Merge pull request #4537 from sysown/v2.x-disable_ssl_tickets

Fix clients reconnect with SSL by disabling SSL tickets
sysown · May 16, 2024 · 3cdbeba · 3cdbeba
2 parents 3316c8f + afc79e1
commit 3cdbeba
Show file tree

Hide file tree

Showing 33 changed files with 631 additions and 336 deletions.
diff --git a/deps/json/json_fwd.hpp b/deps/json/json_fwd.hpp
@@ -0,0 +1,175 @@
+//     __ _____ _____ _____
+//  __|  |   __|     |   | |  JSON for Modern C++
+// |  |  |__   |  |  | | | |  version 3.11.2
+// |_____|_____|_____|_|___|  https://github.com/nlohmann/json
+//
+// SPDX-FileCopyrightText: 2013-2022 Niels Lohmann <https://nlohmann.me>
+// SPDX-License-Identifier: MIT
+
+#ifndef INCLUDE_NLOHMANN_JSON_FWD_HPP_
+#define INCLUDE_NLOHMANN_JSON_FWD_HPP_
+
+#include <cstdint> // int64_t, uint64_t
+#include <map> // map
+#include <memory> // allocator
+#include <string> // string
+#include <vector> // vector
+
+// #include <nlohmann/detail/abi_macros.hpp>
+//     __ _____ _____ _____
+//  __|  |   __|     |   | |  JSON for Modern C++
+// |  |  |__   |  |  | | | |  version 3.11.2
+// |_____|_____|_____|_|___|  https://github.com/nlohmann/json
+//
+// SPDX-FileCopyrightText: 2013-2022 Niels Lohmann <https://nlohmann.me>
+// SPDX-License-Identifier: MIT
+
+
+
+// This file contains all macro definitions affecting or depending on the ABI
+
+#ifndef JSON_SKIP_LIBRARY_VERSION_CHECK
+    #if defined(NLOHMANN_JSON_VERSION_MAJOR) && defined(NLOHMANN_JSON_VERSION_MINOR) && defined(NLOHMANN_JSON_VERSION_PATCH)
+        #if NLOHMANN_JSON_VERSION_MAJOR != 3 || NLOHMANN_JSON_VERSION_MINOR != 11 || NLOHMANN_JSON_VERSION_PATCH != 2
+            #warning "Already included a different version of the library!"
+        #endif
+    #endif
+#endif
+
+#define NLOHMANN_JSON_VERSION_MAJOR 3   // NOLINT(modernize-macro-to-enum)
+#define NLOHMANN_JSON_VERSION_MINOR 11  // NOLINT(modernize-macro-to-enum)
+#define NLOHMANN_JSON_VERSION_PATCH 2   // NOLINT(modernize-macro-to-enum)
+
+#ifndef JSON_DIAGNOSTICS
+    #define JSON_DIAGNOSTICS 0
+#endif
+
+#ifndef JSON_USE_LEGACY_DISCARDED_VALUE_COMPARISON
+    #define JSON_USE_LEGACY_DISCARDED_VALUE_COMPARISON 0
+#endif
+
+#if JSON_DIAGNOSTICS
+    #define NLOHMANN_JSON_ABI_TAG_DIAGNOSTICS _diag
+#else
+    #define NLOHMANN_JSON_ABI_TAG_DIAGNOSTICS
+#endif
+
+#if JSON_USE_LEGACY_DISCARDED_VALUE_COMPARISON
+    #define NLOHMANN_JSON_ABI_TAG_LEGACY_DISCARDED_VALUE_COMPARISON _ldvcmp
+#else
+    #define NLOHMANN_JSON_ABI_TAG_LEGACY_DISCARDED_VALUE_COMPARISON
+#endif
+
+#ifndef NLOHMANN_JSON_NAMESPACE_NO_VERSION
+    #define NLOHMANN_JSON_NAMESPACE_NO_VERSION 0
+#endif
+
+// Construct the namespace ABI tags component
+#define NLOHMANN_JSON_ABI_TAGS_CONCAT_EX(a, b) json_abi ## a ## b
+#define NLOHMANN_JSON_ABI_TAGS_CONCAT(a, b) \
+    NLOHMANN_JSON_ABI_TAGS_CONCAT_EX(a, b)
+
+#define NLOHMANN_JSON_ABI_TAGS                                       \
+    NLOHMANN_JSON_ABI_TAGS_CONCAT(                                   \
+            NLOHMANN_JSON_ABI_TAG_DIAGNOSTICS,                       \
+            NLOHMANN_JSON_ABI_TAG_LEGACY_DISCARDED_VALUE_COMPARISON)
+
+// Construct the namespace version component
+#define NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT_EX(major, minor, patch) \
+    _v ## major ## _ ## minor ## _ ## patch
+#define NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT(major, minor, patch) \
+    NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT_EX(major, minor, patch)
+
+#if NLOHMANN_JSON_NAMESPACE_NO_VERSION
+#define NLOHMANN_JSON_NAMESPACE_VERSION
+#else
+#define NLOHMANN_JSON_NAMESPACE_VERSION                                 \
+    NLOHMANN_JSON_NAMESPACE_VERSION_CONCAT(NLOHMANN_JSON_VERSION_MAJOR, \
+                                           NLOHMANN_JSON_VERSION_MINOR, \
+                                           NLOHMANN_JSON_VERSION_PATCH)
+#endif
+
+// Combine namespace components
+#define NLOHMANN_JSON_NAMESPACE_CONCAT_EX(a, b) a ## b
+#define NLOHMANN_JSON_NAMESPACE_CONCAT(a, b) \
+    NLOHMANN_JSON_NAMESPACE_CONCAT_EX(a, b)
+
+#ifndef NLOHMANN_JSON_NAMESPACE
+#define NLOHMANN_JSON_NAMESPACE               \
+    nlohmann::NLOHMANN_JSON_NAMESPACE_CONCAT( \
+            NLOHMANN_JSON_ABI_TAGS,           \
+            NLOHMANN_JSON_NAMESPACE_VERSION)
