Bug#1032074: libdbd-mysql-perl: Also a problem with /usr/bin/mysql
Russell King
rmk+debian at armlinux.org.uk
Tue Jun 27 16:18:56 BST 2023
Some further information:

Despite following the recommended Debian upgrades, my /usr/bin/mysql
appears to have been left over from mariadb-client-core-10.1 and thus
was ancient, so we can disregard the packet traces from this. Even more
misleading, the DBI tracing from libdbd-mysql-perl and that version
of mysql both report error 2026 but without much detail, which leads one
to believe they are the same when they very much are not. Specifically,
/usr/bin/mysql discards the reason reported from the SSL library why the
SSL connection failed - and this is a lesson that hiding error messages
by replacing them with something else is bad!

Digging into libdbd-mysql-perl, it turns out this regression is down to
this change in mariadb:

https://github.com/mariadb-corporation/mariadb-connector-c/commit/a37b7c3965706f9a062baaba0c494dd6efb2c306

Under Bullseye, mysql_get_client_version() reports 100519.
Under Bookworm, mysql_get_client_version() reports 30305.

This number is important. In libdbd-mysql-perl, dbdimp.h has this check:

    static inline bool ssl_verify_also_enforce_ssl(void) {
    #ifdef MARIADB_BASE_VERSION
        my_ulonglong version = mysql_get_client_version();
        return ((version >= 50544 && version < 50600) ||
                (version >= 100020 && version < 100100) ||
                version >= 100106);
    #else
        return false;
    #endif
    }

Consequently, under Bullseye, this would return true, but under
Bookworm, this now returns false.

This has the effect that libdbd-mysql-perl now refuses any combination of
options that ask it to enforce SSL in mysql_dr_connect():

    if (ssl_enforce) {
    ...
    #elif defined(HAVE_SSL_VERIFY)
        if (!ssl_verify_also_enforce_ssl()) {
            set_ssl_error(sock, "Enforcing SSL encryption is not supported");
            return NULL;
        }

So, any combination of options (such as merely setting "mysql_ssl=1")
results in this error message.

This is a regression in libdbd-mysql-perl caused by the above referenced
commit in mariadb's client library which changes the return value of
mysql_get_client_version() to return the _package_ version, and thus a
very much smaller number than libdbd-mysql-perl expects.
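
Added example (not part of the original message or of libdbd-mysql-perl's source): the range test quoted from dbdimp.h, rewritten to take the version as a parameter so it can be evaluated on the two values reported above without linking the client library. The names gate_accepts and decode_version are hypothetical, and the decoding assumes the usual MySQL-style major*10000 + minor*100 + patch numbering.

```c
#include <stdbool.h>
#include <stdio.h>

/* Same ranges as ssl_verify_also_enforce_ssl() in the quoted dbdimp.h
 * excerpt; the version is a parameter here (an assumption of this example)
 * instead of coming from mysql_get_client_version(). */
static bool gate_accepts(unsigned long long version)
{
    return (version >= 50544 && version < 50600) ||
           (version >= 100020 && version < 100100) ||
           version >= 100106;
}

struct ver { unsigned major, minor, patch; };

/* Split a version id, assuming major*10000 + minor*100 + patch. */
static struct ver decode_version(unsigned long long id)
{
    struct ver v;
    v.major = (unsigned)(id / 10000);
    v.minor = (unsigned)(id / 100 % 100);
    v.patch = (unsigned)(id % 100);
    return v;
}

int main(void)
{
    /* The two values reported in the message above. */
    const struct { const char *release; unsigned long long id; } cases[] = {
        { "Bullseye", 100519ULL },
        { "Bookworm", 30305ULL },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct ver v = decode_version(cases[i].id);
        /* A "no" here is the path that ends in
         * "Enforcing SSL encryption is not supported". */
        printf("%-8s %6llu -> %u.%u.%u  gate accepts: %s\n",
               cases[i].release, cases[i].id, v.major, v.minor, v.patch,
               gate_accepts(cases[i].id) ? "yes" : "no");
    }
    return 0;
}
```

The Bookworm value falls below every range in the test, so the gate rejects a client library that is newer than the one it accepted under Bullseye.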