Issue 786 mysql ssl support #2491

Merged
merged 7 commits into from
Feb 1, 2022

p-alik
Contributor

@p-alik p-alik commented Aug 28, 2020

This PR aims to add ssl connection support for MySQL backend, which is requested in the issue #786.
At this stage it allows setting of mysql option MYSQL_OPT_SSL_MODE only.
The connection could be established with MYSQL_OPT_SSL_MODE set to SSL_MODE_DISABLED, SSL_MODE_PREFERRED and SSL_MODE_REQUIRED.

Tested with
DATABASE_URL='mysql://***?ssl_mode=(disabled|required|preferred)' cargo test --manifest-path diesel/Cargo.toml --features mysql --no-default-features mysql

https://dev.mysql.com/doc/c-api/8.0/en/mysql-options.html
https://dev.mysql.com/doc/c-api/8.0/en/c-api-encrypted-connections.html

@p-alik p-alik force-pushed the issue-786-mysql-ssl-support branch from b3b63c4 to 58882b3 Compare August 29, 2020 06:46
@weiznich weiznich requested a review from a team August 29, 2020 07:17

@ELD ELD left a comment

This looks good to me, though the Windows and Rust 1.40.0 tests are failing. It’s looking like the mysqlclient_sys library doesn’t export the SSL mode variants on Windows, which is perplexing, but I’m not positive that’s the root cause. I haven’t had a chance to dig more into it.

I’m not comfortable giving approval on this PR until we can figure out why Windows isn’t building, but it does look good as-is right now!

@p-alik
Contributor Author

p-alik commented Aug 29, 2020

I have to improve this PR for the sake of Windows, and I suppose I'll do that next week.

@p-alik
Contributor Author

p-alik commented Aug 30, 2020

Due to sgrif/mysqlclient-sys#27 there is no way to set ssl-mode for a MySQL connection on Windows in the same way as on Linux/Unix yet.

Would it be appropriate to restrict setting of MySQL option MYSQL_OPT_SSL_MODE for #[cfg(not(windows))]? Any other suggestions?

@ELD

ELD commented Aug 30, 2020

That would probably be a suitable alternative for now, since the corresponding Windows bindings don’t work right now.

Member

@weiznich weiznich left a comment

I've left some comments, otherwise this is looking good 👍

(Sorry for taking some time to do a review here, it took some time to catch up with everything after holiday.)

diesel/Cargo.toml (outdated, resolved)
diesel/src/mysql/connection/raw.rs (outdated, resolved)
diesel/src/mysql/connection/raw.rs (outdated, resolved)
@weiznich weiznich modified the milestone: 2.0 Jan 26, 2021
@biot023

biot023 commented May 25, 2021

Hi -- I guess nothing happened with this?
Are there any workarounds for SSL-secured access?
I'm going to talk to our DBA service about maybe SSH tunnelling but I'm not confident that will work out...

@weiznich
Member

@biot023 Commenting on old issues/PR's just to ask for updates is something that is highly discouraged. Please stop doing that if you have nothing meaningful (like how to resolve the issues outlined above) to contribute.

@biot023

biot023 commented May 26, 2021

> @biot023 Commenting on old issues/PR's just to ask for updates is something that is highly discouraged. Please stop doing that if you have nothing meaningful (like how to resolve the issues outlined above) to contribute.

It was a genuine question. Never mind, consider me suitably discouraged.

@biot023

biot023 commented May 26, 2021

Maybe not entirely discouraged.
I've been able to set up ProxySQL (https://proxysql.com) in a docker instance to handle the SSL bit of the connection.
I can just point any diesel services at that image.
Hope that's of some help to somebody else struggling with this.

@Neo-Zhixing

Maybe as a stopgap measure we should fork libmysqlclient-sys into the diesel org for now and merge all pending PRs there? There are no new commits in that repo since 2019 and @sgrif has been inactive since July 2021. MySQL SSL support is a real use case, and doing that would unblock us on multiple issues.

@weiznich
Member

@Neo-Zhixing There is no need to fork mysqlclient-sys. I have all merge and publish rights for that crate. Unfortunately I do not have the time to do a lot of active work there while maintaining diesel at the same time, so this is basically waiting for someone laying out a basic plan about the future of mysqlclient-sys and someone who implements it.

@thomasmost
Contributor

> I've been able to set up ProxySQL (https://proxysql.com) in a docker instance to handle the SSL bit of the connection.
> I can just point any diesel services at that image.
> Hope that's of some help to somebody else struggling with this.

@biot023 this is I think exactly what I'll need to do—you don't happen to have an example Dockerfile/diesel config that you'd feel comfortable sharing do you (scrubbed of anything sensitive, obviously)?

@biot023

biot023 commented Jan 24, 2022

> @biot023 this is I think exactly what I'll need to do—you don't happen to have an example Dockerfile/diesel config that you'd feel comfortable sharing do you (scrubbed of anything sensitive, obviously)?

Hi -- I really struggled with this. I got it working, as I recall, but then had an issue with tons of connections being established to the main server and never dropped -- took the whole site down in about 4 minutes, when I tested it!
It's probable that you could get it working but in our case I went past the point of sunken cost fallacy and we abandoned diesel for that particular project.
That's not throwing shade on diesel, btw -- I still use it whenever I can, it just didn't work out in this scenario for us.
Sorry I'm not more help, man.
Cheers,
Doug.

@weiznich
Member

@biot023 and @thomasmost Just to reiterate what I've written above: I would be more than happy to merge support for mysql ssl connections to diesel, but that requires work from someone. I'm happy to provide some pointers + discuss design, but implementation needs to be done by someone else.

@thomasmost
Contributor

@weiznich Let's do it! What is your schedule like/what forum would you prefer for such a discussion?

@weiznich
Member

@thomasmost I had a quick look at open questions here: The interface proposed in this PR looks good to me. There are the following open points from my point of view:

  • Windows support
    • This is the largest open point
    • Requires changes to mysqlclient-sys, which may require restructuring the code there. That's the point that is quite fuzzy for me now.
  • Rebasing the PR to the current master branch
  • Tests?

@thomasmost
Contributor

Got it! I will see if I can get in there and work this out.

@p-alik
Contributor Author

p-alik commented Jan 26, 2022

Will rebase the feature branch.

@p-alik p-alik force-pushed the issue-786-mysql-ssl-support branch from 1ccf832 to 04c4dc4 Compare January 26, 2022 13:43
@thomasmost
Contributor

thomasmost commented Jan 26, 2022

@p-alik how can I help get these tests passing?

@p-alik p-alik force-pushed the issue-786-mysql-ssl-support branch 2 times, most recently from 1fce5b8 to 04c4dc4 Compare January 27, 2022 12:35
@thomasmost
Contributor

@weiznich now this is lookin pretty good

@weiznich
Member

weiznich commented Jan 28, 2022

@thomasmost Yes the diesel side of this change looks good, beside the fact that this only supports linux/macos. I would like to solve the windows issue first before finally merging this. As already mentioned that would require updating the bindings in mysqlclient-sys, which requires access to bindgen on windows. That's unfortunately something I cannot help with other than merging PR's and cutting releases.
I imagine something like the following here:

  • Update the generated bindings in mysqlclient-sys via a PR there (that should likely update bindings for both variants)
  • Update this PR to use the mysqlclient-sys version based on the previous PR to check everything works fine
  • I will merge the mysqlclient-sys PR + cut a release there
  • Update this PR again to use the now newly released mysqlclient-sys version
  • Merge this PR

@p-alik p-alik force-pushed the issue-786-mysql-ssl-support branch 3 times, most recently from d88faf1 to 5a4671f Compare January 29, 2022 07:18
p-alik and others added 5 commits January 29, 2022 08:23
ssl_mode is defined as Option<mysqlclient_sys::mysql_ssl_mode>
Windows binding of mysqlclient-sys doesn't provide values
for the option MYSQL_OPT_SSL_MODE
See: sgrif/mysqlclient-sys#27
0.2.0 does not provide enum mysql_ssl_mode.
The enum was introduced in
sgrif/mysqlclient-sys@6575414
* update diesel/Cargo.toml
* remove obsolete windows checks

Co-authored-by: Thomas Constantine Moore <tomismore@gmail.com>
@p-alik p-alik force-pushed the issue-786-mysql-ssl-support branch from 5a4671f to 1a66269 Compare January 29, 2022 07:23
Member

@weiznich weiznich left a comment

Looks good to me if the following things are added:

  • A changelog entry here + adjusting the minimal supported mysqlclient-sys version under "REMOVED"
  • A note in the documentation of MysqlConnection::establish on the available options.

* add `ssl_mode` support to `MysqlConnection::establish`
* remove support for `mysqlclient-sys` < `0.2.5`
@p-alik
Contributor Author

p-alik commented Jan 30, 2022

Added requested notes to the changelog.

Contributor

@thomasmost thomasmost left a comment

LGTM!

@thomasmost
Contributor

thomasmost commented Jan 31, 2022

@weiznich one last follow-up; just so I understand, are we talking days, weeks, or months before this gets included in a release of the crate?

Until that time, any reason I can't get my app working with an (admittedly, unstable) build using the master branch as its dependency, i.e.

[dependencies]
diesel = { git = "https://github.com/diesel-rs/diesel", features = ["mysql", "extras", "chrono"] }

?

@weiznich
Member

weiznich commented Feb 1, 2022

> one last follow-up; just so I understand, are we talking days, weeks, or months before this gets included in a release of the crate?

We generally do not give any estimates when a certain release happens other than: When it's done. Additionally as this PR is not merged yet (due to missing documentation) it's not certain if the next release will contain this feature or not.

> Until that time, any reason I can't get my app working with an (admittedly, unstable) build using the master branch as its dependency, i.e.

Please open a discussion thread about that with more details about what you understand under "can't get working". A PR is definitively not the right place to discuss such issues.

@p-alik
Contributor Author

p-alik commented Feb 1, 2022

> as this PR is not merged yet (due to missing documentation) it's not certain if the next release will contain this feature or not.

9dc434e aims to add the missing documentation.

@p-alik p-alik force-pushed the issue-786-mysql-ssl-support branch from 24b612d to 3ce9b48 Compare February 1, 2022 13:36
database URL may contain GET parameters
* `unix_socket`
* `ssl_mode`
@p-alik p-alik force-pushed the issue-786-mysql-ssl-support branch from 3ce9b48 to 9dc434e Compare February 1, 2022 13:37
@weiznich weiznich merged commit 41404e6 into diesel-rs:master Feb 1, 2022
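
The `ssl_mode` URL parameter this PR adds takes `disabled`, `preferred` or `required`. The following is an added example, not code from this PR or from diesel: a pre-flight check that refuses any database URL that does not explicitly ask for `required`. The type and function names, the sample URL and the lowercase-only matching are assumptions of the example.

```rust
// Added example, not diesel's code. Assumptions: only the lowercase values
// named in the PR are accepted, the query string is not percent-encoded,
// and every name below is hypothetical.
#[derive(Debug, PartialEq)]
pub enum SslModeRequest {
    Required,         // fail rather than connect unencrypted
    Preferred,        // encrypt if possible, otherwise connect unencrypted
    Disabled,         // no encryption requested
    Unspecified,      // no ssl_mode parameter: client library default applies
    Rejected(String), // unknown value, or repeated with different values
}

pub fn classify_ssl_mode(database_url: &str) -> SslModeRequest {
    // Drop any fragment, then take everything after the first '?'.
    let no_fragment = database_url.split('#').next().unwrap_or("");
    let query = no_fragment.split_once('?').map_or("", |(_, q)| q);
    let mut seen: Option<&str> = None;
    for pair in query.split('&') {
        match pair.split_once('=').unwrap_or((pair, "")) {
            ("ssl_mode", v) if seen.map_or(false, |p| p != v) => {
                return SslModeRequest::Rejected("conflicting ssl_mode values".into());
            }
            ("ssl_mode", v) => seen = Some(v),
            _ => {}
        }
    }
    match seen {
        None => SslModeRequest::Unspecified,
        Some("required") => SslModeRequest::Required,
        Some("preferred") => SslModeRequest::Preferred,
        Some("disabled") => SslModeRequest::Disabled,
        Some(other) => SslModeRequest::Rejected(format!("unrecognised ssl_mode {:?}", other)),
    }
}

// Policy gate: only an explicit `ssl_mode=required` passes. The error names
// the mode, never the URL, because the URL carries credentials.
pub fn require_encrypted(database_url: &str) -> Result<(), String> {
    match classify_ssl_mode(database_url) {
        SslModeRequest::Required => Ok(()),
        other => Err(format!("refusing database URL: {:?}", other)),
    }
}

fn main() {
    // Constructed URL with placeholder credentials.
    println!("{:?}", require_encrypted("mysql://user:pw@db.example/app?ssl_mode=preferred"));
}
```

The check covers only what the URL requests. Whether the linked client library honours the option is a separate question: a later comment in this thread reports `ssl_mode=required` still being refused as insecure transport with MariaDB.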
@thomasmost
Contributor

thomasmost commented Feb 1, 2022

> > Until that time, any reason I can't get my app working with an (admittedly, unstable) build using the master branch as its dependency, i.e.
>
> Please open a discussion thread about that with more details about what you understand under "can't get working". A PR is definitively not the right place to discuss such issues.

I think you misunderstood me @weiznich — I wasn't asking for support — nvm

Thanks again for your work on this crate

@p-alik p-alik deleted the issue-786-mysql-ssl-support branch February 1, 2022 19:05
@yerke

yerke commented Feb 1, 2022

@p-alik @weiznich Thank you very much for working on this!

@libsilverwolf

libsilverwolf commented Jun 14, 2024

Is this feature also usable with diesel-cli?

I tried

DATABASE_URL="mysql://***:3306/port?ssl_mode=required" diesel print-schema

but got

Could not connect to database via `mysql://***:3306/port?ssl_mode=required`: Connections using insecure transport are prohibited while --require_secure_transport=ON.

I'm using MariaDB.

$ diesel --version
diesel 
 Version: 2.2.1
 Supported Backends: mysql
