| Commit message (Collapse) | Author | Age | Files | Lines |
|\ |
|
| |\ |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- Fixed typos
- Added --core-on-failure to mysql-test-run
- More DBUG_PRINT in viosocket.c
- Don't forget CLIENT_REMEMBER_OPTIONS for compressed slave protocol
- Removed not used stage variables
|
|\ \ \
| |/ / |
|
| |\ \
| | |/ |
|
| | |\ |
|
| | | |\ |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
FOUND
Description:- Failure during the validation of CA
certificate path which is provided as an option for 'ssl-ca'
returns two different errors for YaSSL and OPENSSL.
Analysis:- 'ssl-ca', option used for specifying the ssl ca
certificate path. Failing to validate this certificate with
OPENSSL returns an error, "ERROR 2026 (HY000): SSL
connection error: SSL_CTX_set_default_verify_paths failed".
While YASSL returns "ERROR 2026 (HY000): SSL connection
error: ASN: bad other signature confirmation". Error
returned by the OPENSSL is correct since
"SSL_CTX_load_verify_locations()" returns 0 (in case of
OPENSSL) for the failure and sets error as
"SSL_INITERR_BAD_PATHS". In case of YASSL,
"SSL_CTX_load_verify_locations()" returns an error number
which is less than or equal to 0 in case of error. Error
numbers for YASSL is mentioned in the file,
'extra/yassl/include/openssl/ssl.h'(line no : 292). Also
'ssl-ca' does not accept tilde home directory path
substitution.
Fix:- The condition which checks for the error in the
"SSL_CTX_load_verify_locations()" is changed in order to
accommodate YASSL as well. A logic is written in
"mysql_ssl_set()" in order accept the tilde home directory
path substitution for all ssl options.
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Description: The newest RHEL/CentOS/SL 6.6 openssl package
(1.0.1e-30.el6_6.9; published around 6/4/2015) contains a fix for
LogJam. RedHat's fix for this was to limit the use
of any SSL DH key sizes to a minimum of 768 bits. This breaks any
DHE SSL ciphers for MySQL clients as soon as you install the
openssl update, since in vio/viosslfactories.c, the default
DHPARAM is a 512 bit one. This cannot be changed in
configuration/runtime; and needs a recompile. Because of this the
client connection with --ssl-cipher=DHE-RSA-AES256-SHA is not
able to connect the server.
Analysis: Openssl has changed Diffie-Hellman key from the 512 to
1024 due to some reasons(please see the details at
http://openssl.org/news/secadv_20150611.txt) Because of this the client
with DHE cipher is failing to connect the server. This change took
place from the openssl-1.0.1n onwards.
Fix: Similar bug fix is already pushed to mysql-5.7 under bug#18367167.
Hence we backported the same fix to mysql-5.5 and mysql-5.6.
|
| | | | |
| | | | |
| | | | |
| | | | | |
post push change: fixing valgrind failures
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
post push change: missed the change in mysql-5.5
(Fixing compiler warning/error)
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Description:
Can't build mysql-5.5 latest source with openssl 0.9.8e.
Analysis:
Older OpenSSL versions(prior to openssl 1.0) doesn't have 'SSL_OP_NO_COMPRESSION' defined.
Hence the build is failing with SSL_OP_NO_COMPRESSION undeclared.
Fix:
Added a conditonal compilation for 'SSL_OP_NO_COMPRESSION'.
i.e if 'SSL_OP_NO_COMPRESSION' is defined then have the SSL_set_options call for OpenSSL 1.0 versions.
Have sk_SSL_COMP_zero() call for OpenSSL 0.9.8 version
|
|/ / / /
| | | |
| | | |
| | | | |
for running obsolete versions of Windows
|
|\ \ \ \
| |/ / / |
|
| |\ \ \
| | |/ / |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
pointer to incomplete type ‘DH {aka struct dh_st}
fixes for openssl that was built with -DOPENSSL_NO_DEPRECATED
|
|/ / /
| | |
| | |
| | | |
Accepted patch of Georg: do not setup Differ-Hellman parameters on client.
|
|\ \ \
| |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Conflicts:
client/mysql_upgrade.c
mysql-test/r/func_misc.result
mysql-test/suite/binlog/r/binlog_stm_mix_innodb_myisam.result
mysql-test/suite/innodb/r/innodb-fk.result
mysql-test/t/subselect_sj_mat.test
sql/item.cc
sql/item_func.cc
sql/log.cc
sql/log_event.cc
sql/rpl_utility.cc
sql/slave.cc
sql/sql_class.cc
sql/sql_class.h
sql/sql_select.cc
storage/innobase/dict/dict0crea.c
storage/innobase/dict/dict0dict.c
storage/innobase/handler/ha_innodb.cc
storage/xtradb/dict/dict0crea.c
storage/xtradb/dict/dict0dict.c
storage/xtradb/handler/ha_innodb.cc
vio/viosslfactories.c
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
--ssl-cipher=DHE-RSA-AES256-SHA - handshake failure
Change 512bit DH key to 1024bit to meet FIPS requirements
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
in when using vio->read_timeout (and write_timeout) to set
timeouts of a new vio, as in:
vio_timeout(vio, 0, old_vio.read_timeout)
vio_timeout(vio, 0, old_vio.write_timeout)
remember that timeouts are stored in ms, but vio_timeout()'s
argument is in seconds.
