{"id":52,"date":"2021-04-07T12:21:58","date_gmt":"2021-04-07T12:21:58","guid":{"rendered":"https:\/\/wiki.reuters-it.com\/?p=52"},"modified":"2021-06-11T12:20:52","modified_gmt":"2021-06-11T12:20:52","slug":"mysql-authentication-plugin-caching_sha2_password-reported-error-authentication-requires-secure-connection","status":"publish","type":"post","link":"https:\/\/wiki.reuters-it.com\/?p=52","title":{"rendered":"MySQL: Authentication plugin &#8218;caching_sha2_password&#8216; reported error: Authentication requires secure connection"},"content":{"rendered":"\n<p>MySQL 8.0 ships with:<\/p>\n\n\n\n<ul><li>SSL\/TLS enabled by default<\/li><li>caching_sha2_password authentication<\/li><\/ul>\n\n\n\n<p>DBD::mysql by default:<\/p>\n\n\n\n<ul><li>Has SSL\/TLS disabled<\/li><\/ul>\n\n\n\n<p>This results in the connection failing, as the caching_sha2_password plugin needs either SSL\/TLS or RSA for the <em>initial<\/em> connection. Once the server has the entry in the cache, secure connections are not required.<\/p>\n\n\n\n<p>What the user has to do is one of:<\/p>\n\n\n\n<ol><li>Enable SSL\/TLS (<code>mysql_ssl=1<\/code>)<\/li><li>Specify the RSA public key of the server (<code>mysql_server_pubkey=\/path\/to\/pubkey.pem<\/code>)<\/li><li>Enable RSA public key requests (<code>mysql_get_server_pubkey=1<\/code>)<\/li><\/ol>\n\n\n\n<p>Option 3 is not secure as this allows a MitM attack (the attacker specifies its own pubkey).<br>Option 2 can&#8217;t be enabled by default as we don&#8217;t know where the pubkey is etc.<br>Option 1 can be the default, but this is a change in behavior other users might not expect.<\/p>\n\n\n\n<p>Other options:<br>4. Catch the connection error and retry with SSL\/TLS enabled (hackish)<br>5. Make TLS default a compile time option<br>6. Make TLS the default when compiling against Oracle MySQL 8.0<\/p>\n\n\n\n<p>One thing to avoid is the situation where the defaults depend on too many variables (compile time option, server version, client version, MySQL vs. MariaDB).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MySQL 8.0 ships with: SSL\/TLS enabled by default caching_sha2_password authentication DBD::mysql by default: Has SSL\/TLS disabled This results in the connection failing, as the caching_sha2_password plugin needs either SSL\/TLS or RSA for the initial connection. Once the server has the entry in the cache, secure connections are not required. What the user has to do is:&#8230; <a href=\"https:\/\/wiki.reuters-it.com\/?p=52\">read more &raquo;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,11,5],"tags":[],"_links":{"self":[{"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=\/wp\/v2\/posts\/52"}],"collection":[{"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=52"}],"version-history":[{"count":1,"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=\/wp\/v2\/posts\/52\/revisions"}],"predecessor-version":[{"id":53,"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=\/wp\/v2\/posts\/52\/revisions\/53"}],"wp:attachment":[{"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=52"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=52"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.reuters-it.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=52"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}