If the client connects with `sha256_password` over an insecure connection, it has to encrypt the user's password with the server's RSA public key. This can be requested from the server in authentication negotiation. However, as Protecting MySQL Passwords With the sha256_password Plugin says:

> Distributing keys securely can be an operational headache. MySQL Server will supply its own RSA public key upon request from the client, so that the key doesn't have to be explicitly distributed and configured for each client. But this introduces another security concern: a proxy in the middle may substitute an RSA public key for which it has the private key, decrypt and harvest the plain-text password, then re-encrypt the password with the actual server RSA public key for the connection attempt to continue. For this reason, it's strongly recommended that clients define a local RSA public key to use instead of requesting the server RSA key during the handshake.

The `mysql` CLI supports specifying the server's RSA public key with the `--server-public-key-path` variable.

Connector/J has `allowPublicKeyRetrieval` (default `false`) and `serverRSAPublicKeyFile` properties.

We should add both these connection string options for RSA public key support.
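The key-substitution attack and the pinning fix the issue asks for, as an added example (not code from the issue author or from the driver project). It reproduces the `sha256_password` client step on a non-TLS connection as MySQL implements it (NUL-terminated password XORed with the 20-byte handshake nonce, then RSA-OAEP with SHA-1), and models the two proposed options as a `ClientConfig` whose field names, the `RunHandshake` simulation and the proxy that swaps in its own key are all assumptions for this example. With a pinned key the proxy learns nothing; with retrieval allowed and no pin it recovers the password; with neither the client refuses to proceed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// ClientConfig models the two proposed connection-string options. The field
// names are assumptions for this example, not the driver's real option names.
type ClientConfig struct {
	ServerRSAPublicKeyPEM   []byte // pinned key (contents of serverRSAPublicKeyFile); nil if unset
	AllowPublicKeyRetrieval bool   // accept a key sent during the handshake (by the server or a proxy)
}

// EncryptPassword is the sha256_password client step on a non-TLS connection: the
// NUL-terminated password is XORed with the handshake nonce (cycling through it),
// then RSA-OAEP(SHA-1) encrypted with whatever key the client believes is the server's.
func EncryptPassword(password string, nonce []byte, pub *rsa.PublicKey) ([]byte, error) {
	if len(nonce) == 0 {
		return nil, errors.New("empty nonce")
	}
	plain := append([]byte(password), 0)
	for i := range plain {
		plain[i] ^= nonce[i%len(nonce)]
	}
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, plain, nil)
}

// DecryptPassword is what the holder of the matching private key can do: the real
// server, or a proxy that substituted its own key during key retrieval.
func DecryptPassword(ciphertext, nonce []byte, priv *rsa.PrivateKey) (string, error) {
	plain, err := rsa.DecryptOAEP(sha1.New(), nil, priv, ciphertext, nil)
	if err != nil {
		return "", err
	}
	for i := range plain {
		plain[i] ^= nonce[i%len(nonce)]
	}
	return string(bytes.TrimSuffix(plain, []byte{0})), nil
}

// EncodePublicKey produces the PEM form a server sends (or a file on disk holds).
func EncodePublicKey(pub *rsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot happen for a valid *rsa.PublicKey
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func ParsePublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block in public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return pub, nil
}

// ChooseServerKey decides which key the client encrypts with. A pinned key is always
// used and the offered one ignored; without a pin, the offered key is used only if
// retrieval was explicitly allowed, otherwise authentication is refused.
func ChooseServerKey(cfg ClientConfig, offeredPEM []byte) (*rsa.PublicKey, error) {
	if cfg.ServerRSAPublicKeyPEM != nil {
		return ParsePublicKey(cfg.ServerRSAPublicKeyPEM)
	}
	if !cfg.AllowPublicKeyRetrieval {
		return nil, errors.New("public key retrieval not allowed; configure the server public key")
	}
	return ParsePublicKey(offeredPEM)
}

// RunHandshake simulates a client authenticating through a proxy that replaces the
// server's public key with its own. It returns the password the proxy recovered
// ("" if it could not decrypt) and any error the client raised.
func RunHandshake(cfg ClientConfig, proxyPriv *rsa.PrivateKey, password string) (string, error) {
	nonce := make([]byte, 20) // constructed stand-in for the server's auth-plugin-data
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	pub, err := ChooseServerKey(cfg, EncodePublicKey(&proxyPriv.PublicKey))
	if err != nil {
		return "", err
	}
	ct, err := EncryptPassword(password, nonce, pub)
	if err != nil {
		return "", err
	}
	recovered, err := DecryptPassword(ct, nonce, proxyPriv)
	if err != nil {
		return "", nil // proxy holds the wrong private key: nothing harvested
	}
	return recovered, nil
}

func main() {
	serverPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	proxyPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	cases := []struct {
		name string
		cfg  ClientConfig
	}{
		{"pinned key", ClientConfig{ServerRSAPublicKeyPEM: EncodePublicKey(&serverPriv.PublicKey)}},
		{"retrieval allowed", ClientConfig{AllowPublicKeyRetrieval: true}},
		{"neither", ClientConfig{}},
	}
	for _, c := range cases {
		got, err := RunHandshake(c.cfg, proxyPriv, "s3cret")
		fmt.Printf("%-18s proxy recovered=%q client error=%v\n", c.name, got, err)
	}
}
```

The same key-pinning argument applies to `caching_sha2_password`, which uses the identical RSA step when it falls back to full authentication over a non-TLS connection; a driver that adds these options should apply them to both plugins.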