Support SSL

[mirromutth]

The caching_sha2_password full authentication phase must be handled on SSL. So if want to provide the best support for MySQL 8.0, should provide SSL support.

[mp911de]

How does MySQL handle SSL? Is there some sort of handshake? With netty, you would use SslHandler. For Postgres and SQL Server, SslHandler is wrapped in a custom handler/adapter because both databases require some wrapping around SSL. Take a look at r2dbc/r2dbc-postgresql#104 how SSL support would be done for Postgres.

[mirromutth]

@mp911de MySQL handle SSL after Handshake Request. Handshake Request is a server side message, include random password salt and server capabilities.

The client need send Handshake Response after Handshake Request in plain connection, and Handshake Response has two parts, client capabilities' part and authentication part.

In SSL connection, client should send the first part of Handshake Response (and set client SSL capability to 1), then client send Client Hello, server send Server Hello, ... After standard 4-steps SSL handshake, the client should send the second part of Handshake Response. Full authentication phase is optional and only enabled by fast authentication failed and handling SSL. Therefore, can be considered that the full authentication phase is not in the handshake phase, but affected by handshake phase.

More intuitive:

• [Server] Handshake Request message (Version 10 includes server capabilities, 9 is deprecated)
• [Client] The first part of Handshake Response message (client SSL capability should be 1)
• [Client] (SSL) Client Hello (TLSv1.2 for now)
• [Server] (SSL) Server Hello
• [Client] (SSL) Certificate, client key exchange, etc.
• [Server] (SSL) New Session Ticket, change Cipher Spec, etc. TLS handshake completed, all of the following messages are encrypted.
• [Client] The second part of Handshake Response message (include hash authentication)
• [Server] The Authentication MoreData message, 3 means fast authentication success, 4 means failed and enable full authentication phase. Whatever, MySQL handshake phase is completed.

For convenience of comparison, attach plain connection:

• [Server] Handshake Request message
• [Client] Full Handshake Response message in one packet (client SSL capability should be 0, include hash authentication)
• [Server] The Authentication MoreData message, MySQL handshake phase is completed. Plain connection will never has full authentication phase, 4 means all authentication failed, just close connection (no sql state).

[mp911de]

This sounds similar to what SQL Server is doing. Depending on the Server/user configuration, we enable the SSL handler and let the SSL handshake happen. As soon as this is done, we send authentication over SSL. Depending on the server/client config, we either disable SSL or remain in SSL mode. This is a bit of a dance, especially because SQL server requires SSL handshake frames to be wrapped with SQL server headers. In any case, here's the SQL server SSL code: https://github.com/r2dbc/r2dbc-mssql/tree/master/src/main/java/io/r2dbc/mssql/client/ssl

[mirromutth]

SSL has supported, and another problem happened, see #33 .