Remove server certification verification

Since the server certification option is used by client only, there is no need to have this flag in server and or client capabilities. The server itself validates client certificate depending on the user definition.
2025-08-07 02:42:49 +03:00 · 2023-07-13 09:30:33 +02:00
parent d543bed61b
commit 45feebb99d
8 changed files with 13 additions and 15 deletions
--- a/include/ma_common.h
+++ b/include/ma_common.h
@@ -79,6 +79,7 @@ struct st_mysql_options_extension {
  char *proxy_header;
  size_t proxy_header_len;
  int (*io_wait)(my_socket handle, my_bool is_read, int timeout);
  my_bool tls_verify_server_cert;
 };
 typedef struct st_connection_handler
--- a/include/mariadb_com.h
+++ b/include/mariadb_com.h
@@ -164,6 +164,7 @@ enum enum_server_command
 #define CLIENT_PROGRESS          (1UL << 29) /* client supports progress indicator */
 #define CLIENT_PROGRESS_OBSOLETE  CLIENT_PROGRESS 
 #define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)
 #define CLIENT_SSL_VERIFY_SERVER_CERT_OBSOLETE CLIENT_SSL_VERIFY_SERVER_CERT
 #define CLIENT_REMEMBER_OPTIONS  (1UL << 31)
 /* MariaDB specific capabilities */
--- a/libmariadb/ma_pvio.c
+++ b/libmariadb/ma_pvio.c
@@ -540,7 +540,7 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
     2. verify CN (requires option ssl_verify_check)
     3. verrify finger print
  */
-  if ((pvio->mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&
+  if (pvio->mysql->options.extension->tls_verify_server_cert &&
         ma_pvio_tls_verify_server_cert(pvio->ctls))
    return 1;
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -3041,10 +3041,7 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
    mysql->options.use_ssl= (*(my_bool *)arg1);
    break;
  case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
-    if (*(my_bool *)arg1)
+    mysql->options.extension->tls_verify_server_cert = *(my_bool*)arg1;
      mysql->options.client_flag |= CLIENT_SSL_VERIFY_SERVER_CERT;
    else
      mysql->options.client_flag &= ~CLIENT_SSL_VERIFY_SERVER_CERT;
    break;
  case MYSQL_OPT_SSL_KEY:
    OPT_SET_VALUE_STR(&mysql->options, ssl_key, (char *)arg1);
@@ -3380,7 +3377,7 @@ mysql_get_optionv(MYSQL *mysql, enum mysql_option option, void *arg, ...)
    *((my_bool *)arg)= mysql->options.use_ssl;
    break;
  case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
-    *((my_bool *)arg)= test(mysql->options.client_flag & CLIENT_SSL_VERIFY_SERVER_CERT);
+    *((my_bool*)arg) = mysql->options.extension->tls_verify_server_cert;
    break;
  case MYSQL_OPT_SSL_KEY:
    *((char **)arg)= mysql->options.ssl_key;
--- a/libmariadb/secure/gnutls.c
+++ b/libmariadb/secure/gnutls.c
@@ -1349,7 +1349,7 @@ static int my_verify_callback(gnutls_session_t ssl)
  CLEAR_CLIENT_ERROR(mysql);
-  if ((mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT))
+  if ((mysql->options.extension->tls_verify_server_cert))
  {
    const char *hostname= mysql->host;
@@ -1364,7 +1364,7 @@ static int my_verify_callback(gnutls_session_t ssl)
    gnutls_datum_t out;
    int type;
    /* accept self signed certificates if we don't have to verify server cert */
-    if (!(mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) &&
+    if (!(mysql->options.extension->tls_verify_server_cert) &&
        (status & GNUTLS_CERT_SIGNER_NOT_FOUND))
      return 0;
--- a/libmariadb/secure/openssl.c
+++ b/libmariadb/secure/openssl.c
@@ -501,9 +501,8 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
  /* In case handshake failed or if a root certificate (ca) was specified,
     we need to check the result code of X509 verification. A detailed check
     of the peer certificate (hostname checking will follow later) */
-  if (rc != 1 ||
+  if (rc != 1 || mysql->options.extension->tls_verify_server_cert ||
-      (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) ||
+      mysql->options.ssl_ca || mysql->options.ssl_capath)
      (mysql->options.ssl_ca || mysql->options.ssl_capath))
  {
    long x509_err= SSL_get_verify_result(ssl);
    if (x509_err != X509_V_OK)
--- a/libmariadb/secure/schannel.c
+++ b/libmariadb/secure/schannel.c
@@ -448,11 +448,11 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
    goto end;
   verify_certs =  mysql->options.ssl_ca || mysql->options.ssl_capath ||
-     (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT);
+     (mysql->options.extension->tls_verify_server_cert);
  if (verify_certs)
  {
-    if (!ma_schannel_verify_certs(ctls, (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT)))
+    if (!ma_schannel_verify_certs(ctls, mysql->options.extension->tls_verify_server_cert))
      goto end;
  }
--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -223,7 +223,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
  if (mysql->options.ssl_key || mysql->options.ssl_cert ||
      mysql->options.ssl_ca || mysql->options.ssl_capath ||
      mysql->options.ssl_cipher || mysql->options.use_ssl ||
-      (mysql->options.client_flag & CLIENT_SSL_VERIFY_SERVER_CERT))
+      mysql->options.extension->tls_verify_server_cert)
    mysql->options.use_ssl= 1;
  if (mysql->options.use_ssl)
    mysql->client_flag|= CLIENT_SSL;
@@ -249,7 +249,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
     was set to mandatory, we need to return an error */
  if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL))
  {
-    if ((mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) ||
+    if (mysql->options.extension->tls_verify_server_cert ||
        (mysql->options.extension && (mysql->options.extension->tls_fp || 
                                      mysql->options.extension->tls_fp_list)))
    {