From 99e1294c1e2ddd0bbd81129f1c0902be31a38f48 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Mon, 24 Apr 2017 15:39:47 +0200 Subject: bugfix: federated/replication did not increment bytes_received status variable because mysql->net.thd was reset to NULL in mysql_real_connect() and thd_increment_bytes_received() didn't do anything. Fix: * set mysql->net.thd to current_thd instread. * remove the test for non-null THD from a very often used function thd_increment_bytes_received(). --- sql-common/client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sql-common/client.c') diff --git a/sql-common/client.c b/sql-common/client.c index 86c7dea5a58..42b6667b1bf 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -3408,7 +3408,7 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user, if (mysql->options.extension && mysql->options.extension->async_context) net->vio->async_context= mysql->options.extension->async_context; - if (my_net_init(net, net->vio, 0, MYF(0))) + if (my_net_init(net, net->vio, _current_thd(), MYF(0))) { vio_delete(net->vio); net->vio = 0; -- cgit v1.2.1 From 1b27c254731747756d254f96cd8666dae3f0809b Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Tue, 25 Apr 2017 23:00:58 +0200 Subject: MDEV-10594 SSL hostname verification fails for SubjectAltNames use X509_check_host for OpenSSL 1.0.2+ This adds: * support for subjectAltNames * wildcards * sub-domain matching --- sql-common/client.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'sql-common/client.c') diff --git a/sql-common/client.c b/sql-common/client.c index 42b6667b1bf..332e60947e6 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1768,15 +1768,22 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused))) #if defined(HAVE_OPENSSL) +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL) +#include +#define HAVE_X509_check_host +#endif + static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr) { SSL *ssl; X509 *server_cert= NULL; +#ifndef HAVE_X509_check_host char *cn= NULL; int cn_loc= -1; ASN1_STRING *cn_asn1= NULL; X509_NAME_ENTRY *cn_entry= NULL; X509_NAME *subject= NULL; +#endif int ret_validation= 1; DBUG_ENTER("ssl_verify_server_cert"); @@ -1811,14 +1818,9 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c are what we expect. */ - /* - Some notes for future development - We should check host name in alternative name first and then if needed check in common name. - Currently yssl doesn't support alternative name. - openssl 1.0.2 support X509_check_host method for host name validation, we may need to start using - X509_check_host in the future. - */ - +#ifdef HAVE_X509_check_host + ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1; +#else subject= X509_get_subject_name(server_cert); cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1); if (cn_loc < 0) @@ -1826,7 +1828,6 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c *errptr= "Failed to get CN location in the certificate subject"; goto error; } - cn_entry= X509_NAME_get_entry(subject, cn_loc); if (cn_entry == NULL) { @@ -1855,7 +1856,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c /* Success */ ret_validation= 0; } - +#endif *errptr= "SSL certificate validation failure"; error: -- cgit v1.2.1