
SNI doesn't work with MySQL clients before 8.1

Open hexedpackets opened this issue 1 year ago • 0 comments

SNI support was only added to the MySQL CLI and libraries in 8.1: https://dev.mysql.com/doc/relnotes/mysql/8.1/en/news-8-1-0.html

Attempting to use TLS with an earlier MySQL client will fail if JumpWire is configured to use SNI instead of a static cert. This primarily affects setups using ACME-issued certs. Since the client doesn't support the SNI extension, the configured sni_fun is never called. I think the only way around this is to keep the disk location of the default cert in the SSL options, even when using SNI. If an SNI hint indicates a different cert should be used instead of the static cert, it should get overwritten with the result of the SNI function.

Stacktrace for reference:

[error] module=gen_server GenServer #PID<0.3988.0> terminating
** (stop) exited in: :gen_statem.call(#PID<0.3992.0>, {:start, 5000}, :infinity)
    ** (EXIT) an exception was raised:
        ** (FunctionClauseError) no function clause matching in :public_key.pkix_decode_cert/2
            (public_key 1.13.3.1) public_key.erl:516: :public_key.pkix_decode_cert([], :otp)
            (ssl 10.9.1.2) ssl_handshake.erl:1741: :ssl_handshake.get_cert_params/1
            (ssl 10.9.1.2) tls_handshake_1_3.erl:2432: :tls_handshake_1_3.get_certificate_params/1
            (ssl 10.9.1.2) tls_handshake_1_3.erl:2995: :tls_handshake_1_3.select_server_cert_key_pair/7
            (ssl 10.9.1.2) tls_handshake_1_3.erl:676: :tls_handshake_1_3.do_start/2
            (ssl 10.9.1.2) tls_connection_1_3.erl:578: :tls_connection_1_3.do_server_start/2
            (stdlib 4.3.1.3) gen_statem.erl:1426: :gen_statem.loop_state_callback/11
            (ssl 10.9.1.2) tls_connection.erl:160: :tls_connection.init/1
    (stdlib 4.3.1.3) gen.erl:243: :gen.do_call/4
    (stdlib 4.3.1.3) gen_statem.erl:900: :gen_statem.call_dirty/4
    (ssl 10.9.1.2) ssl_gen_statem.erl:1243: :ssl_gen_statem.call/2
    (ssl 10.9.1.2) ssl_gen_statem.erl:234: :ssl_gen_statem.handshake/2
    (ssl 10.9.1.2) ssl_gen_statem.erl:220: :ssl_gen_statem.handshake/7
    (ranch 2.1.0) /Users/hexedpackets/repos/jumpwire/jumpwire/deps/ranch/src/ranch_ssl.erl:180: :ranch_ssl.handshake/3
    (jumpwire 4.0.0) lib/jumpwire/proxy/mysql.ex:301: JumpWire.Proxy.MySQL.handle_client_auth/3
    (jumpwire 4.0.0) lib/jumpwire/proxy/mysql.ex:278: JumpWire.Proxy.MySQL.client_recv/2

hexedpackets, Dec 01 '23 18:12
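One way to implement the fallback described in the issue, as an added Elixir example that is not JumpWire's code: the `:ssl` listener options always carry the static default certificate, and `sni_fun` only overrides it when the ClientHello actually carries an SNI extension. The module name, certificate paths and hostnames are constructed placeholders.

```elixir
defmodule SniFallbackExample do
  @moduledoc """
  Added example (not JumpWire code): build :ssl listener options so that a
  client which never sends the SNI extension (MySQL CLI before 8.1) still gets
  a usable certificate, while SNI-capable clients can be served a per-host
  cert. Every path and hostname here is a constructed placeholder.
  """

  # Constructed table of per-hostname certs (e.g. ACME-issued). Hypothetical.
  @host_certs %{
    "db.example.test" => [
      certfile: "/etc/certs/db.example.test/fullchain.pem",
      keyfile: "/etc/certs/db.example.test/privkey.pem"
    ]
  }

  @doc """
  SSL option overrides for an SNI hostname, or [] when no host-specific cert
  exists so the static default stays in effect. :ssl passes the hostname to
  sni_fun as a charlist, so both charlists and binaries are accepted.
  """
  def cert_for_host(hostname, table \\ @host_certs) do
    name = hostname |> to_string() |> String.downcase()
    Map.get(table, name, [])
  end

  @doc """
  Listener options. The default cert/key are always present, so a handshake
  from a client that sends no SNI never reaches certificate selection with an
  empty certificate list (the FunctionClauseError in the stack trace above).
  """
  def ssl_options(default_certfile, default_keyfile) do
    [
      certfile: default_certfile,
      keyfile: default_keyfile,
      # Only invoked when the ClientHello carries an SNI extension; the
      # returned options are merged over the ones above and override them.
      sni_fun: &cert_for_host/1
    ]
  end
end

# Usage sketch: pass the result as the transport options of the TLS listener.
# SniFallbackExample.ssl_options("/etc/certs/default.pem", "/etc/certs/default.key")
# SniFallbackExample.cert_for_host(String.to_charlist("db.example.test"))
```

A client that omits SNI is served `default.pem` without `cert_for_host/1` ever running, while a client naming `db.example.test` gets that host's pair merged over the defaults.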