Tuesday, March 29, 2022

Prior to the last migration carried out on your account, the servers hosting your data were running MySQL 5.7.

The latest line of machines you are using runs either RHEL 8 or AlmaLinux 8 with MySQL 8.0.

Before the migration, some customers with applications running old PHP versions (e.g. 5.6 and lower) ran into issues.

User accounts already created in existing instances were not altered as part of the upgrade or migration.

Existing user accounts continue to use the same authentication plugin they used before, without any issues.

But this has ramifications for accounts running older PHP versions, because any database user created on the new servers picks up the new server's default authentication plugin.

You see, MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords:

  • sha256_password
  • caching_sha2_password

The sha256_password authentication plugin has been supported since MySQL 5.6.

The plugin applies multiple rounds of SHA-256 hashing to a salted password so that the stored hash is harder to attack.

However, it requires either an encrypted (TLS) connection or RSA key-pair support, because the client sends the password itself rather than a hash, and that password has to be protected in transit.

So, while password security is stronger, the secure connection and the multiple hash rounds make the authentication process slower.

In MySQL 5.7, the default authentication plugin is mysql_native_password.

MySQL 5.7 supports caching_sha2_password only on the client side, in the client library. Limiting support to the client side has these implications compared to MySQL 8.0.

Specifically:

  • the caching_sha2_password server-side plugin is not implemented in MySQL 5.7.
  • MySQL 5.7 servers do not support creating accounts that authenticate with caching_sha2_password.
  • MySQL 5.7 servers do not implement the system and status variables that belong to caching_sha2_password server-side support: caching_sha2_password_auto_generate_rsa_keys, caching_sha2_password_private_key_path, caching_sha2_password_public_key_path and Caching_sha2_password_rsa_public_key.

In MySQL 8.0 (which all fresh installs use), caching_sha2_password is the default authentication plugin rather than mysql_native_password.

caching_sha2_password keeps an in-memory cache on the server side for better performance and has additional features for wider applicability. After an account's first successful login the server caches a SHA-256 digest of the password and can authenticate later connections with a fast challenge-response exchange; only the first login still needs a TLS connection or the server's RSA key pair to protect the password in transit.

Older versions of libmysqlclient do not support this plugin. 

It is not available for PHP 7.3 and lower: PHP's mysqlnd driver only added support for the plugin in PHP 7.4.

When the database user is created with caching_sha2_password, authentication from PHP versions 5.6, 7.0, 7.1, 7.2 and 7.3 fails; the driver reports "The server requested authentication method unknown to the client [caching_sha2_password]".

So while:

  • client tools that use a libmysqlclient older than the one shipped with MySQL 8.0.3 can connect to a MySQL 8.0.4 server with accounts that use other authentication plugins, such as mysql_native_password or sha256_password, such clients cannot connect to a MySQL 8.0.4 server with accounts that require caching_sha2_password support.
  • the MySQL 5.7 client library and client programs support the caching_sha2_password client-side authentication plugin despite the difference in the default authentication plugin.
  • it is possible to configure MySQL 8.0 to default to mysql_native_password for backward compatibility (default_authentication_plugin=mysql_native_password in the server configuration), this is a server-wide setting that affects every account created on each machine.

And, understandably, weakening the default for every customer on a machine was not something our Infrastructure Team was keen on doing.
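As an added example that is not part of the original post, the following MySQL 8.0 statements show the per-account alternative to a server-wide default: check which plugin each database user authenticates with, pin a single account to mysql_native_password for an application still on PHP 7.3 or lower, and move it back to caching_sha2_password once the application has been upgraded. The account name legacy_app and the password are placeholders; the commented final line is the server-wide setting described above, shown only for contrast.

```sql
-- Added example (not from the original post). Run as a MySQL 8.0
-- administrative user. 'legacy_app' and the password are placeholders.

-- 1. See which authentication plugin each database user was created with.
--    Accounts migrated from a 5.7 server keep mysql_native_password; accounts
--    created on the 8.0 server default to caching_sha2_password.
SELECT user, host, plugin
FROM mysql.user
ORDER BY plugin, user, host;

-- 2. Create a user for an application that still runs PHP 7.3 or lower and
--    pin it to mysql_native_password, overriding the server default for this
--    one account only.
CREATE USER 'legacy_app'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'replace-with-a-strong-password';

-- 3. An existing caching_sha2_password account that a pre-7.4 PHP application
--    can no longer reach ("The server requested authentication method unknown
--    to the client [caching_sha2_password]") can be switched the same way.
--    The password has to be given again because the stored hash format changes.
ALTER USER 'legacy_app'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'replace-with-a-strong-password';

-- 4. Once the application is on PHP 7.4 or later, move the account back to the
--    stronger plugin, again without touching any other account on the server.
ALTER USER 'legacy_app'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'replace-with-a-strong-password';

-- 5. Confirm the change for this account.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'legacy_app' AND host = 'localhost';

-- For contrast, the server-wide option the post declines. It changes the
-- default plugin for every account created afterwards on that server, and
-- the variable is read-only, so it only takes effect after a restart
-- (equivalent my.cnf line under [mysqld]:
--  default_authentication_plugin=mysql_native_password).
-- SET PERSIST_ONLY default_authentication_plugin = 'mysql_native_password';
```

The per-account statements take effect immediately for new connections and leave every other user's plugin, and therefore every other customer's security posture, unchanged.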

Our Solution

We opted for a middle path: we have built up a fleet of machines in our Iowa data center to cater to applications using pre-PHP 7.4 versions.

These machines are capable of hosting (at the time of this writing):

  • PHP 4.4.9 (not recommended for any production website, but available if you must)
  • PHP 5.1
  • PHP 5.2
  • PHP 5.3
  • PHP 5.4
  • PHP 5.5
  • PHP 5.6
  • PHP 7.0
  • PHP 7.1
  • PHP 7.2
  • PHP 7.3
  • PHP 7.4
  • PHP 8.0
  • PHP 8.1

And, as always, we patch these PHP versions against known vulnerabilities.

If you need this service, check out our HardenedPHP hosting packages at https://dashboard.webhostingmagic.com/store/secure-php-hosting/ for maximum security and flexibility.

If you have an application on your current account that would benefit from using the old PHP versions, you may want to create a new account at Iowa and migrate that specific website to this region.

This will ensure that it works as it should without script re-writes or forced upgrades.

It is important to note that if you are using the HardenedPHP hosting packages, every sub-domain or add-on domain on the account uses the main account's PHP version.

For our VPS and dedicated server customers, we recommend the use of caching_sha2_password because of the enhanced security that it offers.

We hope this keeps your website online without compromising its security while you work to upgrade it to a newer PHP version.