Giters

jonhoo / msql-srv

Bindings for writing a server that can act as MySQL/MariaDB

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Remove support for old handshake

aochagavia opened this issue · comments

commented

Currently, the library includes the following code to handle an old version of the client handshake

msql-srv/src/commands.rs

Lines 47 to 63 in 26a5c35

} else {
// HandshakeResponse320
let (i, maxps1) = nom::number::complete::le_u16(i)?;
let (i, maxps2) = nom::number::complete::le_u8(i)?;
let maxps = (maxps2 as u32) << 16 | maxps1 as u32;
let (i, username) = nom::bytes::complete::take_until(&b"\0"[..])(i)?;
Ok((
i,
ClientHandshake {
capabilities: CapabilityFlags::from_bits_truncate(cap as u32),
maxps,
collation: 0,
username: Some(username),
},
))
}

This gives the impression that the library supports that version of the protocol, but that is probably not the case. Since the old handshake was replaced in version 3.21.0, released in 1998, I think it is safe to assume no MySQL client out there will be using it. IMO it would make sense to remove it from the codebase, both to simplify the code and to avoid confusion for people less familiar with the MySQL protocol.

commented

Oh, interesting — I think I actually observed this being used by a MySQL client at some point, but that could also be a faulty memory on my part. I wonder if it was the Python MySQL library maybe 🤔 Even though the handshake was removed a long time ago, I don't think it's inconceivable that library implementations written in the open-source ecosystem still use that version of the handshake. I wonder what the best way to gather data on this to make an informed decision is. I lean towards keeping the implementation since this is a server implementation, and so we sort of need to implement the lowest common denominator about clients that may be used in the real world.

commented

Fair enough. For context, I opened the issue based on my experience developing a similar library for the Java ecosystem (currently in the process of being open sourced), meant to implement MySQL 5.x compatible servers that can be safely exposed to the internet. I am not an expert in the history of MySQL, but I assume basic security features like pluggable authentication and TLS upgrades were not available before version 3.21.0, which is why I ended up choosing not to support the old handshake and thought you might want to drop it as well.

Thanks for this project, btw! It served as a nice source of inspiration. If you want, I can share a link to the open sourced repository (when it is available), so you can take a look at our e2e test suite. It connects to a test server from multiple programming languages, to ensure the protocol works for a bunch of commonly used libraries, and it is dockerized so it can run easily from GitHub actions. There are also other interesting things to look at, like the implementation of mysq_native_authentication, which is ambiguously described in the official docs and took some experimentation to get right.