WL#7712: Support SSL by default in libmysql
Affects: Server-5.7 — Status: Complete
Work is underway to enable SSL for all MySQL Server 5.7 deployments. Similarly, C connector should exhibit the following default behavior: * Use SSL whenever it is supported by/enabled on the server * Not validate server SSL certificates (hostname nor CA) A hardened deployment will require (not just prefer) SSL, and will use securely-deployed keys signed by a trusted CA. All connectors should support such a use case by offering modes exhibiting the following behavior: * Require SSL. * Validate hostname in server-supplied SSL certificate against the hostname to which the connector is connecting. * Validate the CA which signed the server certificate against the public key of the CA, as supplied to the connector by the deployer. * Support server-side x509 client certification verification by use of client private key.
FR1 : If none of the SSL options are specified, libmysql client should attempt an SSL connection if it is supported by server. FR2 : If SSL connection is not possible as per FR1, libmysql client should fall back to unencrypted connection.
IS 1 : Use/enforcement of SSL is controlled by use_ssl and enforce_ssl variables in client library. There are 3 possible combinations: 1. use_ssl=1, enforce_ssl=0 => Use SSL if available otherwise fallback to unencrypted connection 2. use_ssl=1, enforce_ssl=1 => Enforce SSL connection and fail if one is not established 3. use_ssl=0, enforce_ssl=0 => Use unencrypted connection Current behavior is 3. After this worklog, default behavior would be option 1 above. For clients other than mysqltest, this would mean: Default (Without any ssl configuration option) : Use SSL if available otherwise fallback to unencrypted connection. List of clients affected are: mysql, mysqltest, mysql_config_editor, mysql_install_db, mysql_plugin, mysql_secure_installation, mysql_upgrade, mysqladmin, mysqlbinlog, mysqlcheck, mysqldump, mysqlimport, mysqlshow, mysqlslap. IS 2: Backward compatibility IS 2.1: Client which are explicitly configured to skip SSL using either --skip-ssl or --ssl=0 shall not change from previous behavior. Client will always connect using unencrypted channel. IS 2.2: Client which are explicitly configured to SSL using either --ssl or --ssl=1 shall not change from previous behavior. Client will always connect using ssl. IS 2.3: In order to limit the impact of this change on tests, mysqltest should attempt unecrypted connection by default. IS 2.4: If no ssl configuration is used (Without any ssl configuration option), client will see a change in behavior if server supports SSL connections as mentioned in IS 1.
Copyright (c) 2000, 2020, Oracle Corporation and/or its affiliates. All rights reserved.