[Enhancement] Enforce SSL connection from the client when SSL is enabled on the server #56176
+16
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
rstyp
commented
Feb 21, 2025
| * Allow only encrypted connections from clients | ||
| **/ | ||
| @ConfField | ||
| public static boolean require_secure_transport = false; |
There was a problem hiding this comment.
Similar config as in MySql server
stevenzwu
reviewed
Feb 21, 2025
| @@ -106,6 +106,7 @@ public enum ErrorCode { | |||
| ERR_NO_SUCH_QUERY(1365, new byte[] {'4', '2', '0', '0', '0'}, "Unknown query id: %s"), | |||
|
|
|||
| ERR_CANNOT_USER(1396, new byte[] {'H', 'Y', '0', '0', '0'}, "Operation %s failed for %s"), | |||
| ERR_SECURE_TRANSPORT_REQUIRED(1403, new byte[] {'0', '8', '0', '0', '4'}, "Server rejected the insecure connection"), | |||
There was a problem hiding this comment.
how did we choose the error code 1403?
From the comment in this class, it seems that we should find the corresponding error code for MySQL server/protocol.
// Try our best to compatible with MySQL's
With that, should this be the error code?
Error number: 3159; Symbol: [ER_SECURE_TRANSPORT_REQUIRED](https://dev.mysql.com/doc/mysql-errors/5.7/en/server-error-reference.html#error_er_secure_transport_required); SQLSTATE: HY000
Message: Connections using insecure transport are prohibited while --require_secure_transport=ON.
With the [require_secure_transport](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_require_secure_transport) system variable, clients can connect only using secure transports. Qualifying connections are those using SSL, a Unix socket file, or shared memory.
There was a problem hiding this comment.
Thanks, @stevenzwu, for checking. I’ll revisit the error code.
stevenzwu
reviewed
Feb 21, 2025
| @@ -20,6 +20,7 @@ public enum NegotiateState { | |||
| READ_AUTH_SWITCH_PKG_FAILED("read auth switch package failed"), | |||
| ENABLE_SSL_FAILED("enable ssl failed"), | |||
| READ_SSL_AUTH_PKG_FAILED("read ssl auth package failed"), | |||
| SERVER_REJECTED_INSECURE_CONNECTION("server rejected the insecure connection"), | |||
There was a problem hiding this comment.
nit: maybe remove server for consistency with other state enum msg, as the state is used by server. so it is implicitly assumed
INSECURE_CONNECTION_REJECTED(" insecure connection rejected"),
stevenzwu
reviewed
Feb 21, 2025
| @@ -139,6 +139,13 @@ public static NegotiateResult negotiate(ConnectContext context) throws IOExcepti | |||
| return new NegotiateResult(null, NegotiateState.READ_FIRST_AUTH_PKG_FAILED); | |||
| } | |||
|
|
|||
| if (Config.require_secure_transport && !authPacket.isSSLConnRequest()) { | |||
| LOG.debug("server refused insecure client connection"); | |||
rstyp
changed the title
rstyp
force-pushed
the
enforce-ssl-oss
branch
from
62d1017 to
5a5a3c1
Compare
stevenzwu
reviewed
Feb 21, 2025
| @@ -139,6 +139,13 @@ public static NegotiateResult negotiate(ConnectContext context) throws IOExcepti | |||
| return new NegotiateResult(null, NegotiateState.READ_FIRST_AUTH_PKG_FAILED); | |||
| } | |||
|
|
|||
| if (Config.require_secure_transport && !authPacket.isSSLConnRequest()) { | |||
| LOG.warn("Copy string literal text to the clipboard"); | |||
stevenzwu
approved these changes
Feb 21, 2025
rstyp
force-pushed
the
enforce-ssl-oss
branch
from
5a5a3c1 to
23c2d98
Compare
kevincai
approved these changes
Feb 22, 2025
|
[Java-Extensions Incremental Coverage Report]✅ pass : 0 / 0 (0%) |
[FE Incremental Coverage Report]❌ fail : 4 / 8 (50.00%) file detail
|
[BE Incremental Coverage Report]✅ pass : 0 / 0 (0%) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why I'm doing:
Even when SSL is enabled on server, JDBC clients can still connect without SSL by default, as the server allows connections with or without SSL.
What I'm doing:
Introducing a new boolean config flag to enforce secure connections from clients. When flag is set to true, If clients are connecting without SSL, server refuses client connections
Fixes #56175
What type of PR is this:
Does this PR entail a change in behavior?
If yes, please specify the type of change:
Checklist:
Bugfix cherry-pick branch check: