I am trying to establish a connection between Rust and MariaDB over mysql_async. I get a connection to the database, but something is wrong. Instead I get this error message:
Error: Io(Tls(TlsError(Os { code: -2146893018, kind: Uncategorized, message:"The format of the received message was unexpected or incorrect." })))
I think that I have an issue with TLS encryption, but I cannot find any example which explains why. I also tried it with sqlx and got nearly the same error message. I use a standard MariaDB database with certificate authentication in both directions. When I use the certificates in MySQL Workbench or in PHP, I have no issue with the connection. What do I have to change on my connection so that the format is correct? I do not see anything that I can change.
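```rust
use mysql_async::prelude::*;
use mysql_async::{ClientIdentity, OptsBuilder, Pool, SslOpts};
use std::path::Path;

// mysql_async is built on tokio, so the snippet runs inside a tokio runtime.
#[tokio::main]
async fn main() -> Result<(), mysql_async::Error> {
    // TLS options: the client certificate comes from a PKCS#12 bundle;
    // validation of the server certificate is switched off.
    let ssl_opts = SslOpts::default()
        .with_danger_accept_invalid_certs(true)
        .with_client_identity(Some(
            ClientIdentity::new(Path::new("./src/ssl/client-identity.p12"))
                .with_password("password"),
        ));

    // Host and port are redacted in the post.
    let opts = OptsBuilder::default()
        .ip_or_hostname("x.x.x.x")
        .tcp_port(xxxx)
        .user(Some("user"))
        .pass(Some("password"))
        .db_name(Some("db_x"))
        .ssl_opts(ssl_opts);

    let pool = Pool::new(opts);
    // The TLS handshake happens here; this is the call that returns the error.
    let mut conn = pool.get_conn().await?;

    let table_name = "table_name";
    let query = format!("SELECT * FROM {}", table_name);
    let result: Vec<mysql_async::Row> = conn.query(query).await?;
    println!("Number of rows retrieved: {}", result.len());
    Ok(())
}
```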
The Windows error message (error code 80090326) isn't really descriptive; it is raised in case of a TLS alert code 10 or 21. This usually happens if client and server can't negotiate a TLS protocol or a certain cipher suite.
In your case, the server is restricted to use TLS 1.3, while the client doesn't support it.
Rust on Windows uses schannel-rs, which is an API binding between Rust and Windows Schannel. According to the code, TLS1_3 was added, but it will never work, since using TLSv1.3 under Schannel requires a different API: beginning with Windows 10.1809 (build number 17763), SCH_CREDENTIALS (instead of SCHANNEL_CRED) has to be used, using blacklist definitions.
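
As an added example (not part of the original question or answer, and not code from schannel-rs), the following shows how the signed `code: -2146893018` in the Rust error corresponds to the hexadecimal 80090326 quoted in the answer, and how to read the alert code out of a plaintext TLS alert record taken from a packet capture. The function names and the sample record are constructed for illustration; the alert names come from the TLS RFCs.

```rust
/// Rust prints the Schannel status as a signed i32; Windows documents it as
/// an unsigned 32-bit hex value. Same bits, different rendering.
fn hresult_hex(os_code: i32) -> String {
    format!("{:08X}", os_code as u32)
}

#[derive(Debug, PartialEq)]
struct Alert { fatal: bool, code: u8, name: &'static str }

/// Parse one plaintext TLS alert record:
/// type(1)=21 | version(2) | length(2)=2 | level(1) | description(1)
fn parse_alert(rec: &[u8]) -> Result<Alert, &'static str> {
    if rec.len() < 5 { return Err("truncated record header"); }
    if rec[0] != 21 { return Err("not an alert record"); }
    if rec[1] != 3 { return Err("not a TLS record version"); }
    let len = u16::from_be_bytes([rec[3], rec[4]]) as usize;
    // A plaintext alert body is exactly two bytes; anything else is
    // an encrypted alert or a damaged record.
    if len != 2 { return Err("alert is encrypted or malformed"); }
    if rec.len() < 5 + len { return Err("truncated alert body"); }
    let (level, code) = (rec[5], rec[6]);
    if level != 1 && level != 2 { return Err("invalid alert level"); }
    let name = match code {
        10 => "unexpected_message", // the two codes named in the answer
        21 => "decryption_failed",
        40 => "handshake_failure",  // other alerts seen when negotiation fails
        70 => "protocol_version",
        _ => "other",
    };
    Ok(Alert { fatal: level == 2, code, name })
}

fn main() {
    // Code copied from the error message in the question.
    println!("Schannel status: {}", hresult_hex(-2146893018));
    // Constructed sample: a fatal unexpected_message alert (level 2, code 10).
    let sample = [0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x0A];
    println!("{:?}", parse_alert(&sample));
}
```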