Use caching_sha2_password for proxy auth #24
Conversation
dbussink
force-pushed
the
dbussink/implement-caching-sha2-auth
branch
3 times, most recently
from
4cb0abe to
dec3c0a
Compare
Up until now, mysql_native_password was used for auth. This is however removed in MySQL 9.x and this is the default that Homebrew installs on MacOS. While we can also try to deal with installing older versions on MacOS, alternatively we update the auth for the proxy to caching_sha2_password. The one thing that this breaks is very old MySQL 5.7 clients. Anything older than MySQL 5.7.23 (released 2018-07-27) would break with this. We don't really support 5.7 for the proxy anyway though. Signed-off-by: Dirkjan Bussink <[email protected]>
dbussink
force-pushed
the
dbussink/implement-caching-sha2-auth
branch
from
dec3c0a to
d96ed5f
Compare
| return nil, err | ||
| } | ||
|
|
||
| // Salt must be a legal UTF8 string. |
There was a problem hiding this comment.
This causes the salt generation to not be uniformly random. It may be better to just hex encode the randomly generated bytes, so we get a uniform random string still.
There was a problem hiding this comment.
This does not matter in practice since it's not actually used. I merely copied what is already there in Vitess (and this likely does the same as MySQL). So if this needs fixing, it should be fixed in Vitess.
There was a problem hiding this comment.
Hex encoding btw here is worse entropy wise though. Since it means half the entropy from the original source bytes (10 instead of 20) and the final character set is much smaller then.
There was a problem hiding this comment.
Heh, yeh, MySQL does do the same thing.
There was a problem hiding this comment.
Hex encoding btw here is worse entropy wise though. Since it means half the entropy from the original source bytes (10 instead of 20) and the final character set is much smaller then.
Not if all 40 characters are used. 20 bytes worth of entropy, but actually uniformly random.
There was a problem hiding this comment.
@GrahamCampbell It is not possible to use more characters. This is hardcoded to 20 in the MySQL protocol. There's no flexibility here afaik.
Heh, yeh, MySQL does do the same thing.
Yeah, so not something we will change here or in Vitess then. If you think it's worth it, you could report it to MySQL then.
Up until now, mysql_native_password was used for auth. This is however removed in MySQL 9.x and this is the default that Homebrew installs on MacOS.
While we can also try to deal with installing older versions on MacOS, alternatively we update the auth for the proxy to
caching_sha2_password.
The one thing that this breaks is very old MySQL 5.7 clients. Anything older than MySQL 5.7.23 (released 2018-07-27) would break with this. We don't really support 5.7 for the proxy anyway though.