Description:
After server upgrade to 8.0 I can't connect to it. I get the following error:

2055: Lost connection to MySQL server at '/var/run/mysqld/mysqld.sock', system error: 1 [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:726)

I can disable SSL by passing parameter: 'ssl_disabled': True, especially since there is not point in using SSL on Unix socket connections which are impossible to eavesdrop.

However, after that I get other error:

"caching_sha2_password requires SSL"

How to repeat:
Connect to server using Unix socket as user with "caching_sha2_password" authentication type.

Suggested fix:
"caching_sha2_password" should not require SSL when it is used on Unix socket connections. Now it requires SSL even on (already secure) Unix socket connections, WHICH IS AGAINST THE DOCUMENTATION:

https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html

"If the connection is secure, an RSA key pair is unnecessary and is not used. This applies to encrypted TCP connections that use TLS, as well as Unix socket-file and shared-memory connections. The password is sent as cleartext but cannot be snooped because the connection is secure."

According to the documentation, implementation of "caching_sha2_password" authentication in MySQL Connector should treat Unix socket connections as secure and send cleartext password on them.

Hello Piotr,

Thank you for the report.
Imho this is duplicate of Bug #91552, please see Bug #91552.

regards,
Umesh

No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

Bug #91552 was another bug. It think was fixed in 8.0.13 (I am not experiencing it since upgrade to 8.0.13), probably by commit 9f2924aee681da0c29adc809a1736a1f99753a58.

The bug I am describing here is another one and is still present in 8.0.13:

"caching_sha2_password" requires secure connection to perform authentication. According to the documentation, secure connections are "encrypted TCP connections that use TLS, as well as Unix socket-file and shared-memory connections" (source: https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html)

The problem is that Connector/Python does not follow documentation and does not recognize Unix socket connections as secure. It still requires SSL on Unix socket connections, what adds unnecessary overhead and is completely pointless, because Unix socket connections are impossible to eavesdrop. And, as I already mentioned, goes against the documentation.

To reproduce:

Connect to MySQL server via Unix socket with parameter 'ssl_disabled': True.

Expected result:

It should establish a plaintext connection to the MySQL server.

Actual result:

It fails to establish connection with "caching_sha2_password requires SSL" error.

Please also see attached a simple preliminary path which fixes the problem.

Simple patch fixing the problem

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: unix_secure.patch (application/octet-stream, text), 1.95 KiB.

Additionally, it may be useful to reverse default value of 'ssl_disabled' parameter in case of Unix sockets.

So:

- for TCP connections default value of 'ssl_disabled' is 'False', user can change to 'True' to have plaintext connection
- for Unix socket connection default value of 'ssl_disabled' is 'True', user can change to 'False' to have SSL connection

Thank you for the contribution.

regards,
Umesh

Posted by developer:
 
Fixed by BUG#28295504.
Thank you for the bug report.

Posted by developer:
 
Fixed as of the upcoming MySQL Connector/Python 8.0.30 release, and here's the proposed changelog entry from the documentation team:

Disabled SSL usage with Unix socket connections.

Thank you for the bug report.