Add server's RSA public key connection string option #286

@bgrainger

If the client connects with sha256_password over an insecure connection, it has to encrypt the user's password with the server's RSA public key. This can be requested from the server in authentication negotiation.

However, as Protecting MySQL Passwords With the sha256_password Plugin says:

> Distributing keys securely can be an operational headache. MySQL Server will supply its own RSA public key upon request from the client, so that the key doesn’t have to be explicitly distributed and configured for each client. But this introduces another security concern – a proxy in the middle may substitute an RSA public key for which it has the private key, decrypt and harvest the plain-text password, then re-encrypting the password with the actual server RSA public key for the connection attempt to continue. For this reason, it’s strongly recommended that clients define a local RSA public key to use instead of request the server RSA key during the handshake.

The mysql CLI supports specifying the server's RSA public key with the --server-public-key-path variable.

Connector/J has allowPublicKeyRetrieval (default false) and serverRSAPublicKeyFile properties.

We should add both these connection string options for RSA public key support.
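
An added sketch (not part of the original issue and not MySqlConnector's code) of the client-side behaviour the two options would control: prefer a locally pinned key, refuse to fetch one from the server unless explicitly allowed, then encrypt the way sha256_password does (NUL-terminated password XORed with the handshake nonce, RSA-OAEP). The parameter names `serverRsaPublicKeyPem` and `allowPublicKeyRetrieval` are hypothetical, modelled on the Connector/J properties; the key pair, nonce and password are constructed, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class Sha256PasswordDemo
{
    // Hypothetical option names, modelled on Connector/J's properties.
    public static RSA SelectServerKey(string serverRsaPublicKeyPem, bool allowPublicKeyRetrieval,
        Func<string> requestKeyFromServer)
    {
        if (serverRsaPublicKeyPem is null && !allowPublicKeyRetrieval)
            throw new InvalidOperationException("No local RSA public key and retrieval is disabled.");
        var rsa = RSA.Create();
        // A pinned key never crosses the network; a retrieved key is unauthenticated,
        // so a proxy in the middle can substitute its own.
        rsa.ImportFromPem(serverRsaPublicKeyPem ?? requestKeyFromServer());
        return rsa;
    }

    // sha256_password: NUL-terminated password XORed with the repeating nonce, then RSA-OAEP.
    public static byte[] EncryptPassword(RSA serverKey, string password, byte[] nonce)
    {
        var data = Encoding.UTF8.GetBytes(password + "\0");
        for (var i = 0; i < data.Length; i++)
            data[i] ^= nonce[i % nonce.Length];
        return serverKey.Encrypt(data, RSAEncryptionPadding.OaepSHA1);
    }

    static void Main()
    {
        // Constructed stand-ins for the server's key pair and its 20-byte handshake nonce.
        using var server = RSA.Create(2048);
        var pem = new string(PemEncoding.Write("PUBLIC KEY", server.ExportSubjectPublicKeyInfo()));
        var nonce = RandomNumberGenerator.GetBytes(20);

        // Pinned key configured, retrieval left at its default of false.
        using var pinned = SelectServerKey(pem, false, () => throw new InvalidOperationException());
        var blob = EncryptPassword(pinned, "constructed-password", nonce);

        // What the server does with the blob: decrypt, then undo the XOR.
        var plain = server.Decrypt(blob, RSAEncryptionPadding.OaepSHA1);
        for (var i = 0; i < plain.Length; i++) plain[i] ^= nonce[i % nonce.Length];
        Console.WriteLine(Encoding.UTF8.GetString(plain).TrimEnd('\0'));

        // Neither option set: the client stops instead of trusting a key from the wire.
        try { SelectServerKey(null, false, () => pem); }
        catch (InvalidOperationException e) { Console.WriteLine("refused: " + e.Message); }
    }
}
```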
