DBD-MariaDB icon indicating copy to clipboard operation
DBD-MariaDB copied to clipboard

Published 20 hours ago verified publisher icon perl5-dbi

Handshake error connecting from client 8.0.17 to mysql server 5.1.7

Open ibrierley opened this issue 4 years ago • 11 comments

See also this issue...

https://github.com/perl5-dbi/DBD-mysql/issues/320#issuecomment-591047832

Which has a stack trace, version info etc.

ibrierley avatar Feb 25 '20 22:02 ibrierley

Same issue. Any updates?

cBrou avatar Jul 04 '21 11:07 cBrou

I gave up with Perl and Mariadb in the end, bit of a shame. I ended up removing mariadb and installing mysql on centos. I also ran an older version of mysql in a docker container in some cases to transition versions.

ibrierley avatar Jul 07 '21 11:07 ibrierley

Here is an update: https://github.com/perl5-dbi/DBD-MariaDB/pull/190 This pull request implements a new connection parameter mariadb_auth_plugin which forces client to use specified authentication method when connecting to mysql server.

New mysql 8.x client versions use by default new authentication method not supported by the older mysql servers. Older servers support mysql_native_password auth method.

Example how to use this new mariadb_auth_plugin parameter with mysql_native_password method:

my $dbh = DBI->connect("DBI:MariaDB:$db", $user, $pass, { mariadb_auth_plugin => 'mysql_native_password' });

@cBrou or @ibrierley or @ShyLionTjmn Could you test this change if it helps for you?

pali avatar Jul 14 '23 23:07 pali

Above mentioned pull request add an option mariadb_auth_plugin for setting password authentication method (plugin) and it does it via mysql_options(sock, MYSQL_DEFAULT_AUTH, auth_plugin) call. But unfortunately MySQL 8.x client library is buggy and this pull request does not help with connecting to MySQL 5.1 servers (without additional modifications).

MySQL 8.x client library ignores the MYSQL_DEFAULT_AUTH connection option set by library/program if the server does not announce CLIENT_PLUGIN_AUTH capability in greeting packet. CLIENT_PLUGIN_AUTH capability indicates that server may support other authentication methods than mysql_native_password.

MySQL client library since version 8.0.4 uses by default caching_sha2_password authentication method (previous versions used mysql_native_password).

So when MySQL 8.0.4+ client library try to connect to MySQL pre-5.5.7 servers (which do not support CLIENT_PLUGIN_AUTH capability), library fallback to default authentication (which is caching_sha2_password) and because caching_sha2_password is not supported by MySQL pre-5.5.7 servers, the connection fails with ERROR 1043 (08S01): Bad handshake.

This is a clear bug in MySQL 8.0.4+ client library and I have not found any way how to workaround it without patching client library itself.

Here is the proper fix for the MySQL 8.x client library which is part of the MySQL server package:

--- mysql8/sql-common/client.cc	2023-07-23 15:21:07.545622792 +0200
+++ mysql8/sql-common/client.cc	2023-07-23 15:37:47.929255681 +0200
@@ -3954,7 +3956,14 @@ int run_plugin_auth(MYSQL *mysql, char *
               mysql, auth_plugin_name, MYSQL_CLIENT_AUTHENTICATION_PLUGIN)))
       DBUG_RETURN(1); /* oops, not found */
   } else {
-    auth_plugin = &caching_sha2_password_client_plugin;
+    /*
+     * If CLIENT_PLUGIN_AUTH capability is not announced by server (pre-5.5.7)
+     * then only the old native_password_client_plugin is supported by server.
+     */
+    if (mysql->server_capabilities & CLIENT_PLUGIN_AUTH)
+      auth_plugin = &caching_sha2_password_client_plugin;
+    else
+      auth_plugin = &native_password_client_plugin;
     auth_plugin_name = auth_plugin->name;
   }

With this change also command line mysql utility from MySQL 8.x package is able to connect to MySQL 5.1 and 4.1 servers.

You should report this bug to the MySQL developers or Oracle support channel.

pali avatar Jul 23 '23 13:07 pali

As here is modified patch for the MySQL 8.0.26+:

--- mysql8/sql-common/client.cc	2023-07-23 15:52:40.715822119 +0200
+++ mysql8/sql-common/client.cc	2023-07-23 15:54:02.628415270 +0200
@@ -5759,8 +5759,13 @@ static mysql_state_machine_status authsm
   if (ctx->auth_plugin_name == nullptr || ctx->auth_plugin == nullptr) {
     /*
       If everything else fail we use the built in plugin
+      If CLIENT_PLUGIN_AUTH capability is not announced by server (pre-5.5.7)
+      then only the old native_password_client_plugin is supported by server.
     */
-    ctx->auth_plugin = &caching_sha2_password_client_plugin;
+    if (mysql->server_capabilities & CLIENT_PLUGIN_AUTH)
+      ctx->auth_plugin = &caching_sha2_password_client_plugin;
+    else
+      ctx->auth_plugin = &native_password_client_plugin;
     ctx->auth_plugin_name = ctx->auth_plugin->name;
   }

pali avatar Jul 23 '23 13:07 pali

This mysql bug is already tracked in mysql issue tracker: https://bugs.mysql.com/bug.php?id=90994

pali avatar Aug 13 '23 12:08 pali

After discussion with MySQL developers, this MySQL 8 client library issue should be fixed in the upcoming October MySQL 8.0.35 release (I guess in the next week). With that fixed release it should be able to connect to the MySQL pre-5.5.7 servers with MySQL 8 client library again.

cc: @cBrou @ibrierley @ShyLionTjmn

pali avatar Oct 11 '23 21:10 pali

Great, thanks for the update.

ibrierley avatar Oct 11 '23 22:10 ibrierley

Should be fixed in upstream by https://github.com/mysql/mysql-server/commit/f05a2daa5f8288174c48eea248bf92c92dcf6e3a

choroba avatar Nov 13 '23 18:11 choroba

It should be part of MYSQL versions 8.0.35 and 8.2.0

choroba avatar Nov 13 '23 18:11 choroba

Can anyone please verify it's OK now?

choroba avatar Nov 13 '23 19:11 choroba