DEV Community: Xiang Zhang The latest articles on DEV Community by Xiang Zhang (@zhangyangyu). https://dev.to/zhangyangyu https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F918061%2F172480ad-52e7-46b1-88d6-0a929b837c33.jpeg DEV Community: Xiang Zhang https://dev.to/zhangyangyu en Connect TiDB Serverless From Databricks Xiang Zhang Thu, 22 Jun 2023 04:08:48 +0000 https://dev.to/cloud-ecosystem/connect-tidb-serverless-from-databricks-23lj https://dev.to/cloud-ecosystem/connect-tidb-serverless-from-databricks-23lj <p>TiDB Serverless by default allows access from Internet and <a href="https://docs.pingcap.com/tidbcloud/secure-connections-to-serverless-tier-clusters">requires secure connection</a>. To connect TiDB Serverless clusters from Databricks, you need to turn on SSL connection from the client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">github_events</span> <span class="o">=</span> <span class="n">spark</span><span class="p">.</span><span class="n">read</span> <span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="s">"jdbc"</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"url"</span><span class="p">,</span> <span class="s">"jdbc:mysql://gateway01.us-west-2.prod.aws.tidbcloud.com:4000/sample_data"</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"dbtable"</span><span class="p">,</span> <span class="s">"github_events"</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"user"</span><span class="p">,</span> <span class="o">&lt;</span><span class="n">username</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"password"</span><span class="p">,</span> <span class="o">&lt;</span><span class="n">password</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">.</span><span class="n">load</span><span class="p">()</span> </code></pre> </div> <p>This is a simple Python snippet to load the <code>github_events</code> sample table from a TiDB Serverless cluster. It will return a error:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ERROR 1105 (HY000): Connections using insecure transport are prohibited. See https://docs.pingcap.com/tidbcloud/secure-connections-to-serverless-tier-clusters </code></pre> </div> <p>By default the JDBC driver doesn't use SSL to connect. According to <a href="https://docs.databricks.com/external-data/mysql.html">https://docs.databricks.com/external-data/mysql.html</a>, seems the underlying driver is mariadb-connector/j, so just add the corresponding SSL option to our snippet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">github_events</span> <span class="o">=</span> <span class="n">spark</span><span class="p">.</span><span class="n">read</span> <span class="p">.</span><span class="nb">format</span><span class="p">(</span><span class="s">"jdbc"</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"url"</span><span class="p">,</span> <span class="s">"jdbc:mysql://gateway01.us-west-2.prod.aws.tidbcloud.com:4000/sample_data?useSsl=true"</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"dbtable"</span><span class="p">,</span> <span class="s">"github_events"</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"user"</span><span class="p">,</span> <span class="o">&lt;</span><span class="n">username</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">.</span><span class="n">option</span><span class="p">(</span><span class="s">"password"</span><span class="p">,</span> <span class="o">&lt;</span><span class="n">password</span><span class="o">&gt;</span><span class="p">)</span> <span class="p">.</span><span class="n">load</span><span class="p">()</span> </code></pre> </div> <p>Only the <code>useSsl=true</code> option is needed. There is no need to specify any CA file since currently TiDB Serverless uses Let's Encrypt ISRG Root X1 as the signing authority. <a href="https://letsencrypt.org/docs/certificate-compatibility/">Usually, it's bundled into JDKs</a>. </p> <p>TiDB Serverless also supports private link connection. It helps if you need private connections.</p> Connecting Deepnote to TiDB Cloud Serverless Cluster Xiang Zhang Thu, 29 Dec 2022 08:50:02 +0000 https://dev.to/cloud-ecosystem/connecting-deepnote-to-tidb-cloud-serverless-cluster-62d https://dev.to/cloud-ecosystem/connecting-deepnote-to-tidb-cloud-serverless-cluster-62d <p>Deepnote is a new kind of data notebook beyond Jupyter. While investigating how to connect Deepnote to <a href="https://tidbcloud.com/free-trial" rel="noopener noreferrer">TiDB Cloud Serverless Tier</a>(a serverless MySQL-compatible cloud database and TiDB Cloud Serverless Tier enforce TLS connections), I found it's not that easy.</p> <p>There are two ways connecting Deepnote notebooks to MySQL, one is using Deepnote's integrations, one is directly from code.