Bug #84849 Extend MySQL handshake to allow TLS with SNI and virtual servers
Submitted: 6 Feb 2017 21:01
Modified: 20 Jun 2018 7:57
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: C API (client library)
Severity: S4 (Feature request)
Version: 8.0
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SNI, SSL, tls

[6 Feb 2017 21:01] Daniël van Eeden
Description:
https://dev.mysql.com/doc/internals/en/ssl-handshake.html
https://dev.mysql.com/doc/internals/en/plain-handshake.html

After the server sends an (unencrypted) Initial Handshake Packet the client responds with either of these:
- SSL Connection Request Packet
- Protocol::HandshakeResponse41

I would like both of these to be extended with the hostname of the server.

That would allow:
1. Use of SSL with SNI to host multiple MySQL servers on one IP address.
2. Use of multiple virtual hosts, even if SSL is not used.

With 1. the server needs the hostname to be able to select the correct server certificate if multiple are available.

This *might* be put into the connection attributes if that makes sense.

MySQL Router could (later on) take advantage of this feature.

Example setup:
 - IN A mydbrouter1.example.com 192.168.1.10
 - IN CNAME mydb1.example.com → mydbrouter1.example.com
 - IN CNAME mydb2.example.com → mydbrouter1.example.com
 - IN CNAME mydb3.example.com → mydbrouter1.example.com

How to repeat:
See description.
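Added example (Python, written for this page; not code from the bug report or from MySQL itself) of the two client replies described above and of the reporter's connection-attribute idea: the SSL Connection Request is a bare 32-byte prefix with no field that could name a server, while a HandshakeResponse41 can carry connection attributes that a router could read before forwarding a plaintext connection. The `_server_host` attribute name is an assumption, not an existing MySQL attribute, and the packet header (3-byte length, 1-byte sequence id) is left out.

```python
import struct
CLIENT_PROTOCOL_41, CLIENT_SSL, CLIENT_SECURE_CONNECTION = 0x200, 0x800, 0x8000  # capability bits
CLIENT_PLUGIN_AUTH, CLIENT_CONNECT_ATTRS, CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x80000, 0x100000, 0x200000
BASE_CAPS = (CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
             | CLIENT_CONNECT_ATTRS | CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA)

def lenenc_int(n):
    """Length-encoded integer: 1 byte below 251, else a 0xfc/0xfd/0xfe marker plus 2/3/8 bytes."""
    if n < 251:
        return bytes([n])
    marker, width = (b"\xfc", 2) if n < 1 << 16 else (b"\xfd", 3) if n < 1 << 24 else (b"\xfe", 8)
    return marker + n.to_bytes(width, "little")

def read_lenenc(buf, pos):  # inverse of lenenc_int: returns (value, position after it)
    first = buf[pos]
    if first < 251:
        return first, pos + 1
    width = {0xFC: 2, 0xFD: 3, 0xFE: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def response_prefix(caps, max_packet=1 << 24, charset=45):
    """Capability flags, max packet size, charset, 23 reserved bytes: 32 bytes, no server name."""
    return struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23

def ssl_request(caps=BASE_CAPS):
    """SSL Connection Request: the prefix alone with CLIENT_SSL set (4-byte packet header omitted)."""
    return response_prefix(caps | CLIENT_SSL)

def handshake_response41(user, auth_resp, plugin, attrs, caps=BASE_CAPS):
    """HandshakeResponse41 body (no CLIENT_CONNECT_WITH_DB); attrs may hold a hypothetical _server_host key."""
    body = response_prefix(caps) + user + b"\x00" + lenenc_int(len(auth_resp)) + auth_resp + plugin + b"\x00"
    kv = b"".join(lenenc_int(len(k)) + k + lenenc_int(len(v)) + v for k, v in attrs.items())
    return body + lenenc_int(len(kv)) + kv

def parse_connect_attrs(body):
    """What a router would do on a plaintext connection: walk to the attributes and read them."""
    caps = struct.unpack_from("<I", body, 0)[0]
    assert caps & BASE_CAPS == BASE_CAPS, "the walk below assumes exactly this flag set"
    pos = body.index(b"\x00", 32) + 1  # username, NUL-terminated
    n, pos = read_lenenc(body, pos)  # auth response, length-encoded
    pos = body.index(b"\x00", pos + n) + 1  # auth plugin name, NUL-terminated
    total, pos = read_lenenc(body, pos)
    attrs, end = {}, pos + total
    while pos < end:
        n, pos = read_lenenc(body, pos)
        key, pos = body[pos:pos + n], pos + n
        n, pos = read_lenenc(body, pos)
        attrs[key], pos = body[pos:pos + n], pos + n
    return attrs
```

For a TLS connection the same hostname would instead travel in the ClientHello's SNI extension, which is what lets the server pick the right certificate before any MySQL packet is encrypted.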
[30 Mar 2017 14:51] Daniël van Eeden
SNI would fix this for connections which use TLS, but non-TLS connections also need some early indication about which host the connection should go to.
[31 Mar 2017 11:00] Simon Mudd
Also applicable on the MySQL X protocol level
[6 Apr 2017 11:25] Daniël van Eeden
Related:
Bug #82872 Add TLS SNI support to the client. (contribution)
[2 May 2018 13:29] Georgi Kodinov
Duplicate bug #90704.
[23 Aug 2021 13:20] Georgi Kodinov
See also the related Bug#104649