering it with [`mysql.RegisterTLSConfig`](https://godoc.org/github.com/go-sql-driver/mysql#RegisterTLSConfig).
+
+**TLS Verification Modes:**
+
+The `tls` parameter selects which CA certificates to use:
+- `tls=true`: Use system CA pool
+- `tls=<name>`: Use custom registered TLS config
+- `tls=skip-verify`: Accept any certificate (insecure)
+- `tls=preferred`: Attempt TLS, fall back to plaintext (insecure)
+
+The `tls-verify` parameter controls how certificates are verified (works with both `tls=true` and custom configs):
+- `tls-verify=identity` (default): Verifies CA and hostname - Most secure, equivalent to MySQL's VERIFY_IDENTITY
+- `tls-verify=ca`: Verifies CA only, skips hostname check - Equivalent to MySQL's VERIFY_CA mode
+
+**Examples:**
+- `?tls=true` - System CA with full verification (default behavior)
+- `?tls=true&tls-verify=ca` - System CA with CA-only verification
+- `?tls=custom` - Custom CA with full verification (default behavior)
+- `?tls=custom&tls-verify=ca` - Custom CA with CA-only verification
+
+##### `tls-verify`
+
+```
+Type:           string
+Valid Values:   identity, ca
+Default:        identity
+```
+
+Controls the TLS certificate verification level. This parameter works in conjunction with the `tls` parameter:
+- `identity`: Full verification including hostname (default, most secure)
+- `ca`: CA verification only, without hostname checking (MySQL VERIFY_CA equivalent)
+
+This parameter only applies when `tls=true` or `tls=<custom-config>`. It has no effect with `tls=skip-verify` or `tls=preferred`.
 
 
 ##### `writeTimeout`

dsn.go

@@ -49,6 +49,7 @@ type Config struct {
 	MaxAllowedPacket     int               // Max packet size allowed
 	ServerPubKey         string            // Server public key name
 	TLSConfig            string            // TLS configuration name
+	TLSVerify            string            // TLS verification level: "identity" (default) or "ca"
 	TLS                  *tls.Config       // TLS configuration, its priority is higher than TLSConfig
 	Timeout              time.Duration     // Dial timeout
 	ReadTimeout          time.Duration     // I/O read timeout
@@ -195,21 +196,39 @@ func (cfg *Config) normalize() error {
 	}
 
 	if cfg.TLS == nil {
+		// Default TLSVerify to identity if not specified
+		if cfg.TLSVerify == "" {
+			cfg.TLSVerify = "identity"
+		}
+
 		switch cfg.TLSConfig {
 		case "false", "":
 			// don't set anything
 		case "true":
-			cfg.TLS = &tls.Config{}
+			// System CA pool
+			if cfg.TLSVerify == "ca" {
+				cfg.TLS = createVerifyCAConfig(nil)
+			} else {
+				cfg.TLS = &tls.Config{}
+			}
 		case "skip-verify":
 			cfg.TLS = &tls.Config{InsecureSkipVerify: true}
 		case "preferred":
 			cfg.TLS = &tls.Config{InsecureSkipVerify: true}
 			cfg.AllowFallbackToPlaintext = true
 		default:
+			// Custom registered TLS config
 			cfg.TLS = getTLSConfigClone(cfg.TLSConfig)
 			if cfg.TLS == nil {
 				return errors.New("invalid value / unknown config name: " + cfg.TLSConfig)
 			}
+
+			// Apply tls-verify to custom config
+			if cfg.TLSVerify == "ca" {
+				// Extract RootCAs from the custom config and create a CA-only verification config
+				rootCAs := cfg.TLS.RootCAs
+				cfg.TLS = createVerifyCAConfig(rootCAs)
+			}
 		}
 	}
 
@@ -370,6 +389,10 @@ func (cfg *Config) FormatDSN() string {
 		writeDSNParam(&buf, &hasParam, "tls", url.QueryEscape(cfg.TLSConfig))
 	}
 
+	if len(cfg.TLSVerify) > 0 && cfg.TLSVerify != "identity" {
+		writeDSNParam(&buf, &hasParam, "tls-verify", cfg.TLSVerify)
+	}
+
 	if cfg.WriteTimeout > 0 {
 		writeDSNParam(&buf, &hasParam, "writeTimeout", cfg.WriteTimeout.String())
 	}
@@ -658,6 +681,14 @@ func parseDSNParams(cfg *Config, params string) (err error) {
 				cfg.TLSConfig = name
 			}
 
