• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

skeema / skeema / 12285678174
93%
main: 92%

Build:
Build:
LAST BUILD BRANCH: refs/tags/v1.14.0
DEFAULT BRANCH: main
Ran 11 Dec 2024 10:09PM UTC
Jobs 1
Files 77
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

11 Dec 2024 09:06PM UTC coverage: 93.215% (+0.06%) from 93.156%
12285678174

push

github

evanelias
TLS: restore compatibility with older server flavors

Recent versions of Golang have modernized the TLS-related defaults for network
clients, which improves security, but has the unfortunate side-effect of
breaking TLS compatibility with very old servers. This commit overrides these
TLS defaults in situations where the server is known to be old (based on the
value of Skeema's flavor option), or the server hasn't been introspected at
all yet (i.e. `skeema init` or `skeema add-environment`).

The specific changes here include:

1. When communicating with a server older than MySQL 8.0 or MariaDB 10.2, or
   an unknown/not-yet-introspected server, cipher suites using RSA key
   exchange are now enabled. Golang 1.22+ normally disables these by default,
   but DB servers built against OpenSSL 1.0 need them, since ECDHE cipher
   suites do not work correctly in these server versions. See MySQL bug 82935
   for example. (Percona Server 5.7 fixes this, and is exempted from this
   change.)

2. When communicating with a server older than MySQL 5.7, or an unknown/not-
   yet-introspected server, the minimum TLS version is now reduced to TLS 1.0.
   Golang 1.18+ normally uses a minimum of TLS 1.2, but MySQL 5.5-5.6 don't
   support that.

The cipher suite change is especially important for MySQL 5.7 compatibility,
because MySQL 5.7+ enables TLS by default using a self-signed cert at server
initialization time. Skeema's ssl-mode option defaults to "preferred"
(matching the behavior of the standard `mysql` CLI) which means if the server
has TLS enabled, the client will attempt to use it. Without these extra cipher
suites, connection then fails due to cipher suite mismatch, because using
ssl-mode=preferred does not include any retry/fallback logic in cases of TLS
handshake issues.

This commit includes unit test coverage for all relevant flavors, and
partial integration test coverage including the cipher suite logic via
testing against MySQL 5.7+'s self-signed certs... (continued)

123 of 123 new or added lines in 4 files covered. (100.0%)

10194 of 10936 relevant lines covered (93.22%)

1.11 hits per line

Jobs
ID Job ID Ran Files Coverage
1 12285678174.1 11 Dec 2024 10:09PM UTC 0
93.22
GitHub Action Run
Source Files on build 12285678174
Detailed source file information is not available for this build.
  • Back to Repo
  • 6d2daf07 on github
  • Prev Build on main (#12128365934)
  • Next Build on tls-fixes-old-flavors (#12334053357)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc