Bug#1032074: libdbd-mysql-perl: Also a problem with /usr/bin/mysql

Russell King rmk+debian at armlinux.org.uk
Tue Jun 27 16:18:56 BST 2023


Some further information:

Despite following the recommended Debian upgrades, my /usr/bin/mysql 
appears to have been left over from mariadb-client-core-10.1 and thus 
was ancient, so we can disregard the packet traces from this. Even more 
misleading, the dbitracing from libdbd-mysql-perl and that version 
of mysql both report error 2026 but without much detail, which leads one 
to believe they are the same when they very much are not. Specifically, 
/usr/bin/mysql discards the reason reported from the SSL library why the 
SSL connection failed - and this is a lesson that hiding error messages 
by replacing them with something else is bad!

Digging into libdbd-mysql-perl, it turns out this regression is down to 
this change in mariadb:

https://github.com/mariadb-corporation/mariadb-connector-c/commit/a37b7c3965706f9a062baaba0c494dd6efb2c306

Under Bullseye, mysql_get_client_version() reports 100519.
Under Bookworm, mysql_get_client_version() reports 30305.

This number is important. In libdbd-mysql-perl, dbdimp.h has this check:

static inline bool ssl_verify_also_enforce_ssl(void) {
#ifdef MARIADB_BASE_VERSION
        my_ulonglong version = mysql_get_client_version();
        return ((version >= 50544 && version < 50600) ||
                (version >= 100020 && version < 100100) ||
                version >= 100106);
#else
        return false;
#endif
}

Consequently, under Bullseye, this would return true, but under 
Bookworm, this now returns false.

This has the effect that libdbd-mysql-perl now refuses any combination of 
options that ask it to enforce SSL in mysql_dr_connect():

        if (ssl_enforce) {
...
    #elif defined(HAVE_SSL_VERIFY)
              if (!ssl_verify_also_enforce_ssl()) {
                set_ssl_error(sock, "Enforcing SSL encryption is not supported");
                return NULL;
              }

So, any combination of options (such as merely setting "mysql_ssl=1") 
results in this error message.

This is a regression in libdbd-mysql-perl caused by the above referenced 
commit in mariadb's client library which changes the return value of 
mysql_get_client_version() to return the _package_ version, and thus a 
very much smaller number than libdbd-mysql-perl expects.
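
The version comparison described in the message above, as an added example that is not part of the original post or of libdbd-mysql-perl: the same range test is applied to the two reported values without linking the client library. The names enforce_supported, decode_version and struct ver are hypothetical, and the decoding assumes the usual major*10000 + minor*100 + patch encoding of these version ids.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: the same ranges as ssl_verify_also_enforce_ssl()
 * quoted in the message, with the version passed in as a parameter. */
static bool enforce_supported(unsigned long long version)
{
    return (version >= 50544 && version < 50600) ||
           (version >= 100020 && version < 100100) ||
           version >= 100106;
}

/* Hypothetical helper: split an id into its parts, assuming the
 * major*10000 + minor*100 + patch encoding. */
struct ver { unsigned major, minor, patch; };

static struct ver decode_version(unsigned long long id)
{
    struct ver v;
    v.major = (unsigned)(id / 10000);
    v.minor = (unsigned)(id / 100 % 100);
    v.patch = (unsigned)(id % 100);
    return v;
}

int main(void)
{
    /* The two mysql_get_client_version() values reported in the message. */
    static const struct { const char *release; unsigned long long id; } seen[] = {
        { "Bullseye", 100519 },
        { "Bookworm", 30305 },
    };

    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++) {
        struct ver v = decode_version(seen[i].id);
        /* The Bookworm id sits below every accepted range, so the driver
         * takes the "Enforcing SSL encryption is not supported" path. */
        printf("%-8s id=%6llu -> %u.%u.%u  enforce supported: %s\n",
               seen[i].release, seen[i].id, v.major, v.minor, v.patch,
               enforce_supported(seen[i].id) ? "yes" : "no");
    }
    return 0;
}
```

The Bookworm value decodes to a 3.x number, below the lowest accepted bound of 50544, which is why the check rejects a client library that is newer than the Bullseye one.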


