git.ipfire.org Git - thirdparty/haproxy.git/commit

MEDIUM: tcpcheck: add post-80 option for mysql-check to support MySQL 8.x

This patch adds a new 'post-80' option that sets the
CLIENT_PLUGIN_AUTH (0x00080000) capability flag
and explicitly specifies mysql_native_password as
the authentication plugin in the handshake response.

This patch also addes documentation content for post-80 option
support in MySQL 8.x version. Which handles new default auth
plugin caching_sha2_password.

MySQL 8.0 changed the default authentication plugin from
mysql_native_password to caching_sha2_password.
The current mysql-check implementation only supports pre-41
and post-41 client auth protocols, which lack the CLIENT_PLUGIN_AUTH
capability flag. When HAProxy sends a post-41 authentication
packet to a MySQL 8.x server, the server responds with error 1251:
"Client does not support authentication protocol requested by server".

The new client capabilities for post-80 are:
- CLIENT_PROTOCOL_41 (0x00000200)
- CLIENT_SECURE_CONNECTION (0x00008000)
- CLIENT_PLUGIN_AUTH (0x00080000)

Usage example:
backend mysql_servers
option mysql-check user haproxy post-80
server db1 192.168.1.10:3306 check

The health check user must be created with mysql_native_password:
CREATE USER 'haproxy'@'%' IDENTIFIED WITH mysql_native_password BY '';

This addresses https://github.com/haproxy/haproxy/issues/2934.

author	Hyeonggeun Oh <hyeonggeun.oh@plaintexting.com>
	Mon, 2 Feb 2026 13:31:33 +0000 (22:31 +0900)
committer	Christopher Faulet <cfaulet@haproxy.com>
	Tue, 3 Feb 2026 06:36:53 +0000 (07:36 +0100)
commit	2527d9dcd198a5ead99b6c4eaf7dd3856d7adf20
tree	e553d87c2859c280f9d43cb8d1bdd7e1980ac555	tree \| snapshot
parent	f26562bcb7807bf981fba42dfaf65754a801f338	commit \| diff

doc/configuration.txt		diff \| blob \| blame \| history
src/tcpcheck.c		diff \| blob \| blame \| history