Unable to disable TLS verification when using mariadb-connector-c >= 3.4.0
MariaDB Connector/C release notes for 3.4.0 mention enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default.
Using mysql2 with that connector does not allow connecting to a server without using TLS. Setting ssl_mode to disabled seems to do nothing.
irb(main):005:0> client = Mysql2::Client.new(:host => "HOST", :username => "USERNAME", :password => 'PASSWORD', :ssl_mode => :disabled)
gem_home/ruby/3.2.0/gems/mysql2-0.5.6/lib/mysql2/client.rb:97:in `connect': TLS/SSL error: Certificate verification failure: The certificate is NOT trusted. (Mysql2::Error::ConnectionError)
irb(main):012:0> Mysql2::Client.info
=> {:id=>30401, :version=>"3.4.1", :header_version=>"10.8.8"}
If anybody else is running into this issue, we couldn't figure out where the disconnect is between the mysql2 code and the mariadb-connector-c library. It all seems like it's setting the correct flags, but for some reason it refuses to disable TLS.
We worked around it by compiling the mariadb-connector-c with the -DDEFAULT_SSL_VERIFY_SERVER_CERT=0 which defaults it to the old behavior.
Since mariadb-connector-c 3.4.2 (not released yet), the MARIADB_TLS_DISABLE_PEER_VERIFICATION envvar can be used to disable this behavior.
https://mariadb.com/kb/en/mariadb-connector-c-3-4-2-release-notes/
Maybe you can write disable-ssl-verify-server-cert or disable-ssl in the [client] section of your ~/.my.cnf to disable verification or TLS entirely. But I haven't confirmed it yet.