diff options
| author | unknown <msvensson@neptunus.(none)> | 2006-04-18 17:58:27 +0200 |
|---|---|---|
| committer | unknown <msvensson@neptunus.(none)> | 2006-04-18 17:58:27 +0200 |
| commit | c1d64ccc1b227e862f5cbaa991ce5525c59ab2ef (patch) | |
| tree | 64442542d9a9aa7ed4cfe1f7d0a101de3e8418b1 /include | |
| parent | c3babee88a1384a8fa4eee64a3eab610ef728661 (diff) | |
| download | mariadb-git-c1d64ccc1b227e862f5cbaa991ce5525c59ab2ef.tar.gz | |
Bug#17208 SSL: client does not verify server certificate
- Add new function 'ssl_verify_server_cert' which is used if we are
connecting to the server with SSL. It will compare the hostname in
the server's cert against the hostname that we used when connecting
to the server. Will reject the connection if hostname does not match.
- Add new option "OPT_SSL_VERIFY_SERVER_CERT" to be passed to mysql_options
which will turn on checking of servers cert.
- Add new argument "ssl-verify-server-cert" to all mysql* clients which
will activate the above option.
- Generate a new server cert with 1024 bits that has "localhost" as the server name.
SSL/server-cert.pem:
Generate a new server cert that has "localhost" as CN, so that we can test to verify the hostname we connected against with the hostname in the cert
client/client_priv.h:
Add OPT_SSL_VERIFY_CERT
client/mysql.cc:
Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files
client/mysqladmin.cc:
Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files
client/mysqldump.c:
Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files
client/mysqlimport.c:
Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files
client/mysqlshow.c:
Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files
client/mysqltest.c:
Always set opt_ssl_verify_server_cert on in mysqltest if we are using SSL
include/mysql.h:
Add variable ssl_verify_cerver_cert
include/sslopt-longopts.h:
Add ssl-verify-server-cert options to all clients.
include/sslopt-vars.h:
Add opt_ssl_varify_server_cert to all clients.
sql-common/client.c:
Add ssl_vertify_server_cert function which is executed if user has set the option ssl_verify_cerver_cert
vio/viosslfactories.c:
Ask the SSL library to verify servers cert by setting the SSL_VERIFY_PEER flag
Diffstat (limited to 'include')
| -rw-r--r-- | include/mysql.h | 4 | ||||
| -rw-r--r-- | include/sslopt-longopts.h | 7 | ||||
| -rw-r--r-- | include/sslopt-vars.h | 3 |
3 files changed, 12 insertions, 2 deletions
diff --git a/include/mysql.h b/include/mysql.h index 925a4525378..7149224dcdd 100644 --- a/include/mysql.h +++ b/include/mysql.h @@ -149,7 +149,8 @@ enum mysql_option MYSQL_OPT_WRITE_TIMEOUT, MYSQL_OPT_USE_RESULT, MYSQL_OPT_USE_REMOTE_CONNECTION, MYSQL_OPT_USE_EMBEDDED_CONNECTION, MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH, - MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT + MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT, + MYSQL_OPT_SSL_VERIFY_SERVER_CERT }; struct st_mysql_options { @@ -164,6 +165,7 @@ struct st_mysql_options { char *ssl_ca; /* PEM CA file */ char *ssl_capath; /* PEM directory of CA-s? */ char *ssl_cipher; /* cipher to use */ + my_bool ssl_verify_server_cert; /* if to verify server cert */ char *shared_memory_base_name; unsigned long max_allowed_packet; my_bool use_ssl; /* if to use SSL or not */ diff --git a/include/sslopt-longopts.h b/include/sslopt-longopts.h index dc3b0922327..f444a7eb7ce 100644 --- a/include/sslopt-longopts.h +++ b/include/sslopt-longopts.h @@ -37,5 +37,10 @@ {"ssl-cipher", OPT_SSL_CIPHER, "SSL cipher to use (implies --ssl).", (gptr*) &opt_ssl_cipher, (gptr*) &opt_ssl_cipher, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, - +#ifdef MYSQL_CLIENT + {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT, + "Verify servers \"Common Name\" in it's cert against hostname used when connecting. This option is disabled by default.", + (gptr*) &opt_ssl_verify_server_cert, (gptr*) &opt_ssl_verify_server_cert, + 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0}, +#endif #endif /* HAVE_OPENSSL */ diff --git a/include/sslopt-vars.h b/include/sslopt-vars.h index 164cf541381..8e5f3434396 100644 --- a/include/sslopt-vars.h +++ b/include/sslopt-vars.h @@ -21,4 +21,7 @@ static char *opt_ssl_cert = 0; static char *opt_ssl_ca = 0; static char *opt_ssl_capath = 0; static char *opt_ssl_cipher = 0; +#ifdef MYSQL_CLIENT +static my_bool opt_ssl_verify_server_cert= 0; +#endif #endif |