Bug #85732 Add flag if secure transport is required
Submitted: 31 Mar 2017 8:36    Modified: 24 Apr 2017 9:03
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Connection Handling    Severity: S4 (Feature request)
Version: 5.7.17, 8.0.0    OS: Any
Assigned to:    CPU Architecture: Any
Tags: protocol, SSL, tls, x protocol

[31 Mar 2017 8:36] Daniël van Eeden
Description:
https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_require_secure...

This is nice and works. But it has one issue:

A monitoring tool wants to connect to a large number of machines.
It wants to do this without using SSL/TLS because the handshake adds some latency and increases CPU usage (especially if TLS tickets are not used).
So the tool only wants to use TLS if it is required.

What happens now:
C: Connect
S: ServerHandshake(ssl flag set)
C: LoginRequest (ssl flag not set)
S: ER_NO_SECURE_TRANSPORTS_CONFIGURED
C: Connect
S: ServerHandshake(ssl flag set)
C: LoginRequest (ssl flag set)

How to repeat:
See description

Suggested fix:
Set a flag in the handshake packet if ssl is required:
C: Connect
S: ServerHandshake(ssl flag set, ssl_required flag set)
C: LoginRequest (ssl flag set)
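The two exchanges in the report, as an added example that is not part of the original bug report or of MySQL's own code. It builds and parses a classic-protocol Protocol::HandshakeV10 packet (the real field layout and the documented CLIENT_SSL bit), then models both client strategies against a small stand-in server: the current one, which tries a plaintext login and reconnects with TLS when the server rejects it, and the proposed one, which reads a required-TLS flag from the handshake and picks the transport on the first connection. The flag bit CLIENT_SSL_REQUIRED_HYPOTHETICAL, the FakeServer class and the sample handshake values are assumptions of this example, not part of the protocol; the error name ER_SECURE_TRANSPORT_REQUIRED is the 5.7 name for the rejection of a plaintext login while require_secure_transport=ON.

```python
import struct

# Capability bits of the classic MySQL protocol (Protocol::CapabilityFlags).
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
# Hypothetical bit standing in for the proposed "ssl_required" flag. It is an
# assumption of this example, not a real protocol flag; a real assignment
# would be made by the protocol maintainers.
CLIENT_SSL_REQUIRED_HYPOTHETICAL = 0x04000000


def build_handshake_v10(capabilities, server_version=b"5.7.17"):
    """Build a Protocol::HandshakeV10 packet carrying the given capability flags.

    Field layout follows the classic protocol; connection id and auth data are
    constructed sample values.
    """
    body = bytearray()
    body += b"\x0a"                                   # protocol version 10
    body += server_version + b"\x00"                  # NUL-terminated version
    body += struct.pack("<I", 42)                     # connection id (sample)
    body += b"A" * 8                                  # auth-plugin-data-part-1
    body += b"\x00"                                   # filler
    body += struct.pack("<H", capabilities & 0xFFFF)  # lower 16 capability bits
    body += b"\x21"                                   # character set
    body += struct.pack("<H", 0x0002)                 # status flags (AUTOCOMMIT)
    body += struct.pack("<H", capabilities >> 16)     # upper 16 capability bits
    body += b"\x15"                                   # auth_plugin_data_len = 21
    body += b"\x00" * 10                              # reserved
    body += b"B" * 12 + b"\x00"                       # auth-plugin-data-part-2
    body += b"mysql_native_password\x00"              # auth plugin name
    header = struct.pack("<I", len(body))[:3] + b"\x00"   # 3-byte length, seq 0
    return bytes(header + body)


def parse_capabilities(packet):
    """Return the 32-bit server capability flags from a HandshakeV10 packet."""
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if not body or body[0] != 10:
        raise ValueError("not a Protocol::HandshakeV10 packet")
    pos = body.index(b"\x00", 1) + 1      # skip the server version string
    pos += 4 + 8 + 1                      # connection id, auth data part 1, filler
    lower = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 1 + 2                      # lower caps, charset, status flags
    upper = struct.unpack_from("<H", body, pos)[0]
    return lower | (upper << 16)


class FakeServer:
    """Stand-in for the server side of the exchange (constructed for this example)."""

    def __init__(self, require_secure_transport, advertise_required_flag):
        self.require_secure_transport = require_secure_transport
        caps = (CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
                | CLIENT_PLUGIN_AUTH)
        if require_secure_transport and advertise_required_flag:
            caps |= CLIENT_SSL_REQUIRED_HYPOTHETICAL
        self.handshake = build_handshake_v10(caps)
        self.connects = 0                  # TCP connections the client had to open

    def connect(self):
        self.connects += 1
        return self.handshake              # server greets with the handshake

    def login(self, client_uses_ssl):
        if self.require_secure_transport and not client_uses_ssl:
            return "ER_SECURE_TRANSPORT_REQUIRED"   # plaintext login rejected
        return "OK"


def opportunistic_client(server):
    """Current behaviour: try plaintext first, reconnect with TLS if rejected."""
    caps = parse_capabilities(server.connect())
    if server.login(client_uses_ssl=False) == "OK":
        return server.connects
    if not caps & CLIENT_SSL:
        raise RuntimeError("server requires TLS but does not offer it")
    server.connect()                       # second connection, TLS this time
    server.login(client_uses_ssl=True)
    return server.connects


def flag_aware_client(server):
    """Proposed behaviour: decide the transport from the handshake flag."""
    caps = parse_capabilities(server.connect())
    use_ssl = bool(caps & CLIENT_SSL_REQUIRED_HYPOTHETICAL)
    if use_ssl and not caps & CLIENT_SSL:
        raise RuntimeError("handshake says TLS is required but not offered")
    if server.login(client_uses_ssl=use_ssl) != "OK":
        server.connect()                   # old server without the flag: fall back
        server.login(client_uses_ssl=True)
    return server.connects


if __name__ == "__main__":
    print("current, TLS required:", opportunistic_client(FakeServer(True, False)))
    print("proposed, TLS required:", flag_aware_client(FakeServer(True, True)))
```

The flag-aware client keeps the reconnect path so that it still works against a server that predates the flag; against a server that advertises it, every connection is decided on the first handshake, which is the latency saving the report and the follow-up comments are after.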
[31 Mar 2017 10:13] Simon Mudd
One reason to add this feature (and the client would also need to be adapted to see it and use it) is that the "connection latency" issues when connecting to MySQL will not be affected by an attempt to connect which requires a second attempt to connect with TLS enabled.

This is useful for any connections where you want to minimise connection latency and do not want to worry about whether TLS is required on the downstream server or not.
[31 Mar 2017 10:20] Simon Mudd
The same issue which is referencing the "classic MySQL protocol" should be addressed in the "MySQL X protocol".

So please ensure that both protocols are adjusted in a similar and consistent way.
[31 Mar 2017 10:21] Daniël van Eeden
Added the X Protocol tag
[24 Apr 2017 9:03] MySQL Verification Team
Hello Daniël,

Thank you for the report and feature request!

Thanks,
Umesh