Can you confirm it forces ssl or forces ssl verification?
these are the changes
and this one is the force ssl verification.
Here are the ssl stuff from mariadb and there seems to be some require per user. Without seeing the logs I could not comment further. But is your connection running ssl (and just without the verify?) and it fails with the connector 3.4 (due to the verify) - the comments should be pretty useful in isolating this.
2024-06-07 13:06:32.447 T:2769 error <general>: Unable to open database: MyMusic83 [2026](TLS/SSL error: SSL is required, but the server does not support it)Looks like this works:
diff --git a/packages/databases/mariadb-connector-c/package.mk b/packages/databases/mariadb-connector-c/package.mk
index f77ec39aa7..0a213c77fb 100644
--- a/packages/databases/mariadb-connector-c/package.mk
+++ b/packages/databases/mariadb-connector-c/package.mk
@@ -16,6 +16,7 @@ PKG_CMAKE_OPTS_TARGET="-DWITH_EXTERNAL_ZLIB=ON
-DCLIENT_PLUGIN_MYSQL_CLEAR_PASSWORD=STATIC
-DCLIENT_PLUGIN_MYSQL_OLD_PASSWORD=STATIC
-DCLIENT_PLUGIN_REMOTE_IO=OFF
+ -DDEFAULT_SSL_VERIFY_SERVER_CERT=OFF
"
post_makeinstall_target() {It looks like the client has changed the “failure logic”
[MDEV-28634] Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible - Jira
>> The client will only see an error if they also provide the --ssl-verify-server-cert option:<<
I believe the correct fix would be to set sslMode=disabled in the connection from Kodi - as in https://mariadb.com/kb/en/using-tl…java-connector/ (will be the same with c connector I believe)
By default when sslMode is set (not disabled), connector will use "serverSslCert" is set or the default truststore if not. Using default truststore can be disable setting option "fallbackToSystemTrustStore" to false.
Looks like this works:
Diffdiff --git a/packages/databases/mariadb-connector-c/package.mk b/packages/databases/mariadb-connector-c/package.mk index f77ec39aa7..0a213c77fb 100644 --- a/packages/databases/mariadb-connector-c/package.mk +++ b/packages/databases/mariadb-connector-c/package.mk @@ -16,6 +16,7 @@ PKG_CMAKE_OPTS_TARGET="-DWITH_EXTERNAL_ZLIB=ON -DCLIENT_PLUGIN_MYSQL_CLEAR_PASSWORD=STATIC -DCLIENT_PLUGIN_MYSQL_OLD_PASSWORD=STATIC -DCLIENT_PLUGIN_REMOTE_IO=OFF + -DDEFAULT_SSL_VERIFY_SERVER_CERT=OFF " post_makeinstall_target() {
Thanks for testing vpeter - for the time being (as this needs a Kodi change) this will need to be the workaround.
The required variable in Kodi would be MYSQL_OPT_SSL_MODE=DISABLED as the current default is PREFERRED https://dev.mysql.com/doc/c-api/5.7/en/mysql-options.html that needs to be called before https://dev.mysql.com/doc/c-api/5.7/…al-connect.html
update to the PR https://github.com/xbmc/xbmc/pull/2566 would be needed in xbmc/dbwrappers/mysqldataset.cpp
Looks like this variable is for server only? Because I don't see reference in mariadb-connector-c.
NB: Without the workaround in https://github.com/LibreELEC/LibreELEC.tv/pull/8970 Kodi makes a large number of connections to the MariaDB server (making repeated connections trying to connect) and this may cause MariaDB to stop responding. Even if you update to an LE image with the workaround included, MariaDB may need to be restarted before it will accept connections again.
confirm the issue
even with self singed certs it then complains about using self signed
so cant use any version since the update
So, to confirm, the issue is resolved for you with the LE12 nightly? - the Android issue needs to be posted in the Kodi forum.
I can confirm working again with generic nightly-20240613-18becd8
and raspi 5 nightly-20240614
Sorry to beat a dead horse libreelec works flawless.
I see the request made on git and have also posted Kodi forums
Is there anyway to edit a conf to disable the SSL requirement in the interim? I know this might not be the best place to post the question since it's confirmed as a Kodi issue. However figured I'd ask in case it might be a simple line I could toss in or in comment.
Thanks again for fixing this originally.
Is there anyway to edit a conf to disable the SSL requirement in the interim?
No, it needs to be compiled with the right options. The fix is in LE12/13 nightlies for a while so just update to the current one?
Display MoreSorry to beat a dead horse libreelec works flawless.
I see the request made on git and have also posted Kodi forumshttps://github.com/xbmc/xbmc/issues/25313
Is there anyway to edit a conf to disable the SSL requirement in the interim? I know this might not be the best place to post the question since it's confirmed as a Kodi issue. However figured I'd ask in case it might be a simple line I could toss in or in comment.
Thanks again for fixing this originally.
In LE we have fixed/worked around …. the connector change and the fact that 3.4 can only work with a verified ssl connection.
The below patch to Kodi “should” fix Kodi to alway “not verify” ssl (thus allowing non sls too). I have not submitted it upstream as I have not “fully tested it”.
From 28b0785f4e08ea5bc102e42d7af55108256ce778 Mon Sep 17 00:00:00 2001
From: Rudi Heitbaum <[email protected]>
Date: Mon, 10 Jun 2024 06:12:49 +0000
Subject: [PATCH] mysql: force SSL off
---
xbmc/dbwrappers/mysqldataset.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/xbmc/dbwrappers/mysqldataset.cpp b/xbmc/dbwrappers/mysqldataset.cpp
index e277eefd8f..99f2deb160 100644
--- a/xbmc/dbwrappers/mysqldataset.cpp
+++ b/xbmc/dbwrappers/mysqldataset.cpp
@@ -181,6 +181,11 @@ int MysqlDatabase::connect(bool create_new)
if (!CWakeOnAccess::GetInstance().WakeUpHost(host, "MySQL : " + db))
return DB_CONNECTION_NONE;
+ my_bool verify=0;
+ mysql_options(conn, MYSQL_OPT_SSL_ENFORCE, (void *)&verify);
+ my_bool enforce_tls=0;
+ mysql_options(conn, MYSQL_OPT_SSL_ENFORCE, (void *)&enforce_tls);
+
// establish connection with just user credentials
if (mysql_real_connect(conn, host.c_str(), login.c_str(), passwd.c_str(), NULL,
atoi(port.c_str()), NULL, compression ? CLIENT_COMPRESS : 0) != NULL)
--
2.43.0