</p> <h2> Using integration </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8gw8f9ypc0dsmoax1p0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl8gw8f9ypc0dsmoax1p0.png" alt="Image description" width="800" height="666"></a></p> <p>Deepnote provides a built-in MySQL integration, you could use it to connect to MySQL. But unfortunately, when it involves TLS, it just does not work. As you could see in the image, it says <em>"Connections between Deepnote and your data source are encrypted by SSL (TLS)."</em> but there is no place to specify server's cert. Maybe it uses the system bundled CAs to verify? If it does so, TiDB Cloud Serverless Tier uses ISRG X1 root and it could definitely work. But not :-(</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fleoz3bs6z7jr0nlcsvyd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fleoz3bs6z7jr0nlcsvyd.png" alt="Image description" width="800" height="179"></a></p> <h2> Connecting from code </h2> <p>Integration does not work, but nothing prevents us connecting directly from code. To connect to MySQL, first you need a driver. There are three popular Python MySQL drivers: </p> <ol> <li>mysqlclient</li> <li>PyMySQL</li> <li>mysql-connector-python. </li> </ol> <p>PyMySQL would be easy to install since it's pure Python, you just need to<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>!pip install PyMySQL </code></pre> </div> <p>at top of the notebook. But I used to use mysqlclient. It's not that easy to make everything work if you want to use mysqlclient.</p> <p>First, simply<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>!pip install mysqlclient </code></pre> </div> <p>won't work. mysqlclient is a Python wrapper of libmysqlclient, so you need to install libmysqlclient first. According to <a href="https://deepnote.com/docs/custom-environments#default-environment" rel="noopener noreferrer">https://deepnote.com/docs/custom-environments#default-environment</a> , Deepnote use Debian Buster, so the installation would be<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>!apt install -y default-libmysqlclient-dev !pip install mysqlclient </code></pre> </div> <p>Then when using mysqlclient to securely connecting to MySQL, there are also two points to notice:</p> <ol> <li>We are in Debian Buster, the installed libmysqlclient is actually libmariadbclient. libmaradbclient's interface is not same as libmysqlclient. It leads to mysqlclient doesn't accept <code>ssl_mode</code> tls argument like in other platforms.</li> <li>We want to connect securely, definitely we want to verify the server's cert. As I said above, TiDB Cloud Serverless Tier uses ISRG X1 root, which is commonly in system built-in CA bundle. You could specify the CA as </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ssl={ "ca": "/etc/ssl/certs/ca-certificates.crt" } </code></pre> </div> <p>For more info about connecting to TiDB Cloud Serverless Cluster securely, you could refer to <a href="https://docs.pingcap.com/tidbcloud/secure-connections-to-serverless-tier-clusters" rel="noopener noreferrer">https://docs.pingcap.com/tidbcloud/secure-connections-to-serverless-tier-clusters</a> .</p> <p>UPDATE on 2023-03-03: DeepNote has fixed the problem and complete a whole feature for connecting securely <a href="https://deepnote.com/docs/securing-connections" rel="noopener noreferrer">https://deepnote.com/docs/securing-connections</a>.</p> emptystring Use JDBC to connect TiDB Cloud through TLS Xiang Zhang Mon, 05 Sep 2022 02:48:16 +0000 https://dev.to/cloud-ecosystem/use-jdbc-to-connect-tidb-cloud-through-tls-25b0 https://dev.to/cloud-ecosystem/use-jdbc-to-connect-tidb-cloud-through-tls-25b0 <p>At the time of writing, <a href="https://pingcap.com/tidb-cloud/">TiDB Cloud</a> uses the <a href="https://docs.pingcap.com/tidb/dev/enable-tls-between-clients-and-servers#supported-tls-versions">default configurations</a> to deploy clusters(dedicated tier), supporting TLSv1.1, TLSv1.2 and TLSv1.3. When users use MySQL Connector/J to connect TiDB Cloud, they need to take care of which JDK version and JDBC driver version are in use. In this article, JDK 17 is used for test.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--C7vshGlp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fp1hznx2rk51d6gcpibx.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--C7vshGlp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/fp1hznx2rk51d6gcpibx.png" alt="Image description" width="800" height="359"></a></p> <h2> JDBC 8.0.26 </h2> <p>Using the simplest DSN(with only username and password) to connect TiDB Cloud clusters<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nl">jdbc:mysql:</span><span class="c1">//&lt;host&gt;:4000/test?user=root&amp;password=&lt;password&gt;</span> </code></pre> </div> <p>throws error like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">Caused</span> <span class="nl">by:</span> <span class="n">javax</span><span class="o">.