使用 JDBC 连接 TiDB Cloud

网友投稿 617 2023-04-09

TiDB Cloud 使用了 TiDB 默认的配置,支持 TLSv1.1,TLSv1.2,TLSv1.3。当我们在使用 MySQL Connector/J 连接 TiDB Cloud 的时候,能否连接成功取决于 JDK 版本和 JDBC driver 的版本。我们用最新的 JDK 17 来测试。

使用 JDBC 连接 TiDB Cloud

JDBC 8.0.26

使用默认的 connection uri

jdbc:mysql://<host>:4000/test?user=root&password=<password>

连接 TiDB Cloud 会报

Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:172)

at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)

at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:240)

at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:443)

at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)

at com.mysql.cj.protocol.ExportControlled.performTlsHandshake(ExportControlled.java:320)

at com.mysql.cj.protocol.StandardSocketFactory.performTlsHandshake(StandardSocketFactory.java:194)

at com.mysql.cj.protocol.a.NativeSocketConnection.performTlsHandshake(NativeSocketConnection.java:101)

at com.mysql.cj.protocol.a.NativeProtocol.negotiateSSLConnection(NativeProtocol.java:308)

跟踪调用路径发现产生该错误的原因是因为 JDBC driver 对低版本的 MySQL server 只会使用 TLSv1 和 TLSv1.1,虽然 TiDB Cloud 支持 TLSv1.1,但是高版本的 JDK 不支持使用 TLSv1.1,所以失败。我们看下路径上关键的代码。

private static String[] getAllowedProtocols(PropertySet pset, ServerVersion serverVersion, String[] socketProtocols) { String[] tryProtocols = null; // If enabledTLSProtocols configuration option is set, overriding the default TLS version restrictions. // This allows enabling TLSv1.2 for self-compiled MySQL versions supporting it, as well as the ability // for users to restrict TLS connections to approved protocols (e.g., prohibiting TLSv1) on the client side. String enabledTLSProtocols = pset.getStringProperty(PropertyKey.enabledTLSProtocols).getValue(); if (enabledTLSProtocols != null && enabledTLSProtocols.length() > 0) { tryProtocols = enabledTLSProtocols.split("\\s*,\\s*"); } // It is problematic to enable TLSv1.2 on the client side when the server is compiled with yaSSL. When client attempts to connect with // TLSv1.2 yaSSL just closes the socket instead of re-attempting handshake with lower TLS version. So here we allow all protocols only // for server versions which are known to be compiled with OpenSSL. else if (serverVersion == null) { // X Protocol doesnt provide server version, but we prefer to use most recent TLS version, though it also means that X Protocol // connection to old MySQL 5.7 GPL releases will fail by default, user must use enabledTLSProtocols=TLSv1.1 to connect them. tryProtocols = TLS_PROTOCOLS; } else if (serverVersion.meetsMinimum(new ServerVersion(5, 7, 28)) || serverVersion.meetsMinimum(new ServerVersion(5, 6, 46)) && !serverVersion.meetsMinimum(new ServerVersion(5, 7, 0)) || serverVersion.meetsMinimum(new ServerVersion(5, 6, 0)) && Util.isEnterpriseEdition(serverVersion.toString())) { tryProtocols = TLS_PROTOCOLS; } else { // allow only TLSv1 and TLSv1.1 for other server versions by default tryProtocols = new String[] { TLSv1_1, TLSv1 }; } List<String> configuredProtocols = new ArrayList<>(Arrays.asList(tryProtocols)); List<String> jvmSupportedProtocols = Arrays.asList(socketProtocols); List<String> allowedProtocols = new ArrayList<>(); for (String protocol : TLS_PROTOCOLS) { if (jvmSupportedProtocols.contains(protocol) && configuredProtocols.contains(protocol)) { allowedProtocols.add(protocol); } } return allowedProtocols.toArray(new String[0]); }

getAllowedProtocols在 TLS handshake 时计算可能的 TLS protocols,因为 TiDB 返回的版本字符串是5.7.25-TiDB-v6.1.0,所以在版本判断时最终走到了else分支,可选的 TLS protocol 最终只有 TLSv1 和 TLSv1.1。(在 connection uri 上显示加的enabledTLSProtocols也是在这里处理,然后在后面被拒绝掉)

private static List<ProtocolVersion> getActiveProtocols( List<ProtocolVersion> enabledProtocols, List<CipherSuite> enabledCipherSuites, AlgorithmConstraints algorithmConstraints) { boolean enabledSSL20Hello = false; ArrayList<ProtocolVersion> protocols = new ArrayList<>(4); for (ProtocolVersion protocol : enabledProtocols) { if (!enabledSSL20Hello && protocol == ProtocolVersion.SSL20Hello) { enabledSSL20Hello = true; continue; } if (!algorithmConstraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), protocol.name, null)) { // Ignore disabled protocol. continue; }

getActiveProtocols用来计算使用的 TLS protocol 和 cipher,但无论是 TLSv1 还是 TLSv1.1,都在algorithmConstraints.permits被拒绝,最终getActiveProtocols返回了一个空列表。

