MDEV-31857 enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default

because the default value of every option is 0 (option and option.extension are bzero-ed to reset), tls_verify_server_cert was renamed to tls_allow_invalid_server_cert with the default value of 0, "do not allow". API didn't change, it's still MYSQL_OPT_SSL_VERIFY_SERVER_CERT
2025-08-08 14:02:17 +03:00 · 2023-08-30 14:39:05 +02:00
parent fcef411ecb
commit 8dffd56936
8 changed files with 17 additions and 15 deletions
--- a/include/ma_common.h
+++ b/include/ma_common.h
@@ -86,7 +86,7 @@ struct st_mysql_options_extension {
  unsigned short rpl_port;
  void (*status_callback)(void *ptr, enum enum_mariadb_status_info type, ...);
  void *status_data;
-  my_bool tls_verify_server_cert;
+  my_bool tls_allow_invalid_server_cert;
 };

 typedef struct st_connection_handler
--- a/libmariadb/ma_pvio.c
+++ b/libmariadb/ma_pvio.c
@@ -544,7 +544,7 @@ my_bool ma_pvio_start_ssl(MARIADB_PVIO *pvio)
     2. verify CN (requires option ssl_verify_check)
     3. verrify finger print
  */
-  if (pvio->mysql->options.extension->tls_verify_server_cert &&
+  if (!pvio->mysql->options.extension->tls_allow_invalid_server_cert &&
         !pvio->mysql->net.tls_self_signed_error &&
         ma_pvio_tls_verify_server_cert(pvio->ctls))
    return 1;
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -3550,7 +3550,7 @@ mysql_optionsv(MYSQL *mysql,enum mysql_option option, ...)
    mysql->options.use_ssl= (*(my_bool *)arg1);
    break;
  case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
-    OPT_SET_EXTENDED_VALUE(&mysql->options, tls_verify_server_cert, *(my_bool *)arg1);
+    OPT_SET_EXTENDED_VALUE(&mysql->options, tls_allow_invalid_server_cert, !*(my_bool *)arg1);
    break;
  case MYSQL_OPT_SSL_KEY:
    OPT_SET_VALUE_STR(&mysql->options, ssl_key, (char *)arg1);
@@ -3916,7 +3916,7 @@ mysql_get_optionv(MYSQL *mysql, enum mysql_option option, void *arg, ...)
    *((my_bool *)arg)= mysql->options.use_ssl;
    break;
  case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
-    *((my_bool*)arg) = mysql->options.extension ? mysql->options.extension->tls_verify_server_cert : 0;
+    *((my_bool*)arg) = mysql->options.extension ? !mysql->options.extension->tls_allow_invalid_server_cert: 1;
    break;
  case MYSQL_OPT_SSL_KEY:
    *((char **)arg)= mysql->options.ssl_key;
--- a/libmariadb/secure/gnutls.c
+++ b/libmariadb/secure/gnutls.c
@@ -1357,7 +1357,7 @@ static int my_verify_callback(gnutls_session_t ssl)

  CLEAR_CLIENT_ERROR(mysql);

-  if ((mysql->options.extension->tls_verify_server_cert))
+  if (!mysql->options.extension->tls_allow_invalid_server_cert)
  {
    const char *hostname= mysql->host;

@@ -1375,7 +1375,7 @@ static int my_verify_callback(gnutls_session_t ssl)
    if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
    {
      /* accept self signed certificates if we don't have to verify server cert */
-      if (!mysql->options.extension->tls_verify_server_cert)
+      if (mysql->options.extension->tls_allow_invalid_server_cert)
        return 0;

