Enforce an SSL connection from the client when SSL is enabled on the …

…server
StarRocks · Feb 21, 2025 · 62d1017 · 62d1017
1 parent 6370e1b
commit 62d1017
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 0 deletions.
diff --git a/fe/fe-core/src/main/java/com/starrocks/common/Config.java b/fe/fe-core/src/main/java/com/starrocks/common/Config.java
@@ -3040,6 +3040,12 @@ public class Config extends ConfigBase {
     @ConfField
     public static String ssl_truststore_password = "";
 
+    /**
+     * Allow only encrypted connections from clients
+     **/
+    @ConfField
+    public static boolean require_secure_transport = false;
+
     /**
      * ignore check db status when show proc '/catalog/catalog_name'
      */

diff --git a/fe/fe-core/src/main/java/com/starrocks/common/ErrorCode.java b/fe/fe-core/src/main/java/com/starrocks/common/ErrorCode.java
@@ -106,6 +106,7 @@ public enum ErrorCode {
     ERR_NO_SUCH_QUERY(1365, new byte[] {'4', '2', '0', '0', '0'}, "Unknown query id: %s"),
 
     ERR_CANNOT_USER(1396, new byte[] {'H', 'Y', '0', '0', '0'}, "Operation %s failed for %s"),
+    ERR_SECURE_TRANSPORT_REQUIRED(1403, new byte[] {'0', '8', '0', '0', '4'}, "Server rejected the insecure connection"),
     ERR_NON_INSERTABLE_TABLE(1471, new byte[] {'H', 'Y', '0', '0', '0'},
             "The target table %s of the %s is not insertable-into"),
     ERR_DROP_PARTITION_NON_EXISTENT(1507, new byte[] {'H', 'Y', '0', '0', '0'},

diff --git a/fe/fe-core/src/main/java/com/starrocks/mysql/MysqlProto.java b/fe/fe-core/src/main/java/com/starrocks/mysql/MysqlProto.java
@@ -139,6 +139,13 @@ public static NegotiateResult negotiate(ConnectContext context) throws IOExcepti
             return new NegotiateResult(null, NegotiateState.READ_FIRST_AUTH_PKG_FAILED);
         }
 
+        if (Config.require_secure_transport && !authPacket.isSSLConnRequest()) {
+            LOG.debug("server refused insecure client connection");
+            ErrorReport.report(ErrorCode.ERR_SECURE_TRANSPORT_REQUIRED);
+            sendResponsePacket(context);
+            return new NegotiateResult(null, NegotiateState.SERVER_REJECTED_INSECURE_CONNECTION);
+        }
+
         if (authPacket.isSSLConnRequest()) {
             // change to ssl session
             LOG.info("start to enable ssl connection");

diff --git a/fe/fe-core/src/main/java/com/starrocks/mysql/NegotiateState.java b/fe/fe-core/src/main/java/com/starrocks/mysql/NegotiateState.java
@@ -20,6 +20,7 @@ public enum NegotiateState {
     READ_AUTH_SWITCH_PKG_FAILED("read auth switch package failed"),
     ENABLE_SSL_FAILED("enable ssl failed"),
     READ_SSL_AUTH_PKG_FAILED("read ssl auth package failed"),
+    SERVER_REJECTED_INSECURE_CONNECTION("server rejected the insecure connection"),
     NOT_SUPPORTED_AUTH_MODE("not supported auth mode"),
     KERBEROS_HANDSHAKE_FAILED("kerberos handshake failed"),
     KERBEROS_PLUGIN_NOT_LOADED("kerberos plugin not loaded"),