+#endif
+
+#ifndef NLOHMANN_JSON_NAMESPACE_BEGIN
+#define NLOHMANN_JSON_NAMESPACE_BEGIN                \
+    namespace nlohmann                               \
+    {                                                \
+    inline namespace NLOHMANN_JSON_NAMESPACE_CONCAT( \
+                NLOHMANN_JSON_ABI_TAGS,              \
+                NLOHMANN_JSON_NAMESPACE_VERSION)     \
+    {
+#endif
+
+#ifndef NLOHMANN_JSON_NAMESPACE_END
+#define NLOHMANN_JSON_NAMESPACE_END                                     \
+    }  /* namespace (inline namespace) NOLINT(readability/namespace) */ \
+    }  // namespace nlohmann
+#endif
+
+
+/*!
+@brief namespace for Niels Lohmann
+@see https://github.com/nlohmann
+@since version 1.0.0
+*/
+NLOHMANN_JSON_NAMESPACE_BEGIN
+
+/*!
+@brief default JSONSerializer template argument
+
+This serializer ignores the template arguments and uses ADL
+([argument-dependent lookup](https://en.cppreference.com/w/cpp/language/adl))
+for serialization.
+*/
+template<typename T = void, typename SFINAE = void>
+struct adl_serializer;
+
+/// a class to store JSON values
+/// @sa https://json.nlohmann.me/api/basic_json/
+template<template<typename U, typename V, typename... Args> class ObjectType =
+         std::map,
+         template<typename U, typename... Args> class ArrayType = std::vector,
+         class StringType = std::string, class BooleanType = bool,
+         class NumberIntegerType = std::int64_t,
+         class NumberUnsignedType = std::uint64_t,
+         class NumberFloatType = double,
+         template<typename U> class AllocatorType = std::allocator,
+         template<typename T, typename SFINAE = void> class JSONSerializer =
+         adl_serializer,
+         class BinaryType = std::vector<std::uint8_t>>
+class basic_json;
+
+/// @brief JSON Pointer defines a string syntax for identifying a specific value within a JSON document
+/// @sa https://json.nlohmann.me/api/json_pointer/
+template<typename RefStringType>
+class json_pointer;
+
+/*!
+@brief default specialization
+@sa https://json.nlohmann.me/api/json/
+*/
+using json = basic_json<>;
+
+/// @brief a minimal map-like container that preserves insertion order
+/// @sa https://json.nlohmann.me/api/ordered_map/
+template<class Key, class T, class IgnoredLess, class Allocator>
+struct ordered_map;
+
+/// @brief specialization that maintains the insertion order of object keys
+/// @sa https://json.nlohmann.me/api/ordered_json/
+using ordered_json = basic_json<nlohmann::ordered_map>;
+
+NLOHMANN_JSON_NAMESPACE_END
+
+#endif  // INCLUDE_NLOHMANN_JSON_FWD_HPP_
diff --git a/src/proxy_tls.cpp b/src/proxy_tls.cpp
@@ -417,8 +417,15 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 		// verifications purposes.
 		if (!SSL_CTX_load_verify_locations(GloVars.global.ssl_ctx, ssl_ca_fp, ssl_ca_fp)) {
 			proxy_error("Unable to load CA certificates location for verification. Shutting down\n");
-			exit(EXIT_SUCCESS); // we exit gracefully to not be restarted
 		}
+
+		// Completely disable session tickets and session-cache. SSL sessions resume/tickets aren't supported
+		// right now, so disabling them shouldn't have negative effects. On the other hand, enabling them can
+		// lead to invalid SSL handshakes when the client tries to reuse a previously issued session ticket.
+		// In this scenario an invalid handshake will take place, and the client will be disconnected. Some
+		// clients (MySQL > 8.0.29) attempt session reuses during reconnect operations.
+		SSL_CTX_set_options(GloVars.global.ssl_ctx, SSL_OP_NO_TICKET);
+		SSL_CTX_set_session_cache_mode(GloVars.global.ssl_ctx, SSL_SESS_CACHE_OFF);
 	} else {
 		// here we use global.tmp_ssl_ctx instead of global.ssl_ctx
 		// because we will try to swap at the end
@@ -478,6 +485,9 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 	}
 	if (ret == 0) {
 		SSL_CTX_set_verify(GloVars.global.ssl_ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, callback_ssl_verify_peer);
+		// Completely disable session tickets and session-cache. See comment above.
+		SSL_CTX_set_options(GloVars.global.ssl_ctx, SSL_OP_NO_TICKET);
+		SSL_CTX_set_session_cache_mode(GloVars.global.ssl_ctx, SSL_SESS_CACHE_OFF);
 	}
 	X509_free(x509);
 	EVP_PKEY_free(pkey);

