MySQL: Authentication plugin 'caching_sha2_password' reported error: Authentication requires secure connection

MySQL 8.0 ships with:

  • SSL/TLS enabled by default (the server generates a self-signed certificate at initialization)
  • caching_sha2_password as the default authentication plugin

DBD::mysql by default:

  • Has SSL/TLS disabled

This makes the connection fail: caching_sha2_password needs either a secure connection (SSL/TLS, or a local Unix socket) or RSA encryption of the password for the first authentication of an account. Once the server has that account's entry in its cache, later connections use the fast challenge-response path and a secure connection is no longer required.

What the user has to do is one of the following:

  1. Enable SSL/TLS (mysql_ssl=1)
  2. Specify the RSA public key of the server (mysql_server_pubkey=/path/to/pubkey.pem)
  3. Enable RSA public key requests (mysql_get_server_pubkey=1)

Option 3 is not secure, as it allows a MitM attack: the attacker answers the key request with its own public key and can then decrypt the password.
Option 2 can't be enabled by default, as we don't know where the public key is, etc.
Option 1 can be the default, but this is a change in behavior that other users might not expect. (Note that mysql_ssl=1 on its own only encrypts the session; the server certificate is not verified unless mysql_ssl_verify_server_cert and a CA file are also set, so it stops passive sniffing but not an active MitM.)
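The three options side by side, as an added example written for this page rather than code from DBD::mysql or the reporter. Host, database, credentials and certificate paths are placeholders, and it assumes a DBD::mysql new enough to know mysql_server_pubkey and mysql_get_server_pubkey (4.044 or later). It also shows the cache behaviour described above: the plain DSN fails on first contact, succeeds once a TLS connection has populated the server-side cache.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Placeholder connection details (assumption): replace with your own.
my %base = (database => 'test', host => 'db.example.com', port => 3306);
my ($user, $pass) = ('app', 'secret');

# Build a DBD::mysql DSN from a hash of attributes.
sub build_dsn {
    my (%attr) = @_;
    return 'DBI:mysql:' . join(';', map { "$_=$attr{$_}" } sort keys %attr);
}

# Try to connect; return ($dbh, undef) on success or (undef, $error) on
# failure so the caching_sha2_password error can be shown instead of dying.
sub try_connect {
    my ($dsn) = @_;
    my $dbh = eval {
        DBI->connect($dsn, $user, $pass, { RaiseError => 1, PrintError => 0 });
    };
    return $dbh ? ($dbh, undef) : (undef, $@ || $DBI::errstr);
}

# DBD::mysql default: no TLS, no RSA. Against an account that is not yet in
# the server's cache this fails with "Authentication requires secure connection".
my $dsn_plain = build_dsn(%base);

# Option 1: TLS. mysql_ssl=1 alone only encrypts the session; pin the CA and
# verify the server certificate so an active MitM is rejected as well.
my $dsn_tls = build_dsn(%base,
    mysql_ssl                    => 1,
    mysql_ssl_ca_file            => '/etc/mysql/ssl/ca.pem',   # path is an assumption
    mysql_ssl_verify_server_cert => 1,
);

# Option 2: no TLS, but the password is RSA-encrypted to a server public key
# that was distributed out of band, so a fake server cannot read it.
my $dsn_rsa = build_dsn(%base,
    mysql_server_pubkey => '/etc/mysql/ssl/public_key.pem',   # path is an assumption
);

# Option 3: ask the server for its public key over the unencrypted channel.
# An on-path attacker can answer with its own key and decrypt the password.
# Built here only for contrast; it is deliberately never used below.
my $dsn_rsa_fetch = build_dsn(%base, mysql_get_server_pubkey => 1);

# Order matters: plain first (expected to fail), TLS (fills the server cache),
# then plain again (now succeeds via the fast path, no secure connection needed).
# FLUSH PRIVILEGES or a server restart empties the cache and the plain DSN
# fails again.
for my $dsn ($dsn_plain, $dsn_tls, $dsn_rsa, $dsn_plain) {
    my ($dbh, $err) = try_connect($dsn);
    if (!$dbh) {
        print "FAIL  $dsn\n      $err\n";
        next;
    }
    # Confirm what was actually negotiated: Ssl_cipher is empty on a
    # cleartext session, so this catches a DSN that silently fell back.
    my (undef, $cipher) = $dbh->selectrow_array("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    printf "OK    %s\n      TLS: %s\n", $dsn, ($cipher ne '' ? $cipher : 'none');
    $dbh->disconnect;
}
```

The Ssl_cipher check is the part worth keeping in production code: a DSN that sets mysql_ssl_optional, or a client library that negotiates down, can leave you on a cleartext session without any error, and the only reliable signal is what the server reports after connecting.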

Other options:

  4. Catch the connection error and retry with SSL/TLS enabled (hackish)
  5. Make TLS the default via a compile-time option
  6. Make TLS the default when compiling against Oracle MySQL 8.0

One thing to avoid is a situation where the default depends on too many variables (compile-time options, server version, client library version, MySQL vs. MariaDB).
