MySQL Connector/C++ Release Notes
Connector/C++ now supports authentication to MySQL Server using devices such as smart cards, security keys, and biometric readers. This authentication method is based on the Fast Identity Online (FIDO) standard. To ensure client applications using the legacy JDBC API are notified when a user is expected to interact with the FIDO device, Connector/C++ implements the new setCallBack() method in the MySQL_Driver class that accepts a single callback argument named Fido_Callback.
    class Fido_Callback {
    public:
      Fido_Callback(std::function<void(SQLString)>);
      /**
       * Override this method to receive Fido Action Requests
       */
      virtual void FidoActionRequested(sql::SQLString msg);
    };
Any connection created by the driver can use the callback, if needed. However, if an application does not set the callback explicitly, libmysqlclient determines the behavior by default, which involves printing a message to standard output.
On Windows, the client application must run as administrator. This is a requirement of the fido2.dll library, which is used by the authentication_fido plugin.
A client application has two options for obtaining a callback from the connector:
By passing a function or lambda to Fido_Callback.
    driver->setCallBack(Fido_Callback([](SQLString msg) {...}));
By implementing the virtual method FidoActionRequested.
    class MyWindow : public Fido_Callback {
      void FidoActionRequested(sql::SQLString msg) override;
    };
    MyWindow window;
    driver->setCallBack(window);
Setting a new callback always removes the previous callback. To disable the active callback and restore the default behavior, pass nullptr as a function callback. Example:
    driver->setCallBack(Fido_Callback(nullptr));
For more information about FIDO authentication, see FIDO Pluggable Authentication. (WL #14878)
For platforms on which OpenSSL libraries are bundled, the linked OpenSSL library for Connector/C++ has been updated to version 1.1.1n. Issues fixed in the new OpenSSL version are described at https://www.openssl.org/news/cl111.txt and https://www.openssl.org/news/vulnerabilities.html. (Bug #33987637)
The Connector/C++ X DevAPI Reference documentation, available at https://dev.mysql.com/doc/index-connectors.html, updated its usage instructions for the Collection.modify().unset() operation. The argument to unset() is a string to be interpreted as a document path expression (similar to "$.foo.'bar'"), rather than a literal field name. If the argument contains special characters (spaces, '.', '$', and so on), then it is necessary to enclose the field name in quotation marks. For example:
    Collection.modify(~~).unset("\"field name with spaces\"")
(Bug #33795881)
Connector/C++ supports new aliases for existing TLS/SSL connection options to deliver better alignment among X DevAPI, X DevAPI for C, and the legacy JDBC-based API. This alignment effort ensures that option naming, functionality, and behavior are implemented consistently while also retaining compatibility with the existing options. For example, Connector/C++ now ensures that setting TLS/SSL connection options, along with ssl-mode=DISABLED, does not return an error if a client application provides incompatible options, or if the same option is repeated in a connection string or with properties.
Changes that apply to X DevAPI and X DevAPI for C are:
tls-version is added as an alias to the existing tls-versions connection option.
ssl-capath, ssl-crl, and ssl-crlpath options are now implemented with the same functionality as the legacy JDBC API.
If the same option is repeated, the last option value prevails.
The new aliases for the legacy JDBC API are:
ssl-mode (for the existing OPT_SSLMODE option): Preferred security state of a connection to server.
ssl-ca (for the existing sslCA option): File that contains a list of trusted SSL Certificate Authorities.
ssl-capath (for the existing sslCAPath option): Directory that contains trusted SSL Certificate Authority certificate files.
ssl-cert (for the existing sslCert option): File that contains X.509 certificate.
ssl-cipher (for the existing sslCipher option): Permissible ciphers for connection encryption.
ssl-key (for the existing sslKey option): File that contains X.509 key.
ssl-crl (for the existing sslCRL option): File that contains certificate revocation lists.
ssl-crlpath (for the existing sslCRLPath option): Directory that contains certificate revocation-list files.
tls-version (for the existing OPT_TLS_VERSION option): Permissible TLS protocols for encrypted connections.
When using the legacy JDBC API, the effect of setting an option twice is determined by the client library. In addition, TLS/SSL options are not supported in URI-like strings when using the legacy JDBC API. (WL #14846)
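A pre-connection check for the behavior described above, as an added example that is not Connector/C++ code: because TLS/SSL options combined with ssl-mode=DISABLED no longer produce an error, this stand-alone C++ linter applies the X DevAPI rules from this note (the tls-version alias, last value prevails) and reports TLS settings that would have no effect. The names lint_tls_options, Options and Report, and the sample option values, are assumptions made for the example.

```cpp
// Added example, not Connector/C++ code: lint X DevAPI TLS options before connecting.
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Options = std::vector<std::pair<std::string, std::string>>;

struct Report {
    std::map<std::string, std::string> effective;  // value per option after last-wins
    std::vector<std::string> warnings;
};

Report lint_tls_options(const Options& opts) {
    Report r;
    for (const auto& kv : opts) {
        // tls-version is an alias for the existing tls-versions option.
        const std::string name = (kv.first == "tls-version") ? "tls-versions" : kv.first;
        auto it = r.effective.find(name);
        if (it != r.effective.end() && it->second != kv.second)
            r.warnings.push_back(name + ": '" + it->second + "' overridden by '" + kv.second + "'");
        r.effective[name] = kv.second;  // the last value prevails
    }
    auto mode = r.effective.find("ssl-mode");
    if (mode != r.effective.end() && mode->second == "DISABLED") {
        // The connector returns no error for this combination, so flag it here.
        for (const auto& kv : r.effective) {
            const bool tls_opt = kv.first == "tls-versions" ||
                (kv.first.compare(0, 4, "ssl-") == 0 && kv.first != "ssl-mode");
            if (tls_opt)
                r.warnings.push_back(kv.first + " has no effect: ssl-mode=DISABLED");
        }
    }
    return r;
}

int main() {
    // Constructed sample: a hardened default followed by a later override.
    const Options opts = {
        {"ssl-mode", "VERIFY_CA"}, {"ssl-ca", "/etc/app/ca.pem"},
        {"tls-version", "TLSv1.3"}, {"ssl-mode", "DISABLED"}};
    const Report r = lint_tls_options(opts);
    for (const auto& w : r.warnings) std::printf("warning: %s\n", w.c_str());
    return r.warnings.empty() ? 0 : 1;
}
```

Run it over the merged option set (defaults plus overrides) in CI or at start-up, and treat any warning as a failed check when the deployment requires encrypted connections.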
Bit-value types in aggregate functions could return unexpected values for an application that uses the legacy JDBC API. (Bug #33748725)
The Connector/C++ classic driver was unable to find authentication plugins unless the OPT_PLUGIN_DIR connection option was set explicitly. The driver now uses its shared library to determine the plugin location as a relative path. (Bug #33721056)
On Windows, when an application using the legacy JDBC API attempted to authenticate a user with a plugin that was unable to find a required library, the process halted rather than emitting an error message. (Bug #33701997)