This is an automated email from the ASF dual-hosted git repository.
yiguolei pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-4.0 by this push:
new 38c6906ed9d branch-4.0: [Fix](mysql) Disable renegotiation during TLS
#57631 (#57749)
38c6906ed9d is described below
commit 38c6906ed9d0966e7f5038c7f3ca27831f65715d
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu Nov 6 19:24:29 2025 +0800
branch-4.0: [Fix](mysql) Disable renegotiation during TLS #57631 (#57749)
Cherry-picked from #57631
Co-authored-by: abmdocrt <[email protected]>
---
.../java/org/apache/doris/mysql/MysqlChannel.java | 38 +++++++++++++++-------
1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java
index da3d251ceb5..8dfabfb9b6e 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java
@@ -276,6 +276,12 @@ public class MysqlChannel implements BytesChannel {
// unwrap will remove ssl header.
while (true) {
SSLEngineResult result = sslEngine.unwrap(dstBuf, decryptAppData);
+ if (result.getStatus() == SSLEngineResult.Status.OK
+ && result.getHandshakeStatus() !=
SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
+ LOG.warn("SSL renegotiation requested by {} is not supported.
handshakeStatus={}",
+ remoteHostPortString, result.getHandshakeStatus());
+ throw new SSLException("SSL renegotiation is not supported.");
+ }
if (handleUnwrapResult(result) && !dstBuf.hasRemaining()) {
break;
}
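Review bot: The guard on the unwrap result treats every handshakeStatus other than NOT_HANDSHAKING as a renegotiation, but on TLS 1.3 connections the SSLEngine reports post-handshake messages (a peer KeyUpdate, and possibly a deferred NewSessionTicket) through the same handshakeStatus field, so a legitimate key update would now be logged as renegotiation and close the session; the same applies to the wrap loop in the third hunk. If rejecting all post-handshake activity is intended, say so next to the check, e.g. `// Reject any handshake activity after the initial handshake; this also rejects TLS 1.3 post-handshake KeyUpdate.`; otherwise limit the check to protocols below TLS 1.3 (via `sslEngine.getSession().getProtocol()`) or leave it to the engine through the `jdk.tls.rejectClientInitiatedRenegotiation` system property, which rejects client-initiated renegotiation without affecting TLS 1.3 post-handshake messages. The enclosing read method starts and ends outside the hunk, so whether the preceding handshake loop drains pending handshake wraps before the first application data is processed cannot be confirmed here.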
@@ -339,20 +345,22 @@ public class MysqlChannel implements BytesChannel {
result.limit(result.position() + packetLen);
readLen = readAll(result, false);
if (isSslMode && remainingBuffer.position() == 0 &&
result.hasRemaining()) {
+ int available = result.limit();
+ if (available < PACKET_HEADER_LEN) {
+ LOG.warn("SSL mode: invalid mysql packet header, available
bytes: " + available);
+ throw new IOException("Invalid mysql packet header.");
+ }
byte[] header = result.array();
int mysqlPacketLength = (header[0] & 0xFF) | ((header[1] &
0xFF) << 8) | ((header[2] & 0xFF) << 16);
- if (result.position() >= 4 && mysqlPacketLength > 0 &&
mysqlPacketLength
- <= MAX_PHYSICAL_PACKET_LENGTH) {
- int packetId = header[3] & 0xFF;
- if (packetId != sequenceId) {
- LOG.warn("receive packet sequence id[" + packetId + "]
want to get[" + sequenceId + "]");
- throw new IOException("Bad packet sequence.");
- }
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("SSL mode: skipping sequence check, packet
length: " + mysqlPacketLength
- + ", buffer position: " + result.position());
- }
+ if (mysqlPacketLength > MAX_PHYSICAL_PACKET_LENGTH) {
+ LOG.warn("SSL mode: mysql packet length(" +
mysqlPacketLength + ") is larger than max physical "
+ + "packet length(" + MAX_PHYSICAL_PACKET_LENGTH +
")");
+ throw new IOException("Mysql packet too large.");
+ }
+ int packetId = header[3] & 0xFF;
+ if (packetId != sequenceId) {
+ LOG.warn("receive packet sequence id[" + packetId + "]
want to get[" + sequenceId + "]");
+ throw new IOException("Bad packet sequence.");
}
// remove mysql packet header
result.position(4);
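Review bot: The new header guard uses `result.limit()` as the number of available bytes, but that limit was set before the read at the top of the hunk (`result.limit(result.position() + packetLen)`), so it reflects the requested size rather than what `readAll` actually delivered; the condition it replaces checked `result.position() >= 4`, i.e. bytes actually present. If readAll can return short (the `result.hasRemaining()` test in the same condition suggests it can), a buffer with limit at least four but fewer than four bytes read passes the guard and `header[1..3]` are taken from the backing array beyond the data, so the length and sequence checks run on stale bytes. Unless readAll is known to always fill the buffer, the count should be the position the old guard used, `int available = result.position();`, with a short header reported as the invalid-header case the hunk already handles. The enclosing method starts and ends outside the hunk, so whether `result` is always a fresh heap buffer with array offset 0 (required for `header[0]` to be the packet start) is not visible here.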
@@ -453,6 +461,12 @@ public class MysqlChannel implements BytesChannel {
encryptNetData.clear();
while (true) {
SSLEngineResult result = sslEngine.wrap(dstBuf, encryptNetData);
+ if (result.getStatus() == SSLEngineResult.Status.OK
+ && result.getHandshakeStatus() !=
SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
+ LOG.warn("SSL renegotiation requested by {} is not supported
while writing. handshakeStatus={}",
+ remoteHostPortString, result.getHandshakeStatus());
+ throw new SSLException("SSL renegotiation is not supported.");
+ }
if (handleWrapResult(result) && !dstBuf.hasRemaining()) {
break;
}