Bug #101536 tls1.2 issue
Submitted: 10 Nov 2020 9:54 Modified: 19 Jan 2021 4:23
Reporter: zhijian wang Email Updates:
Status: Duplicate Impact on me: None
Category:MySQL Router Severity:S3 (Non-critical)
Version:8.0.22 OS:CentOS (8.2)
Assigned to: MySQL Verification Team CPU Architecture:Any

[10 Nov 2020 9:54] zhijian wang
Description:
We updated our mysql-MGR-cluster and mysqlrouter version from 8.0.21 to
8.0.22.

But we found an issue with TLS1.2 between mysql-java-client and
mysql-MGR-cluster through mysqlrouter 8.0.22.

The issue message is: Invalid TLS padding data.

If mysqlrouter is downgraded back to 8.0.21, everything is OK. If we set the option "ssl_mode=disable" in mysqlrouter.conf and on the mysqlclient side, everything is OK too.

How to repeat:
Could you give me any advice?
[10 Nov 2020 14:46] MySQL Verification Team
Hi,

Thanks for reporting the bug. The only advice is to downgrade to 8.0.21 for now till we fix this

all best
Bogdan
[12 Nov 2020 13:54] MySQL Verification Team
Hi,

Did you try also updating the java connector to 8.0.22 ?

all best
Bogdan
[12 Nov 2020 14:42] MySQL Verification Team
Hi

Two more questions
 - what connector are you using now
 - can you connect directly to mysql server (without router) with it

thanks
Bogdan
[19 Nov 2020 0:38] zhijian wang
Hi

 1. we use openjdk-11.0.9, which is the latest version
 2. there is no issue if we skip mysqlrouter. it works well if we connect to mysql-MGR-cluster directly with SSL
[20 Nov 2020 9:31] MySQL Verification Team
Hi,

> 1. we use openjdk-11.0.9,which is the latest version

that is java version, but what version of MySQL connector you use with it?

> 2.there is no issue if we skip mysqlrouter. it works well if connect to mysql-MGR-cluster directly with SSL

If I understood ok you used .21 router and server and upgraded both to .22.

If you upgrade only mysqld to .22 and leave router to .21 does it work ok?

thanks
Bogdan
[24 Nov 2020 1:06] zhijian wang
Hi,

> 1. we use openjdk-11.0.9,which is the latest version
>
> that is java version, but what version of MySQL connector you use with it?

A: we use mysql-connector-java-8.0.22.jar

> 2. Yes, if we upgrade only mysql-MGR-cluster to .22 and leave router .21, it works ok.
[1 Dec 2020 14:18] MySQL Verification Team
Hi,

Our dev team is having issues reproducing this properly. I will be testing their procedure too but can you please test on your system too.

Here's what they did:
- I set up a new cluster from scratch with MySQL Shell 8.0.22 and MySQL Server 8.0.22. I forced TLSv1.2 in my.cnf (by default connections were established using TLSv1.3; which also works fine)
- I bootstrapped Router 8.0.22 against it
- I installed MySQL Connectors/J 8.0.22 and OpenJDK 11.0.9, and ran my Java "helloworld" program, and it works just fine.

Can you provide more detail about your setup?  Or could you try running my
simple program (adjust it as needed) to see if it works for you?
Details follow.
[1 Dec 2020 14:19] MySQL Verification Team
$ mysqlsh -i -e "dba.getCluster().status()" root:r@0:3310
  MySQL Shell 8.0.22

  Copyright (c) 2016, 2020, Oracle and/or its affiliates.
  Oracle is a registered trademark of Oracle Corporation and/or its
affiliates.
  Other names may be trademarks of their respective owners.

  Type '\help' or '\?' for help; '\quit' to exit.
  WARNING: Using a password on the command line interface can be insecure.
Creating a session to 'root@0:3310'
  Fetching schema names for autocompletion... Press ^C to stop.
  Your MySQL connection id is 98
  Server version: 8.0.22 MySQL Community Server - GPL
  No default schema selected; type \use <schema> to set one.
  {
      "clusterName": "mycluster",
      "defaultReplicaSet": {
          "name": "default",
          "primary": "192.168.43.111:3310",
          "ssl": "REQUIRED",
          "status": "OK",
          "statusText": "Cluster is ONLINE and can tolerate up to ONE
failure.",
          "topology": {
              "192.168.43.111:3310": {
                  "address": "192.168.43.111:3310",
                  "mode": "R/W",
                  "readReplicas": {},
                  "replicationLag": null,
                  "role": "HA",
                  "status": "ONLINE",
                  "version": "8.0.22"
              },
              "192.168.43.111:3320": {
                  "address": "192.168.43.111:3320",
                  "mode": "R/O",
                  "readReplicas": {},
                  "replicationLag": null,
                  "role": "HA",
                  "status": "ONLINE",
                  "version": "8.0.22"
              },
              "192.168.43.111:3330": {
                  "address": "192.168.43.111:3330",
                  "mode": "R/O",
                  "readReplicas": {},
                  "replicationLag": null,
                  "role": "HA",
                  "status": "ONLINE",
                  "version": "8.0.22"
              }
          },
          "topologyMode": "Single-Primary"
      },
      "groupInformationSourceMember": "192.168.43.111:3310"
  }

  $ mysql -uroot --password=$HA_PASS -h 0 -P 6446 -e "SELECT @@version"
  mysql: [Warning] Using a password on the command line interface can be
insecure.
  +-----------+
  | @@version |
  +-----------+
  | 8.0.22    |
  +-----------+

  # all 3 nodes have analogous configs.  Everythig was autogenerated by Shell
  # except 3 lines I added right before `[client]` (`general_log`,
  # `general_log_file` and `tls_version`), and restarted the cluster.
  $ cat ~/mysql-sandboxes/3310/my.cnf
  [mysqld]
  port = 3310
  loose_mysqlx_port = 33100
  server_id = 2806562773
  socket = mysqld.sock
  loose_mysqlx_socket = mysqlx.sock
  basedir = /usr
  datadir = /home/benny/mysql-sandboxes/3310/sandboxdata
  loose_log_syslog = OFF
  report_port = 3310
  report_host = 192.168.43.111
  log_error = /home/benny/mysql-sandboxes/3310/sandboxdata/error.log
  relay_log_info_repository = TABLE
  master_info_repository = TABLE
  gtid_mode = ON
  log_slave_updates = ON
  transaction_write_set_extraction = XXHASH64
  binlog_format = ROW
  log_bin
  enforce_gtid_consistency = ON
  pid_file = /home/benny/mysql-sandboxes/3310/3310.pid
  secure_file_priv = /home/benny/mysql-sandboxes/3310/mysql-files
  general_log_file = /home/benny/mysql-sandboxes/3310/sandboxdata/general.log
  general_log = 1
  tls_version = TLSv1.2
  [client]
  port = 3310
  user = root
  protocol = TCP

--------------------------------------------------------------------------------
JAVA VERSIONS
--------------------------------------------------------------------------------

  $ javac --version
  javac 11.0.9

  $ java --version
  openjdk 11.0.9 2020-10-20
  OpenJDK Runtime Environment 18.9 (build 11.0.9+11)
  OpenJDK 64-Bit Server VM 18.9 (build 11.0.9+11, mixed mode)

  $ echo $CLASSPATH
  /usr/share/java/mysql-connector-java-8.0.22.jar:

--------------------------------------------------------------------------------
JAVA OUTPUT
--------------------------------------------------------------------------------

  $ javac FirstExample.java && java FirstExample 6446
  [Inf] Port number = 6446
  Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver
class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered
via the SPI and manual loading of the driver class is generally unnecessary.
  Connecting ...
  Running query ...
    Ssl_cipher = ECDHE-RSA-AES256-GCM-SHA384
    Ssl_version = TLSv1.2
  Goodbye!

  # lines logged by Router
  2020-12-01 13:24:16 routing DEBUG [7fb8c3fff700] [routing:mycluster_rw]
fd=43 connection accepted at 0.0.0.0:6446
  2020-12-01 13:24:16 routing DEBUG [7fb8ecd40700] fd=43: trying
192.168.43.111:3310 (192.168.43.111:3310)
  2020-12-01 13:24:16 routing DEBUG [7fb8ecd40700] [routing:mycluster_rw]
fd=43 connected 127.0.0.1:50504 -> 192.168.43.111:3310 as fd=44
  2020-12-01 13:24:16 routing DEBUG [7fb8ecd40700] [routing:mycluster_rw]
fd=43 -- 44: connection closed (up: 3822b; down: 2118b)

  # lines logged in Server general log
  2020-12-01T13:24:16.697941Z       119 Connect   root@c18 on mysql using
SSL/TLS
  2020-12-01T13:24:16.707062Z       119 Query     /*
mysql-connector-java-8.0.22 (Revision:
d64b664fa93e81296a377de031b8123a67e6def2) */SELECT
@@session.auto_increment_increment AS auto_increment_increment,
@@character_set_client AS character_set_client, @@character_set_connection AS
character_set_connection, @@character_set_results AS character_set_results,
@@character_set_server AS character_set_server, @@collation_server AS
collation_server, @@collation_connection AS collation_connection,
@@init_connect AS init_connect, @@interactive_timeout AS interactive_timeout,
@@license AS license, @@lower_case_table_names AS lower_case_table_names,
@@max_allowed_packet AS max_allowed_packet, @@net_write_timeout AS
net_write_timeout, @@performance_schema AS performance_schema, @@sql_mode AS
sql_mode, @@system_time_zone AS system_time_zone, @@time_zone AS time_zone,
@@transaction_isolation AS transaction_isolation, @@wait_timeout AS
wait_timeout
  2020-12-01T13:24:16.732939Z       119 Query     SET NAMES utf8mb4
  2020-12-01T13:24:16.733832Z       119 Query     SET character_set_results =
NULL
  2020-12-01T13:24:16.734952Z       119 Query     SET autocommit=1
  2020-12-01T13:24:16.746943Z       119 Query     SELECT * FROM
performance_schema.session_status WHERE VARIABLE_NAME IN
('Ssl_version','Ssl_cipher')
  2020-12-01T13:24:16.804785Z       119 Quit
[1 Dec 2020 14:19] MySQL Verification Team
--------------------------------------------------------------------------------
JAVA SOURCE
--------------------------------------------------------------------------------

  $ cat FirstExample.java
  import java.sql.*;

  public class FirstExample {
    // REFERENCE: https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-jdbc-url-format.html
    // build and run: javac FirstExample.java && java FirstExample 3306

    static final String JDBC_DRIVER = "com.mysql.jdbc.Driver";
    static final String DB_URL_PREFIX = "jdbc:mysql://localhost:";
    static final String DB = "mysql";

    //  Database credentials
    static final String USER = "root";
    static final String PASS = "r";

    public static void main(String[] args) {
      // get port number
      String port;
      if (args.length < 1) {
        System.err.println("[Err] Port number not given");
        return;
      } else {
        port = args[0];
        System.err.println("[Inf] Port number = " + port);
      }

      Connection conn = null;
      Statement stmt = null;
      try {
        // register JDBC driver
        Class.forName("com.mysql.jdbc.Driver");

        // connect
        System.out.println("Connecting ...");
        conn = DriverManager.getConnection(DB_URL_PREFIX + port + "/" + DB, USER, PASS);

        if(false) {
          //+---------------------------------+-----------+
          //| user                            | host      |
          //+---------------------------------+-----------+
          //| mysql_innodb_cluster_2806562773 | %         |
          //| mysql_router1_ah41gbwqowmq      | %         |
          //| root                            | %         |
          //| mysql.infoschema                | localhost |
          //| mysql.session                   | localhost |
          //| mysql.sys                       | localhost |
          //| root                            | localhost |
          //+---------------------------------+-----------+

          // run query
          System.out.println("Running query ...");
          stmt = conn.createStatement();
          String sql = "SELECT user, host from mysql.user";
          ResultSet rs = stmt.executeQuery(sql);

          // process results
          while(rs.next()) {
            System.out.println("  " + rs.getString("user") + "@" + rs.getString("host"));
          }

          // cleanup
          rs.close();
          stmt.close();
          conn.close();
        } else {
          //+---------------+-----------------------------+
          //| VARIABLE_NAME | VARIABLE_VALUE              |
          //+---------------+-----------------------------+
          //| Ssl_cipher    | ECDHE-RSA-AES128-GCM-SHA256 |
          //| Ssl_version   | TLSv1.2                     |
          //+---------------+-----------------------------+

          // run query
          System.out.println("Running query ...");
          stmt = conn.createStatement();
          String sql = "SELECT * FROM performance_schema.session_status WHERE VARIABLE_NAME IN ('Ssl_version','Ssl_cipher')";
          ResultSet rs = stmt.executeQuery(sql);

          // process results
          while(rs.next()) {
            System.out.println("  " + rs.getString("VARIABLE_NAME") + " = " + rs.getString("VARIABLE_VALUE"));
          }

          // cleanup
          rs.close();
          stmt.close();
          conn.close();
        }

      } catch(SQLException se) {
        // handle errors from JDBC
        se.printStackTrace();
      } catch(Exception e) {
        // handle errors from Class.forName
        e.printStackTrace();
      } finally {
        // clean up

        try {
          if(stmt!=null)
            stmt.close();
        } catch(SQLException dummy) {
          // nothing we can do
        }

        try {
          if(conn!=null)
            conn.close();
        } catch(SQLException se) {
          se.printStackTrace();
        }
      }

      System.out.println("Goodbye!");
    }
  }

--------------------------------------------------------------------------------
ROUTER VERSION AND CONFIG
--------------------------------------------------------------------------------

  $ bin/mysqlrouter --version
  MySQL Router  Ver 8.0.22 for Linux on x86_64 (MySQL Community - GPL)

  # Configuration is as bootstrap generated it, except for lines starting with
  # '#' which I overrode with my own versions
  $ cat /usr/local/router-instance/mysqlrouter.conf
  # File automatically generated during MySQL Router bootstrap
  [DEFAULT]
  #logging_folder=/usr/local/router-instance/log
  logging_folder=
  runtime_folder=/usr/local/router-instance/run
  data_folder=/usr/local/router-instance/data
  keyring_path=/usr/local/router-instance/data/keyring
  master_key_path=/usr/local/router-instance/mysqlrouter.key
  connect_timeout=15
  read_timeout=30
  dynamic_state=/usr/local/router-instance/data/state.json

  [logger]
  #level = INFO
  level = DEBUG

  [metadata_cache:mycluster]
  cluster_type=gr
  router_id=1
  user=mysql_router1_ah41gbwqowmq
  metadata_cluster=mycluster
  #ttl=0.5
  ttl=60
  auth_cache_ttl=-1
  #auth_cache_refresh_interval=2
  auth_cache_refresh_interval=60
  use_gr_notifications=0

  [routing:mycluster_rw]
  bind_address=0.0.0.0
  bind_port=6446
  destinations=metadata-cache://mycluster/?role=PRIMARY
  routing_strategy=first-available
  protocol=classic

  [routing:mycluster_ro]
  bind_address=0.0.0.0
  bind_port=6447
  destinations=metadata-cache://mycluster/?role=SECONDARY
  routing_strategy=round-robin-with-fallback
  protocol=classic

  [routing:mycluster_x_rw]
  bind_address=0.0.0.0
  bind_port=64460
  destinations=metadata-cache://mycluster/?role=PRIMARY
  routing_strategy=first-available
  protocol=x

  [routing:mycluster_x_ro]
  bind_address=0.0.0.0
  bind_port=64470
  destinations=metadata-cache://mycluster/?role=SECONDARY
  routing_strategy=round-robin-with-fallback
  protocol=x

  [http_server]
  port=8443
  ssl=1
  ssl_cert=/usr/local/router-instance/data/router-cert.pem
  ssl_key=/usr/local/router-instance/data/router-key.pem

  [http_auth_realm:default_auth_realm]
  backend=default_auth_backend
  method=basic
  name=default_realm

  [rest_router]
  require_realm=default_auth_realm

  [rest_api]

  [http_auth_backend:default_auth_backend]
  backend=metadata_cache

  [rest_routing]
  require_realm=default_auth_realm

  [rest_metadata_cache]
  require_realm=default_auth_realm
[2 Dec 2020 10:35] Pawel Mroszczyk
Same program running again, but with SSL debug enabled

Attachment: debug_ssl.txt (text/plain), 102.26 KiB.

[2 Dec 2020 13:31] MySQL Verification Team
Hi,

Since the router team had issues reproducing this I got my setup up to reproduce it again and I found that I was not reproducing the padding issue but was not paying enough attention and just reproduced the "not verified cert" problem that's not a bug.

So using 
 - mysqld 8.0.22
 - MySQL innodb cluster with 8.0.22 servers
 - MySQL router 8.0.22
 - openjdk 11 + MySQL connector 8.0.22

I have no issues reproducing.

simplest code example:

[root@centos7-1 ~]# cat bug.java
import java.sql.*;

  public class bug {
    static final String JDBC_DRIVER = "com.mysql.jdbc.Driver";
    static final String USER = "root";
    static final String PASS = "";

    public static void main(String[] args) {
      Connection conn = null;
      Statement stmt = null;
      try {
        Class.forName("com.mysql.jdbc.Driver");
//        conn = DriverManager.getConnection("jdbc:mysql://localhost:3307/mysql?useSSL=true&requireSSL=true&verifyServerCertificate=true", USER, PASS);
        conn = DriverManager.getConnection("jdbc:mysql://localhost:3307/mysql?useSSL=true&requireSSL=true&verifyServerCertificate=false", USER, PASS);
//        conn = DriverManager.getConnection("jdbc:mysql://localhost:3307/mysql?useSSL=true&requireSSL=true", USER, PASS);
        stmt = conn.createStatement();
        String sql = "select CHANNEL, VALUE from performance_schema.tls_channel_status where PROPERTY = 'Current_tls_version'";
        ResultSet rs = stmt.executeQuery(sql);
        while(rs.next()) System.out.println("  " + rs.getString("CHANNEL") + " = " +rs.getString("VALUE"));
        rs.close();
        stmt.close();
        conn.close();

      } catch(SQLException se) {
        se.printStackTrace();
      } catch(Exception e) {
        e.printStackTrace();
      } finally {
        try {
          if(stmt!=null)
            stmt.close();
        } catch(SQLException dummy) {
        }

        try {
          if(conn!=null)
            conn.close();
        } catch(SQLException se) {
          se.printStackTrace();
        }
      }

    }
  }

[root@centos7-1 ~]# javac bug.java
[root@centos7-1 ~]# java -cp mysql-connector-java-8.0.22.jar:. bug
Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
  mysql_main = TLSv1.2
  mysql_admin = TLSv1,TLSv1.1,TLSv1.2
[root@centos7-1 ~]# java -version
openjdk version "11.0.9" 2020-10-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.9+11-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.9+11-LTS, mixed mode, sharing)
[root@centos7-1 ~]# javac -version
javac 11.0.9
[root@centos7-1 ~]#
[2 Dec 2020 13:32] MySQL Verification Team
Hi,

Can you please follow the example in the attached file and turn on debugging as described here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

Thanks
Bogdan
[2 Dec 2020 13:33] MySQL Verification Team
Hi,

Also, can you please use the config our router team is using to see if you can reproduce the problem

thanks
Bogdan
[3 Dec 2020 6:46] zhijian wang
Hi,

Our testing environment:
1. java version
openjdk version "11.0.9" 2020-10-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.9+11-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.9+11-LTS, mixed mode, sharing)

2. /etc/mysqlrouter/mysqlrouter.conf
Version: MySQL Router  Ver 8.0.22 for Linux on x86_64 (MySQL Community - GPL)

/etc/mysqlrouter/mysqlrouter.conf
# File automatically generated during MySQL Router bootstrap
[DEFAULT]
name=system
user=mysqlrouter
keyring_path=/var/lib/mysqlrouter/keyring
master_key_path=/etc/mysqlrouter/mysqlrouter.key
connect_timeout=15
read_timeout=30
dynamic_state=/var/lib/mysqlrouter/state.json

[logger]
level = INFO

[metadata_cache:wxMysqlTestCluster1]
cluster_type=gr
router_id=3
user=mysql_router3_q5ew3texai86
metadata_cluster=wxMysqlTestCluster1
ttl=0.5
auth_cache_ttl=-1
auth_cache_refresh_interval=2
use_gr_notifications=0
#ssl_mode=DISABLED

[routing:wxMysqlTestCluster1_rw]
bind_address=0.0.0.0
bind_port=6446
destinations=metadata-cache://wxMysqlTestCluster1/?role=PRIMARY
routing_strategy=first-available
protocol=classic
#ssl_mode=DISABLED

[routing:wxMysqlTestCluster1_ro]
bind_address=0.0.0.0
bind_port=6447
destinations=metadata-cache://wxMysqlTestCluster1/?role=SECONDARY
routing_strategy=round-robin-with-fallback
protocol=classic

[routing:wxMysqlTestCluster1_x_rw]
bind_address=0.0.0.0
bind_port=64460
destinations=metadata-cache://wxMysqlTestCluster1/?role=PRIMARY
routing_strategy=first-available
protocol=x

[routing:wxMysqlTestCluster1_x_ro]
bind_address=0.0.0.0
bind_port=64470
destinations=metadata-cache://wxMysqlTestCluster1/?role=SECONDARY
routing_strategy=round-robin-with-fallback
protocol=x

[http_server]
port=8443
ssl=1
ssl_cert=/var/lib/mysqlrouter/router-cert.pem
ssl_key=/var/lib/mysqlrouter/router-key.pem

[http_auth_realm:default_auth_realm]
backend=default_auth_backend
method=basic
name=default_realm

[rest_router]
require_realm=default_auth_realm

[rest_api]

[http_auth_backend:default_auth_backend]
backend=metadata_cache

[rest_routing]
require_realm=default_auth_realm

[rest_metadata_cache]
require_realm=default_auth_realm

3. mysqlshell and Cluster:

[root@dorado ~]# mysqlsh 
MySQL Shell 8.0.22

Copyright (c) 2016, 2020, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.

Type '\help' or '\?' for help; '\quit' to exit.
 MySQL  JS > \connect root@dorado
Creating a session to 'root@dorado'
Fetching schema names for autocompletion... Press ^C to stop.
Your MySQL connection id is 44 (X protocol)
Server version: 8.0.22 MySQL Community Server - GPL
No default schema selected; type \use <schema> to set one.
 MySQL  dorado:33060+ ssl  JS >  var cluster=dba.getCluster('')
Dba.getCluster: The cluster with the name '' does not exist. (MYSQLSH 51101)
 MySQL  dorado:33060+ ssl  JS >  var cluster=dba.getCluster()
 MySQL  dorado:33060+ ssl  JS > cluster.status()
{
    "clusterName": "wxMysqlTestCluster1", 
    "defaultReplicaSet": {
        "name": "default", 
        "primary": "delphinus:3306", 
        "ssl": "REQUIRED", 
        "status": "OK", 
        "statusText": "Cluster is ONLINE and can tolerate up to ONE failure.", 
        "topology": {
            "delphinus:3306": {
                "address": "delphinus:3306", 
                "mode": "R/W", 
                "readReplicas": {}, 
                "replicationLag": null, 
                "role": "HA", 
                "status": "ONLINE", 
                "version": "8.0.22"
            }, 
            "dorado:3306": {
                "address": "dorado:3306", 
                "mode": "R/O", 
                "readReplicas": {}, 
                "replicationLag": null, 
                "role": "HA", 
                "status": "ONLINE", 
                "version": "8.0.22"
            }, 
            "volans:3306": {
                "address": "volans:3306", 
                "mode": "R/O", 
                "readReplicas": {}, 
                "replicationLag": null, 
                "role": "HA", 
                "status": "ONLINE", 
                "version": "8.0.22"
            }
        }, 
        "topologyMode": "Single-Primary"
    }, 
    "groupInformationSourceMember": "delphinus:3306"
}
 MySQL  dorado:33060+ ssl  JS >

#########################

I will test again after adding option TLS1.2 force in my.cnf
[3 Dec 2020 14:05] MySQL Verification Team
Hi,

I cannot reproduce even if I don't have that in my.cnf.

Can you try my code example (modify for yourself)?

[root@centos7-1 ~]# cat bug.java
import java.sql.*;

  public class bug {
    static final String USER = "root";
    static final String PASS = "";

    public static void main(String[] args) {
      Connection conn = null;
      Statement stmt = null;
      try {
        Class.forName("com.mysql.cj.jdbc.Driver");
        // configure here location of your router
        conn = DriverManager.getConnection("jdbc:mysql://localhost:3307/mysql?useSSL=true&requireSSL=true&verifyServerCertificate=false&enabledTLSProtocols=TLSv1.2&sslMode=REQUIRED", USER, PASS);
        stmt = conn.createStatement();
        String sql = "select CHANNEL, VALUE from performance_schema.tls_channel_status where PROPERTY = 'Current_tls_version'";
        ResultSet rs = stmt.executeQuery(sql);
        while(rs.next()) System.out.println("  " + rs.getString("CHANNEL") + " = " +rs.getString("VALUE"));
        rs.close();
        stmt.close();
        conn.close();

      } catch(SQLException se) {
        se.printStackTrace();
      } catch(Exception e) {
        e.printStackTrace();
      } finally {
        try {
          if(stmt!=null)
            stmt.close();
        } catch(SQLException dummy) {
        }

        try {
          if(conn!=null)
            conn.close();
        } catch(SQLException se) {
          se.printStackTrace();
        }
      }

    }
  }

[root@centos7-1 ~]# java -cp mysql-connector-java-8.0.22.jar:. bug
[3 Dec 2020 14:06] MySQL Verification Team
and if you can reproduce, please turn on SSL debugging as we mentioned before

Thanks
Bogdan
[4 Dec 2020 1:57] zhijian wang
port 3007?
is it mysqlrouter-rw-port number?
[4 Dec 2020 1:58] zhijian wang
3307?
is it mysqlrouter-rw port number?
[4 Dec 2020 12:36] MySQL Verification Team
Hi,

Yes, 3307 is RW port on my router but please adapt the host/port/user/pass to your system

all best
Bogdan
[7 Dec 2020 3:15] zhijian wang
Hi,

  My test result is below:

   mysql_main = TLSv1.2
   mysql_admin = TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
[8 Dec 2020 20:00] MySQL Verification Team
Hi,

>  My test result is below:
>
>   mysql_main = TLSv1.2
>   mysql_admin = TLSv1,TLSv1.1,TLSv1.2,TLSv1.3

So you managed to successfully connect and did not experience the bug?

Can you now modify that example so that you get bug?

thanks
Bogdan
[9 Dec 2020 2:35] zhijian wang
Hi,
  So far, I've summed up the tests

===Before MySQL Router update to 8.0.22, everything is OK===

===After MySQL Router update, issues===

Environment 1:
Program dependencies and parameters:
mysql-connector-java-8.0.22.jar
HikariCP-3.4.1.jar
spring-data-jpa-2.2.3.RELEASE.jar
Query page size=10000
issues below:
WARN:SQL Error: 0, SQLState: S1000
ERROR:GenericJDBCException: could not extract ResultSet
Caused by: java.sql.SQLException: arraycopy: last source index 96 out of bounds for byte[76]
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:129) ~[mysql-connector-java-8.0.22.jar:8.0.22]

Environment 2:
Program dependencies and parameters:
commons-dbcp-1.4.jar
mysql-connector-java-8.0.12.jar
ResultSet > 1000.
issue below:
java.sql.SQLException: Invalid TLS padding data
    at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:129) ~[mysql-connector-java-8.0.12.jar:8.0.12]

Solution 1: MySQL Router downgrade to 8.0.21
Solution 2: control query size or result size to within 1000.
Solution 3: add option sslMode=disabled in jdbcUrl
[9 Dec 2020 17:55] MySQL Verification Team
Hi,

When I'm getting a bigger select result I get

java.sql.SQLException: Tag mismatch!
        at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:129)
        at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:97)
        at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
        at com.mysql.cj.jdbc.StatementImpl.executeQuery(StatementImpl.java:1200)
        at bug.main(bug.java:18)

and this is a different bug where mysqlrouter .22 can't handle a big result set; it has nothing to do with SSL, but I cannot reproduce your padding error.

Looking at your last reply, it looks like you get the padding error only with the old connector, so I assume the SSL here is only hiding a known bug in .22 about "big results". If you cannot reproduce the problem with a "small result set" (and looking at your previous test with my example you cannot) then this is just an after-effect of the known bug (that will be sorted out quickly).

I'm marking this as a duplicate of Bug# 101406

Kind regards
Bogdan
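The thread's conclusion is that the TLS errors ("Invalid TLS padding data", "Tag mismatch!") only appear once the result set grows past roughly 1000 rows, which is what distinguishes the Router 8.0.22 large-result bug from a genuine TLS misconfiguration. The program below is an added diagnostic, not code from the bug report or from the MySQL team: it opens a fresh TLS 1.2 connection through Router for each trial, prints the negotiated protocol and cipher, then fetches a synthetic result set of increasing size and reports the first size at which the driver fails. The endpoint `localhost:6446`, the `root` user with an empty password, the class name `TlsResultSizeProbe` and the list of row counts are assumptions to adapt to your own setup.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added diagnostic (not part of the bug report). Separates a failure that
 * depends on result-set size (the Router "big result set" bug) from a TLS
 * configuration problem, which would fail even for the smallest trial.
 */
public class TlsResultSizeProbe {
    // Assumed Router RW endpoint and credentials; adjust to your system.
    // sslMode=REQUIRED and enabledTLSProtocols=TLSv1.2 are Connector/J 8.0 URL options.
    static final String URL = "jdbc:mysql://localhost:6446/mysql"
            + "?sslMode=REQUIRED&enabledTLSProtocols=TLSv1.2";
    static final String USER = "root";
    static final String PASS = "";

    // Assumed trial sizes; the thread reports failures above ~1000 rows.
    static final int[] ROW_COUNTS = {100, 500, 1000, 2000, 5000, 10000};

    public static void main(String[] args) {
        for (int rows : ROW_COUNTS) {
            // One connection per trial: after a TLS record error the connection
            // is unusable, so reusing it would hide the outcome of later trials.
            try (Connection conn = DriverManager.getConnection(URL, USER, PASS)) {
                reportTlsSession(conn);
                long fetched = fetchRows(conn, rows);
                System.out.printf("rows=%d OK (fetched %d)%n", rows, fetched);
            } catch (SQLException e) {
                // "Invalid TLS padding data" / "Tag mismatch!" surface here.
                System.out.printf("rows=%d FAILED: %s (SQLState %s)%n",
                        rows, e.getMessage(), e.getSQLState());
            }
        }
    }

    /** Print the protocol version and cipher negotiated for this session. */
    static void reportTlsSession(Connection conn) throws SQLException {
        String sql = "SELECT VARIABLE_NAME, VARIABLE_VALUE"
                + " FROM performance_schema.session_status"
                + " WHERE VARIABLE_NAME IN ('Ssl_version','Ssl_cipher')";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                System.out.println("  " + rs.getString(1) + " = " + rs.getString(2));
            }
        }
    }

    /** Fetch a generated result set of `rows` rows and return how many arrived. */
    static long fetchRows(Connection conn, int rows) throws SQLException {
        try (Statement st = conn.createStatement()) {
            // MySQL 8.0 caps recursive CTE depth at 1000 by default; raise it for
            // this session. `rows` comes from the constant array above, not user input.
            st.execute("SET SESSION cte_max_recursion_depth = " + (rows + 1));
            String sql = "WITH RECURSIVE seq AS ("
                    + " SELECT 1 AS n UNION ALL SELECT n + 1 FROM seq WHERE n < " + rows
                    + ") SELECT n, REPEAT('x', 64) AS payload FROM seq";
            long count = 0;
            try (ResultSet rs = st.executeQuery(sql)) {
                while (rs.next()) {
                    count++;
                }
            }
            return count;
        }
    }
}
```

Compile and run it the same way as the thread's examples, `javac TlsResultSizeProbe.java && java -cp mysql-connector-java-8.0.22.jar:. TlsResultSizeProbe`. Adding `-Djavax.net.debug=ssl` to the `java` command line turns on the JSSE debug output that the Oracle page linked above describes, which is what the verification team asked for. If every trial fails, including the 100-row one, the problem is in the TLS setup rather than in result size; if only the larger trials fail, the behaviour matches the Router large-result-set bug this report was closed against.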
[10 Dec 2020 1:53] zhijian wang
Hi,

   Thank you very much.
   I will try the future version and reply you the result, thank you.
[10 Dec 2020 5:46] Pawel Mroszczyk
Posted by developer:
 
Marking this is a duplicate of BUG#32081158
[19 Jan 2021 4:23] zhijian wang
yum update issue:

MySQL 8.0 Community Server                                                                                                   206 kB/s | 1.3 MB     00:06    
MySQL Connectors Community                                                                                                    21 kB/s |  49 kB     00:02    
MySQL Tools Community                                                                                                         45 kB/s | 188 kB     00:04    
Last metadata expiration check: 0:00:01 ago on Tue 19 Jan 2021 12:19:56 PM CST.
Error: 
 Problem: package mysql-community-libs-8.0.22-1.el8.x86_64 requires mysql-community-client-plugins = 8.0.22-1.el8, but none of the providers can be installed
  - cannot install both mysql-community-client-plugins-8.0.23-1.el8.x86_64 and mysql-community-client-plugins-8.0.22-1.el8.x86_64
  - cannot install the best update candidate for package mysql-community-client-plugins-8.0.22-1.el8.x86_64
  - problem with installed package mysql-community-libs-8.0.22-1.el8.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)