Another Fix for Bug #68344 MySQLi does not provide way to disable peer certificate validation

Added the possibility to explicitly state that the peer certificate should not be checked.
Back to the default - checking the certificate.
Exported MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT
Usage : mysqli_real_connect( , , , , , MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT)

If mysqli_ssl_set() is not called, but only MYSQLI_CLIENT_SSL is passed, without the (don't) very flag,
then no verification takes place.

1 files changed, 8 insertions, 1 deletions

diff --git a/ext/mysqlnd/mysqlnd_structs.h b/ext/mysqlnd/mysqlnd_structs.h
index 170c977c2b..f5d0b47a6f 100644
--- a/ext/mysqlnd/mysqlnd_structs.h
+++ b/ext/mysqlnd/mysqlnd_structs.h
@@ -207,7 +207,13 @@ typedef struct st_mysqlnd_net_options
 	char		*ssl_capath;
 	char		*ssl_cipher;
 	char		*ssl_passphrase;
-	zend_bool	ssl_verify_peer;
+	enum mysqlnd_ssl_peer {
+		MYSQLND_SSL_PEER_DEFAULT = 0,
+		MYSQLND_SSL_PEER_VERIFY = 1,
+		MYSQLND_SSL_PEER_DONT_VERIFY = 2,
+
+#define MYSQLND_SSL_PEER_DEFAULT_ACTION  MYSQLND_SSL_PEER_VERIFY
+	} ssl_verify_peer;
 	uint64_t	flags;
 
 	char *		sha256_server_public_key;
@@ -219,6 +225,7 @@ typedef struct st_mysqlnd_net_options
 } MYSQLND_NET_OPTIONS;
 
 
+
 typedef struct st_mysqlnd_connection MYSQLND;
 typedef struct st_mysqlnd_connection_data MYSQLND_CONN_DATA;
 typedef struct st_mysqlnd_net	MYSQLND_NET;