go-sql-driver / mysql

83%

master: 82%

LAST BUILD ON BRANCH tls-mysql5-docs

branch: tls-mysql5-docs

CHANGE BRANCH

x

Reset

• tls-mysql5-docs
• 1.8
• 1.9
• ErrShortWrite
• add-charset
• atomic
• auth_refactoring
• auth_tests
• authentication
• backport-bench-1.9
• binary-littleendian
• bump-mysql-for-testing
• changelog
• clientDeprecateEOF
• cloudsql
• columntype
• compression
• conncheck-alloc
• conncheck_platforms
• connncheck_optional
• contributing
• copyright
• dolthub/master
• dsn_defaults
• empty_auth
• empty_sha256
• fil-register-set
• fix-1666
• fix-bench-massiverows
• fix-flaky-test
• fix-gomod
• fix-race-condition-of-test-concurrent
• fix-test
• fix-test2
• fix-unused-benchmarkExecContext
• fix_bigint_unsigned_scan_type
• fix_comment_typo
• fix_formatdsn_connectionattributes
• flaky_tests
• fmt
• formatdsn_err
• go-mod
• go1.19-is-released
• go1.21-and-mysql8.1-are-released
• go1.24-is-released
• go110
• handle_error_packets
• internal
• introduce-run-tests-parallel
• mark-as-helper
• master
• max-allowed-packet-parsing
• max_allowed_packet
• metadataSkip
• methane-patch-1
• migrate-set-output
• migrate-to-node16-actions
• misc_fixes
• modernize
• opt-read
• opt-read-19
• prepare-for-v1.7.0
• purego
• read_opt
• read_optimization
• readme_collation
• refs/tags/v1.6.0
• refs/tags/v1.7.0
• refs/tags/v1.7.1
• refs/tags/v1.8.0
• refs/tags/v1.8.1
• refs/tags/v1.9.0
• refs/tags/v1.9.1
• refs/tags/v1.9.2
• regression801
• release-v190
• release-v191
• return-original-error-from-transaction
• reuse-metadata
• revert-976-master
• sha256_password
• staticcheck
• strict
• tls-security
• tlsconfig
• travis
• travis-allow-failure
• travis-crossbuild
• travis-mysql8
• travis-update
• tx-19
• update-internals-links
• v1.4
• v1.4.0
• v1.4.1
• v1.5.0

Build # 12592841133

Build Type

Pull #1657

github

Committed by evanelias

Commit Message

Improve TLS documentation for older servers

Older/EOL database server versions tend to be built with ancient OpenSSL or
yaSSL, which lack support for modern cipher suites and/or lack TLS 1.2+. At
the same time, recent Golang versions have updated the default client
tls.Config in ways that are incompatible with these old server versions. This
commit improves TLS documentation to mention this incompatibility, provide
sample code for solving it, and explain how "preferred" plaintext fallback
mode is not triggered in cases of TLS incompatibilities.

Closes #1635 by providing example code for solving the handshake failure.

Additional information which may be helpful for reviewers/maintainers:

TLS version
* Go 1.18+ changes the default client TLS MinVersion to be TLS 1.2
* MySQL 5.5 and 5.6 supports TLS 1.0
* MySQL 5.7.0-5.7.27 supports TLS 1.1
* MySQL 5.7.28+ supports TLS 1.2
* MariaDB 10.1+ supports TLS 1.2
* I did not examine MySQL 5.1 or MariaDB 10.0 or anything more ancient

Cipher suites
* Go 1.22+ changes the default client TLS config to remove cipher suites which
  use RSA key exchange
* MySQL 8.0+ and MariaDB 10.2+ fully support ECDHE cipher suites and are
  compatible with Go's current default cipher suite list.
* MySQL 5.x typically needs RSA key exchange cipher suites, due to
  https://bugs.mysql.com/bug.php?id=82935. Likewise for MariaDB 10.1.
* There are some exceptions, for example Percona Server 5.7 is built with a
  newer OpenSSL, https://docs.percona.com/percona-server/5.7/security/ssl-improvement.html
* It is also possible to custom compile MySQL 5.7 with a newer OpenSSL
  version to solve the cipher suite issue, but this is not common.

Pull Request Pull Request #1657: Improve TLS documentation for older servers

Run Details

3250 of 3909 relevant lines covered (83.14%)

2462629.21 hits per line