</span><span class="na">net</span><span class="o">.</span><span class="na">ssl</span><span class="o">.</span><span class="na">SSLHandshakeException</span><span class="o">:</span> <span class="nc">No</span> <span class="n">appropriate</span> <span class="nf">protocol</span> <span class="o">(</span><span class="n">protocol</span> <span class="n">is</span> <span class="n">disabled</span> <span class="n">or</span> <span class="n">cipher</span> <span class="n">suites</span> <span class="n">are</span> <span class="n">inappropriate</span><span class="o">)</span> <span class="n">at</span> <span class="n">java</span><span class="o">.</span><span class="na">base</span><span class="o">/</span><span class="n">sun</span><span class="o">.</span><span class="na">security</span><span class="o">.</span><span class="na">ssl</span><span class="o">.</span><span class="na">HandshakeContext</span><span class="o">.&lt;</span><span class="n">init</span><span class="o">&gt;(</span><span class="nc">HandshakeContext</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">172</span><span class="o">)</span> <span class="n">at</span> <span class="n">java</span><span class="o">.</span><span class="na">base</span><span class="o">/</span><span class="n">sun</span><span class="o">.</span><span class="na">security</span><span class="o">.</span><span class="na">ssl</span><span class="o">.</span><span class="na">ClientHandshakeContext</span><span class="o">.&lt;</span><span class="n">init</span><span class="o">&gt;(</span><span class="nc">ClientHandshakeContext</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">103</span><span class="o">)</span> <span class="n">at</span> <span class="n">java</span><span class="o">.</span><span class="na">base</span><span class="o">/</span><span class="n">sun</span><span class="o">.</span><span class="na">security</span><span class="o">.</span><span class="na">ssl</span><span class="o">.</span><span class="na">TransportContext</span><span class="o">.</span><span class="na">kickstart</span><span class="o">(</span><span class="nc">TransportContext</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">240</span><span class="o">)</span> <span class="n">at</span> <span class="n">java</span><span class="o">.</span><span class="na">base</span><span class="o">/</span><span class="n">sun</span><span class="o">.</span><span class="na">security</span><span class="o">.</span><span class="na">ssl</span><span class="o">.</span><span class="na">SSLSocketImpl</span><span class="o">.</span><span class="na">startHandshake</span><span class="o">(</span><span class="nc">SSLSocketImpl</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">443</span><span class="o">)</span> <span class="n">at</span> <span class="n">java</span><span class="o">.</span><span class="na">base</span><span class="o">/</span><span class="n">sun</span><span class="o">.</span><span class="na">security</span><span class="o">.</span><span class="na">ssl</span><span class="o">.</span><span class="na">SSLSocketImpl</span><span class="o">.</span><span class="na">startHandshake</span><span class="o">(</span><span class="nc">SSLSocketImpl</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">421</span><span class="o">)</span> <span class="n">at</span> <span class="n">com</span><span class="o">.</span><span class="na">mysql</span><span class="o">.</span><span class="na">cj</span><span class="o">.</span><span class="na">protocol</span><span class="o">.</span><span class="na">ExportControlled</span><span class="o">.</span><span class="na">performTlsHandshake</span><span class="o">(</span><span class="nc">ExportControlled</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">320</span><span class="o">)</span> <span class="n">at</span> <span class="n">com</span><span class="o">.</span><span class="na">mysql</span><span class="o">.</span><span class="na">cj</span><span class="o">.</span><span class="na">protocol</span><span class="o">.</span><span class="na">StandardSocketFactory</span><span class="o">.</span><span class="na">performTlsHandshake</span><span class="o">(</span><span class="nc">StandardSocketFactory</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">194</span><span class="o">)</span> <span class="n">at</span> <span class="n">com</span><span class="o">.</span><span class="na">mysql</span><span class="o">.</span><span class="na">cj</span><span class="o">.</span><span class="na">protocol</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">NativeSocketConnection</span><span class="o">.</span><span class="na">performTlsHandshake</span><span class="o">(</span><span class="nc">NativeSocketConnection</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">101</span><span class="o">)</span> <span class="n">at</span> <span class="n">com</span><span class="o">.