Support TLS connections when only ssl-ca is set #1555
Comments
This functionality causes serious problems for environments like Azure Database for MySQL, which allows you to require TLS but does not provide client certificates.
The error message you pasted is not exactly the same as what I saw. Mine is like:
That’s right, it’s because you were connecting to Azure Database for MySQL. It emits a different error message than MySQL Server 5.7.
The error was raised here: https://github.com/pingcap/dm/blob/v2.0.0/pkg/conn/basedb.go#L122
Apparently we should patch https://github.com/pingcap/dm/blob/v2.0.0/pkg/conn/basedb.go#L66-L83
Ok, we will check it.
@GMHDBJD just left one comment on the PR.
Got it. We will fix it as soon as possible.
The TLS issue isn't completely fixed. I got another similar error from the worker side when I tried to create a migration task. Please update the TLS code for dumper/loader/syncer as well. Error:
@kolbe I found from the source code that TiCDC has the same problem. Could you please file tickets for all the other TiDB projects that you can think of that would have the same problem?
@GMHDBJD can you please look at #1555 (comment) and be sure that all parts of DM code that connect to upstream data sources match this behavior of using SSL if only |
closed by #1575
Feature Request
Is your feature request related to a problem? Please describe:
In some cases, an upstream (MySQL, etc.) server may be configured to require SSL/TLS, but not in an environment where client certificates are available.
This can be useful in situations where MySQL is configured using a specific CA key, and only clients that trust that same CA key are allowed to connect.
Describe the feature you'd like:
If only ssl-ca is set in the source configuration file, DM should try to connect using TLS without a client certificate.