[TLS] Use TiProxy with require issuer

[uringover]

Bug Report

1. Minimal reproduce step (Required)

Get a TiDB cluster V6.5.1
CREATE USER that require issuer to connect
Get TiProxy latest
Get mysql client

Try to connect with user without SSL to TiProxy : OK
Try to connect with user_withSSL to TiProxy : NOK
Try to connect user_withSSL to TiDB:4000 : OK

MySQL [(none)]> show create user user_withSSL;
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER for user_withSSL@%                                                                                                                                                                                                                                   |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| CREATE USER 'user_withSSL'@'%' IDENTIFIED WITH 'mysql_native_password' AS '*pwd' REQUIRE ISSUER '/CN=MyCN' PASSWORD EXPIRE DEFAULT ACCOUNT UNLOCK PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT |
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

TiProxy configuration :

# workdir = "./work"
[proxy]
	graceful-close-conn-timeout = 15
	pd-addrs = "ip_pd1:2379,ip_pd2:2379,ip_pd3:2379"

[log]
	level = "debug"

[security]
	min-tls-version = "1.2" # specify minimum TLS version

ssl-verify-server-cert = true
	[security.cluster-tls]
	# access to other components like TiDB or PD, will use this
		ca = "/SSL/tidb-tiproxy_test/ca.crt"
		cert = "/SSL/tidb-tiproxy_test/tiproxy.crt"
		key = "/SSL/tidb-tiproxy_test/tiproxy.key"
	[security.sql-tls]
	# access to TiDB SQL(4000) port will use this
		ssl-verify-server-cert = true
		ca = "/SSL/tidb-tiproxy_test/ca.crt"
		cert = "/SSL/tidb-tiproxy_test/client.crt"
		key = "/SSL/tidb-tiproxy_test/client.key"

TiDB server config :

enable-telemetry = false
token-limit = 10000
[prepared-plan-cache]
enabled = true
[security]
auto-tls = true
cluster-ssl-ca = "/SSD/tls/ca.crt"
cluster-ssl-cert = "/SSD/tls/tidb.crt"
cluster-ssl-key = "/SSD/tls/tidb.pem"
ssl-ca = "/SSL/client/CA-cert.pem"
ssl-cert = "/SSL/client/Server-cert.pem"
ssl-key = "/SSL/client/Server-key.pem"
session-token-signing-cert="/SSL/tiproxy/tiproxy.crt"
session-token-signing-key="/SSL/tiproxy/tiproxy.key"
graceful-wait-before-shutdown=15
[tikv-client]
grpc-connection-count = 20

2. What did you expect to see? (Required)

When I try to connect with my user that requires issuer, I want to be connected successfuly

3. What did you see instead (Required)

Connection is refused
Error from TiProxy logs :

[2024/01/31 16:41:20.564 +01:00] [DEBUG] [main.proxy.conn.be.authenticator] [backend/authenticator.go:198] [backend does not support capabilities from proxy] [connID=2] [client_addr=127.0.0.1:37772] [addr=0.0.0.0:6000] [common=CLIENT_LONG_PASSWORD|CLIENT_FOUND_ROWS|CLIENT_LONG_FLAG|CLIENT_CONNECT_WITH_DB|CLIENT_LOCAL_FILES|CLIENT_PROTOCOL_41|CLIENT_INTERACTIVE|CLIENT_TRANSACTIONS|CLIENT_SECURE_CONNECTION|CLIENT_MULTI_STATEMENTS|CLIENT_MULTI_RESULTS|CLIENT_PLUGIN_AUTH|CLIENT_CONNECT_ATTS|CLIENT_DEPRECATE_EOF] [proxy=CLIENT_COMPRESS|CLIENT_ODBC|CLIENT_RESERVED|CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA|CLIENT_ZSTD_COMPRESSION_ALGORITHM] [backend=CLIENT_SSL]

Error from TiDB logs :

[2024/01/31 16:44:07.202 +01:00] [ERROR] [privileges.go:540] ["global priv check ssl fail"] [authUser=user_withSSL [authHost=x.x.x.x]
[2024/01/31 16:44:07.202 +01:00] [WARN] [conn.go:687] ["open new session or authentication failure"] [conn=1303266525565682207] [error="[privilege:1045]Access denied for user 'user_withSSL'@'x.x.x.x' (using password: YES)"]
[2024/01/31 16:44:07.202 +01:00] [WARN] [server.go:644] ["Server.onConn handshake"] [conn=1303266525565682207] [error="[privilege:1045]Access denied for user 'user_withSSL'@'x.x.x.x' (using password: YES)"] ["remote addr"=x.x.x.x:43778]

4. What is your version? (Required)

TiProxy : 0.2.0
TiDB cluster : V6.5.1

[djshow832]

Thank you for your feedback! It's a known limitation documented in https://docs.pingcap.com/tidb/dev/tiproxy-overview#security
The reason is that the TLS certificate between the client and TiProxy is different from that between TiProxy and TiDB server, and TiDB server verifies the TLS certificate based on the TLS certificate on TiProxy.

We're going to support it after TiProxy is GA.

[uringover]

Hello @djshow832
Thnka you for your answer.
I forgot something in my card..
In the configuration file of TiProxy, there is this part :

	[security.sql-tls]
	# access to TiDB SQL(4000) port will use this
	  #skip-ca = true
	  ssl-verify-server-cert = true
          ca = ""
	  cert = ""
	  key = ""

It looks like TiProxy manage SSL configuration between client and TiDB..?
Am I wrong?

[djshow832]

You can say so.

TiProxy is an L7 proxy and needs to parse packets, so it can't reuse the TLS between the client and TiDB. Instead, the client connects to TiProxy with one cert, and TiProxy connects to TiDB with another cert.

For the TLS configurations, check this doc: https://docs.pingcap.com/tidb/dev/tiproxy-configuration#security