</span><span class="na">mysql</span><span class="o">.</span><span class="na">cj</span><span class="o">.</span><span class="na">protocol</span><span class="o">.</span><span class="na">a</span><span class="o">.</span><span class="na">NativeProtocol</span><span class="o">.</span><span class="na">negotiateSSLConnection</span><span class="o">(</span><span class="nc">NativeProtocol</span><span class="o">.</span><span class="na">java</span><span class="o">:</span><span class="mi">308</span><span class="o">)</span> </code></pre> </div> <p>The reason for the error is that JDBC 8.0.26 will by default use TLSv1 and TLSv1.1 against low version MySQL server. Although TiDB Cloud supports TLSv1.1, but <a href="https://aws.amazon.com/cn/blogs/opensource/tls-1-0-1-1-changes-in-openjdk-and-amazon-corretto/">high version JDK doesn't support TLSv1.1 any more</a>. Let's see the critical code path<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span><span class="o">[]</span> <span class="nf">getAllowedProtocols</span><span class="o">(</span><span class="nc">PropertySet</span> <span class="n">pset</span><span class="o">,</span> <span class="nc">ServerVersion</span> <span class="n">serverVersion</span><span class="o">,</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">socketProtocols</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="c1">// If enabledTLSProtocols configuration option is set, overriding the default TLS version restrictions.</span> <span class="c1">// This allows enabling TLSv1.2 for self-compiled MySQL versions supporting it, as well as the ability</span> <span class="c1">// for users to restrict TLS connections to approved protocols (e.g., prohibiting TLSv1) on the client side.</span> <span class="nc">String</span> <span class="n">enabledTLSProtocols</span> <span class="o">=</span> <span class="n">pset</span><span class="o">.</span><span class="na">getStringProperty</span><span class="o">(</span><span class="nc">PropertyKey</span><span class="o">.</span><span class="na">enabledTLSProtocols</span><span class="o">).</span><span class="na">getValue</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">enabledTLSProtocols</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">enabledTLSProtocols</span><span class="o">.</span><span class="na">length</span><span class="o">()</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="n">enabledTLSProtocols</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">"\\s*,\\s*"</span><span class="o">);</span> <span class="o">}</span> <span class="c1">// It is problematic to enable TLSv1.2 on the client side when the server is compiled with yaSSL. When client attempts to connect with</span> <span class="c1">// TLSv1.2 yaSSL just closes the socket instead of re-attempting handshake with lower TLS version. So here we allow all protocols only</span> <span class="c1">// for server versions which are known to be compiled with OpenSSL.</span> <span class="k">else</span> <span class="nf">if</span> <span class="o">(</span><span class="n">serverVersion</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// X Protocol doesn't provide server version, but we prefer to use most recent TLS version, though it also means that X Protocol</span> <span class="c1">// connection to old MySQL 5.7 GPL releases will fail by default, user must use enabledTLSProtocols=TLSv1.1 to connect them.</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="no">TLS_PROTOCOLS</span><span class="o">;</span> <span class="o">}</span> <span class="k">else</span> <span class="k">if</span> <span class="o">(</span><span class="n">serverVersion</span><span class="o">.</span><span class="na">meetsMinimum</span><span class="o">(</span><span class="k">new</span> <span class="nc">ServerVersion</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">7</span><span class="o">,</span> <span class="mi">28</span><span class="o">))</span> <span class="o">||</span> <span class="n">serverVersion</span><span class="o">.</span><span class="na">meetsMinimum</span><span class="o">(</span><span class="k">new</span> <span class="nc">ServerVersion</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">6</span><span class="o">,</span> <span class="mi">46</span><span class="o">))</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">serverVersion</span><span class="o">.</span><span class="na">meetsMinimum</span><span class="o">(</span><span class="k">new</span> <span class="nc">ServerVersion</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">7</span><span class="o">,</span> <span class="mi">0</span><span class="o">))</span> <span class="o">||</span> <span class="n">serverVersion</span><span class="o">.