From c1d64ccc1b227e862f5cbaa991ce5525c59ab2ef Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 18 Apr 2006 17:58:27 +0200 Subject: Bug#17208 SSL: client does not verify server certificate - Add new function 'ssl_verify_server_cert' which is used if we are connecting to the server with SSL. It will compare the hostname in the server's cert against the hostname that we used when connecting to the server. Will reject the connection if hostname does not match. - Add new option "OPT_SSL_VERIFY_SERVER_CERT" to be passed to mysql_options which will turn on checking of servers cert. - Add new argument "ssl-verify-server-cert" to all mysql* clients which will activate the above option. - Generate a new server cert with 1024 bits that has "localhost" as the server name. SSL/server-cert.pem: Generate a new server cert that has "localhost" as CN, so that we can test to verify the hostname we connected against with the hostname in the cert client/client_priv.h: Add OPT_SSL_VERIFY_CERT client/mysql.cc: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqladmin.cc: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqldump.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqlimport.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqlshow.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqltest.c: Always set opt_ssl_verify_server_cert on in mysqltest if we are using SSL include/mysql.h: Add variable ssl_verify_cerver_cert include/sslopt-longopts.h: Add ssl-verify-server-cert options to all clients. include/sslopt-vars.h: Add opt_ssl_varify_server_cert to all clients. sql-common/client.c: Add ssl_vertify_server_cert function which is executed if user has set the option ssl_verify_cerver_cert vio/viosslfactories.c: Ask the SSL library to verify servers cert by setting the SSL_VERIFY_PEER flag --- vio/viosslfactories.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'vio/viosslfactories.c') diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c index d6356f1adca..2b3e80a98e4 100644 --- a/vio/viosslfactories.c +++ b/vio/viosslfactories.c @@ -290,20 +290,20 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *cipher) { struct st_VioSSLFd *ssl_fd; - int verify= SSL_VERIFY_NONE; + int verify= SSL_VERIFY_PEER; if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher, TLSv1_client_method()))) { return 0; } + /* Init the the VioSSLFd as a "connector" ie. the client side */ /* The verify_callback function is used to control the behaviour - when the SSL_VERIFY_PEER flag is set. Here it is SSL_VERIFY_NONE - and thus callback is set to NULL + when the SSL_VERIFY_PEER flag is set. */ - SSL_CTX_set_verify(ssl_fd->ssl_context, verify, NULL); + SSL_CTX_set_verify(ssl_fd->ssl_context, verify, vio_verify_callback); return ssl_fd; } -- cgit v1.2.1