[MDEV-30178] Explicit errors on required secured transport

The error message for user connections using insecure transport when secured transport is required is very uninformative and doesn't mention the requirement of secure transport at all. To make the error message more relevant, introduce a new error 'ER_SECURE_TRANSPORT_REQUIRED', copy of MySQL error message with the error code 08004 (SQL-server rejected establishment SQL-connection). Move the code of 'require_secure_transport' to be executed before authentication verification, as it's not part of authentication but rather verifying if connection should be allowed in the first place. All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
2025-01-16 20:12:31 +01:00 · 2023-03-09 20:05:17 +00:00 · 2023-03-09 20:05:17 +00:00 · 742f960eeb
commit 742f960eeb
parent 038d29258d
5 changed files with 329 additions and 23 deletions
--- a/mysql-test/main/require_secure_transport.result
+++ b/mysql-test/main/require_secure_transport.result
@ -1,6 +1,6 @@
 CREATE TABLE t1 (t int(1));
 SET GLOBAL require_secure_transport=ON;
-ERROR 28000: Access denied for user 'root'@'localhost' (using password: NO)
+ERROR HY000: Connections using insecure transport are prohibited while --require_secure_transport=ON.
 connection default;
 SET GLOBAL require_secure_transport=OFF;
 disconnect without_ssl;
--- a/mysql-test/main/require_secure_transport.test
+++ b/mysql-test/main/require_secure_transport.test
@ -2,7 +2,7 @@
 CREATE TABLE t1 (t int(1));
 SET GLOBAL require_secure_transport=ON;
 --disable_query_log
--error ER_ACCESS_DENIED_ERROR
+--error ER_SECURE_TRANSPORT_REQUIRED
 connect without_ssl,localhost,root,,,,,TCP NOSSL;
 --enable_query_log
 connection default;
--- a/sql/share/errmsg-utf8.txt
+++ b/sql/share/errmsg-utf8.txt
@ -11001,6 +11001,304 @@ ER_ALTER_OPERATION_NOT_SUPPORTED_REASON_GIS
        eng "Do not support online operation on table with GIS index"
        spa "No soporta operación en línea en tabla con índice GIS"
        sw "Haiwezi kufanya operesheni ya mtandaoni kwenye jedwali na faharisi ya GIS"
+
+ER_MYSQL_3061
+        eng ""
+
+ER_MYSQL_3062
+        eng ""
+
+ER_MYSQL_3063
+        eng ""
+
+ER_MYSQL_3064
+        eng ""
+
+ER_MYSQL_3065
+        eng ""
+
+ER_MYSQL_3066
+        eng ""
+
+ER_MYSQL_3067
+        eng ""
+
+ER_MYSQL_3068
+        eng ""
+
+ER_MYSQL_3069
+        eng ""
+
+ER_MYSQL_3070
+        eng ""
+
+ER_MYSQL_3071
+        eng ""
+
+ER_MYSQL_3072
+        eng ""
+
+ER_MYSQL_3073
+        eng ""
+
+ER_MYSQL_3074
+        eng ""
+
+ER_MYSQL_3075
+        eng ""
+
+ER_MYSQL_3076
+        eng ""
+
+ER_MYSQL_3077
+        eng ""
+
+ER_MYSQL_3078
+        eng ""
+
+ER_MYSQL_3079
+        eng ""
+
+ER_MYSQL_3080
+        eng ""
+
+ER_MYSQL_3081
+        eng ""
+
+ER_MYSQL_3082
+        eng ""
+
+ER_MYSQL_3083
+        eng ""
+
+ER_MYSQL_3084
+        eng ""
+
+ER_MYSQL_3085
+        eng ""
+
+ER_MYSQL_3086
+        eng ""
+
+ER_MYSQL_3087
+        eng ""
+
+ER_MYSQL_3088
+        eng ""
+
+ER_MYSQL_3089
+        eng ""
+
+ER_MYSQL_3090
+        eng ""
+
+ER_MYSQL_3091
+        eng ""
+
+ER_MYSQL_3092
+        eng ""
+
+ER_MYSQL_3093
+        eng ""
+
+ER_MYSQL_3094
+        eng ""
+
+ER_MYSQL_3095
+        eng ""
+
+ER_MYSQL_3096
+        eng ""
+
+ER_MYSQL_3097
+        eng ""
+
+ER_MYSQL_3098
+        eng ""
+
+ER_MYSQL_3099
+        eng ""
+
+ER_MYSQL_3100
+        eng ""
+
+ER_MYSQL_3101
+        eng ""
+
+ER_MYSQL_3102
+        eng ""
+
+ER_MYSQL_3103
+        eng ""
+
+ER_MYSQL_3104
+        eng ""
+
+ER_MYSQL_3105
+        eng ""
+
+ER_MYSQL_3106
+        eng ""
+
+ER_MYSQL_3107
+        eng ""
+
+ER_MYSQL_3108
+        eng ""
+
+ER_MYSQL_3109
+        eng ""
+
+ER_MYSQL_3110
+        eng ""
+
+ER_MYSQL_3111
+        eng ""
+
+ER_MYSQL_3112
+        eng ""
+
+ER_MYSQL_3113
+        eng ""
+
+ER_MYSQL_3114
+        eng ""
+
+ER_MYSQL_3115
+        eng ""
+
+ER_MYSQL_3116
+        eng ""
+
+ER_MYSQL_3117
+        eng ""
+
+ER_MYSQL_3118
+        eng ""
+
+ER_MYSQL_3119
+        eng ""
+
+ER_MYSQL_3120
+        eng ""
+
+ER_MYSQL_3121
+        eng ""
+
+ER_MYSQL_3122
+        eng ""
+
+ER_MYSQL_3123
+        eng ""
+
+ER_MYSQL_3124
+        eng ""
+
+ER_MYSQL_3125
+        eng ""
+
+ER_MYSQL_3126
+        eng ""
+
+ER_MYSQL_3127
+        eng ""
+
+ER_MYSQL_3128
+        eng ""
+
+ER_MYSQL_3129
+        eng ""
+
+ER_MYSQL_3130
+        eng ""
+
+ER_MYSQL_3131
+        eng ""
+
+ER_MYSQL_3132
+        eng ""
+
+ER_MYSQL_3133
+        eng ""
+
+ER_MYSQL_3134
+        eng ""
+
+ER_MYSQL_3135
+        eng ""
+
+ER_MYSQL_3136
+        eng ""
+
+ER_MYSQL_3137
+        eng ""
+
+ER_MYSQL_3138
+        eng ""
+
+ER_MYSQL_3139
+        eng ""
+
+ER_MYSQL_3140
+        eng ""
+
+ER_MYSQL_3141
+        eng ""
+
+ER_MYSQL_3142
+        eng ""
+
+ER_MYSQL_3143
+        eng ""
+
+ER_MYSQL_3144
+        eng ""
+
+ER_MYSQL_3145
+        eng ""
+
+ER_MYSQL_3146
+        eng ""
+
+ER_MYSQL_3147
+        eng ""
+
+ER_MYSQL_3148
+        eng ""
+
+ER_MYSQL_3149
+        eng ""
+
+ER_MYSQL_3150
+        eng ""
+
+ER_MYSQL_3151
+        eng ""
+
+ER_MYSQL_3152
+        eng ""
+
+ER_MYSQL_3153
+        eng ""
+
+ER_MYSQL_3154
+        eng ""
+
+ER_MYSQL_3155
+        eng ""
+
+ER_MYSQL_3156
+        eng ""
+
+ER_MYSQL_3157
+        eng ""
+
+ER_MYSQL_3158
+        eng ""
+
+ER_SECURE_TRANSPORT_REQUIRED 08004
+        eng "Connections using insecure transport are prohibited while --require_secure_transport=ON."
+
 # MariaDB extra error numbers starts from 4000
 skip-to-error-number 4000