</span><span class="na">meetsMinimum</span><span class="o">(</span><span class="k">new</span> <span class="nc">ServerVersion</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">6</span><span class="o">,</span> <span class="mi">0</span><span class="o">))</span> <span class="o">&amp;&amp;</span> <span class="nc">Util</span><span class="o">.</span><span class="na">isEnterpriseEdition</span><span class="o">(</span><span class="n">serverVersion</span><span class="o">.</span><span class="na">toString</span><span class="o">()))</span> <span class="o">{</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="no">TLS_PROTOCOLS</span><span class="o">;</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="c1">// allow only TLSv1 and TLSv1.1 for other server versions by default</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">String</span><span class="o">[]</span> <span class="o">{</span> <span class="n">TLSv1_1</span><span class="o">,</span> <span class="nc">TLSv1</span> <span class="o">};</span> <span class="o">}</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">configuredProtocols</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">tryProtocols</span><span class="o">));</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">jvmSupportedProtocols</span> <span class="o">=</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">socketProtocols</span><span class="o">);</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">allowedProtocols</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;();</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">protocol</span> <span class="o">:</span> <span class="no">TLS_PROTOCOLS</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">jvmSupportedProtocols</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">protocol</span><span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="n">configuredProtocols</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">protocol</span><span class="o">))</span> <span class="o">{</span> <span class="n">allowedProtocols</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="n">protocol</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="n">allowedProtocols</span><span class="o">.</span><span class="na">toArray</span><span class="o">(</span><span class="k">new</span> <span class="nc">String</span><span class="o">[</span><span class="mi">0</span><span class="o">]);</span> <span class="o">}</span> </code></pre> </div> <p><code>getAllowedProtocols</code> calculates the possible TLS protocols used in the handshake phase. The version TiDB Cloud returns is <code>5.7.25-TiDB-v6.1.0</code>, so the code finally goes into the <code>else</code> branch, protocols being TLSv1 and TLSv1.1(<code>enabledTLSProtocols</code> parameter in DSN is also treated here).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">ProtocolVersion</span><span class="o">&gt;</span> <span class="nf">getActiveProtocols</span><span class="o">(</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">ProtocolVersion</span><span class="o">&gt;</span> <span class="n">enabledProtocols</span><span class="o">,</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">CipherSuite</span><span class="o">&gt;</span> <span class="n">enabledCipherSuites</span><span class="o">,</span> <span class="nc">AlgorithmConstraints</span> <span class="n">algorithmConstraints</span><span class="o">)</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="n">enabledSSL20Hello</span> <span class="o">=</span> <span class="kc">false</span><span class="o">;</span> <span class="nc">ArrayList</span><span class="o">&lt;</span><span class="nc">ProtocolVersion</span><span class="o">&gt;</span> <span class="n">protocols</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;(</span><span class="mi">4</span><span class="o">);</span> <span class="k">for</span> <span class="o">(</span><span class="nc">ProtocolVersion</span> <span class="n">protocol</span> <span class="o">:</span> <span class="n">enabledProtocols</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="n">enabledSSL20Hello</span> <span class="o">&amp;&amp;</span> <span class="n">protocol</span> <span class="o">==</span> <span class="nc">ProtocolVersion</span><span class="o">.</span><span class="na">SSL20Hello</span><span class="o">)</span> <span class="o">{</span> <span class="n">enabledSSL20Hello</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="k">continue</span><span class="o">;</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(!</span><span class="n">algorithmConstraints</span><span class="o">.</span><span class="na">permits</span><span class="o">(</span> <span class="nc">EnumSet</span><span class="o">.</span><span class="na">of</span><span class="o">(</span><span class="nc">CryptoPrimitive</span><span class="o">.</span><span class="na">KEY_AGREEMENT</span><span class="o">),</span> <span class="n">protocol</span><span class="o">.