      /* postpone the error for self signed certificates if CA isn't set */
--- a/libmariadb/secure/openssl.c
+++ b/libmariadb/secure/openssl.c
@@ -506,7 +506,7 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
  /* In case handshake failed or if a root certificate (ca) was specified,
     we need to check the result code of X509 verification. A detailed check
     of the peer certificate (hostname checking will follow later) */
-  if (rc != 1 || mysql->options.extension->tls_verify_server_cert ||
+  if (rc != 1 || !mysql->options.extension->tls_allow_invalid_server_cert ||
      mysql->options.ssl_ca || mysql->options.ssl_capath)
  {
    long x509_err= SSL_get_verify_result(ssl);
--- a/libmariadb/secure/schannel.c
+++ b/libmariadb/secure/schannel.c
@@ -451,11 +451,11 @@ my_bool ma_tls_connect(MARIADB_TLS *ctls)
    goto end;

   verify_certs =  mysql->options.ssl_ca || mysql->options.ssl_capath ||
-     (mysql->options.extension->tls_verify_server_cert);
+     !mysql->options.extension->tls_allow_invalid_server_cert;

  if (verify_certs)
  {
-    if (!ma_schannel_verify_certs(ctls, mysql->options.extension->tls_verify_server_cert))
+    if (!ma_schannel_verify_certs(ctls, !mysql->options.extension->tls_allow_invalid_server_cert))
      goto end;
  }

--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -253,7 +253,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
  if (mysql->options.ssl_key || mysql->options.ssl_cert ||
      mysql->options.ssl_ca || mysql->options.ssl_capath ||
      mysql->options.ssl_cipher || mysql->options.use_ssl ||
-      mysql->options.extension->tls_verify_server_cert)
+      !mysql->options.extension->tls_allow_invalid_server_cert)
    mysql->options.use_ssl= 1;
  if (mysql->options.use_ssl)
    mysql->client_flag|= CLIENT_SSL;
@@ -273,16 +273,16 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
       mysql->net.pvio->type == PVIO_TYPE_SHAREDMEM))
  {
    mysql->server_capabilities &= ~(CLIENT_SSL);
-    mysql->options.extension->tls_verify_server_cert= 0;
+    mysql->options.extension->tls_allow_invalid_server_cert= 1;
  }

  /* if server doesn't support SSL and verification of server certificate
     was set to mandatory, we need to return an error */
  if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL))
  {
-    if (mysql->options.extension->tls_verify_server_cert ||
-        (mysql->options.extension && (mysql->options.extension->tls_fp || 
-                                      mysql->options.extension->tls_fp_list)))
+    if (!mysql->options.extension->tls_allow_invalid_server_cert ||
+        mysql->options.extension->tls_fp ||
+        mysql->options.extension->tls_fp_list)
    {
      my_set_error(mysql, CR_SSL_CONNECTION_ERROR, SQLSTATE_UNKNOWN,
                          ER(CR_SSL_CONNECTION_ERROR), 
@@ -783,7 +783,7 @@ retry:
    return 0;

  assert(mysql->options.use_ssl);
-  assert(mysql->options.extension->tls_verify_server_cert);
+  assert(!mysql->options.extension->tls_allow_invalid_server_cert);
  assert(!mysql->options.ssl_ca);
  assert(!mysql->options.ssl_capath);
  assert(!mysql->options.extension->tls_fp);
--- a/unittest/libmariadb/connection.c
+++ b/unittest/libmariadb/connection.c
@@ -686,6 +686,7 @@ int test_connection_timeout2(MYSQL *unused __attribute__((unused)))
  unsigned int timeout= 5;
  time_t start, elapsed;
  MYSQL *mysql;
+  my_bool no= 0;

  SKIP_SKYSQL;
  SKIP_MAXSCALE;
@@ -694,6 +695,7 @@ int test_connection_timeout2(MYSQL *unused __attribute__((unused)))
  mysql= mysql_init(NULL);
  mysql_options(mysql, MYSQL_OPT_CONNECT_TIMEOUT, (unsigned int *)&timeout);
  mysql_options(mysql, MYSQL_INIT_COMMAND, "set @a:=SLEEP(7)");
+  mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &no);
  start= time(NULL);
  if (my_test_connect(mysql, hostname, username, password, schema, port, socketname, CLIENT_REMEMBER_OPTIONS))
  {