Bug #85213 | ssl_mode=PREFERRED doesn't prefer SSL | ||
---|---|---|---|
Submitted: | 27 Feb 2017 18:55 | Modified: | 22 Oct 2018 16:50 |
Reporter: | Domas Mituzas | | |
Status: | Closed | | |
Category: | MySQL Server: C API (client library) | Severity: | S1 (Critical) |
Version: | 5.7.17 | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
[27 Feb 2017 18:55]
Domas Mituzas
[28 Feb 2017 7:15]
Chiranjeevi Battula
Hello Domas Mituzas, Thank you for the bug report. Verified based on internal discussion with devs. Thanks, Chiranjeevi.
[9 Mar 2017 7:34]
MySQL Verification Team
Are you sure that local socket connection isn't considered a security with/without ssl? I see this in the function cli_calculate_client_flag (haven't checked in debugger).

```c
if(mysql->options.protocol == MYSQL_PROTOCOL_SOCKET &&
   mysql->options.extension &&
   mysql->options.extension->ssl_mode <= SSL_MODE_PREFERRED)
{
  mysql->client_flag&= ~CLIENT_SSL;
  mysql->options.extension->ssl_mode= SSL_MODE_DISABLED;
}
```
[22 Oct 2018 16:33]
Paul DuBois
Posted by developer:

Updated:

https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-options.html#option_general_s...
https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-options.html#option_general_s...

Added to --ssl-mode description:

Encrypted connections over Unix sockets are disabled by default, so PREFERRED does not establish an encrypted connection. To enforce encryption for Unix socket connections, use REQUIRED or above.
[22 Oct 2018 16:50]
Domas Mituzas
I don't even. "MySQL - ignoring your preferences since 1995!" But sure, there's no better way to fix a weird behavior than to document it.
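
An added example, not part of the bug report or of MySQL's code: a small audit of client option-file groups that classifies each one as enforced, opportunistic or cleartext under the behaviour described in the documentation note quoted in the thread. It assumes a Unix client (host unset or `localhost` selects the socket file) and treats each group on its own rather than merging `[client]` into program groups; `audit`, `verdict`, the group names and the sample file are constructed for illustration.

```python
import configparser

# ssl-mode values in increasing strictness (same order as the client library's enum).
MODES = ["DISABLED", "PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"]

# Constructed sample option file (not taken from the bug report).
SAMPLE = """\
[client]
socket = /var/run/mysqld/mysqld.sock
[mysqldump]
host = localhost
ssl_mode = PREFERRED
[backup-agent]
host = localhost
ssl-mode = REQUIRED
[replica-check]
host = db1.example.internal
protocol = tcp
"""

def uses_unix_socket(opts):
    """Assumption: Unix client, where host unset or 'localhost' means the socket file."""
    proto = (opts.get("protocol") or "").lower()
    if proto:
        return proto == "socket"
    return (opts.get("host") or "localhost") == "localhost"

def verdict(opts):
    mode = (opts.get("ssl-mode") or "PREFERRED").upper()  # PREFERRED is the default
    if mode not in MODES:
        return "unknown-mode"
    if MODES.index(mode) >= MODES.index("REQUIRED"):
        return "enforced"
    if mode == "DISABLED" or uses_unix_socket(opts):
        return "cleartext"      # PREFERRED over a Unix socket is downgraded to DISABLED
    return "opportunistic"      # PREFERRED over TCP: encrypted only if TLS can be set up

def audit(text):
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    # Drop !include / !includedir directives, which configparser cannot parse.
    cp.read_string("\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!")))
    # Option files accept ssl_mode and ssl-mode interchangeably, so normalise keys.
    return {g: verdict({k.replace("_", "-"): v for k, v in cp.items(g)})
            for g in cp.sections()}

if __name__ == "__main__":
    for group, result in audit(SAMPLE).items():
        print(f"{group:15} {result}")
```

Groups reported as cleartext need `ssl-mode=REQUIRED` or above if the connection is expected to be encrypted.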