|
| | |
| | |
| | |
| | |
| | |
| | | |
On EOF vio_read returns 0, it's not an error so the errno
is not reset. If the previous error was EINTR the client
will loop forever. See also man recv.
|
| | |
| | |
| | |
| | | |
And don't ignore SSL_CTX_set_tmp_dh() failures
|
| | |
| | |
| | |
| | |
| | |
| | | |
--ssl-cipher=DHE-RSA-AES256-SHA - handshake failure
Change 512bit DH key to 1024bit to meet FIPS requirements
|
|\ \ \
| |/ / |
|
| |\ \
| | |/ |
|
| | |
| | |
| | |
| | | |
Explicitly disable weaker SSL protocols.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Bug#18187290 ISSUE WITH BUILDING MYSQL USING CMAKE 2.8.12
We want to upgrade to VS2013 on Windows.
In order to do this, we need to upgrade to cmake 2.8.12
This has introduced some incompatibilities for .pdb files,
and "make install" no longer works.
To reproduce:
cmake --build . --target package --config debug
The fix:
Rather than installing .pdb files for static libraries, we use the /Z7 flag
to store symbolic debugging information in the .obj files.
|
| | | |
|
| | |
| | |
| | |
| | | |
LIBRARIES USED
|
| | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
ERROR HANDLING CODE
BACKGROUND:
There can be a potential crash due to buffer overrun in
SSL error handling code due to missing comma in
ssl_error_string[] array in viosslfactories.c.
ANALYSIS:
Found by code Inspection.
FIX:
Added the missing comma in SSL error handling code
in ssl_error_string[] array in viosslfactories.c.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
ERROR HANDLING CODE
BACKGROUND:
There can be a potential crash due to buffer overrun in
SSL error handling code due to missing comma in
ssl_error_string[] array in viosslfactories.c.
ANALYSIS:
Found by code Inspection.
FIX:
Added the missing comma in SSL error handling code
in ssl_error_string[] array in viosslfactories.c.
|
| | | | |
|
| | | | |
|
| | |\ \
| | | |/
| | | |
| | | |
| | | | |
OPENSSL
Description: Merge from 5.1.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
OPENSSL
Description: Specify preference to disable compression
while using OpenSSL library. OpenSSL uses
zlib compression by default which may
lead to some problems.
|
| | |\ \
| | | |/
| | | |
| | | |
| | | | |
CONNECTIONS IF SPE
Merged from mysql-5.1 to mysql-5.5
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
CONNECTIONS IF SPE
Problem description: -ssl-key value is not validated, you can assign any bogus
text to --ssl-key and it is not verified that it exists, and more importantly,
it allows the client to connect to mysqld.
Fix: Added proper validations checks for --ssl-key.
Note:
1) Documentation changes require for 5.1, 5.5, 5.6 and trunk in the sections
listed below and the details are :
http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl
and
REQUIRE SSL section of
http://dev.mysql.com/doc/refman/5.6/en/grant.html
2) Client having with option '--ssl', should able to get ssl connection. This
will be implemented as part of separate fix in 5.6 and trunk.
|
| | |\ \
| | | |/ |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Applied the fix that updates yaSSL to 2.2.1 and fixes parsing this
particular certificate.
Added a test case with the certificate itself.
|
| | |\ \
| | | | |
| | | | |
| | | | |
| | | | | |
This is a weave merge, but without any conflicts.
In 14 source files, the copyright year needed to be updated to 2012.
|
| | | |\ \
| | |/ / /
| | | | _
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
WINDOWS
On shutdown(), Windows can drop traffic still queued for sending even if that
wasn't specifically requested. As a result, fatal errors (those after
signaling which the server will drop the connection) were sometimes only
seen as "connection lost" on the client side, because the server-side
shutdown() erraneously discarded the correct error message before sending
it.
If on Windows, we now use the Windows API to access the (non-broken) equivalent
of shutdown().
Backport from trunk
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
WINDOWS
On shutdown(), Windows can drop traffic still queued for sending even if that
wasn't specifically requested. As a result, fatal errors (those after
signaling which the server will drop the connection) were sometimes only
seen as "connection lost" on the client side, because the server-side
shutdown() erraneously discarded the correct error message before sending
it.
If on Windows, we now use the Windows API to access the (non-broken) equivalent
of shutdown().
Backport from trunk
|
| | | |\ |
|
| | |\ \ \ |
|
| | |\ \ \ \
| | | |/ / /
| | |/| / /
| | | |/ / |
|
| | | |\ \ |
|
| | | | | | |
|
| | | | | | |
|
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
(ssl-verify-server-cert=true vs localhos)
SSL errors on client and now more specific to aid end-user
with debugging. Also restructures error handling for
compliance with SSL docs.
|