packet 254 not implemented -- still struggling with #111
Into MySQL 9 now. Everyone must encourage more security. Please give me links etc to what is achieved so far. (Especially Crystal source..) |
The rust crate implements the protocol (not a wrapper) and has support for the |
The protocol documentation can be found at https://dev.mysql.com/doc/dev/mysql-server/latest/page_caching_sha2_authentication_exchanges.html |
Thanks. Is golang worth looking at? |
I don't think that dropping the current authentication method is a good call. First it would be disruptive when upgrading an application, and second, I am not sure there is a risk in the client continuing to support the old authentication scheme. It is the server that should be configured to not allow it. Am I wrong? If needed we could make it harder to use old authentication, but I would not suggest dropping the support for it. It seems that a couple of years ago I started to do some refactors to support sha2_password in master...bcardiff:crystal-mysql:sha2_password but I didn't finish it. I don't recall any specifics so feel free to ignore it. But the key seems to be extracting the list of authentication plugins available. Please share if you are blocked, contributions are appreciated! 🙇 |
Thank you for the link. |
Just for the record: Same image works on
Still a lot of work to do!! I don't know if it matters just now, but I'm working on a git crystal/mysql source copy and not a cloned one. |
👏 I'm not sure how you are going to send a PR if you are not working from a fork. But let's not make that a stopper. Feel free to send your progress somehow in case you rather have feedback at this stage. Thanks |
The capability 'perform_full_authentication' defined by mysql server seems to be hard to implement. Looking into the mysqlserver 'sql/aut/sha_2password.cc' I found This is the only place where that capability is used.
So my suggestion at the moment is to not implement 'perform_full_authentication'. I can't see any difference - as a Use Case - whether the DB.open holds fixed or parametric values of user/password. What to do? Besides that the auth 'caching_sha2_password' and 'mysql_native_password' works as mentioned above |
Adding support to just caching_sha2_password seems fine. If you are not familiar with Docker and GitHub actions tweaking those to add CI for the additions can happen later, by someone else. No worries. If you have instructions on how you setup a mysql using the newer authentication and that works for you, I can take care of the CI setup probably. But feel free to keep working on those for sure. |
Thank you for your patience. I am 'struggling' to set up a proper folder with my changes so that that folder can be easily referenced as 'dependendcy: - mysql: - path: 'myworkingmysqllib' in all my old crystal mysql project shard.yml files. Later on we can decide how to continue. At least I will match a cloned version |
In your apps dependencies:
mysql:
path: /path/to/your/crystal-mysql After that you need to do With that you should be able to compile your apps with your crystal-mysql working copy. Feel free to attach a .zip or send a link to it here in this issue if doing git/github is a blocker. |
In order to earn time I will attach a zip file here.
|
Here is a good link too on ALTER USER ... |
Zipped source above build and executed on
|
FYI I tested the code locally and it works. I need to do some cleanups and probably specs/CI because currently a test user is created with old auth method. Still on my radar. Thanks for the patch! |
@willy610 in your tests, what kind of connection are you using with MySQL? Unix Socket, plain unsecured socket, or TLS? |
In my test I have only used 'localhost' and I think that implies Unix
Socket
As I understand a mysql server just serves one connection type after
restart.
So I have used 'localhost' in the DB.Open in all my tests.
I have tried using explicit IP address - not localhost - to other
machines but my mysql server is not listening. And that's ok I think
I think I can elaborate and start one of my mysql server to listen to
port on ip instead of localhost. Just give me some days.
In that case it will be 'plain unsecured socket'
Neither TLS nor SSL is investigated
So
-Unix Socket YES (On macOS)
-plain unsecured socket NO
-TLS NO
2024-12-17 21:07 skrev Brian J. Cardiff:
@willy610 [1] in your tests, what kind of connection are you using with
MySQL? Unix Socket, plain unsecured socket, or TLS?
|
@bcardiff Just setting up 'plain unsecured socket' - that is no local host - between a mysql Ver 8.0.3 and a Ver 9.0.1 |
I was checking your contributions and they do work in some scenarios but not all. That's fine, it's still a big step forward. With your contributions we are able to connect to mysql 8.0 using caching_sha2_password. Most of the specs pass. But some specs create users and perform a FLUSH PRIVILEGES. This invalidates the password cache as explained in https://dev.mysql.com/blog-archive/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/ The code path that would authenticate in that situation is not implemented in your previous contributions. So only cached passwords are supported. That could be fine as a step forward! crystal-mysql only supports plain unsecured socket connection. A TCP socket is always used. Unfortunately that is the kind of connection that seems discouraged by MySQL going forward. Time for some maintenance in this shard to unblock things I guess 😅 . |
I didn't see this coming with non-localhost... When launching a mysql server without 'localhost' two connection types are accepted
Two execution paths but probably partly using shared logic/architecture/knowledge. Will elaborate the paths and try to implement |
Thanks for feed back.
Just for the record
The very SQL FLUSH PRIVILEGES will reset also the user.plugin to
'caching_sha2_password'
That caused me problem. Solved temporarily
1. update user.plugin to 'my_sql_native_password'
2. In client execute any sql statement for this user (BESIDE FLUSH
PRIVILEGES)
Things will be cached!!
3. update user.plugin to 'caching_sha2_password'
4. Continue. Will work.
My solution can't connect with a brand new user with plugin
'caching_sha2_password'
This is a true limitation in my implementation. Will work on that
2024-12-20 22:04 skrev Brian J. Cardiff:
I was checking your contributions and they do work in some scenarios
but not all. That's fine, it's still a big step forward.
With your contributions we are able to connect to mysql 8.0 using
caching_sha2_password. Most of the specs pass. But some specs creates
users and perform a FLUSH PRIVILEGES. This invalidates the password
cache as explained in
https://dev.mysql.com/blog-archive/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/
The code path that would authenticate in that situation is not
implemented in your previous contributions. So only cached passwords
are supported. That could be fine as a step forward!
crystal-mysql only supports plain unsecured socket connection. A TCP
socket is always used. Unfortunately that is the kind of connection
that seems discouraged by MySQL going forward.
Time for some maintenance in this shard to unblock things I guess 😅 .
|
Will look into secure connections to remote mysql servers. And unsecure. Secure connections have impact on resolving So my work order will be:
|
I need some hints on how to continue with cypher in the Of course I want to use a crystal native implementation if it's there. Looking into mariadb client ( Then in https://docs.openssl.org/3.3/man3/EVP_PKEY_encrypt/ I found that the cypher is a OAEP (for RSA keys) Also golang ( Rust talks about Asking openssl So if a cipher according to rfc8017 is present in Crystal OpenSSL::Cipher("???") I want to find it with its proper name. |
The You need the server public key, either provided with the connection or will need to request it. Then it is used to initialize the EVP_PKEY_CTX. OpenSSL will then use the information from the pubkey to set the context up (hash digest, ...). You can go with raw LibC calls to OpenSSL for starters. There likely isn't Crystal bindings for EVP_PKEY_CTX yet. We can use the experience here to add them to stdlib later. But let's get this working first. |
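The two code paths discussed in this thread (cached fast authentication, and full authentication after the cache is invalidated), as an added Python sketch that is not code from crystal-mysql or from any commenter. Function names are hypothetical, the nonce and password in use are constructed, and the status bytes and scramble formula follow the MySQL protocol documentation linked above; the server-side check is a simplified model.

```python
import hashlib
from itertools import cycle

# Status bytes the server sends after receiving the fast-auth scramble.
FAST_AUTH_SUCCESS = 0x03
PERFORM_FULL_AUTHENTICATION = 0x04
REQUEST_PUBLIC_KEY = 0x02  # client -> server: ask for the RSA public key


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def fast_auth_scramble(password: bytes, nonce: bytes) -> bytes:
    """XOR(SHA256(pw), SHA256(SHA256(SHA256(pw)) + nonce)); empty pw -> empty."""
    if not password:
        return b""
    h1 = sha256(password)
    h2 = sha256(sha256(h1) + nonce)
    return bytes(a ^ b for a, b in zip(h1, h2))


def server_cache_check(cached, nonce: bytes, scramble: bytes) -> bool:
    """Simplified server model: cached is SHA256(SHA256(pw)), or None when the
    cache entry is gone (new user, or after FLUSH PRIVILEGES)."""
    if cached is None or len(scramble) != 32:
        return False
    h2 = sha256(cached + nonce)
    return sha256(bytes(a ^ b for a, b in zip(scramble, h2))) == cached


def next_client_step(status: int, secure_channel: bool, password: bytes):
    """Decide what the client sends after the server's status byte."""
    if status == FAST_AUTH_SUCCESS:
        return ("wait_for_ok", b"")
    if status == PERFORM_FULL_AUTHENTICATION:
        if secure_channel:  # TLS or Unix socket: password goes NUL-terminated
            return ("send_password", password + b"\x00")
        return ("request_public_key", bytes([REQUEST_PUBLIC_KEY]))
    raise ValueError(f"unexpected caching_sha2_password status {status:#x}")


def rsa_plaintext(password: bytes, nonce: bytes) -> bytes:
    """Input to RSA-OAEP on a plain TCP connection: (pw + NUL) XOR repeated nonce.
    The OAEP encryption itself needs an RSA library and is not shown here."""
    return bytes(p ^ n for p, n in zip(password + b"\x00", cycle(nonce)))
```

A client that only implements `fast_auth_scramble` fails exactly when `server_cache_check` has no entry, which matches the behaviour reported above for new users and after `FLUSH PRIVILEGES`.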
Status report.
I will provide a zip on my development 'lib' still with some traces etc later this week. Can be used for openssl debug |
Thanks! I am working on TLS support actually :-) |
Attached you find my latest contribution. The embedding of c openssl still does not work. You also find a separate file For the record: Anyone with general interest in Finite State Machine could download the attachment and look into the |
I know that this is not a new issue, but I'm trying to connect to a MySQL 8 server, which has been set to use legacy (v5.7) authentication. This is working in other languages that have an issue with the new authentication process (e.g. Nim), but I can't get it to work in Crystal. I've tried it on both OSX and Ubuntu. No difference.
I've tried the published solutions like CREATE/ALTER USER 'test'@'localhost' IDENTIFIED WITH mysql_native_password BY 'mypassword'; and the user is definitely using the native_password auth.
Short of switching languages or databases, can anyone suggest something to try?
Thanks in advance for any suggestions!
[Exception.txt] (https://github.com/crystal-lang/crystal-mysql/files/12506665/Exception.txt)