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -14170,8 +14170,8 @@ static void server_mpvio_info(MYSQL_PLUGIN_VIO *vio,

 static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
 {
-  Vio *vio= thd->net.vio;
 #ifdef HAVE_OPENSSL
+  Vio *vio= thd->net.vio;
  SSL *ssl= (SSL *) vio->ssl_arg;
  X509 *cert;
 #endif
@ -14183,26 +14183,8 @@ static bool acl_check_ssl(THD *thd, const ACL_USER *acl_user)
    if X509 certificate attributes are OK
  */
  switch (acl_user->ssl_type) {
-  case SSL_TYPE_NOT_SPECIFIED:                  // Impossible
-  case SSL_TYPE_NONE:                           // SSL is not required
-    if (opt_require_secure_transport)
-    {
-      enum enum_vio_type type= vio_type(vio);
-#ifdef HAVE_OPENSSL
-      return type != VIO_TYPE_SSL &&
-#ifndef _WIN32
-             type != VIO_TYPE_SOCKET;
-#else
-             type != VIO_TYPE_NAMEDPIPE;
-#endif
-#else
-#ifndef _WIN32
-      return type != VIO_TYPE_SOCKET;
-#else
-      return type != VIO_TYPE_NAMEDPIPE;
-#endif
-#endif
-    }
+  case SSL_TYPE_NOT_SPECIFIED:  // Impossible
+  case SSL_TYPE_NONE:           // SSL is not required FOR THIS SPECIFIC USER
    return 0;
 #ifdef HAVE_OPENSSL
  case SSL_TYPE_ANY:                            // Any kind of SSL is ok
--- a/sql/sql_connect.cc
+++ b/sql/sql_connect.cc
@ -829,6 +829,21 @@ bool init_new_connection_handler_thread()
  return 0;
 }

+static bool check_require_secured_transport(THD *thd)
+{
+  Vio *vio= thd->net.vio;
+  if (opt_require_secure_transport)
+  {
+    enum enum_vio_type type= vio_type(vio);
+
+    return
+      (type != VIO_TYPE_SSL) &&
+      (type != VIO_TYPE_NAMEDPIPE) &&
+      (type != VIO_TYPE_SOCKET);
+  }
+  return 0;
+}
+
 /**
  Set client address during authentication.

@ -1081,6 +1096,17 @@ static int check_connection(THD *thd)
    return 1; /* The error is set by alloc(). */
  }

+  if(check_require_secured_transport(thd))
+  {
+    Host_errors errors;
+    errors.m_ssl= 1;
+    inc_host_errors(thd->main_security_ctx.ip, &errors);
+    status_var_increment(thd->status_var.access_denied_errors);
+    my_error(ER_SECURE_TRANSPORT_REQUIRED, MYF(0));
+
+    return 1;
+  }
+
  auth_rc= acl_authenticate(thd, 0);
  if (auth_rc == 0 && connect_errors != 0)
  {