mariadb connector/c client not using SSL
Hey there. I am trying to get a local application which uses the mariadb client library to connect to a server with SSL.
On my client system, I have added “ssl-ca” and “ssl-verify-server-cert” to the [client] section of my my.cnf. I can see these in effect with both “mariadb --help” and with “my_print_defaults client”. And, using mariadb client itself with all of the right connection parameters (host/port/username/port/schema) it connects just fine.
However, a program of mine which uses mysql_real_connect() fails, reporting “Access denied for user ‘foo’@’ip’ (using password: YES)”. This is, I assume, because the user on the database side requires ssl, and my client is not using ssl.
I’ve added:
  (void)mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL);
Into my sources before calling mysql_real_connect(). I thought that would make it pull the params from the config file, and all should be good. But, that’s clearly not enough.
Can someone help me figure out what I’m missing? Thank you.
* Chris
> However, a program of mine which uses mysql_real_connect() fails, reporting “Access denied for user ‘foo’@’ip’ (using password: YES)”. This is, I assume, because the user on the database side requires ssl, and my client is not using ssl.
looks to me you are missing a grant or so
  grant select on foo.* to foouser ...
  flush privileges;
I don’t know for certain you aren’t correct. _But_, the point was that the mariadb client proper can make the same connection successfully. Same username, password, and schema; from the same source host. So I’m fairly certain the problem isn’t on the server side.
* Chris
From: Marc <Marc@f1-outsourcing.eu>
Date: Wednesday, July 24, 2024 at 15:54
To: Chris Ross (cross2) <cross2@cisco.com>, discuss@lists.mariadb.org <discuss@lists.mariadb.org>
Subject: RE: mariadb connector/c client not using SSL
> > However, a program of mine which uses mysql_real_connect() fails, reporting “Access denied for user ‘foo’@’ip’ (using password: YES)”. This is, I assume, because the user on the database side requires ssl, and my client is not using ssl.
> looks to me you are missing a grant or so
>   grant select on foo.* to foouser ...
>   flush privileges;
Hi, Chris,
It seems that your concern is not "cannot connect with SSL", but "my application doesn't read the config file". You can verify the latter with strace or, easier, by adding some invalid option to the config file and see if there'll be a failure.
Also, what is connector c version and the server version? 3.3 and 10.6?
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org
On Jul 24, Chris Ross (cross2) via discuss wrote:
> Hey there. I am trying to get a local application which uses the mariadb client library to connect to a server with SSL.
> On my client system, I have added “ssl-ca” and “ssl-verify-server-cert” to the [client] section of my my.cnf. I can see these in effect with both “mariadb --help” and with “my_print_defaults client”. And, using mariadb client itself with all of the right connection parameters (host/port/username/port/schema) it connects just fine.
> However, a program of mine which uses mysql_real_connect() fails, reporting “Access denied for user ‘foo’@’ip’ (using password: YES)”. This is, I assume, because the user on the database side requires ssl, and my client is not using ssl.
> I’ve added:
>   (void)mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL);
> Into my sources before calling mysql_real_connect(). I thought that would make it pull the params from the config file, and all should be good. But, that’s clearly not enough.
> Can someone help me figure out what I’m missing? Thank you.
That’s possible, but given the call to mysql_optionsv(MYSQL_READ_DEFAULT_FILE) it should be. Let me confirm that with strace…
Huh. Thank you. You’re right. It reads shared libs, nsswitch and misc other system data, and openssl.cnf. Never opens my.cnf.
The library is part of a mariadb 10.6.14 installation on the client, and the server seems to be 10.5.21. I don’t know what version of “connector/C” is included with mariadb 10.6.14. Do those map directly?
* Chris
From: Sergei Golubchik <serg@mariadb.org>
Date: Thursday, July 25, 2024 at 02:37
To: Chris Ross (cross2) <cross2@cisco.com>
Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org>
Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL
> Hi, Chris,
> It seems that your concern is not "cannot connect with SSL", but "my application doesn't read the config file". You can verify the latter with strace or, easier, by adding some invalid option to the config file and see if there'll be a failure.
> Also, what is connector c version and the server version? 3.3 and 10.6?
> Regards,
> Sergei
> Chief Architect, MariaDB Server
> and security@mariadb.org
On the “what version of Connector/C” issue, it looks like an omission in https://mariadb.com/kb/en/about-mariadb-connector-c/#mariadb-106 that prevents an answer to your question. The “Latest Releases” section at the top tells me what’s included in 10.6.16, 10.6.17, and 10.6.18. But, the 10.6 table lower on that page lists only 10.6.1-10.6.8. If someone at MariaDB can get that fixed, that would be helpful. 😊
* Chris
From: Chris Ross (cross2) <cross2@cisco.com>
Date: Thursday, July 25, 2024 at 10:18
To: Sergei Golubchik <serg@mariadb.org>
Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org>
Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL
> That’s possible, but given the call to mysql_optionsv(MYSQL_READ_DEFAULT_FILE) it should be. Let me confirm that with strace…
> Huh. Thank you. You’re right. It reads shared libs, nsswitch and misc other system data, and openssl.cnf. Never opens my.cnf.
> The library is part of a mariadb 10.6.14 installation on the client, and the server seems to be 10.5.21. I don’t know what version of “connector/C” is included with mariadb 10.6.14. Do those map directly?
> * Chris
Hi, Chris,
On Jul 25, Chris Ross (cross2) wrote:
> That’s possible, but given the call to mysql_optionsv(MYSQL_READ_DEFAULT_FILE) it should be. Let me confirm that with strace…
> Huh. Thank you. You’re right. It reads shared libs, nsswitch and misc other system data, and openssl.cnf. Never opens my.cnf.
> The library is part of a mariadb 10.6.14 installation on the client, and the server seems to be 10.5.21. I don’t know what version of “connector/C” is included with mariadb 10.6.14. Do those map directly?
Yes, they do. 10.6.14 answers both questions.
You do
  mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL);
but the code in the library looks like
  if (mysql->options.my_cnf_file || mysql->options.my_cnf_group) {
so, NULL means "don't use the file". Documentation says that "If the argument is NULL, then only the default option files are read" which clearly is not quite the case. I'm checking it out and we'll fix the discrepancy.
Meanwhile, you can set MYSQL_READ_DEFAULT_GROUP to "client" or "my_app" and I hope it'll read this group in all default files.
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org
Good. Okay, thank you. So I was of course following the documentation. I hope you can figure out how to fix that, I presume this is just a bug that the code is wrong, and the implementation should match the doc?
As you suggested, specifying a group causes it to work. That way I won’t have to hard-code a config file path, but I also would rather not have to hard-code a group. “client” is safe for me now I think, but since the documentation suggests multiple groups that are relevant, it’s a small risk to code one that could later change.
Thank you for your help.
* Chris
From: Sergei Golubchik <serg@mariadb.org>
Date: Thursday, July 25, 2024 at 11:10
To: Chris Ross (cross2) <cross2@cisco.com>
Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org>
Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL
> Hi, Chris,
> On Jul 25, Chris Ross (cross2) wrote:
> > That’s possible, but given the call to mysql_optionsv(MYSQL_READ_DEFAULT_FILE) it should be. Let me confirm that with strace…
> > Huh. Thank you. You’re right. It reads shared libs, nsswitch and misc other system data, and openssl.cnf. Never opens my.cnf.
> > The library is part of a mariadb 10.6.14 installation on the client, and the server seems to be 10.5.21. I don’t know what version of “connector/C” is included with mariadb 10.6.14. Do those map directly?
> Yes, they do. 10.6.14 answers both questions.
> You do
>   mysql_optionsv(conn, MYSQL_READ_DEFAULT_FILE, NULL);
> but the code in the library looks like
>   if (mysql->options.my_cnf_file || mysql->options.my_cnf_group) {
> so, NULL means "don't use the file". Documentation says that "If the argument is NULL, then only the default option files are read" which clearly is not quite the case. I'm checking it out and we'll fix the discrepancy.
> Meanwhile, you can set MYSQL_READ_DEFAULT_GROUP to "client" or "my_app" and I hope it'll read this group in all default files.
> Regards,
> Sergei
> Chief Architect, MariaDB Server
> and security@mariadb.org
Hi, Chris,
On Jul 25, Chris Ross (cross2) wrote:
> Good. Okay, thank you. So I was of course following the documentation. I hope you can figure out how to fix that, I presume this is just a bug that the code is wrong, and the implementation should match the doc?
I didn't know when I was replying, that's why I only said that "we'll fix the discrepancy".
It seems that the documentation was incorrect. I've fixed it to describe the intended behavior.
> As you suggested, specifying a group causes it to work. That way I won’t have to hard-code a config file path, but I also would rather not have to hard-code a group. “client” is safe for me now I think, but since the documentation suggests multiple groups that are relevant, it’s a small risk to code one that could later change.
You don't need to hard-code a group, you can use an empty string for the file name to have the desired behavior of "all default groups in all default files".
Regards,
Sergei
Chief Architect, MariaDB Server
and security@mariadb.org
Ahh, okay. So the updated documentation will suggest passing an empty string to MYSQL_READ_DEFAULT_FILE, and that will do what it erroneously said it would do with a NULL? Or, were you suggesting specifically that I pass an empty string for GROUP?
Thanks again.
* Chris
From: Sergei Golubchik <serg@mariadb.org>
Date: Tuesday, July 30, 2024 at 12:27
To: Chris Ross (cross2) <cross2@cisco.com>
Cc: discuss@lists.mariadb.org <discuss@lists.mariadb.org>
Subject: Re: [MariaDB discuss] mariadb connector/c client not using SSL
> Hi, Chris,
> On Jul 25, Chris Ross (cross2) wrote:
> > Good. Okay, thank you. So I was of course following the documentation. I hope you can figure out how to fix that, I presume this is just a bug that the code is wrong, and the implementation should match the doc?
> I didn't know when I was replying, that's why I only said that "we'll fix the discrepancy".
> It seems that the documentation was incorrect. I've fixed it to describe the intended behavior.
> > As you suggested, specifying a group causes it to work. That way I won’t have to hard-code a config file path, but I also would rather not have to hard-code a group. “client” is safe for me now I think, but since the documentation suggests multiple groups that are relevant, it’s a small risk to code one that could later change.
> You don't need to hard-code a group, you can use an empty string for the file name to have the desired behavior of "all default groups in all default files".
> Regards,
> Sergei
> Chief Architect, MariaDB Server
> and security@mariadb.org
Hi, Chris,
I was suggesting that you pass the empty string to MYSQL_READ_DEFAULT_FILE, yes.
/Sergei
On Jul 30, Chris Ross (cross2) wrote:
> Ahh, okay. So the updated documentation will suggest passing an empty string to MYSQL_READ_DEFAULT_FILE, and that will do what it erroneously said it would do with a NULL? Or, were you suggesting specifically that I pass an empty string for GROUP?
> Thanks again.
> * Chris
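The strace check that Sergei suggests and Chris reports on in this thread, written as a small script (an added example, not code from the thread or from MariaDB). The two trace excerpts, the PID and every file path in them are constructed, and the pattern for what counts as an option file is an assumption covering common layouts.

```shell
#!/bin/sh
# Decide from an strace log whether a client process opened any MariaDB option
# file. A log can be captured with, for instance:
#   strace -f -e trace=open,openat -o app.trace ./your_app
# ("your_app" and "app.trace" are placeholder names.)

# Print the option files that were opened successfully, one per line.
# Reads strace output on stdin.
option_files_opened() {
    # sed: keep open()/openat() calls that returned a file descriptor (failed
    #      opens return -1 and are dropped) and print only the quoted path.
    # grep: keep paths that look like option files: my.cnf, .my.cnf,
    #       mariadb.cnf, or *.cnf under my.cnf.d/ or mariadb.conf.d/
    #       (assumed layouts; adjust for your distribution).
    sed -n -E 's/^.*open(at)?\(.*"([^"]+)".*\) = [0-9]+.*$/\2/p' |
        grep -E '(^|/)(\.?my|mariadb)\.cnf$|/(my\.cnf|mariadb\.conf)\.d/[^/]+\.cnf$' ||
        true
}

# Print a one-word verdict for the strace output on stdin.
trace_verdict() {
    if [ -n "$(option_files_opened)" ]; then
        echo "reads-option-files"
    else
        echo "no-option-file-read"
    fi
}

# Constructed sample: what the thread reports for MYSQL_READ_DEFAULT_FILE with
# NULL (shared libs, nsswitch, openssl.cnf, but never my.cnf).
sample_trace_null_arg() {
    cat <<'EOF'
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/usr/lib64/libmariadb.so.3", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4
4242 openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 4
EOF
}

# Constructed sample: a run where the default option files are consulted, as
# described for the empty-string argument. The failed open is not counted.
sample_trace_empty_arg() {
    cat <<'EOF'
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/etc/my.cnf", O_RDONLY|O_CLOEXEC) = 4
4242 openat(AT_FDCWD, "/home/app/.my.cnf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 4
EOF
}

echo "NULL argument: $(sample_trace_null_arg | trace_verdict)"
echo "\"\" argument:   $(sample_trace_empty_arg | trace_verdict)"
```

A "no-option-file-read" verdict means the ssl-ca and ssl-verify-server-cert settings in my.cnf never reached the library, whatever the command-line client shows.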
participants (3)
- Chris Ross (cross2)
- Marc
- Sergei Golubchik