Fix clients reconnect with SSL by disabling SSL tickets #4537

Merged
merged 8 commits into from
May 16, 2024

Conversation

JavierJF
Collaborator

@JavierJF JavierJF commented May 6, 2024

Issue description

Having SSL session tickets enabled can lead to failed SSL handshakes when the client tries to reuse a previously issued session ticket. Some clients, for example MySQL > 8.0.29, attempt session reuse during reconnect operations.

Solution

SSL session resumption/tickets aren't supported right now, so we should explicitly disable them. This will prevent the generation of these unused and potentially faulty session tickets.

PR details

This PR also introduces some major changes for TAP tests:

  • Tests can now be compiled against different MySQL connectors, on a per-test basis, making reuse of the test utilities library, which is now also compiled against each one of the supported connectors.
  • A new version of the MySQL client library (MySQL 8.4.0) has been added as a dependency for the TAP tests.

Aside from these, multiple minor changes have also been introduced in the TAP tests compilation to reduce their size and increase compilation speed:

  • Removed std::regex as a dependency; this should be avoided in the future.
  • Added forward declaration for header-only library nlohmann::json. This library imposes significant pre-processing overhead when included in every object file.
  • Allow for uninitialized members in the 'mysql_*' warning override utilities. This prevents crashes when mixing the 'real' version of the functions with their overload counterparts.
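
The server-side setting described above, sketched with Python's `ssl` module (a wrapper over OpenSSL) as an added example. It is not ProxySQL's code and does not reproduce this PR's change; the helper names `disable_session_tickets` and `ticket_findings` are hypothetical.

```python
import ssl


def disable_session_tickets(ctx):
    """Stop a server-side SSLContext from issuing session tickets."""
    # TLS 1.2 and earlier: do not send RFC 5077 NewSessionTicket messages.
    ctx.options |= ssl.OP_NO_TICKET
    # TLS 1.3: OP_NO_TICKET alone only switches OpenSSL from stateless to
    # stateful tickets; setting the ticket count to zero suppresses them all.
    ctx.num_tickets = 0
    return ctx


def ticket_findings(ctx):
    """Return a list describing every way this context can still issue tickets."""
    findings = []
    if not ctx.options & ssl.OP_NO_TICKET:
        findings.append("TLS <= 1.2: OP_NO_TICKET is not set")
    if ctx.num_tickets > 0:
        findings.append(f"TLS 1.3: {ctx.num_tickets} ticket(s) sent per handshake")
    return findings


if __name__ == "__main__":
    # Hypothetical demo context; no certificate is needed to inspect settings.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("before:", ticket_findings(ctx))
    print("after: ", ticket_findings(disable_session_tickets(ctx)))
```

`ticket_findings` can be run against any server context in a test suite to catch a regression that re-enables ticket issuance.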

SSL sessions resume/tickets aren't supported right now; disabling them
shouldn't have negative effects. On the other hand, enabling them can
lead to invalid SSL handshakes when the client tries to reuse a
previously issued session ticket. Some clients, e.g. MySQL > 8.0.29,
attempt session reuse during reconnect operations.

- Split 'libtap' into different binaries. This allows for the reuse of
  'TAP' utilities that make use of MySQL or other third party library
  versions. Each of these tests that require special library versions
  that aren't the common ones embedded into the dynamic library
  'libtap.so' should be compiled defining special helper targets, in the
  'tests' folder Makefile itself. These helper targets will specify the
  linking of the required version of the library for the test. Each
  MySQL client version supported by the 'tap' tests that breaks headers
  compatibility should be compiled into a different object file,
  following the previously described procedure.
- Add MySQL 8.4.0 client library as a new TAP test dependency.
- Multiple compilation fixes as a consequence of the introduced change to
  'libtap.a'.
- Added as ProxySQL dependency the forward declaration header for
  'nlohmann::json'. This header is the proper way of including the
  library in headers which are susceptible to being included in multiple
  files. This speeds compilation times of each TAP test.
- Removed 'std::regex' dependency from 'utils.cpp', and replaced by
  project dependency 're2'. Library 'std::regex' should not be used in
  any place that introduces it as a dependency for later objects, it's
  heavy, slow, and should be avoided in general.

Tests reconnect with and without SSL for 'libmariadb' and 'libmysql'.

@mirostauder
Collaborator

retest this please

@JavierJF JavierJF merged commit 3cdbeba into v2.x May 16, 2024
45 checks passed