MariaDB connector update forces SSL

  • Running my library on MariaDB 10 on a QNAP

    Updated from RPI5 13 5/30 nightly to 6/7 and lost access to the library.

    Logs show the updated connector is FORCING ssl/tls requirements.

    Is there a way to bypass ssl to access my library?

    Reverting back to 5/30 nightly works so thinking it's the recent connector update.

  • Can you confirm it forces ssl or forces ssl verification?

    these are the changes

    Comparing v3.3.10...v3.4.0 · mariadb-corporation/mariadb-connector-c
    MariaDB Connector/C is used to connect applications developed in C/C++ to MariaDB and MySQL databases.The client library is LGPL licensed. - Comparing…

    and this one is the force ssl verification.

    Here are the ssl stuff from mariadb and there seems to be some require per user. Without seeing the logs I could not comment further. But is your connection running ssl (and just without the verify?) and it fails with the connector 3.4 (due to the verify) - the comments should be pretty useful in isolating this.

    Securing Connections for Client and Server
    Enabling TLS encryption in transit on both the client and server.
  • Code
    2024-06-07 13:06:32.447 T:2769    error <general>: Unable to open database: MyMusic83 [2026](TLS/SSL error: SSL is required, but the server does not support it)
  • Looks like this works:

  • It looks like the client has changed the “failure logic”

    [MDEV-28634] Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible - Jira
    >> The client will only see an error if they also provide the --ssl-verify-server-cert option:<<

    I believe the correct fix would be to set sslMode=disabled in the connection from Kodi - as in…java-connector/ (will be the same with c connector I believe)
    By default when sslMode is set (not disabled), connector will use "serverSslCert" is set or the default truststore if not. Using default truststore can be disable setting option "fallbackToSystemTrustStore" to false.

  • Looks like this works:

    Thanks for testing vpeter - for the time being (as this needs a Kodi change) this will need to be the workaround.

  • Sorry I had a personal issue.

    when I first upgraded it didn't work. Without troubleshooting I swapped back to 5/30 but still wasn't able to connect.

    Log showed too many attempts.

    Restarted SQL confirmed library working. Swapped to 6/7 and then those logs referenced SSL requirements.

    I updated Kodi on FireTV with apk direct from Kodi and library stopped working.

    So seems the issue stems from base newer base Kodi updates.

  • Sorry to beat a dead horse libreelec works flawless.

    I see the request made on git and have also posted Kodi forums

    Building Kodi (Omega) with mariadb-connector-c 3.4 does not allow connection to non-ssl databases · Issue #25313 · xbmc/xbmc
    Bug report Describe the bug Here is a clear and concise description of what the problem is: With the change in mariadb-corporation/mariadb-connector-c@82983a3…

    Is there anyway to edit a conf to disable the SSL requirement in the interim? I know this might not be the best place to post the question since it's confirmed as a Kodi issue. However figured I'd ask in case it might be a simple line I could toss in or in comment.

    Thanks again for fixing this originally.

  • In LE we have fixed/worked around …. the connector change and the fact that 3.4 can only work with a verified ssl connection.

    The below patch to Kodi “should” fix Kodi to alway “not verify” ssl (thus allowing non sls too). I have not submitted it upstream as I have not “fully tested it”.

  • No, it needs to be compiled with the right options. The fix is in LE12/13 nightlies for a while so just update to the current one?

    Correct it is working in LE13 with nightlies. Was just wondering if the option could be manually set to fix a non LE Kodi for now.

    Thanks for clarifying it needs to be complied and it's not just and option I could edit/change.