Bug #119610 `_client_ip` attribute missing when client uses SSL connection
Submitted: 30 Dec 2025 12:24
Reporter: Bin Hong (OCA)
Status: Open
Category: MySQL Router
Severity: S3 (Non-critical)
Version: 8.0.44
OS: Any
Assigned to:
CPU Architecture: Any

[30 Dec 2025 12:24] Bin Hong
Description:

### Description

When a client connects to MySQL Router with SSL enabled, the `_client_ip` connection attribute is not added to the connection attributes sent to the MySQL server, even though the code in `client_greeting_after_tls()` appears to add it.

### Steps to Reproduce

1. Configure MySQL Router with `client_ssl_mode=PREFERRED` (default)
2. Connect a client to the router with SSL enabled (e.g., `mysql --ssl-mode=REQUIRED`)
3. Check connection attributes on the MySQL server side (e.g., using `performance_schema.session_connect_attrs`)
4. Observe that `_client_ip` is missing

### Code Analysis

The issue appears to be related to the different code paths for SSL and non-SSL connections:

**Non-SSL path:**
- In `ServerGreetor::client_greeting_server_adjust_caps()` (lines 428-444), when SSL is not enabled, `_client_ip` is added via `initial_connection_attributes()`
- Then `client_greeting_full()` also adds the attributes

**SSL path:**
- In `ServerGreetor::client_greeting_server_adjust_caps()` (lines 428-445), when SSL is enabled, the code does NOT add `_client_ip` (the `if (!ssl)` condition prevents it)
- Later, `client_greeting_after_tls()` (lines 975-1055) attempts to add attributes including `_client_ip` via `initial_connection_attributes()` (line 987)

### Environment

- MySQL Router version: [8.0.44]
- MySQL Server version: [8.0.40]

### Additional Notes

The non-SSL path works correctly because attributes are added in `client_greeting_server_adjust_caps()`. The SSL path relies solely on `client_greeting_after_tls()`, which may fail if attribute verification fails, causing the `_client_ip` to be lost.

How to repeat:
### DEFAULT SSL router.conf
```
[routing:test_rw]
bind_address = 0.0.0.0
bind_port = 6446
destinations = 127.0.0.1:3306
routing_strategy = first-available
```

```
mysql -u root -pmsandbox -h 127.0.0.1 -P 6446 --ssl-mode=REQUIRED
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 51
Server version: 8.0.40 MySQL Community Server - GPL

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 9.4.0 for macos15.4 on arm64 (Homebrew)

Connection id:		51
Current database:
Current user:		root@localhost
SSL:			Cipher in use is TLS_AES_128_GCM_SHA256
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		8.0.40 MySQL Community Server - GPL
Protocol version:	10
Connection:		127.0.0.1 via TCP/IP
Server characterset:	utf8mb4
Db     characterset:	utf8mb4
Client characterset:	utf8mb4
Conn.  characterset:	utf8mb4
TCP port:		6446
Binary data as:		Hexadecimal
Uptime:			4 days 7 hours 21 min 13 sec

Threads: 2  Questions: 487  Slow queries: 0  Opens: 277  Flush tables: 3  Open tables: 198  Queries per second avg: 0.001
--------------

mysql> SELECT * FROM performance_schema.session_connect_attrs  ;
+----------------+-----------------+------------+------------------+
| PROCESSLIST_ID | ATTR_NAME       | ATTR_VALUE | ORDINAL_POSITION |
+----------------+-----------------+------------+------------------+
|             51 | _os             | macos15.4  |                0 |
|             51 | _platform       | arm64      |                1 |
|             51 | _client_version | 9.4.0      |                2 |
|             51 | _client_name    | libmysql   |                3 |
|             51 | _pid            | 79511      |                4 |
|             51 | os_user         | hongbin    |                5 |
|             51 | program_name    | mysql      |                6 |
+----------------+-----------------+------------+------------------+
7 rows in set (0.001 sec)
```

### DISABLE SSL router.conf
```
[routing:test_rw]
bind_address = 0.0.0.0
bind_port = 6446
client_ssl_mode=DISABLED
destinations = 127.0.0.1:3306
routing_strategy = first-available
```

```
mysql -u root -pmsandbox -h 127.0.0.1 -P 6446
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 49
Server version: 8.0.40 MySQL Community Server - GPL

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 9.4.0 for macos15.4 on arm64 (Homebrew)

Connection id:		0
Current database:
Current user:		root@localhost
SSL:			Not in use
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		8.0.40 MySQL Community Server - GPL
Protocol version:	10
Connection:		127.0.0.1 via TCP/IP
Server characterset:	utf8mb4
Db     characterset:	utf8mb4
Client characterset:	utf8mb4
Conn.  characterset:	utf8mb4
TCP port:		6446
Binary data as:		Hexadecimal
Uptime:			4 days 7 hours 19 min 34 sec

Threads: 2  Questions: 480  Slow queries: 0  Opens: 276  Flush tables: 3  Open tables: 197  Queries per second avg: 0.001
--------------

mysql> SELECT * FROM performance_schema.session_connect_attrs  ;
+----------------+-----------------+------------+------------------+
| PROCESSLIST_ID | ATTR_NAME       | ATTR_VALUE | ORDINAL_POSITION |
+----------------+-----------------+------------+------------------+
|             50 | _os             | macos15.4  |                0 |
|             50 | _platform       | arm64      |                1 |
|             50 | _client_version | 9.4.0      |                2 |
|             50 | _client_name    | libmysql   |                3 |
|             50 | _pid            | 78695      |                4 |
|             50 | os_user         | hongbin    |                5 |
|             50 | program_name    | mysql      |                6 |
|             50 | _client_ip      | 127.0.0.1  |                7 |
|             50 | _client_port    | 61573      |                8 |
+----------------+-----------------+------------+------------------+
9 rows in set (0.001 sec)
```

Suggested fix:
The `_client_ip` attribute should be added to connection attributes regardless of whether the client uses SSL or not, so that the MySQL server can identify the client's IP address for auditing, logging, and performance schema purposes.
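
A server-side check for the symptom reported above, as an added example that is not part of the original report or of MySQL Router's code: it pivots `performance_schema.session_connect_attrs` per session and lists the sessions that carry no `_client_ip`, which are the ones an audit trail cannot tie back to a client address. It assumes the querying account can read `performance_schema`; the commented host filter uses a placeholder value.

```sql
-- Added example. Run on the MySQL server behind the router.
-- One row per client session that has NO _client_ip attribute.
SELECT
    t.PROCESSLIST_ID   AS conn_id,
    t.PROCESSLIST_USER AS account_user,
    t.PROCESSLIST_HOST AS peer_host,         -- the router's address for routed sessions
    t.CONNECTION_TYPE  AS server_side_type,  -- describes the router-to-server leg only
    MAX(CASE WHEN a.ATTR_NAME = '_client_ip'   THEN a.ATTR_VALUE END) AS client_ip,
    MAX(CASE WHEN a.ATTR_NAME = '_client_port' THEN a.ATTR_VALUE END) AS client_port,
    MAX(CASE WHEN a.ATTR_NAME = 'program_name' THEN a.ATTR_VALUE END) AS program_name,
    COUNT(a.ATTR_NAME)                                                AS attr_count
FROM performance_schema.threads AS t
LEFT JOIN performance_schema.session_connect_attrs AS a
       ON a.PROCESSLIST_ID = t.PROCESSLIST_ID
WHERE t.TYPE = 'FOREGROUND'
  AND t.PROCESSLIST_ID IS NOT NULL
  -- Sessions that bypass the router never carry _client_ip, so narrow the
  -- result to the router's own address (placeholder, replace before use):
  -- AND t.PROCESSLIST_HOST = '<router-host>'
GROUP BY t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST, t.CONNECTION_TYPE
HAVING client_ip IS NULL
ORDER BY t.PROCESSLIST_ID;
```

Against the two sessions shown in the report, connection 51 (client connected with SSL) would be listed and connection 50 (SSL disabled) would not.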
[30 Dec 2025 12:36] Bin Hong
fix ssl with _client_ip

Attachment: fix_client_ip_attribute.patch (application/octet-stream, text), 4.40 KiB.