
[MDEV-30178] Explicit errors on required secured transport

The error message shown to user connections that use an insecure transport when secure transport is required is very uninformative and does not mention the secure-transport requirement at all.

To make the error message more relevant, introduce a new error
'ER_SECURE_TRANSPORT_REQUIRED', copy of MySQL error message with the
error code 08004 (SQL-server rejected establishment SQL-connection).

Move the code of 'require_secure_transport' to be executed before
authentication verification, as it's not part of authentication but
rather verifying if connection should be allowed in the first place.

All new code of the whole pull request, including one or several files that
are either new files or modified ones, are contributed under the BSD-new license.
I am contributing on behalf of my employer Amazon Web Services, Inc.
This commit is contained in:
Vincent Dufrasnes
2023-03-09 20:05:17 +00:00
committed by Andrew Hutchings
parent 038d29258d
commit 742f960eeb
5 changed files with 329 additions and 23 deletions


@ -14170,8 +14170,8 @@ static void server_mpvio_info(MYSQL_PLUGIN_VIO *vio,
static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
{
Vio *vio= thd->net.vio;
#ifdef HAVE_OPENSSL
Vio *vio= thd->net.vio;
SSL *ssl= (SSL *) vio->ssl_arg;
X509 *cert;
#endif
@ -14183,26 +14183,8 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
if X509 certificate attributes are OK
*/
switch (acl_user->ssl_type) {
case SSL_TYPE_NOT_SPECIFIED: // Impossible
case SSL_TYPE_NONE: // SSL is not required
if (opt_require_secure_transport)
{
enum enum_vio_type type= vio_type(vio);
#ifdef HAVE_OPENSSL
return type != VIO_TYPE_SSL &&
#ifndef _WIN32
type != VIO_TYPE_SOCKET;
#else
type != VIO_TYPE_NAMEDPIPE;
#endif
#else
#ifndef _WIN32
return type != VIO_TYPE_SOCKET;
#else
return type != VIO_TYPE_NAMEDPIPE;
#endif
#endif
}
case SSL_TYPE_NOT_SPECIFIED: // Impossible
case SSL_TYPE_NONE: // SSL is not required FOR THIS SPECIFIC USER
return 0;
#ifdef HAVE_OPENSSL
case SSL_TYPE_ANY: // Any kind of SSL is ok