mysqljs / mysql

A pure node.js JavaScript Client implementing the MySQL protocol.
MIT License
18.28k stars 2.52k forks

When missing "ssl" option, returns only "ER_ACCESS_DENIED_ERROR" is confusing. #2465

Closed h13o closed 3 years ago

h13o commented 3 years ago

I tried to connect to an SSL-required server hosted by Amazon RDS, but I missed the ssl option.

{
...
ssl: "Amazon RDS"
}

However, the error message was only,

{
  code: 'ER_ACCESS_DENIED_ERROR',
  errno: 1045,
  sqlMessage: "Access denied for user 'xxx'@'xxx' (using password: YES)"
}

and it took so long to find that I had missed the ssl option. Isn't there a better way to inform users of the possibility of a missing ssl option?

sidorares commented 3 years ago

I don't think there is a better way, unfortunately. Once connected as admin you can see that the account requires ssl to connect, but if you are trying to connect without ssl there is no info from the server to know that it's the lack of ssl that caused the 'access denied' error. @ruiquelhas maybe you can answer better?

dougwilson commented 3 years ago

Yea, at minimum this is MySQL server behavior, as that message is what your MySQL server is returning, after actually allowing you to connect without SSL, which is what you configured your connection for. It may be that Amazon RDS actually allows both SSL and non-SSL connections and then it implements SSL required to be a per-user setting?

h13o commented 3 years ago

Thank you @sidorares and @dougwilson! I understand it is the behavior of the MySQL server and RDS and should not be changed. I hope this issue may give a hint for the users similar to me.

ruiquelhas commented 3 years ago

The MySQL server doesn't provide any option for enforcing SSL/TLS for the connection setup; it only allows enabling or disabling support for it.

The --ssl option specifies that the server permits but does not require encrypted connections. This option is enabled by default.

--ssl can be specified in negated form as --skip-ssl or a synonym (--ssl=OFF, --disable-ssl). In this case, the option specifies that the server does not permit encrypted connections, regardless of the settings of the tls_xxx and ssl_xxx system variables.

This means that, if you enable SSL in the server and you try to connect with SSL in the client, the server will reject the connection, but not the other way around. As @sidorares mentions, if you enable SSL in the server (which is the default behaviour), you can still connect without SSL in the client.

You can, however, require SSL to be used by specific user accounts (as @dougwilson mentions), which is what I guess is happening here (I'm not familiar with Amazon RDS).

CREATE USER tls_user REQUIRE SSL;

So, in the end, it will always be an authentication error, which is what seems to be happening in your case. Can the error message be improved with additional context? Maybe, I'm not sure because I'm not familiar with the server internals. For that, I suggest you search for a similar issue in the MySQL bug tracker or submit an enhancement request if you don't find anything.
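Added example, not part of the thread and not code from the mysqljs project: since the server reports a `REQUIRE SSL` account connecting without TLS as a plain `ER_ACCESS_DENIED_ERROR`, an application can add the missing context itself by comparing the error with the connection config it used. The helper name `diagnoseAccessDenied`, the hint wording, and the sample user and host values are assumptions made for illustration.

```javascript
'use strict';

// Server text for error 1045, in the form quoted in the issue:
//   Access denied for user 'xxx'@'xxx' (using password: YES)
const DENIED_RE =
  /^Access denied for user '([^']*)'@'([^']*)' \(using password: (YES|NO)\)$/;

// mysqljs takes `ssl` as a profile name (e.g. "Amazon RDS") or an options
// object; any truthy value is treated here as "TLS was requested".
function sslConfigured(config) {
  return Boolean(config && config.ssl);
}

// Hypothetical helper: returns null for errors other than access-denied,
// otherwise the parsed message fields plus hints, easiest-to-overlook first.
function diagnoseAccessDenied(err, config) {
  if (!err || err.code !== 'ER_ACCESS_DENIED_ERROR') return null;
  const m = DENIED_RE.exec(err.sqlMessage || '');
  const info = {
    user: m ? m[1] : null,
    clientHost: m ? m[2] : null,
    passwordSent: m ? m[3] === 'YES' : null,
    tlsRequested: sslConfigured(config),
    hints: [],
  };
  if (!info.tlsRequested) {
    info.hints.push('No ssl option was set: an account created with REQUIRE SSL ' +
      'is rejected with this same error. Retry with ssl configured.');
  }
  if (info.passwordSent === false) {
    info.hints.push('No password was sent; check the password option.');
  }
  info.hints.push('Check the password and that an account matches user@clientHost.');
  return info;
}

// Constructed sample input, modelled on the error quoted in the issue.
const sampleErr = {
  code: 'ER_ACCESS_DENIED_ERROR',
  errno: 1045,
  sqlMessage: "Access denied for user 'app'@'10.0.0.5' (using password: YES)",
};
const plain = diagnoseAccessDenied(sampleErr, { host: 'db.example.internal', user: 'app' });
console.log(plain.hints.join('\n'));
```

In an application this would be called from the `connection.connect` callback with the same config object passed to `createConnection`, and the hints logged next to the original error.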