Bug #92260 With caching_sha2_password SSL should not be required on Unix socket
Submitted: 31 Aug 2018 17:55 Modified: 3 Nov 2018 3:56
Reporter: Piotr Jurkiewicz (OCA) Email Updates:
Status: Verified Impact on me: None
Category:Connector / Python Severity:S2 (Serious)
Version:8.0.13 OS:Any
Assigned to: CPU Architecture:Any
Tags: Contribution

[31 Aug 2018 17:55] Piotr Jurkiewicz
Description:
After server upgrade to 8.0 I can't connect to it. I get the following error:

2055: Lost connection to MySQL server at '/var/run/mysqld/mysqld.sock', system error: 1 [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:726)

I can disable SSL by passing parameter: 'ssl_disabled': True, especially since there is no point in using SSL on Unix socket connections which are impossible to eavesdrop.

However, after that I get other error:

"caching_sha2_password requires SSL"

How to repeat:
Connect to server using Unix socket as user with "caching_sha2_password" authentication type.

Suggested fix:
"caching_sha2_password" should not require SSL when it is used on Unix socket connections. Now it requires SSL even on (already secure) Unix socket connections, WHICH IS AGAINST THE DOCUMENTATION:

https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html

"If the connection is secure, an RSA key pair is unnecessary and is not used. This applies to encrypted TCP connections that use TLS, as well as Unix socket-file and shared-memory connections. The password is sent as cleartext but cannot be snooped because the connection is secure."

According to the documentation, implementation of "caching_sha2_password" authentication in MySQL Connector should treat Unix socket connections as secure and send cleartext password on them.
[3 Sep 2018 9:26] MySQL Verification Team
Hello Piotr,

Thank you for the report.
Imho this is duplicate of Bug #91552, please see Bug #91552.

regards,
Umesh
[4 Oct 2018 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[2 Nov 2018 17:15] Piotr Jurkiewicz
Bug #91552 was another bug. I think it was fixed in 8.0.13 (I am not experiencing it since upgrade to 8.0.13), probably by commit 9f2924aee681da0c29adc809a1736a1f99753a58.

The bug I am describing here is another one and is still present in 8.0.13:

"caching_sha2_password" requires secure connection to perform authentication. According to the documentation, secure connections are "encrypted TCP connections that use TLS, as well as Unix socket-file and shared-memory connections" (source: https://dev.mysql.com/doc/refman/8.0/en/caching-sha2-pluggable-authentication.html)

The problem is that Connector/Python does not follow the documentation and does not recognize Unix socket connections as secure. It still requires SSL on Unix socket connections, which adds unnecessary overhead and is completely pointless, because Unix socket connections are impossible to eavesdrop. And, as I already mentioned, it goes against the documentation.

To reproduce:

Connect to MySQL server via Unix socket with parameter 'ssl_disabled': True.

Expected result:

It should establish a plaintext connection to the MySQL server.

Actual result:

It fails to establish connection with "caching_sha2_password requires SSL" error.

Please also see attached a simple preliminary patch which fixes the problem.
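The following is an added illustration of the client-side decision the report is about, written for this page; it is not Connector/Python's code and not the reporter's patch. It models the two steps of caching_sha2_password from the client's point of view: the fast-path scramble (SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) || nonce), which is safe on any transport), and the full-authentication step, where the cleartext password may only be sent over a connection that the manual counts as secure (TLS, Unix socket file, shared memory) and otherwise must be encrypted with the server's RSA public key. The function and constant names (`is_secure_transport`, `plan_full_auth`, `SECURE_TRANSPORTS`, the transport strings) are assumptions for the example, and the `"caching_sha2_password requires SSL"` branch reproduces the error the report describes for a plain TCP connection without a public key.

```python
import hashlib
import os
from typing import Optional

# Transports the MySQL manual treats as secure without TLS.
# (Hypothetical constant for this example.)
SECURE_TRANSPORTS = {"unix_socket", "shared_memory"}


def is_secure_transport(transport: str, tls_active: bool) -> bool:
    """A connection is secure if TLS is active or the transport itself
    cannot be eavesdropped (Unix socket file, shared memory)."""
    return tls_active or transport in SECURE_TRANSPORTS


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cached_hash2(password: str) -> bytes:
    """SHA256(SHA256(pw)): the value the server keeps in its fast-auth cache."""
    return hashlib.sha256(hashlib.sha256(password.encode()).digest()).digest()


def fast_auth_scramble(password: str, nonce: bytes) -> bytes:
    """Fast-path response: SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) || nonce).
    Safe to send on any transport; the password itself never leaves the client."""
    h1 = hashlib.sha256(password.encode()).digest()
    h2 = hashlib.sha256(h1).digest()
    return _xor(h1, hashlib.sha256(h2 + nonce).digest())


def server_fast_auth_check(h2: bytes, nonce: bytes, scramble: bytes) -> bool:
    """What a server holding SHA256(SHA256(pw)) can verify: unmask SHA256(pw)
    from the scramble and hash it once more to compare with the cache entry."""
    h1 = _xor(scramble, hashlib.sha256(h2 + nonce).digest())
    return hashlib.sha256(h1).digest() == h2


def plan_full_auth(transport: str, tls_active: bool,
                   server_public_key: Optional[bytes]) -> str:
    """Decide how the password travels when the server answers the fast path
    with 'perform full authentication' (cache miss).

    Returns "cleartext" when the channel is already secure, "rsa" when the
    client can encrypt the password with the server's public key, and raises
    the error quoted in this report otherwise.
    """
    if is_secure_transport(transport, tls_active):
        return "cleartext"
    if server_public_key is not None:
        return "rsa"
    raise RuntimeError("caching_sha2_password requires SSL")


if __name__ == "__main__":
    # Constructed sample: a random server nonce and a throwaway password.
    nonce = os.urandom(20)
    assert server_fast_auth_check(cached_hash2("s3cret"), nonce,
                                  fast_auth_scramble("s3cret", nonce))
    # The case from the report: Unix socket, ssl_disabled=True, no RSA key.
    print(plan_full_auth("unix_socket", tls_active=False, server_public_key=None))
```

The point of the model is that the "secure" decision must be made from the transport that was actually established, not from a configuration flag alone: a client that only looks at whether TLS was negotiated will refuse a Unix socket connection with SSL disabled even though nothing on that path can be snooped, which is exactly the behaviour described above.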
[2 Nov 2018 17:17] Piotr Jurkiewicz
Simple patch fixing the problem

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: unix_secure.patch (application/octet-stream, text), 1.95 KiB.

[2 Nov 2018 19:37] Piotr Jurkiewicz
Additionally, it may be useful to reverse default value of 'ssl_disabled' parameter in case of Unix sockets.

So:

- for TCP connections default value of 'ssl_disabled' is 'False', user can change to 'True' to have plaintext connection
- for Unix socket connection default value of 'ssl_disabled' is 'True', user can change to 'False' to have SSL connection
[3 Nov 2018 3:56] MySQL Verification Team
Thank you for the contribution.

regards,
Umesh