Bug #111062 Cannot disable TLS in MySQL 8.0.33
Submitted: 17 May 2023 18:49 Modified: 19 May 2023 13:37
Reporter: Gabriel Gritsch Email Updates:
Status: Verified Impact on me: None
Category:MySQL Server: Options Severity:S3 (Non-critical)
Version:8.0.33 OS:MacOS
Assigned to: CPU Architecture:ARM
Tags: SSL, tls

[17 May 2023 18:49] Gabriel Gritsch
Description:
This is nearly a copy of #106459 but for the newest version as it still does not work.

It seems that there is no clear way to disable SSL/TLS.

How to repeat:
I tried it with the old option ssl=0 and also with tls_version='' but both throw warnings in the logfile.
Please see the following logs. The third one is with both ssl/tls options disabled.

###################################################################

ssl=0
#tls_version=''

2023-05-17T18:36:24.6NZ mysqld_safe Starting mysqld daemon with databases from /services/mysql/db
2023-05-17T18:36:24.392220Z 0 [Warning] [MY-011068] [Server] The syntax '--ssl=off' is deprecated and will be removed in a future release. Please use --tls-version='' instead.
2023-05-17T18:36:24.392327Z 0 [System] [MY-010116] [Server] /bin/mysqld (mysqld 8.0.33) starting as process 50183
2023-05-17T18:36:24.396964Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2023-05-17T18:36:24.426971Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2023-05-17T18:36:24.486854Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'
2023-05-17T18:36:24.486894Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /tmp/mysqlx.sock
2023-05-17T18:36:24.486910Z 0 [System] [MY-010931] [Server] /bin/mysqld: ready for connections. Version: '8.0.33'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew.

###################################################################

#ssl=0
tls_version=''

2023-05-17T18:37:55.6NZ mysqld_safe Starting mysqld daemon with databases from /services/mysql/db
2023-05-17T18:37:55.161382Z 0 [System] [MY-010116] [Server] /bin/mysqld (mysqld 8.0.33) starting as process 50650
2023-05-17T18:37:55.165999Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2023-05-17T18:37:55.195959Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2023-05-17T18:37:55.246933Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2023-05-17T18:37:55.246946Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: TLS version is invalid
2023-05-17T18:37:55.255752Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'
2023-05-17T18:37:55.255793Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /tmp/mysqlx.sock
2023-05-17T18:37:55.255809Z 0 [System] [MY-010931] [Server] /bin/mysqld: ready for connections. Version: '8.0.33'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew.

###################################################################

#ssl=0
#tls_version=''

2023-05-17T18:40:29.6NZ mysqld_safe Starting mysqld daemon with databases from /services/mysql/db
2023-05-17T18:40:29.501047Z 0 [System] [MY-010116] [Server] /bin/mysqld (mysqld 8.0.33) starting as process 51554
2023-05-17T18:40:29.505564Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2023-05-17T18:40:29.535101Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2023-05-17T18:40:29.589251Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2023-05-17T18:40:29.589269Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2023-05-17T18:40:29.594359Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /tmp/mysqlx.sock
2023-05-17T18:40:29.594374Z 0 [System] [MY-010931] [Server] /bin/mysqld: ready for connections. Version: '8.0.33'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew.

Suggested fix:
The setting tls_version='' should disable SSL/TLS completely and also prevent generation of (self-signed) certificate files.
[18 May 2023 4:52] Harin Vadodaria
Hi,

Setting --tls-version='' is the correct way to disable TLS. In the 2nd case mentioned in bug description:

###################################################################

#ssl=0
tls_version=''

2023-05-17T18:37:55.6NZ mysqld_safe Starting mysqld daemon with databases from /services/mysql/db
2023-05-17T18:37:55.161382Z 0 [System] [MY-010116] [Server] /bin/mysqld (mysqld 8.0.33) starting as process 50650
2023-05-17T18:37:55.165999Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2023-05-17T18:37:55.195959Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2023-05-17T18:37:55.246933Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2023-05-17T18:37:55.246946Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: TLS version is invalid
2023-05-17T18:37:55.255752Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'
2023-05-17T18:37:55.255793Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /tmp/mysqlx.sock
2023-05-17T18:37:55.255809Z 0 [System] [MY-010931] [Server] /bin/mysqld: ready for connections. Version: '8.0.33'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew.

###################################################################

Warnings related to SSL configuration failures are indicators that TLS is disabled.

To disable automatic generation of certificates, please set auto_generate_certs to OFF.
For more details, refer to: https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_auto_generate_...
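As an added illustration (not code from the report or from MySQL itself), a small Python helper that reads the MY-* codes from startup logs like the ones above to tell whether TLS ended up enabled or disabled, and checks a [mysqld] section for the deprecated ssl=0, the tls_version='' setting and auto_generate_certs as discussed in this reply. The code-to-state mapping and the cnf parsing are my own assumptions derived from the messages quoted on this page.

```python
import re

# Error-log line shape: "<ts> <thread> [<level>] [<MY-code>] [<subsys>] <message>"
LOG_RE = re.compile(r"^\S+ \d+ \[(\w+)\] \[(MY-\d+)\] \[\w+\] (.*)$")

# Meaning of the codes that appear in this report's startup logs (assumption).
TLS_CODES = {
    "MY-013602": "enabled",    # "Channel mysql_main configured to support TLS"
    "MY-013595": "disabled",   # "Failed to initialize TLS" seen with tls_version=''
    "MY-010069": "disabled",   # "SSL library error: TLS version is invalid"
}

def tls_state_from_log(log_text):
    """Return (state, codes): state is 'enabled', 'disabled' or 'unknown'."""
    state, codes = "unknown", []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:                      # e.g. mysqld_safe lines have no MY-code
            continue
        code = m.group(2)
        codes.append(code)
        if code in TLS_CODES:
            state = TLS_CODES[code]
    return state, codes

def check_mysqld_cnf(cnf_text):
    """Return findings about the TLS-related options discussed in the report."""
    opts = {}
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # ignore commented lines like '#ssl=0'
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            opts[k.replace("-", "_")] = v.strip("'\"")
    findings = []
    if opts.get("ssl") in ("0", "OFF", "off"):
        findings.append("ssl=0 is deprecated (MY-011068); use tls_version='' instead")
    if opts.get("tls_version") == "":
        findings.append("tls_version='' disables TLS; expect MY-013595/MY-010069 warnings")
        if opts.get("auto_generate_certs", "ON").upper() != "OFF":
            findings.append("auto_generate_certs is not OFF; ca.pem etc. are still generated")
    return findings

# Constructed sample: two lines from the report's second log plus the ready line.
SAMPLE_LOG = """\
2023-05-17T18:37:55.246933Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2023-05-17T18:37:55.246946Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: TLS version is invalid
2023-05-17T18:37:55.255809Z 0 [System] [MY-010931] [Server] /bin/mysqld: ready for connections. Version: '8.0.33'  socket: '/tmp/mysql.sock'  port: 3306  Homebrew.
"""

if __name__ == "__main__":
    print(tls_state_from_log(SAMPLE_LOG)[0])            # disabled
    print(check_mysqld_cnf("[mysqld]\n#ssl=0\ntls_version=''\n"))
```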
[18 May 2023 7:14] Gabriel Gritsch
Thank you for the quick answer but I see a few issues:

If I pass --tls-version='' as a parameter it leads to an error (yes, version 8.0.33):

2023-05-18T07:05:32.285830Z 0 [ERROR] [MY-013835] [Server] Option --tls-version or --admin-tls-version is set to an invalid value ''.

If I set tls_version='' in my.cnf it works partially.
SSL/TLS is disabled but it shows the 3 listed warnings.
What's the sense in showing warnings regarding SSL/TLS if it's disabled explicitly?

2023-05-18T07:08:33.828439Z 0 [Warning] [MY-013595] [Server] Failed to initialize TLS for channel: mysql_main. See below for the description of exact issue.
2023-05-18T07:08:33.828454Z 0 [Warning] [MY-010069] [Server] Failed to set up SSL because of the following SSL library error: TLS version is invalid
2023-05-18T07:08:33.838042Z 0 [Warning] [MY-011302] [Server] Plugin mysqlx reported: 'Failed at SSL configuration: "SSL context is not usable without certificate and private key"'

First line: It did not FAIL, it was DISABLED, so no need to warn!?
Second line: why should there be an SSL library error? SSL is disabled so there should be no SSL-lib error!?
Third line: for sure it's not usable because it's disabled, so why throw the warning?

thank you and best regards
[18 May 2023 7:44] Harin Vadodaria
Hi,

Just to confirm my understanding: TLS connections are disabled when --tls-version='' is supplied and this is expected behavior.

However, your concerns are:
1. The option does not behave consistently
2. Additional warnings at start-up are added on server start up

Thus, as a part of the bug fix, we will try to simplify error messages. It is likely that we would keep at least one warning in place to inform user that TLS is disabled.

Thanks,
- Harin
[18 May 2023 7:51] Gabriel Gritsch
Correct, the parameter does not work correctly (it generates an error) but the value in the cnf file works.

One warning that TLS was disabled sounds reasonable.
[18 May 2023 10:12] Harin Vadodaria
Verified as described.
[19 May 2023 13:37] Gabriel Gritsch
One more comment:

The setting auto_generate_certs=0 disables the creation of the following six files:

ca-key.pem
ca.pem
client-cert.pem
client-key.pem
server-cert.pem
server-key.pem

but these two are still created:

private_key.pem
public_key.pem

Is that intended or also an issue?
[22 May 2023 10:42] Harin Vadodaria
This is intended. These files are controlled by different system variables.
Please see:
https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_caching_sha2_p...
https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_sha256_passwor...

Please set these variables to OFF if these files are not needed.
[22 May 2023 12:39] MySQL Verification Team
Thank you, Harin.