authorArun Kuruvila <arun.kuruvila@oracle.com>2016-03-01 10:17:25 +0530
committerArun Kuruvila <arun.kuruvila@oracle.com>2016-03-01 10:17:25 +0530
commitc7e68606c02b7f87a48c27eb358d4d07480f40f4 (patch)
treeedae67bf14337b657398d7007e8ba2eccd846e6a /sql-common
parent96f680aa6589138058a820987e5cf8600f024e81 (diff)
Bug#21920657: SSL-CA FAILS SILENTLY IF THE PATH CANNOT BE
FOUND Description:- Failure during the validation of CA certificate path which is provided as an option for 'ssl-ca' returns two different errors for YaSSL and OPENSSL. Analysis:- 'ssl-ca', option used for specifying the ssl ca certificate path. Failing to validate this certificate with OPENSSL returns an error, "ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed". While YASSL returns "ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation". Error returned by the OPENSSL is correct since "SSL_CTX_load_verify_locations()" returns 0 (in case of OPENSSL) for the failure and sets error as "SSL_INITERR_BAD_PATHS". In case of YASSL, "SSL_CTX_load_verify_locations()" returns an error number which is less than or equal to 0 in case of error. Error numbers for YASSL are mentioned in the file, 'extra/yassl/include/openssl/ssl.h'(line no : 292). Also 'ssl-ca' does not accept tilde home directory path substitution. Fix:- The condition which checks for the error in the "SSL_CTX_load_verify_locations()" is changed in order to accommodate YASSL as well. A logic is written in "mysql_ssl_set()" in order to accept the tilde home directory path substitution for all ssl options.
Diffstat (limited to 'sql-common')
-rw-r--r--sql-common/client.c23
1 files changed, 19 insertions, 4 deletions
diff --git a/sql-common/client.c b/sql-common/client.c
index 0ef70eb7f56..cd9b6a71c53 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1204,6 +1204,21 @@ static int add_init_command(struct st_mysql_options *options, const char *cmd)
my_strdup((STR), MYF(MY_WME)) : NULL; \
} while (0)
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+static char *set_ssl_option_unpack_path(const char *arg)
+{
+ char *opt_var= NULL;
+ if (arg)
+ {
+ char *buff= (char *)my_malloc(FN_REFLEN + 1, MYF(MY_WME));
+ unpack_filename(buff, (char *)arg);
+ opt_var= my_strdup(buff, MYF(MY_WME));
+ my_free(buff);
+ }
+ return opt_var;
+}
+#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
+
void mysql_read_default_options(struct st_mysql_options *options,
const char *filename,const char *group)
{
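Review bot: The my_malloc result in set_ssl_option_unpack_path is passed straight to unpack_filename without a NULL check, so an allocation failure (MY_WME reports the error but, unlike MY_FAE, does not abort) becomes a write through a null pointer. The buffer is fixed-size and lives only for the duration of the call, so a stack array removes both the failure path and the my_free: replace the four body lines with `char buff[FN_REFLEN + 1];` / `unpack_filename(buff, arg);` / `opt_var= my_strdup(buff, MYF(MY_WME));`. The `(char *)arg` cast looks unnecessary if unpack_filename takes a const source in this tree; if it does not, a short comment explaining why const is dropped on an option string would help. A header comment such as `/* Expand ~ and relative components of an SSL file option; returns a my_strdup'd copy the caller owns, or NULL */` would also document the ownership transfer, since the helper's return value is stored directly into st_mysql_options.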
@@ -1798,10 +1813,10 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
{
DBUG_ENTER("mysql_ssl_set");
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
- mysql->options.ssl_key= strdup_if_not_null(key);
- mysql->options.ssl_cert= strdup_if_not_null(cert);
- mysql->options.ssl_ca= strdup_if_not_null(ca);
- mysql->options.ssl_capath= strdup_if_not_null(capath);
+ mysql->options.ssl_key= set_ssl_option_unpack_path(key);
+ mysql->options.ssl_cert= set_ssl_option_unpack_path(cert);
+ mysql->options.ssl_ca= set_ssl_option_unpack_path(ca);
+ mysql->options.ssl_capath= set_ssl_option_unpack_path(capath);
mysql->options.ssl_cipher= strdup_if_not_null(cipher);
#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
DBUG_RETURN(0);
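Review bot: After this change a NULL in ssl_key, ssl_cert, ssl_ca or ssl_capath means either "caller passed NULL" or "my_malloc/my_strdup failed inside set_ssl_option_unpack_path", and mysql_ssl_set still returns 0 in both cases, so an allocation failure while recording the CA option is indistinguishable from the option never having been given; presumably the connect path then treats ssl_ca as unset, which for verification purposes is exactly the silent failure the bug title describes, so this is worth confirming against the SSL setup code. At minimum the block should say so: `/* NULL from set_ssl_option_unpack_path is also returned on allocation failure; that case is not reported here */`. If the "always returns 0" contract can be relaxed, a check such as `if (ca && !mysql->options.ssl_ca) DBUG_RETURN(1);` after the assignments would let callers see the failure. mysql_ssl_set's signature and parameter list start before this hunk.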