diff --git a/test/deps/Makefile b/test/deps/Makefile
@@ -10,7 +10,7 @@ DEPS_PATH := $(PROXYSQL_PATH)/deps
 default: all
 
 .PHONY: all
-all: mariadb_client mysql_client
+all: mariadb_client mysql_client mysql8_client
 
 
 ### test deps targets
@@ -25,15 +25,6 @@ mariadb-connector-c/mariadb-connector-c/libmariadb/libmariadbclient.a:
 
 mariadb_client: mariadb-connector-c/mariadb-connector-c/libmariadb/libmariadbclient.a
 
-
-#mysql-connector-c/mysql-connector-c/libmysql/libmysqlclient.a:
-#	cd mysql-connector-c && rm -rf mysql-connector-c-*-src/ || true
-#	cd mysql-connector-c && tar -zxf mysql-connector-c-*-src.tar.gz
-#	cd mysql-connector-c/mysql-connector-c && patch -p0 < ../CMakeLists.txt.patch
-#	cd mysql-connector-c/mysql-connector-c && patch -p0 < ../install_macros.cmake.patch
-#	cd mysql-connector-c/mysql-connector-c && cmake . -DCMAKE_BUILD_TYPE=RelWithDebInfo -DOPENSSL_ROOT_DIR=$(DEPS_PATH)/libssl/openssl
-#	cd mysql-connector-c/mysql-connector-c && CC=${CC} CXX=${CXX} ${MAKE} mysqlclient mysql
-
 mysql-connector-c/mysql-boost-5.7.44.tar.gz:
 	cd mysql-connector-c && curl -C - -O -s https://cdn.mysql.com//Downloads/MySQL-5.7/mysql-boost-5.7.44.tar.gz || wget -nc -q https://cdn.mysql.com//Downloads/MySQL-5.7/mysql-boost-5.7.44.tar.gz
 
@@ -42,12 +33,25 @@ mysql-connector-c/mysql-connector-c/libmysql/libmysqlclient.a: mysql-connector-c
 	cd mysql-connector-c && tar -zxf mysql-boost-5.7.*.tar.gz
 	cd mysql-connector-c && ln -fsT $$(ls -1d mysql-5.7.*/) mysql-connector-c
 	cd mysql-connector-c/mysql-connector-c && cmake . -DWITH_BOOST=./boost -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_CXX_FLAGS_RELWITHDEBINFO="-O0 -ggdb -DNDEBUG -fPIC" -DOPENSSL_ROOT_DIR=$(DEPS_PATH)/libssl/openssl
-#	cd mysql-connector-c/mysql-connector-c && cmake . -DWITH_BOOST=./boost -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS_DEBUG="-O0 -ggdb -fPIC" -DOPENSSL_ROOT_DIR=$(DEPS_PATH)/libssl/openssl
 	cd mysql-connector-c/mysql-connector-c && CC=${CC} CXX=${CXX} ${MAKE} mysqlclient mysql
 	cd mysql-connector-c/mysql-connector-c && cp archive_output_directory/libmysqlclient.a libmysql/
 
