backend: keep backend TLS config consistent with frontend TLS config (#…

…303)
pingcap · Jun 6, 2023 · 95c9c3c · 95c9c3c
1 parent e89da8f
commit 95c9c3c
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/pkg/proxy/backend/authenticator.go b/pkg/proxy/backend/authenticator.go
@@ -20,6 +20,7 @@ import (
 
 var (
 	ErrCapabilityNegotiation = errors.New("capability negotiation failed")
+	ErrTLSConfigRequired     = errors.New("require TLS config on TiProxy when require-backend-tls=true")
 )
 
 const unknownAuthPlugin = "auth_unknown_plugin"
@@ -300,7 +301,17 @@ func (auth *Authenticator) writeAuthHandshake(
 	}
 
 	var pkt []byte
-	if backendCapability&pnet.ClientSSL != 0 && backendTLSConfig != nil {
+	var enableTLS bool
+	if auth.requireBackendTLS {
+		if backendTLSConfig == nil {
+			return ErrTLSConfigRequired
+		}
+		enableTLS = true
+	} else {
+		// When client TLS is disabled, also disables proxy TLS.
+		enableTLS = pnet.Capability(auth.capability)&pnet.ClientSSL != 0 && backendCapability&pnet.ClientSSL != 0 && backendTLSConfig != nil
+	}
+	if enableTLS {
 		resp.Capability |= mysql.ClientSSL
 		pkt = pnet.MakeHandshakeResponse(resp)
 		// write SSL Packet

diff --git a/pkg/proxy/backend/authenticator_test.go b/pkg/proxy/backend/authenticator_test.go
@@ -228,3 +228,42 @@ func TestCustomAuth(t *testing.T) {
 	checker()
 	clean()
 }
+
+func TestEnableTLS(t *testing.T) {
+	tests := []struct {
+		cfg     cfgOverrider
+		enabled bool
+	}{
+		{
+			cfg: func(cfg *testConfig) {
+				cfg.clientConfig.capability &= ^pnet.ClientSSL
+				cfg.backendConfig.capability |= pnet.ClientSSL
+			},
+			enabled: false,
+		},
+		{
+			cfg: func(cfg *testConfig) {
+				cfg.clientConfig.capability |= pnet.ClientSSL
+				cfg.backendConfig.capability |= pnet.ClientSSL
+			},
+			enabled: true,
+		},
+		{
+			// client enables TLS but backendTLSConfig is nil
+			cfg: func(cfg *testConfig) {
+				cfg.clientConfig.capability |= pnet.ClientSSL
+				cfg.proxyConfig.backendTLSConfig = nil
+				cfg.backendConfig.capability |= pnet.ClientSSL
+			},
+			enabled: false,
+		},
+	}
+	tc := newTCPConnSuite(t)
+	for _, test := range tests {
+		ts, clean := newTestSuite(t, tc, test.cfg)
+		ts.authenticateFirstTime(t, func(t *testing.T, _ *testSuite) {
+			require.Equal(t, test.enabled, ts.mb.capability&pnet.ClientSSL > 0)
+		})
+		clean()
+	}
+}