GoogleCloudPlatform / cloud-sql-jdbc-socket-factory

A collection of Java libraries for connecting securely to Cloud SQL
Apache License 2.0

Is allowPublicKeyRetrieval property supported? #2085

Open tjlee opened 5 days ago

tjlee commented 5 days ago

Question

In the DataGrip project we've received a request: https://youtrack.jetbrains.com/issue/DBE-22097/DataGrip-MySQLCloud-SQL-proxy-driver-does-not-respect-the-allowPublicKeyRetrieval-advanced-configuration-option

So, I'm interested: is allowPublicKeyRetrieval supported or not for JDBC connections?

Code

No response

Additional Details

No response

jackwotherspoon commented 5 days ago

Hi @tjlee thanks for raising an issue on the Java Connector 😄

Let me take a look into this for you and report back as I believe caching sha2 support with this lib should work...

hessjcg commented 1 day ago

Hi @tjlee I tested out allowPublicKeyRetrieval with the Java connector and it did not immediately work. I'm going to continue to investigate.

hessjcg commented 1 day ago

The MySQL sha2 password protocol sends passwords in plain text when the connection uses an SSLSocket. The Cloud SQL Java Connector always creates an SSLSocket. So the mysql-connector-j plugin will always send a plain-text password when used together with the Cloud SQL Java Connector. See CachingSha2PasswordPlugin.java:106

There is a bug in the server-side of the Cloud SQL implementation that breaks the caching_sha2_password authentication plugin for all of the Cloud SQL Connectors and Cloud SQL Auth Proxy. The caching_sha2_password plugin is the default authentication plugin in MySQL 8.4 and higher.

We are working on a fix. See also https://github.com/GoogleCloudPlatform/cloud-sql-proxy/issues/2317
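
The client-side branch described in the comment above, modelled as an added example (not part of the thread, and not code from mysql-connector-j or the Cloud SQL connector). Function names are hypothetical and the RSA encryption step itself is not modelled; the point is that on a TLS socket the `allowPublicKeyRetrieval` setting is never consulted.

```python
import hashlib

# AuthMoreData status bytes used by caching_sha2_password
FAST_AUTH_SUCCESS = 0x03
PERFORM_FULL_AUTH = 0x04
REQUEST_PUBLIC_KEY = b"\x02"  # client asks the server for its RSA public key


def fast_auth_scramble(password: bytes, nonce: bytes) -> bytes:
    """SHA256(pw) XOR SHA256(SHA256(SHA256(pw)) + nonce), sent in the first response."""
    d1 = hashlib.sha256(password).digest()
    d2 = hashlib.sha256(d1).digest()
    d3 = hashlib.sha256(d2 + nonce).digest()
    return bytes(a ^ b for a, b in zip(d1, d3))


def full_auth_step(password: bytes, channel_is_tls: bool,
                   allow_public_key_retrieval: bool = False,
                   server_rsa_key_configured: bool = False):
    """Hypothetical model: (action, bytes_to_send) after PERFORM_FULL_AUTH."""
    if channel_is_tls:
        # TLS protects the channel, so the password is sent NUL-terminated and
        # unencrypted at the MySQL layer. The RSA options are never consulted.
        return ("send_password_over_tls", password + b"\x00")
    if server_rsa_key_configured:
        # Key provisioned out of band; the RSA-encrypted payload is not modelled.
        return ("encrypt_with_configured_key", None)
    if allow_public_key_retrieval:
        return ("request_public_key", REQUEST_PUBLIC_KEY)
    raise PermissionError("Public Key Retrieval is not allowed")


def cloud_sql_connector_step(password: bytes, allow_public_key_retrieval: bool):
    """The thread's point: the connector's socket is always an SSLSocket."""
    return full_auth_step(password, channel_is_tls=True,
                          allow_public_key_retrieval=allow_public_key_retrieval)
```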