Upgrade libmysqlclient.a for TLSv1.1 support (for MariaDB 10.4 default installs) #3492

Open
noahwilliamsson opened this issue Jun 24, 2019 · 2 comments

@noahwilliamsson
Contributor

commented Jun 24, 2019

Sequel Pro currently appears to ship a libmysqlclient.a library from the 5.5.x series. This library only supports the older and (security-wise) broken TLSv1.0 protocol.

The most recent GA release of MariaDB, version 10.4.6, replaces the embedded yaSSL library (not maintained) with wolfSSL (maintained, supports modern TLS) and ships with a newly introduced tls_version setting that defaults to TLSv1.1,TLSv1.2,TLSv1.3. References:

A libmysqlclient.a library from the 5.7.x series appears to support both TLSv1.0 and TLSv1.1:

Would it be possible to upgrade the MySQL client library to a newer release to make it support a slightly more modern version of TLS? That would allow Sequel Pro to connect to MariaDB 10.4 servers out of the box and also improve security.

@dmoagx

Member

commented Jun 26, 2019

Hey Noah,

"wolfSSL" is AFAIK just a rebranding of yaSSL.

SP is mostly stuck with 5.5 because IIRC 5.6 introduced breaking changes in how some functions in the client libraries behave, thus someone would have to step through the source code or the changelogs and compare those in detail, which is quite a bit of effort.

Personally I think it would be better to get rid of the SSL library dependency altogether and use the Apple provided library (SecureTransport or CF Networking), like all native OS X apps would, but that also is a lot of effort.

@noahwilliamsson

Contributor Author

commented Jun 27, 2019

Thanks for the feedback.

Right, it seems they renamed CyaSSL to wolfSSL in 2015. CyaSSL was their C port/product of their C++ yaSSL SSL library.

Any idea what these functions in the client libraries would be? I did `git log --grep mysqlcl -p` but didn't find anything obvious besides #2979 (backed out again I think?).

In the process I found a build script for building libmysqlclient.a, which led me to an attempt to build Sequel Pro with a 5.7 series libmysqlclient on a macOS Sierra (10.12) machine.

  1. Download a .dmg from https://cmake.org/download/ and install it to /Applications
  2. Download Boost 1.59 from https://sourceforge.net/projects/boost/files/boost/1.59.0/boost_1_59_0.tar.gz/download (file should end up in ~/Downloads)
  3. See below

```sh
cd ~/Downloads
git clone https://github.com/sequelpro/sequelpro.git
git clone --depth 50 --branch 5.7 https://github.com/mysql/mysql-server.git
tar zxf boost_1_59_0.tar.gz
export PATH="$PATH:/Applications/CMake.app/Contents/bin"

cd sequelpro/Frameworks/SPMySQLFramework
vi build-mysql-client.sh   # modify the following lines:
#   MIN_OS_X_VERSION=10.13   # Last SDK supporting i386 arch?
#   CONFIGURE_OPTIONS        # Add this switch: -DWITH_BOOST=~/Downloads/boost_1_59_0

# Build libmysqlclient.a
./build-mysql-client.sh -s ~/Downloads/mysql-server -d

# The script will fail with an error due to changed paths but let's ignore that for now and just:
cp ~/Downloads/mysql-server/archive_output_directory/libmysqlclient.a "MySQL Client Libraries/lib/"

open SPMySQLFramework.xcodeproj
# Patch up linker flags for SPMySQLFramework:
# Under Build Settings > All > Linking > OTHER_LDFLAGS, add `-lc++` to SPMySQL.framework targets

# Finally, open the Sequel Pro project and build everything with an updated libmysqlclient.a
open ../../sequel-pro.xcodeproj
```

FWIW, I ended up with something that allowed me to connect to MariaDB 10.4.6 (requires TLSv1.1) and a few AWS RDS MySQL 5.6 and Aurora MySQL servers (still using TLSv1.0).


noahwilliamsson added a commit to noahwilliamsson/sequelpro that referenced this issue Jul 1, 2019

SPMySQLFramework: upgrade libmysqlclient.a for TLSv1.1 support
MariaDB 10.4.6 (GA as of June, 2019) replaces the yaSSL embedded TLS library
with wolfSSL and drops support for TLS 1.0 in its default configuration
(`tls_version=TLSv1.1,TLSv1.2,TLSv1.3`).

Before MySQL 5.7, the embedded yaSSL library used by libmysqlclient.a only
supported TLS 1.0.

This changeset upgrades the MySQL client library to 5.7 to allow SequelPro
to connect to TLS protected MariaDB 10.4 servers.

- upgrade libmysqlclient.a and includes from 5.5.56 to 5.7.26
- drop custom mysql patches (all types are present in MySQL 5.6 and 5.7)
- add `-lc++` to SPMySQLFramework linker flags
- add `-b <boost source path>` option to mysqlclient build script

Fixes sequelpro#3492.