@Override public boolean permits(Set<CryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters) { boolean permitted = true; if (peerSpecifiedConstraints != null) { permitted = peerSpecifiedConstraints.permits( primitives, algorithm, parameters); } if (permitted && userSpecifiedConstraints != null) { permitted = userSpecifiedConstraints.permits( primitives, algorithm, parameters); } if (permitted) { permitted = tlsDisabledAlgConstraints.permits( primitives, algorithm, parameters); } if (permitted && enabledX509DisabledAlgConstraints) { permitted = x509DisabledAlgConstraints.permits( primitives, algorithm, parameters); } return permitted; }

其中 TLSv1.1 会在tlsDisabledAlgConstraints.permits(primitives, algorithm, parameters);这里被拒绝掉,tlsDisabledAlgConstraints就是用来检测java.security文件中的jdk.tls.disabledAlgorithms,对于 JDK 11 它的值是:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \

DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \

include jdk.disabled.namedCurves

JDBC 8.0.29

对照 8.0.26,8.0.29 的getAllowedProtocols逻辑变了,最终返回的结果是 TLSv1.2 和 TLSv1.3,所以可以成功建立连接。

private static String[] getAllowedProtocols(PropertySet pset, @SuppressWarnings("unused") ServerVersion serverVersion, String[] socketProtocols) { List<String> tryProtocols = null; RuntimeProperty<String> tlsVersions = pset.getStringProperty(PropertyKey.tlsVersions); if (tlsVersions != null && tlsVersions.isExplicitlySet()) { // If tlsVersions configuration option is set then override the default TLS versions restriction. if (tlsVersions.getValue() == null) { throw ExceptionFactory.createException(SSLParamsException.class, "Specified list of TLS versions is empty. Accepted values are TLSv1.2 and TLSv1.3."); } tryProtocols = getValidProtocols(tlsVersions.getValue().split("\\s*,\\s*")); } else { tryProtocols = new ArrayList<>(Arrays.asList(VALID_TLS_PROTOCOLS)); } List<String> jvmSupportedProtocols = Arrays.asList(socketProtocols); List<String> allowedProtocols = new ArrayList<>(); for (String protocol : tryProtocols) { if (jvmSupportedProtocols.contains(protocol)) { allowedProtocols.add(protocol); } } return allowedProtocols.toArray(new String[0]); }

JDBC 5.1.49

protected static void transformSocketToSSLSocket(MysqlIO mysqlIO) throws SQLException { SocketFactory sslFact = new StandardSSLSocketFactory(getSSLSocketFactoryDefaultOrConfigured(mysqlIO), mysqlIO.socketFactory, mysqlIO.mysqlConnection); try { mysqlIO.mysqlConnection = sslFact.connect(mysqlIO.host, mysqlIO.port, null); String[] tryProtocols = null; // If enabledTLSProtocols configuration option is set then override the default TLS version restrictions. This allows enabling TLSv1.2 for // self-compiled MySQL versions supporting it, as well as the ability for users to restrict TLS connections to approved protocols (e.g., prohibiting // TLSv1) on the client side. // Note that it is problematic to enable TLSv1.2 on the client side when the server is compiled with yaSSL. When client attempts to connect with // TLSv1.2 yaSSL just closes the socket instead of re-attempting handshake with lower TLS version. String enabledTLSProtocols = mysqlIO.connection.getEnabledTLSProtocols(); if (enabledTLSProtocols != null && enabledTLSProtocols.length() > 0) { tryProtocols = enabledTLSProtocols.split("\\s*,\\s*"); } else if (mysqlIO.versionMeetsMinimum(5, 7, 28) || mysqlIO.versionMeetsMinimum(5, 6, 46) && !mysqlIO.versionMeetsMinimum(5, 7, 0) || mysqlIO.versionMeetsMinimum(5, 6, 0) && Util.isEnterpriseEdition(mysqlIO.getServerVersion())) { // allow all known TLS versions for this subset of server versions by default tryProtocols = TLS_PROTOCOLS; } else { // allow TLSv1 and TLSv1.1 for all server versions by default tryProtocols = new String[] { TLSv1_1, TLSv1 }; }

5.1.49 和 8.0.26 是一个逻辑,走到了else分支,只能使用 TLSv1 和 TLSv1.1。

结果

对于失败的版本,我们可以在 connection uri 上添加enabledTLSProtocols=TLSv1.2,TLSv1.3让 JDBC driver 选择使用 TLSv1.2 或 TLSv1.3。但是enabledTLSProtocols从 8.0.28 开始,变成了tlsVersions,现在enabledTLSProtocols仍然保持为 alias,未来可能有变化。

版权声明:本文内容由网络用户投稿,版权归原作者所有,本站不拥有其著作权,亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容,请联系我们jiasou666@gmail.com 处理,核实后本网站将在24小时内删除侵权内容。

上一篇:基于TiCDC同步的主从集群数据校验
下一篇:TiDB 在 Pinterest丨从 HBase 到 TiDB:我们如何实现零停机在线数据迁移
相关文章