infoschema, server: add per connection TLS status #62563

Merged
ti-chi-bot[bot] merged 21 commits into pingcap:master from dveeden:tls_infoschema_status on Nov 14, 2025

dveeden commented Jul 22, 2025

What problem does this PR solve?

Issue Number: close #64223

Problem Summary:

What changed and how does it work?

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No need to test
    • I checked and no code files have been changed.

Side effects

  • Performance regression: Consumes more CPU
  • Performance regression: Consumes more Memory
  • Breaking backward compatibility

Documentation

  • Affects user behaviors
  • Contains syntax changes
  • Contains variable changes
  • Contains experimental features
  • Changes MySQL compatibility

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

The `performance_schema.status_by_connection` table was added to show per-connection TLS status.

ti-chi-bot bot commented Jul 22, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@ti-chi-bot ti-chi-bot bot added do-not-merge/needs-linked-issue do-not-merge/needs-tests-checked release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 22, 2025

tiprow bot commented Jul 22, 2025

Hi @dveeden. Thanks for your PR.

PRs from untrusted users cannot be marked as trusted with /ok-to-test in this repo meaning untrusted PR authors can never trigger tests themselves. Collaborators can still trigger tests on the PR using /test all.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

dveeden commented Jul 22, 2025

Current status:

Start a server with AutoTLS enabled

./bin/tidb-server -config <(echo -en "[security]\nauto-tls=true\n")

Connect with different TLS config

mysql --host 127.0.0.1 --port 4000 -u root test
mysql -h 127.0.0.1 -u root -P 4000 --tls-version TLSv1.2

Result:

mysql-8.0.11-TiDB-v9.0.0-beta.2.pre-152-g7237eb9cbb-dirty> select * from status_by_connection;
+---------------+---------------+---------------------------------------+
| CONNECTION_ID | VARIABLE_NAME | VARIABLE_VALUE                        |
+---------------+---------------+---------------------------------------+
|       2097156 | Tls_cipher    | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
|       2097156 | Tls_version   | TLS 1.2                               |
|       2097154 | Tls_cipher    | TLS_AES_128_GCM_SHA256                |
|       2097154 | Tls_version   | TLS 1.3                               |
+---------------+---------------+---------------------------------------+
4 rows in set (0.001 sec)

Open issues with this:

  • Missing tests
  • The order is not stable
  • This is per server, not cluster wide
  • This is not fully the same as MySQL as this is per connection instead of per thread. We don't have PS threads in TiDB, at least not yet.
  • This is only for TLS status variables instead of a generic way to get per-session info for all sessions.
  • I named these Tls_version, while it probably should be Ssl_version to match session variables and MySQL. (However it actually is TLS, not the older SSL)
  • The protocol names and cipher names might not match the ones of MySQL as these are Go specific. (e.g. TLSv1.3 vs TLS 1.3). I think we adjust some of this in the status variable code.
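An added example, not part of the PR or of TiDB's code: a Go sketch that audits rows shaped like the `status_by_connection` output above. It groups the rows per connection, returns them in a stable connection-ID order, rewrites Go's "TLS 1.2" spelling to the MySQL-style "TLSv1.2", and reports connections below a minimum TLS version. `Row`, `Audit`, `SampleRows` and connection 2097158 are hypothetical names and constructed data.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// Row is one row of status_by_connection (columns as in the output above).
type Row struct{ ConnID uint64; Name, Value string }

// goVersions maps the strings Go's tls.VersionName returns to protocol numbers.
var goVersions = map[string]uint16{"TLS 1.0": tls.VersionTLS10,
	"TLS 1.1": tls.VersionTLS11, "TLS 1.2": tls.VersionTLS12, "TLS 1.3": tls.VersionTLS13}

// SampleRows is constructed and unordered: the rows shown above plus an invented TLS 1.1 connection.
var SampleRows = []Row{
	{2097158, "Tls_version", "TLS 1.1"}, {2097156, "Tls_cipher", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
	{2097154, "Tls_version", "TLS 1.3"}, {2097158, "Tls_cipher", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
	{2097156, "Tls_version", "TLS 1.2"}, {2097154, "Tls_cipher", "TLS_AES_128_GCM_SHA256"},
}

// Audit returns, in connection-ID order, each connection whose TLS version is unknown or below minVer.
func Audit(rows []Row, minVer uint16) []string {
	conns := map[uint64]map[string]string{} // pivot: connection ID -> variable -> value
	for _, r := range rows {
		if conns[r.ConnID] == nil {
			conns[r.ConnID] = map[string]string{}
		}
		conns[r.ConnID][r.Name] = r.Value
	}
	ids := make([]uint64, 0, len(conns))
	for id := range conns {
		ids = append(ids, id)
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] }) // table order is not stable
	var out []string
	for _, id := range ids {
		goName := conns[id]["Tls_version"]
		if v, ok := goVersions[goName]; !ok || v < minVer {
			mysqlName := strings.Replace(goName, "TLS ", "TLSv", 1) // MySQL-style spelling
			out = append(out, fmt.Sprintf("%d %s %s", id, mysqlName, conns[id]["Tls_cipher"]))
		}
	}
	return out
}

func main() { fmt.Println(strings.Join(Audit(SampleRows, tls.VersionTLS13), "\n")) }
```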

@dveeden dveeden requested review from disksing and yibin87 October 31, 2025 11:43
@ti-chi-bot ti-chi-bot bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Oct 31, 2025
@ti-chi-bot ti-chi-bot bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 31, 2025
@dveeden dveeden marked this pull request as ready for review October 31, 2025 21:48
@ti-chi-bot ti-chi-bot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 31, 2025

codecov bot commented Oct 31, 2025

Codecov Report

❌ Patch coverage is 50.00000% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.1169%. Comparing base (82e2c6f) to head (1939531).
⚠️ Report is 15 commits behind head on master.

Additional details and impacted files
@@               Coverage Diff                @@
##             master     #62563        +/-   ##
================================================
+ Coverage   72.6962%   75.1169%   +2.4206%     
================================================
  Files          1865       1889        +24     
  Lines        506195     516323     +10128     
================================================
+ Hits         367985     387846     +19861     
+ Misses       115838     104742     -11096     
- Partials      22372      23735      +1363     
Flag Coverage Δ
integration 48.3091% <22.8571%> (?)
unit 72.7327% <47.1428%> (+0.4667%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
dumpling 52.8700% <ø> (ø)
parser ∅ <ø> (∅)
br 63.2599% <45.6140%> (+17.0444%) ⬆️

tiprow bot commented Nov 1, 2025

@wuhuizuo: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

Details

In response to this:

/test check-dev

dveeden commented Nov 3, 2025

/ok-to-test

@ti-chi-bot ti-chi-bot bot added the ok-to-test Indicates a PR is ready to be tested. label Nov 3, 2025
@ti-chi-bot ti-chi-bot bot added lgtm and removed needs-1-more-lgtm Indicates a PR needs 1 more LGTM. labels Nov 13, 2025

ti-chi-bot bot commented Nov 13, 2025

[LGTM Timeline notifier]

Timeline:

  • 2025-11-05 06:53:46.555429201 +0000 UTC m=+253075.998459081: ☑️ agreed by disksing.
  • 2025-11-13 00:35:35.331235415 +0000 UTC m=+921584.774265284: ☑️ agreed by tiancaiamao.

D3Hunter left a comment

infoschema part lgtm

@D3Hunter

/approve

ti-chi-bot bot commented Nov 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: D3Hunter, disksing, tiancaiamao, yibin87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ti-chi-bot ti-chi-bot bot added the approved label Nov 13, 2025

dveeden commented Nov 14, 2025

/retest

@ti-chi-bot ti-chi-bot bot merged commit af24a62 into pingcap:master Nov 14, 2025
31 checks passed
@ti-chi-bot

@dveeden: cannot checkout release8.5: error checking out release8.5: exit status 1. output: error: pathspec 'release8.5' did not match any file(s) known to git

Details

In response to this:

/cherrypick release8.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository.

dveeden commented Apr 2, 2026

/cherrypick release-8.5

ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Apr 2, 2026
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot

@dveeden: new pull request created to branch release-8.5: #67514.
But this PR has conflicts, please resolve them!

Details

In response to this:

/cherrypick release-8.5

dveeden commented Apr 2, 2026

/cherrypick release-7.5

ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Apr 2, 2026
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot

@dveeden: new pull request created to branch release-7.5: #67515.
But this PR has conflicts, please resolve them!

Details

In response to this:

/cherrypick release-7.5

dveeden commented Apr 9, 2026

/cherrypick release-8.1

ti-chi-bot pushed a commit to ti-chi-bot/tidb that referenced this pull request Apr 9, 2026
Signed-off-by: ti-chi-bot <ti-community-prow-bot@tidb.io>
@ti-chi-bot

@dveeden: new pull request created to branch release-8.1: #67638.
But this PR has conflicts, please resolve them!

Details

In response to this:

/cherrypick release-8.1
