Disable TLS connections (using MariaDB Connector/C 3.4.x)

[9EOR9]

Since version 3.4.0, MariaDB Connector/C enables TLS by default, including server certificate verification. While some distributions, such as Fedora, have disabled this feature, it is currently not possible to disable TLS in DBD-MariaDB when linking against Connector/C version 3.4.4 (whether built from source or downloaded from MariaDB.com).

In C, TLS can be effectively disabled by turning off server certificate verification:

uint8_t verify= 0;
rc= mysql_options(mysql, MYSQL_OPT_VERIFY_SERVER_CERT, &verify);

However, the same approach does not work with DBD-MariaDB:

my $dsn = "DBI:MariaDB:database=test;mariadb_socket=/tmp/mysql.sock;mariadb_ssl_verify_server_cert=0";
my $dbh = DBI->connect($dsn, 'mirrorcache', '');

$dbh or die 'couldnt connect';

This results in the following error:
DBI connect('database=test;mariadb_socket=/tmp/mysql.sock;mariadb_ssl_verify_server_cert=0','mirrorcache',...) failed: TLS/SSL error: SSL is required, but the server does not support it

This issue was initially reported as CONC-773

[andrii-suse]

Just for reference: the workaround is to assign env variable MARIADB_TLS_DISABLE_PEER_VERIFICATION (to 1). (It should work for perl-DBD-mysql as well)

[9EOR9]

Yes, exactly for this purpose I added the workaround in 3.4.4 - (see CONC-747)

[choroba]

Just to make sure: the new behaviour started in 3.4.0. There are three possible combinations:

1. SSL turned off.
2. SSL turned on, no certificate verification.
3. SSL turned on, certificate verification on.

It makes no sense to turn SSL off but turn certificate verification on, right?
How to achieve these three states in the connector library?

[andrii-suse]

@choroba the short answer: the problem is that in recent versions the default behavior became "SSL turned ON" and there is really no option to turn it OFF completely, except of using ssl_verify_server_cert option.

the longer answer: the problem is that in the latest MariaDB versions (since 11.4 iirc) the default behavior is "SSL turned on" at both client and server side. And the only way to "turn SSL off" on client side is using flag mariadb_ssl_verify_server_cert=0 (there is no other flag in libmariadbclient which can turn it OFF iiuc),

I.e. If you start MariaDB server 11.4+ with --disable-ssl - the command line client will still have "SSL turned on" and will not be able to connect unless it's SSL is turned off explicilty, e.g. with --ssl-verify-server-cert=0

We need DBD-MariaDB to handle the flag the same way, because there is no other way to turn SSL off for the libmariadbclient

I hope somebody corrects if I mentioned something wrong, but the overall idea should be correct.