</span><span class="na">name</span><span class="o">,</span> <span class="kc">null</span><span class="o">))</span> <span class="o">{</span> <span class="c1">// Ignore disabled protocol.</span> <span class="k">continue</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p><code>getActiveProtocols</code> calculates the final protocol and cipher. No matter TLSv1 or TLSv1.1, it will be rejected in <code>algorithmConstraints.permits</code> and then <code>getActiveProtocols</code> returns an empty list.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">permits</span><span class="o">(</span><span class="nc">Set</span><span class="o">&lt;</span><span class="nc">CryptoPrimitive</span><span class="o">&gt;</span> <span class="n">primitives</span><span class="o">,</span> <span class="nc">String</span> <span class="n">algorithm</span><span class="o">,</span> <span class="nc">AlgorithmParameters</span> <span class="n">parameters</span><span class="o">)</span> <span class="o">{</span> <span class="kt">boolean</span> <span class="n">permitted</span> <span class="o">=</span> <span class="kc">true</span><span class="o">;</span> <span class="k">if</span> <span class="o">(</span><span class="n">peerSpecifiedConstraints</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">permitted</span> <span class="o">=</span> <span class="n">peerSpecifiedConstraints</span><span class="o">.</span><span class="na">permits</span><span class="o">(</span> <span class="n">primitives</span><span class="o">,</span> <span class="n">algorithm</span><span class="o">,</span> <span class="n">parameters</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">permitted</span> <span class="o">&amp;&amp;</span> <span class="n">userSpecifiedConstraints</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="n">permitted</span> <span class="o">=</span> <span class="n">userSpecifiedConstraints</span><span class="o">.</span><span class="na">permits</span><span class="o">(</span> <span class="n">primitives</span><span class="o">,</span> <span class="n">algorithm</span><span class="o">,</span> <span class="n">parameters</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">permitted</span><span class="o">)</span> <span class="o">{</span> <span class="n">permitted</span> <span class="o">=</span> <span class="n">tlsDisabledAlgConstraints</span><span class="o">.</span><span class="na">permits</span><span class="o">(</span> <span class="n">primitives</span><span class="o">,</span> <span class="n">algorithm</span><span class="o">,</span> <span class="n">parameters</span><span class="o">);</span> <span class="o">}</span> <span class="k">if</span> <span class="o">(</span><span class="n">permitted</span> <span class="o">&amp;&amp;</span> <span class="n">enabledX509DisabledAlgConstraints</span><span class="o">)</span> <span class="o">{</span> <span class="n">permitted</span> <span class="o">=</span> <span class="n">x509DisabledAlgConstraints</span><span class="o">.</span><span class="na">permits</span><span class="o">(</span> <span class="n">primitives</span><span class="o">,</span> <span class="n">algorithm</span><span class="o">,</span> <span class="n">parameters</span><span class="o">);</span> <span class="o">}</span> <span class="k">return</span> <span class="n">permitted</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>TLSv1.1 will be rejected at <code>tlsDisabledAlgConstraints.permits(primitives, algorithm, parameters);</code>. <code>tlsDisabledAlgConstraints</code> is checked against <code>jdk.tls.disabledAlgorithms</code> in <code>java.security</code> file. For JDK 11, its value is<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize &lt; 1024, EC keySize &lt; 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves </code></pre> </div> <h2> JDBC 8.0.29 </h2> <p>Compared with 8.0.26, <code>getAllowedProtocols</code> changed in 8.0.29, returns TLSv1.2 and TLSv1.3. So normally you could connect successfully to TiDB Cloud.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">private</span> <span class="kd">static</span> <span class="nc">String</span><span class="o">[]</span> <span class="nf">getAllowedProtocols</span><span class="o">(</span><span class="nc">PropertySet</span> <span class="n">pset</span><span class="o">,</span> <span class="nd">@SuppressWarnings</span><span class="o">(</span><span class="s">"unused"</span><span class="o">)</span> <span class="nc">ServerVersion</span> <span class="n">serverVersion</span><span class="o">,</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">socketProtocols</span><span class="o">)</span> <span class="o">{</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="nc">RuntimeProperty</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">tlsVersions</span> <span class="o">=</span> <span class="n">pset</span><span class="o">.