Using TLS without configuration #1500

Merged
merged 21 commits into from
Jul 29, 2024
rusher (Contributor) commented Jul 26, 2024

Connector implementation of https://jira.mariadb.org/browse/MDEV-31855

Since MariaDB 11.4.1, TLS use has been greatly simplified.
The connector side doesn't require TLS configuration anymore, even with self-signed certificates.

Connectors can now validate SSL certificates using the client password (using the seed and the server certificate SHA256 thumbprint).

Limitations:

  • only possible when using mysql_native_password/client_ed25519 authentication
  • password is required

See https://mariadb.org/mission-impossible-zero-configuration-ssl/
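
An added illustration of the check outlined in the description above (not code from this PR or from MySqlConnector): the client recomputes a value from its password, the handshake seed and the SHA-256 thumbprint of the certificate it received, and trusts the certificate only if the server's value matches. The exact hash inputs and their order, and the names `ZeroConfigTlsCheck`, `ExpectedProof` and `IsServerTrusted`, are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; not MySqlConnector's code.
// ASSUMPTION: the server returns hex(SHA256(passwordHash || seed || SHA256(certificate DER))),
// where passwordHash is SHA1(SHA1(password)) for mysql_native_password.
static class ZeroConfigTlsCheck
{
    public static byte[] NativePasswordHash(string password) =>
        SHA1.HashData(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
    public static byte[] ExpectedProof(byte[] passwordHash, byte[] seed, byte[] certificateDer)
    {
        byte[] thumbprint = SHA256.HashData(certificateDer);
        using var sha256 = IncrementalHash.CreateHash(HashAlgorithmName.SHA256);
        sha256.AppendData(passwordHash);
        sha256.AppendData(seed);
        sha256.AppendData(thumbprint);
        return sha256.GetHashAndReset();
    }

    // Fail closed: without a password or a server proof the certificate stays untrusted.
    public static bool IsServerTrusted(string password, byte[] seed, byte[] certificateDer, string serverProofHex)
    {
        if (string.IsNullOrEmpty(password) || string.IsNullOrEmpty(serverProofHex))
            return false;
        byte[] received;
        try { received = Convert.FromHexString(serverProofHex); }
        catch (FormatException) { return false; }
        byte[] expected = ExpectedProof(NativePasswordHash(password), seed, certificateDer);
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample values, not captured from a real server.
        byte[] seed = RandomNumberGenerator.GetBytes(20);
        byte[] serverCert = Encoding.ASCII.GetBytes("constructed-server-certificate-der");
        byte[] otherCert = Encoding.ASCII.GetBytes("constructed-interceptor-certificate-der");
        string proof = Convert.ToHexString(ZeroConfigTlsCheck.ExpectedProof(
            ZeroConfigTlsCheck.NativePasswordHash("s3cret"), seed, serverCert));
        Console.WriteLine(ZeroConfigTlsCheck.IsServerTrusted("s3cret", seed, serverCert, proof)); // same certificate on both ends
        Console.WriteLine(ZeroConfigTlsCheck.IsServerTrusted("s3cret", seed, otherCert, proof));  // client saw a different certificate
        Console.WriteLine(ZeroConfigTlsCheck.IsServerTrusted("", seed, serverCert, proof));       // empty password: nothing to bind to
    }
}
```

The second call is the case the check exists for: a relayed proof does not match when the certificate presented to the client differs from the one the server hashed.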

rusher and others added 4 commits July 20, 2024 12:31
This is based on https://jira.mariadb.org/browse/MDEV-15935: first OK_Packet can contain variable `redirect_url` using "mariadb/mysql://[{user}[:{password}]@]{host}[:{port}]/[{db}[?{opt1}={value1}[&{opt2}={value2}]]]']" format.

Signed-off-by: rusher <[email protected]>
change redirection logging

Signed-off-by: rusher <[email protected]>
Connector implementation of https://jira.mariadb.org/browse/MDEV-31855

Since MariaDB 11.4.1, TLS use has greatly been simplified. Connector side doesn't require TLS configuration anymore, even with self-signed certificates.

Connectors now validate SSL certificates using the client password (using the seed and the server certificate SHA256 thumbprint).

limitations:
 * only possible when using mysql_native_password/client_ed25519 authentication
 * password is required

see https://mariadb.org/mission-impossible-zero-configuration-ssl/

Signed-off-by: rusher <[email protected]>
rusher (Contributor, Author) commented Jul 26, 2024

This PR is based on #1499, because it requires OKPayload information, so depending on your review, it can change a lot :) (and this PR is clearly more important than the redirection PR)

Conflicts:
	.ci/config/config.compression+ssl.json
	.ci/config/config.compression.json
	.ci/config/config.json
	.ci/config/config.ssl.json
	azure-pipelines.yml
	src/MySqlConnector/Core/ConnectionPool.cs
	src/MySqlConnector/Core/ServerSession.cs
	src/MySqlConnector/Logging/Log.cs
	src/MySqlConnector/MySqlConnection.cs
	src/MySqlConnector/Protocol/Payloads/OkPayload.cs
	tests/IntegrationTests/RedirectionTests.cs
	tests/IntegrationTests/ServerFeatures.cs

Signed-off-by: Bradley Grainger <[email protected]>
This can be executed concurrently by multithreaded tests.

Signed-off-by: Bradley Grainger <[email protected]>
Signed-off-by: Bradley Grainger <[email protected]>
This was a result of a bad merge.

Signed-off-by: Bradley Grainger <[email protected]>
Signed-off-by: Bradley Grainger <[email protected]>
Refactor duplicated code in Ed25519AuthenticationPlugin.

Signed-off-by: Bradley Grainger <[email protected]>
@bgrainger bgrainger merged commit 1e009ea into mysql-net:master Jul 29, 2024
22 checks passed
bgrainger (Member) commented

Fixed in 2.4.0; thanks for the contribution!