 mysql_client: mysql-connector-c/mysql-connector-c/libmysql/libmysqlclient.a
 
+mysql-connector-c-8.4.0/mysql-8.4.0.tar.gz:
+	cd mysql-connector-c-8.4.0 && curl -C - -O -s https://cdn.mysql.com//Downloads/MySQL-8.4/mysql-8.4.0.tar.gz || wget -nc -q https://cdn.mysql.com//Downloads/MySQL-8.4/mysql-8.4.0.tar.gz
+
+mysql-connector-c-8.4.0/mysql-connector-c/libmysql/libmysqlclient.a: mysql-connector-c-8.4.0/mysql-8.4.0.tar.gz
+	cd mysql-connector-c-8.4.0 && rm -rf mysql-*/ || true
+	cd mysql-connector-c-8.4.0 && tar -zxf mysql-*.tar.gz
+	cd mysql-connector-c-8.4.0 && ln -fsT $$(ls -1d mysql-8.4.*/) mysql-connector-c
+	cd mysql-connector-c-8.4.0/mysql-connector-c && cmake . -DFORCE_INSOURCE_BUILD=1 -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+		-DWITHOUT_SERVER=ON -DDOWNLOAD_BOOST=1 -DWITH_BOOST=./mysql-server/downloads/ -DWITH_UNIT_TESTS=OFF \
+		-DCMAKE_CXX_FLAGS_RELWITHDEBINFO="-O0 -ggdb -DNDEBUG -fPIC" -DOPENSSL_ROOT_DIR=$(DEPS_PATH)/libssl/openssl
+	cd mysql-connector-c-8.4.0/mysql-connector-c && CC=${CC} CXX=${CXX} ${MAKE}
+	cd mysql-connector-c-8.4.0/mysql-connector-c && cp archive_output_directory/libmysqlclient.a libmysql/
+
+mysql8_client: mysql-connector-c-8.4.0/mysql-connector-c/libmysql/libmysqlclient.a
 
 ### clean targets
 
@@ -56,6 +60,7 @@ mysql_client: mysql-connector-c/mysql-connector-c/libmysql/libmysqlclient.a
 cleanall:
 	cd mariadb-connector-c && rm -rf mariadb-connector-c-*/ || true
 	cd mysql-connector-c && rm -rf mysql-5.7.*/ || true
+	cd mysql-connector-c-8.4.0 && rm -rf mysql-8.4.*/ || true
 
 .PHONY: clean
 .SILENT: clean
@@ -65,3 +70,6 @@ clean:
 	cd mysql-connector-c/mysql-connector-c && $(MAKE) --no-print-directory clean || true
 	cd mysql-connector-c/mysql-connector-c && rm -f CMakeCache.txt || true
 	cd mysql-connector-c/mysql-connector-c && rm -f libmysql/libmysqlclient.a || true
+	cd mysql-connector-c-8.4.0/mysql-connector-c && $(MAKE) --no-print-directory clean || true
+	cd mysql-connector-c-8.4.0/mysql-connector-c && rm -f CMakeCache.txt || true
+	cd mysql-connector-c-8.4.0/mysql-connector-c && rm -f libmysql/libmysqlclient.a || true
diff --git a/test/deps/mysql-connector-c-8.4.0/mysql-connector-c b/test/deps/mysql-connector-c-8.4.0/mysql-connector-c
@@ -0,0 +1 @@
+mysql-8.4.0/
diff --git a/test/tap/Makefile b/test/tap/Makefile
@@ -13,7 +13,7 @@ test_deps:
 	cd ../deps && CC=${CC} CXX=${CXX} ${MAKE}
 
 .PHONY: tap
-tap:
+tap: test_deps
 	cd tap && CC=${CC} CXX=${CXX} ${MAKE}
 
 .PHONY: tests
@@ -25,9 +25,21 @@ tests_with_deps: tap test_deps
 	cd tests_with_deps && CC=${CC} CXX=${CXX} ${MAKE} $(MAKECMDGOALS)
 
 
+.PHONY: clean_utils
+.SILENT: clean_utils
+clean_utils:
+	cd tap && ${MAKE} -s clean_utils
+
 .PHONY: clean
 .SILENT: clean
 clean:
+	cd tap && ${MAKE} -s clean
+	cd tests && ${MAKE} -s clean
+	cd tests_with_deps && ${MAKE} -s clean
+
+.PHONY: cleanall
+.SILENT: cleanall
+cleanall:
 	cd ../deps && ${MAKE} -s clean
 	cd tap && ${MAKE} -s clean
 	cd tests && ${MAKE} -s clean