+		// TLS verification level
+		case "tls-verify":
+			mode := strings.ToLower(value)
+			if mode != "identity" && mode != "ca" {
+				return fmt.Errorf("invalid tls-verify value: %s (must be 'identity' or 'ca')", value)
+			}
+			cfg.TLSVerify = mode
+
 		// I/O write Timeout
 		case "writeTimeout":
 			cfg.WriteTimeout, err = time.ParseDuration(value)

dsn_test.go

@@ -429,6 +429,160 @@ func TestNormalizeTLSConfig(t *testing.T) {
 	}
 }
 
+func TestTLSVerifySystemCA(t *testing.T) {
+	tests := []struct {
+		name string
+		dsn  string
+	}{
+		{"ca with system CA", "tcp(example.com:1234)/?tls=true&tls-verify=ca"},
+		{"identity with system CA (explicit)", "tcp(example.com:1234)/?tls=true&tls-verify=identity"},
+		{"identity with system CA (default)", "tcp(example.com:1234)/?tls=true"},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg, err := ParseDSN(tc.dsn)
+			if err != nil {
+				t.Error(err.Error())
+			}
+			if cfg.TLS == nil {
+				t.Error("cfg.TLS should not be nil")
+			}
+
+			if cfg.TLSVerify == "ca" {
+				if !cfg.TLS.InsecureSkipVerify {
+					t.Error("ca mode should have InsecureSkipVerify=true")
+				}
+				if cfg.TLS.VerifyPeerCertificate == nil {
+					t.Error("ca mode should have VerifyPeerCertificate callback set")
+				}
+				// ca should not set ServerName (hostname verification is skipped)
+				if cfg.TLS.ServerName != "" {
+					t.Errorf("ca mode should not set ServerName, got %q", cfg.TLS.ServerName)
+				}
+			} else {
+				// identity (default) should set ServerName
+				if cfg.TLS.ServerName != "example.com" {
+					t.Errorf("identity mode should set ServerName to 'example.com', got %q", cfg.TLS.ServerName)
+				}
+			}
+		})
+	}
+}
+
+func TestTLSVerifyCustomConfig(t *testing.T) {
+	// Register a custom TLS config
+	customConfig := &tls.Config{
+		ServerName: "customServer",
+		RootCAs:    nil, // Use system CA pool for this test
+	}
+	RegisterTLSConfig("custom", customConfig)
+	defer DeregisterTLSConfig("custom")
+
+	tests := []struct {
+		name string
+		dsn  string
+	}{
+		{"ca with custom config", "tcp(example.com:1234)/?tls=custom&tls-verify=ca"},
+		{"identity with custom config (explicit)", "tcp(example.com:1234)/?tls=custom&tls-verify=identity"},
+		{"identity with custom config (default)", "tcp(example.com:1234)/?tls=custom"},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg, err := ParseDSN(tc.dsn)
+			if err != nil {
+				t.Error(err.Error())
+			}
+			if cfg.TLS == nil {
+				t.Error("cfg.TLS should not be nil")
+			}
+
+			if cfg.TLSVerify == "ca" {
+				if !cfg.TLS.InsecureSkipVerify {
+					t.Error("ca mode should have InsecureSkipVerify=true")
+				}
+				if cfg.TLS.VerifyPeerCertificate == nil {
+					t.Error("ca mode should have VerifyPeerCertificate callback set")
+				}
+				// ca should not set ServerName (hostname verification is skipped)
+				if cfg.TLS.ServerName != "" {
+					t.Errorf("ca mode should not set ServerName, got %q", cfg.TLS.ServerName)
+				}
+			} else {
+				// identity (default) should preserve custom config's ServerName
+				if cfg.TLS.ServerName != "customServer" {
+					t.Errorf("identity mode should preserve custom ServerName 'customServer', got %q", cfg.TLS.ServerName)
+				}
+			}
+		})
+	}
+}
+
+func TestTLSVerifyBackwardsCompatibility(t *testing.T) {
+	tests := []struct {
+		name             string
+		dsn              string
+		expectTLSVerify  string
+		expectServerName string
+	}{
+		{"tls=true defaults to identity", "tcp(example.com:1234)/?tls=true", "identity", "example.com"},
+		{"tls=false no TLS", "tcp(example.com:1234)/?tls=false", "identity", ""},
+		{"tls=skip-verify unchanged", "tcp(example.com:1234)/?tls=skip-verify", "identity", ""},
+		{"tls=preferred unchanged", "tcp(example.com:1234)/?tls=preferred", "identity", ""},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			cfg, err := ParseDSN(tc.dsn)
+			if err != nil {
+				t.Error(err.Error())
+			}
+
+			if cfg.TLSVerify != tc.expectTLSVerify {
+				t.Errorf("expected TLSVerify=%q, got %q", tc.expectTLSVerify, cfg.TLSVerify)
+			}
+
+			if tc.expectServerName == "" {
+				if cfg.TLS == nil {
+					return // Expected no TLS
+				}
+				if cfg.TLS.ServerName != "" {
+					t.Errorf("expected no ServerName, got %q", cfg.TLS.ServerName)
+				}
+			} else {
+				if cfg.TLS == nil {
+					t.Error("expected TLS config but got nil")
+					return
+				}
+				if cfg.TLS.ServerName != tc.expectServerName {
+					t.Errorf("expected ServerName=%q, got %q", tc.expectServerName, cfg.TLS.ServerName)
+				}
+			}
+		})
+	}
+}
+
+func TestTLSVerifyInvalidValue(t *testing.T) {
+	dsn := "tcp(example.com:1234)/?tls=true&tls-verify=invalid"
+	_, err := ParseDSN(dsn)
+	if err == nil {
+		t.Error("expected error for invalid tls-verify value")
+	}
+}
+
+func TestRegisterTLSConfigReservedKey(t *testing.T) {
+	reservedKeys := []string{"true", "false", "skip-verify", "preferred"}
+
+	for _, key := range reservedKeys {
+		err := RegisterTLSConfig(key, &tls.Config{})
+		if err == nil {
+			t.Errorf("RegisterTLSConfig should reject reserved key %q", key)
+		}
+		DeregisterTLSConfig(key) // Clean up in case it was registered
+	}
+}
+
 func BenchmarkParseDSN(b *testing.B) {
 	b.ReportAllocs()
 

