MySQL+TLS not working with v2.0.0-beta1

[dduportal]

Do you want to request a feature or report a bug?

Bug

Did you try using a 1.7.x configuration for the version 2.0?

• Yes
• No

What did you do?

Context: https://community.containo.us/t/cant-connect-to-mysql-server-connection-refused.

After successfully running MySQL behind Traefik in plain TCP, we tried to enable TLS encryption for MySQL connection to benefit from HostSNI routing, on 2 cases:

• TLS termination at Traefik level
• TLS termination at MySQL server level (TLS pass trough for Traefik)

What did you expect to see?

Both examples working: using the mysql client with the option --ssl-mode=REQUIRED should work when going trough Traefik in both cases.

What did you see instead?

Neither of the 2 cases work: the mysql client hangs once the password is sent.

Output of traefik version: (What version of Traefik are you using?)

Version:      2.0.0-beta1
Codename:     faisselle
Go version:   go1.12.7
Built:        2019-07-19T16:04:34Z
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

I've put a complete reproduction case in this gist: https://gist.github.com/dduportal/5b9e5f286b666a7cba7bd9f9ad4a1219 .

If applicable, please paste the log output in DEBUG level (--log.level=DEBUG switch)

N.A.

[dduportal]

• Tried with mysql:8 instead of mysql:5.7: same behavior.
• It looks like that the mysql client is trying to "negociate" the fact that the connection should be plain or encrypted with the remote server - https://dev.mysql.com/doc/refman/5.7/en/encrypted-connections.html

[dduportal]

It looks like that we cannot use HostSNI routing with MySQL: https://bugs.mysql.com/bug.php?id=84849.

There is a contribution, which is stalling since 2017: https://bugs.mysql.com/bug.php?id=82872 .
Maybe we should raise our hand on this topic?