mirror of https://github.com/MariaDB/server.git synced 2025-08-08 11:22:35 +03:00

MDEV-13362: implement --require_secure_transport option

Currently, if a user wants to require TLS for every connection made
over the network, then every user account on the system needs to be
created with "REQUIRE SSL" or one of the other TLS options.

Implementing a require_secure_transport system variable (which,
in particular, can be set using the --require_secure_transport=ON
command line option) in the MariaDB Server would make it a lot
easier to require TLS (or other secure transport) system-wide.

This patch implements this new system variable, adds the ability
to set it with SQL statements, from the command line and from the
configuration file, and also contains improvements for mtr that allow
the user to establish non-secure TCP/IP connections (for example,
to verify the operation of the new option).
This commit is contained in:
Julius Goryavsky
2020-03-02 23:46:07 +01:00
parent 9d7ed94f6a
commit 28fabc86db
14 changed files with 205 additions and 62 deletions

@@ -1082,6 +1082,10 @@ The following specify which files/extra groups are read (specified before remain
not sure, leave this option unset
--report-user=name The account user name of the slave to be reported to the
master during slave registration
--require-secure-transport
When this option is enabled, connections attempted using
insecure transport will be rejected. Secure transports
are SSL/TLS, Unix sockets or named pipes.
--rowid-merge-buff-size=#
The size of the buffers used [NOT] IN evaluation via
partial matching
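
Review bot: the help text under --require-secure-transport lists Unix sockets and named pipes as "secure transports" next to SSL/TLS without saying in what sense, and no encryption is involved for those two, so an administrator reading only this description could take the option as a guarantee that every connection is encrypted. Suggest wording that separates the cases, for example "Secure transports are SSL/TLS-encrypted connections, and connections over Unix sockets or named pipes". The description should also say what happens to TCP/IP clients when the option is enabled but the server has no TLS configured, because in that state every TCP/IP connection would be rejected.
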
@@ -1734,6 +1738,7 @@ report-host (No default value)
report-password (No default value)
report-port 0
report-user (No default value)
require-secure-transport FALSE
rowid-merge-buff-size 8388608
rpl-semi-sync-master-enabled FALSE
rpl-semi-sync-master-timeout 10000
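
Review bot: the defaults listing shows require-secure-transport as FALSE, but the help entry for the option states no default, and the commit message writes it as --require_secure_transport=ON with underscores and an ON value rather than the hyphenated boolean shown here. Suggest stating in the help text that the option is off by default and using one spelling throughout, so that a search for either form finds the option. Because FALSE leaves insecure TCP/IP connections accepted, the documentation should also make clear that the option must be enabled explicitly and that upgrading alone does not change behaviour.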