</span><span class="na">getStringProperty</span><span class="o">(</span><span class="nc">PropertyKey</span><span class="o">.</span><span class="na">tlsVersions</span><span class="o">);</span> <span class="k">if</span> <span class="o">(</span><span class="n">tlsVersions</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">tlsVersions</span><span class="o">.</span><span class="na">isExplicitlySet</span><span class="o">())</span> <span class="o">{</span> <span class="c1">// If tlsVersions configuration option is set then override the default TLS versions restriction.</span> <span class="k">if</span> <span class="o">(</span><span class="n">tlsVersions</span><span class="o">.</span><span class="na">getValue</span><span class="o">()</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="nc">ExceptionFactory</span><span class="o">.</span><span class="na">createException</span><span class="o">(</span><span class="nc">SSLParamsException</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="s">"Specified list of TLS versions is empty. Accepted values are TLSv1.2 and TLSv1.3."</span><span class="o">);</span> <span class="o">}</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="n">getValidProtocols</span><span class="o">(</span><span class="n">tlsVersions</span><span class="o">.</span><span class="na">getValue</span><span class="o">().</span><span class="na">split</span><span class="o">(</span><span class="s">"\\s*,\\s*"</span><span class="o">));</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;(</span><span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="no">VALID_TLS_PROTOCOLS</span><span class="o">));</span> <span class="o">}</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">jvmSupportedProtocols</span> <span class="o">=</span> <span class="nc">Arrays</span><span class="o">.</span><span class="na">asList</span><span class="o">(</span><span class="n">socketProtocols</span><span class="o">);</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">&gt;</span> <span class="n">allowedProtocols</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArrayList</span><span class="o">&lt;&gt;();</span> <span class="k">for</span> <span class="o">(</span><span class="nc">String</span> <span class="n">protocol</span> <span class="o">:</span> <span class="n">tryProtocols</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">jvmSupportedProtocols</span><span class="o">.</span><span class="na">contains</span><span class="o">(</span><span class="n">protocol</span><span class="o">))</span> <span class="o">{</span> <span class="n">allowedProtocols</span><span class="o">.</span><span class="na">add</span><span class="o">(</span><span class="n">protocol</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">return</span> <span class="n">allowedProtocols</span><span class="o">.</span><span class="na">toArray</span><span class="o">(</span><span class="k">new</span> <span class="nc">String</span><span class="o">[</span><span class="mi">0</span><span class="o">]);</span> <span class="o">}</span> </code></pre> </div> <h2> JDBC 5.1.49 </h2> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">protected</span> <span class="kd">static</span> <span class="kt">void</span> <span class="nf">transformSocketToSSLSocket</span><span class="o">(</span><span class="nc">MysqlIO</span> <span class="n">mysqlIO</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">SQLException</span> <span class="o">{</span> <span class="nc">SocketFactory</span> <span class="n">sslFact</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StandardSSLSocketFactory</span><span class="o">(</span><span class="n">getSSLSocketFactoryDefaultOrConfigured</span><span class="o">(</span><span class="n">mysqlIO</span><span class="o">),</span> <span class="n">mysqlIO</span><span class="o">.</span><span class="na">socketFactory</span><span class="o">,</span> <span class="n">mysqlIO</span><span class="o">.</span><span class="na">mysqlConnection</span><span class="o">);</span> <span class="k">try</span> <span class="o">{</span> <span class="n">mysqlIO</span><span class="o">.</span><span class="na">mysqlConnection</span> <span class="o">=</span> <span class="n">sslFact</span><span class="o">.</span><span class="na">connect</span><span class="o">(</span><span class="n">mysqlIO</span><span class="o">.</span><span class="na">host</span><span class="o">,</span> <span class="n">mysqlIO</span><span class="o">.</span><span class="na">port</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="nc">String</span><span class="o">[]</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="kc">null</span><span class="o">;</span> <span class="c1">// If enabledTLSProtocols configuration option is set then override the default TLS version restrictions. This allows enabling TLSv1.2 for</span> <span class="c1">// self-compiled MySQL versions supporting it, as well as the ability for users to restrict TLS connections to approved protocols (e.g., prohibiting</span> <span class="c1">// TLSv1) on the client side.