brianmario / mysql2

A modern, simple and very fast Mysql library for Ruby - binding to libmysql
http://github.com/brianmario/mysql2
MIT License

Unable to disable TLS verification when using mariadb-connector-c >= 3.4.0 #1379

Open jpalermo opened 1 month ago

jpalermo commented 1 month ago

The MariaDB Connector/C release notes for 3.4.0 mention enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default.

Using mysql2 with that connector does not allow connecting to a server without using TLS. Setting ssl_mode to disabled seems to do nothing.

irb(main):005:0> client = Mysql2::Client.new(:host => "HOST", :username => "USERNAME", :password => 'PASSWORD', :ssl_mode => :disabled)
gem_home/ruby/3.2.0/gems/mysql2-0.5.6/lib/mysql2/client.rb:97:in `connect': TLS/SSL error: Certificate verification failure: The certificate is NOT trusted. (Mysql2::Error::ConnectionError)

irb(main):012:0> Mysql2::Client.info
=> {:id=>30401, :version=>"3.4.1", :header_version=>"10.8.8"}

jpalermo commented 3 weeks ago

If anybody else is running into this issue, we couldn't figure out where the disconnect is between the mysql2 code and the mariadb-connector-c library. It all seems like it's setting the correct flags, but for some reason it refuses to disable TLS.

We worked around it by compiling mariadb-connector-c with -DDEFAULT_SSL_VERIFY_SERVER_CERT=0, which defaults it to the old behavior.

methane commented 1 week ago

Since mariadb-connector-c 3.4.2 (not released yet), the MARIADB_TLS_DISABLE_PEER_VERIFICATION environment variable can be used to disable this behavior. https://mariadb.com/kb/en/mariadb-connector-c-3-4-2-release-notes/

Maybe you can write disable-ssl-verify-server-cert or disable-ssl in the [client] section of your ~/.my.cnf to disable verification or TLS entirely. But I haven't confirmed it yet.
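
The thread names three places where certificate verification can end up switched off: the connector version, the environment variable, and the option file. The following is an added example, not code from the thread or from mysql2, that audits those three for a host. The function names and sample inputs are hypothetical, it assumes mysql2 is linked against mariadb-connector-c, it treats the mere presence of the environment variable as an opt-out, and it takes the option names as written in the last comment (which its author had not confirmed).

```ruby
require "rubygems" # Gem::Version, used for version comparison

# Thresholds and names taken from the thread above.
VERIFY_DEFAULT_SINCE = Gem::Version.new("3.4.0") # verification on by default
ENV_OPT_OUT_SINCE    = Gem::Version.new("3.4.2") # env var honoured (per the thread)
OPT_OUT_ENV  = "MARIADB_TLS_DISABLE_PEER_VERIFICATION"
OPT_OUT_KEYS = %w[disable-ssl-verify-server-cert disable-ssl].freeze

# Return the option names in the [client] section of option-file text that
# turn off verification or TLS. Underscore spellings are normalised to dashes.
def client_opt_outs(cnf_text)
  section = nil
  cnf_text.each_line.with_object([]) do |raw, found|
    line = raw.sub(/#.*/, "").strip
    next if line.empty? || line.start_with?(";")
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].strip.downcase
    elsif section == "client"
      key = line.split("=", 2).first.strip.downcase.tr("_", "-")
      found << key if OPT_OUT_KEYS.include?(key)
    end
  end
end

# Summarise the verification posture from a Mysql2::Client.info hash,
# an environment hash and the text of an option file.
def tls_verification_report(info, env, cnf_text)
  v = Gem::Version.new(info[:version])
  {
    verifies_by_default: v >= VERIFY_DEFAULT_SINCE,
    env_opt_out_active:  v >= ENV_OPT_OUT_SINCE && env.key?(OPT_OUT_ENV),
    cnf_opt_outs:        client_opt_outs(cnf_text)
  }
end

# Constructed sample inputs; the info hash mirrors the one in the report.
SAMPLE_INFO = { id: 30401, version: "3.4.1", header_version: "10.8.8" }.freeze
SAMPLE_CNF = <<~CNF
  [mysqld]
  disable-ssl
  [client]
  user = app   # constructed value
  disable_ssl_verify_server_cert
CNF

if $PROGRAM_NAME == __FILE__
  p tls_verification_report(SAMPLE_INFO, ENV.to_h, SAMPLE_CNF)
end
```

In real use, pass `Mysql2::Client.info` and the contents of each option file the client reads; any non-empty `cnf_opt_outs` or a true `env_opt_out_active` marks a host whose connections are not authenticating the server.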