Bug #84849 Extend MySQL handshake to allow TLS with SNI and virtual servers
Submitted: 6 Feb 2017 21:01    Modified: 20 Jul 2023 6:09
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: C API (client library)    Severity: S4 (Feature request)
Version: 8.0    OS: Any
Assigned to:    CPU Architecture: Any
Tags: SNI, SSL, tls

[6 Feb 2017 21:01] Daniël van Eeden
Description:
https://dev.mysql.com/doc/internals/en/ssl-handshake.html
https://dev.mysql.com/doc/internals/en/plain-handshake.html

After the server sends an (unencrypted) Initial Handshake Packet the client responds with either of these:
- SSL Connection Request Packet
- Protocol::HandshakeResponse41

I would like it if both of these got extended with the hostname of the server.

That would allow:
1. Use of SSL with SNI to host multiple MySQL servers on one IP address.
2. Use of multiple virtual hosts, even if SSL is not used.

With 1. the server needs the hostname to be able to select the correct server certificate if multiple are available.

This *might* be put into the connection attributes if that makes sense.

MySQL Router could (later on) take advantage of this feature.

Example setup:
 - IN A mydbrouter1.example.com 192.168.1.10
 - IN CNAME mydb1.example.com → mydbrouter1.example.com
 - IN CNAME mydb2.example.com → mydbrouter1.example.com
 - IN CNAME mydb3.example.com → mydbrouter1.example.com

How to repeat:
See description.
[30 Mar 2017 14:51] Daniël van Eeden
SNI would fix this for connections which use TLS, but non-TLS connections also need some early indication about to which host the connection should go.
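As an added illustration (example code, not part of the bug report or of MySQL's or MySQL Router's own code), the following Python shows what a hostname-aware front end in the setup from the description would have to do with the bytes it actually sees: read the client's reply to the Initial Handshake Packet (an SSLRequest and a HandshakeResponse41 share the same first 32 bytes and differ only in the CLIENT_SSL capability bit), and, if the client is switching to TLS, pull the server name out of the SNI extension of the TLS ClientHello that follows, so the right certificate or backend can be chosen. For a plain connection it returns no name, which is exactly the gap the comment above points out. The packet builders are constructed for the example so it runs offline; the ClientHello builder produces a minimal TLS 1.2-shaped record, not a complete handshake.

```python
import struct

# MySQL client capability bits (from the protocol documentation linked above).
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800  # client asks the server to switch this connection to TLS


def mysql_packet(payload: bytes, seq: int) -> bytes:
    """Frame a payload as a MySQL packet: 3-byte LE length, 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def build_ssl_request(charset: int = 0xFF, seq: int = 1) -> bytes:
    """Protocol::SSLRequest: capability flags, max packet size, charset and 23
    reserved bytes. There is no field for the target hostname anywhere in it."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL
    payload = struct.pack("<IIB", caps, 1 << 24, charset) + b"\x00" * 23
    return mysql_packet(payload, seq)


def parse_client_first_packet(pkt: bytes):
    """Return (capability_flags, wants_tls) for the client's reply to the Initial
    Handshake Packet. Only the CLIENT_SSL bit tells SSLRequest apart from
    HandshakeResponse41; both start with the same 32-byte header."""
    length = struct.unpack("<I", pkt[:3] + b"\x00")[0]
    payload = pkt[4:4 + length]
    if len(payload) < 32:
        raise ValueError("truncated client packet")
    caps = struct.unpack_from("<I", payload, 0)[0]
    return caps, bool(caps & CLIENT_SSL)


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS ClientHello record carrying one server_name (SNI) entry."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name      # host_name type
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    extensions = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                # client_version, random (zeroed)
            + b"\x00"                              # empty session_id
            + struct.pack(">H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type, 3-byte len
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Extract the host_name from the SNI extension of a TLS ClientHello record.
    Returns None when the ClientHello carries no SNI extension."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                            # record (5) + handshake (4) headers
    p += 2 + 32                                      # client_version, random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack_from(">H", record, p)[0]  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p >= len(record):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack_from(">H", record, p)[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from(">HH", record, p)
        p += 4
        if etype == 0x0000:                          # server_name extension
            q = p + 2                                # skip server_name_list length
            while q + 3 <= p + elen:
                ntype = record[q]
                nlen = struct.unpack_from(">H", record, q + 1)[0]
                if ntype == 0x00:                    # host_name
                    return record[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += elen
    return None


def pick_backend(first_packet: bytes, tls_record=None):
    """Name a front end can route on from what it has seen so far. A client that
    did not ask for TLS (or sent no SNI) yields None: no hostname is available."""
    _, wants_tls = parse_client_first_packet(first_packet)
    if not wants_tls or tls_record is None:
        return None
    return parse_sni(tls_record)


if __name__ == "__main__":
    req = build_ssl_request()
    hello = build_client_hello("mydb2.example.com")
    print("TLS client routes to:", pick_backend(req, hello))
    plain = mysql_packet(struct.pack("<IIB", CLIENT_PROTOCOL_41, 1 << 24, 0xFF)
                         + b"\x00" * 23 + b"app\x00", 1)
    print("plain client routes to:", pick_backend(plain))
```

A real front end would of course also have to send its own Initial Handshake Packet before any of this, and, once it has the name, either terminate TLS with the matching certificate or hand the buffered bytes to the chosen backend. A client that does not set CLIENT_SSL never produces a ClientHello, so nothing in the stream identifies the intended host; that is the case the comment above says still needs an early indication in the MySQL protocol itself.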
[31 Mar 2017 11:00] Simon Mudd
Also applicable on the MySQL X protocol level
[6 Apr 2017 11:25] Daniël van Eeden
Related:
Bug #82872 Add TLS SNI support to the client. (contribution)
[2 May 2018 13:29] Georgi Kodinov
Duplicate bug #90704.
[23 Aug 2021 13:20] Georgi Kodinov
See also the related Bug#104649
[20 Jul 2023 6:09] Daniël van Eeden
From https://dev.mysql.com/doc/relnotes/mysql/8.1/en/news-8-1-0.html

"MySQL now implements client-side Server Name Indication (SNI), which is an extension to the TLS protocol. Client applications can pass a server name to the libmysqlclient C API library with the new MYSQL_OPT_TLS_SNI_SERVERNAME option for mysql_options(). Similarly, each MySQL client program now includes a --tls-sni-servername command option to pass in a name. The new Tls_sni_server_name server status variable indicates the name if one is set for the session. Our thanks to Meta for the contribution. (Bug #33176362, WL #14839)"