utils.go

@@ -10,6 +10,7 @@ package mysql
 
 import (
 	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"database/sql/driver"
 	"encoding/binary"
@@ -87,6 +88,68 @@ func getTLSConfigClone(key string) (config *tls.Config) {
 	return
 }
 
+// createVerifyCAConfig creates a TLS config that verifies the CA certificate
+// but does not verify the hostname. This implements MySQL's VERIFY_CA mode.
+// It uses the recommended Go pattern from issues #21971, #31791, #31792, #35467:
+// 1. Set InsecureSkipVerify to disable default verification
+// 2. Use VerifyPeerCertificate callback to manually verify CA without hostname
+//
+// If rootCAs is nil, the system's default CA pool will be used.
+// If rootCAs is provided, it will be used for verification instead.
+func createVerifyCAConfig(rootCAs *x509.CertPool) *tls.Config {
+	return &tls.Config{
+		InsecureSkipVerify: true,
+		VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			return verifyCACallback(rawCerts, verifiedChains, rootCAs)
+		},
+	}
+}
+
+// verifyCACallback implements CA-only verification without hostname checking.
+// This verifies that the certificate chain is signed by a trusted CA but does
+// not validate the hostname matches the certificate. This is the standard
+// implementation pattern recommended by the Go team for VERIFY_CA behavior.
+//
+// If rootCAs is nil, the system's default CA pool will be used.
+// If rootCAs is provided, it will be used for verification instead.
+func verifyCACallback(rawCerts [][]byte, verifiedChains [][]*x509.Certificate, rootCAs *x509.CertPool) error {
+	if len(rawCerts) == 0 {
+		return errors.New("tls: no certificates from server")
+	}
+
+	// Parse all certificates in the chain
+	certs := make([]*x509.Certificate, len(rawCerts))
+	for i, rawCert := range rawCerts {
+		cert, err := x509.ParseCertificate(rawCert)
+		if err != nil {
+			return fmt.Errorf("tls: failed to parse certificate: %w", err)
+		}
+		certs[i] = cert
+	}
+
+	// Build intermediates pool from all certificates except the first (leaf)
+	intermediates := x509.NewCertPool()
+	for _, cert := range certs[1:] {
+		intermediates.AddCert(cert)
+	}
+
+	// Verify the certificate chain without hostname verification
+	// By not setting DNSName in VerifyOptions, we skip hostname validation
+	// This implements VERIFY_CA behavior (CA check only, no hostname check)
+	opts := x509.VerifyOptions{
+		Roots:         rootCAs, // nil = use system CA pool
+		Intermediates: intermediates,
+		// DNSName is intentionally not set to skip hostname verification
+	}
+
+	_, err := certs[0].Verify(opts)
+	if err != nil {
+		return fmt.Errorf("tls: failed to verify certificate: %w", err)
+	}
+
+	return nil
+}
+
 // Returns the bool value of the input.
 // The 2nd return value indicates if the input was a valid bool value
 func readBool(input string) (value bool, valid bool) {