
Feature: connect using TLS


It would be nice if this mysql-driver supported connecting through TLS. This issue (to keep it simple) talks about one-way TLS, not including client-certificates.

Unfortunately, this does not mean it simply works by replacing tcp:// by tls://, as MySQL has its own protocol for that.

Basically, instead of the client immediately replying to the handshake with a HandshakeResponse, it first sends an SSLRequest to the server, then the server calls SSL_connect() which does the TLS handshake, and once a TLS session is up, the client resumes normally with a HandshakeResponse over that upgraded TLS connection.

Useful resources:


This would require some new fields in the ClientConfig:

// Pseudo-code, didn't check the syntax.

/**
 * Client Config
 */
export interface ClientConfig {
    tls?: {
        // Path to a single file containing the CA certificate chain
        ca?: string;

        // Path to a directory containing the CAs to use, e.g. /etc/ssl/certs/
        caPath?: string;

        // The ssl-mode, one of DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY
        // (an interface cannot carry a default value; treat a missing mode as PREFERRED)
        // See https://dev.mysql.com/doc/refman/5.7/en/connection-options.html#option_general_ssl-mode
        mode?: 'DISABLED' | 'PREFERRED' | 'REQUIRED' | 'VERIFY_CA' | 'VERIFY_IDENTITY';
    };
    // ... and the existing fields
}
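The two parts of the proposal above, the SSLRequest step that precedes the HandshakeResponse and the ssl-mode field in ClientConfig, fit together as follows. This is an added example written for this page, not code from deno_mysql or from the issue author; the packet layout is the MySQL Protocol::SSLRequest format, while decideTls, buildSslRequest, parseSslRequest and the sample capability constants are assumed names constructed for the illustration. It runs in any TypeScript runtime (no Deno-specific APIs) because it only builds and checks bytes; the actual socket upgrade would follow the "upgrade" decision.

```typescript
// Added example (not deno_mysql's code): the client side of MySQL's TLS upgrade step.
// Wire-format facts follow the MySQL client/server protocol (Protocol::SSLRequest);
// the ssl-mode policy is an assumed mapping of the mode values named in the issue.

const CLIENT_PROTOCOL_41 = 0x00000200;
const CLIENT_SSL = 0x00000800;
const CLIENT_SECURE_CONNECTION = 0x00008000;
const CLIENT_PLUGIN_AUTH = 0x00080000;

type SslMode = "DISABLED" | "PREFERRED" | "REQUIRED" | "VERIFY_CA" | "VERIFY_IDENTITY";
type TlsDecision = "plain" | "upgrade";

// Decide, from the capability flags in the server greeting, whether to send SSLRequest.
function decideTls(mode: SslMode, serverCapabilities: number): TlsDecision {
  const serverOffersTls = (serverCapabilities & CLIENT_SSL) !== 0;
  if (mode === "DISABLED") return "plain";
  if (serverOffersTls) return "upgrade";
  // PREFERRED silently falls back to cleartext when the server does not advertise
  // CLIENT_SSL; every stricter mode treats a missing flag as a hard error, which is
  // what stops an on-path downgrade that strips the flag from the greeting.
  if (mode === "PREFERRED") return "plain";
  throw new Error(`ssl-mode ${mode} requires TLS but the server did not offer it`);
}

// Build Protocol::SSLRequest: a 4-byte packet header (3-byte little-endian payload
// length, 1-byte sequence id) followed by a 32-byte payload:
//   int<4> client capability flags (must include CLIENT_SSL)
//   int<4> max packet size
//   int<1> character set
//   string[23] zero filler
// The client sends this instead of HandshakeResponse, performs the TLS handshake,
// and then sends the real HandshakeResponse over the encrypted socket.
function buildSslRequest(
  capabilities: number,
  sequenceId = 1, // the server greeting is sequence 0, so the client's first packet is 1
  maxPacket = 16 * 1024 * 1024,
  charset = 45, // utf8mb4_general_ci
): Uint8Array {
  if ((capabilities & CLIENT_SSL) === 0) throw new Error("SSLRequest must set CLIENT_SSL");
  const payloadLen = 32;
  const pkt = new Uint8Array(4 + payloadLen);
  const view = new DataView(pkt.buffer);
  pkt[0] = payloadLen & 0xff;
  pkt[1] = (payloadLen >> 8) & 0xff;
  pkt[2] = (payloadLen >> 16) & 0xff;
  pkt[3] = sequenceId;
  view.setUint32(4, capabilities >>> 0, true);
  view.setUint32(8, maxPacket, true);
  pkt[12] = charset;
  // bytes 13..35 stay zero: the 23-byte reserved filler
  return pkt;
}

interface SslRequestFields {
  length: number;
  sequenceId: number;
  capabilities: number;
  maxPacket: number;
  charset: number;
}

// Parse an SSLRequest packet back into its fields, to check what the client emits.
function parseSslRequest(pkt: Uint8Array): SslRequestFields {
  if (pkt.length < 36) throw new Error("packet too short for SSLRequest");
  const length = pkt[0] | (pkt[1] << 8) | (pkt[2] << 16);
  if (length !== 32) throw new Error(`unexpected SSLRequest payload length ${length}`);
  const view = new DataView(pkt.buffer, pkt.byteOffset, pkt.byteLength);
  return {
    length,
    sequenceId: pkt[3],
    capabilities: view.getUint32(4, true),
    maxPacket: view.getUint32(8, true),
    charset: pkt[12],
  };
}

// Constructed sample: capability bits a TLS-capable server greeting typically carries.
const SAMPLE_SERVER_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH;
const SAMPLE_CLIENT_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH;

// Walk one connection attempt: read the (sample) greeting, decide, emit SSLRequest.
function demo(mode: SslMode): string {
  const decision = decideTls(mode, SAMPLE_SERVER_CAPS);
  if (decision === "plain") return "plain";
  const pkt = buildSslRequest(SAMPLE_CLIENT_CAPS);
  const parsed = parseSslRequest(pkt);
  return `sent ${pkt.length}-byte SSLRequest, caps=0x${parsed.capabilities.toString(16)}`;
}

console.log(demo("REQUIRED"));
```

The policy split is the point worth keeping in mind when the ClientConfig default is chosen: with PREFERRED, a server (or anything between client and server) that fails to advertise CLIENT_SSL gets a cleartext connection and nothing in the driver will flag it, whereas REQUIRED and the VERIFY_* modes refuse to continue. VERIFY_CA and VERIFY_IDENTITY additionally constrain certificate validation after the upgrade; that part happens in the TLS layer and is outside this packet-level sketch.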

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 5
  • Comments: 7 (2 by maintainers)

Top GitHub Comments

11 reactions
codeflows commented, Nov 29, 2021

Here’s my branch with the basic mechanics for getting TLS working.

Examples:

// Hosted database over TLS
const client = await new Client().connect({
  hostname: "xyz.psdb.cloud",
  tls: {
    enabled: true,
  }
});

// Custom CA for self-signed cert (separate binding so both snippets can sit in one module)
const localClient = await new Client().connect({
  hostname: "localhost",
  tls: {
    enabled: true,
    caCertificates: [
      await Deno.readTextFile("./certs/ca.crt")
    ]
  }
});

Things missing:

  • Proper API design?
  • Tests
  • Backwards-compatibility with older versions of deno that don’t have startTls

I currently don’t have time to work on this any further for at least a couple of weeks, but feel free to use my branch as the basis for a proper implementation.

3 reactions
nascode commented, Jul 10, 2022

Just testing @codeflows' TLS branch to connect to a PlanetScale MySQL DB, with great success! Thanks @codeflows, I hope you can create a PR on this.