</span> <span class="c1">// Note that it is problematic to enable TLSv1.2 on the client side when the server is compiled with yaSSL. When client attempts to connect with</span> <span class="c1">// TLSv1.2 yaSSL just closes the socket instead of re-attempting handshake with lower TLS version.</span> <span class="nc">String</span> <span class="n">enabledTLSProtocols</span> <span class="o">=</span> <span class="n">mysqlIO</span><span class="o">.</span><span class="na">connection</span><span class="o">.</span><span class="na">getEnabledTLSProtocols</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">enabledTLSProtocols</span> <span class="o">!=</span> <span class="kc">null</span> <span class="o">&amp;&amp;</span> <span class="n">enabledTLSProtocols</span><span class="o">.</span><span class="na">length</span><span class="o">()</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="n">enabledTLSProtocols</span><span class="o">.</span><span class="na">split</span><span class="o">(</span><span class="s">"\\s*,\\s*"</span><span class="o">);</span> <span class="o">}</span> <span class="k">else</span> <span class="k">if</span> <span class="o">(</span><span class="n">mysqlIO</span><span class="o">.</span><span class="na">versionMeetsMinimum</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">7</span><span class="o">,</span> <span class="mi">28</span><span class="o">)</span> <span class="o">||</span> <span class="n">mysqlIO</span><span class="o">.</span><span class="na">versionMeetsMinimum</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">6</span><span class="o">,</span> <span class="mi">46</span><span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">mysqlIO</span><span class="o">.</span><span class="na">versionMeetsMinimum</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">7</span><span class="o">,</span> <span class="mi">0</span><span class="o">)</span> <span class="o">||</span> <span class="n">mysqlIO</span><span class="o">.</span><span class="na">versionMeetsMinimum</span><span class="o">(</span><span class="mi">5</span><span class="o">,</span> <span class="mi">6</span><span class="o">,</span> <span class="mi">0</span><span class="o">)</span> <span class="o">&amp;&amp;</span> <span class="nc">Util</span><span class="o">.</span><span class="na">isEnterpriseEdition</span><span class="o">(</span><span class="n">mysqlIO</span><span class="o">.</span><span class="na">getServerVersion</span><span class="o">()))</span> <span class="o">{</span> <span class="c1">// allow all known TLS versions for this subset of server versions by default</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="no">TLS_PROTOCOLS</span><span class="o">;</span> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> <span class="c1">// allow TLSv1 and TLSv1.1 for all server versions by default</span> <span class="n">tryProtocols</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">String</span><span class="o">[]</span> <span class="o">{</span> <span class="n">TLSv1_1</span><span class="o">,</span> <span class="nc">TLSv1</span> <span class="o">};</span> <span class="o">}</span> </code></pre> </div> <p>Although name is different, but 5.1.49 shares the same logic with 8.0.26, goes into the <code>else</code> branch and returns only TLSv1/TLSv1.1.</p> <h2> Conclusion </h2> <p>For failed versions, we could concat <code>enabledTLSProtocols=TLSv1.2,TLSv1.3</code> in the DSN to force JDBC driver choose higher version TLS protocols. To connect consistently, you could always add the parameter. But from 8.0.28, <code>enabledTLSProtocols</code> is changed to <code>tlsVersions</code> and remains an alias. It might be removed in the future.</p> <h2> UPDATE on 2022/09/19: </h2> <p>TiDB Cloud dedicated clusters recently provide their private CA for users to download and verify. They recommend using <code>verify_identity</code> argument in DSN. One thing to note is that the certs of the clusters use SAN, to do identity verification, you need to use at least MySQL Connector/J 8.0.22. <a href="https://dev.mysql.com/doc/relnotes/connector-j/8.0/en/news-8-0-22.html">From this version, SAN is supported.</a></p> <h2> UPDATE on 2024/01/04 </h2> <p>TiDB kernel advertise their MySQL version as <code>8.0.11</code> from <em>v7.4.0</em>. So if you connect to versions later than this, even <em>JDBC 8.0.26</em> could connect easily. TiDB Serverless currently use TiDB kernel v7.1.0, but it advertise its MySQL version as <code>5.7.28</code> to provide more convenience for old version JDBC drivers.</p> jdbc java tidb mysql