From 9541bd0e903c2fe38f2c4ae96c3630b2d23afebe Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Mon, 2 Dec 2024 17:05:58 +0100
Subject: [PATCH] CONC-747: Change behaviour of MARIADB_TLS_DISABLE_PEER_VERIFICATION

Instead of skipping the verification during handshake, tls_allow_invalid_server_certificate will be unset during initialization of the connection handle if environment varible MARIADB_TLS_DISABLE_PEER_VERIFICATION was set. This will allow drivers and applications which don't have an API option to enable/disable peer server certificate verification to start without TLS/SSL.
---
 libmariadb/ma_tls.c          | 3 +--
 libmariadb/mariadb_lib.c     | 3 ++-
 unittest/libmariadb/tls.c.in | 9 ---------
 3 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/libmariadb/ma_tls.c b/libmariadb/ma_tls.c
index 9b4f060d..b2de93e5 100644
--- a/libmariadb/ma_tls.c
+++ b/libmariadb/ma_tls.c
@@ -114,8 +114,7 @@ int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
   mysql= ctls->pvio->mysql;
 
   /* Skip peer certificate verification */
-  if ((mysql->options.extension->tls_allow_invalid_server_cert ||
-       getenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION")) &&
+  if (mysql->options.extension->tls_allow_invalid_server_cert &&
       (!mysql->options.extension->tls_fp && !mysql->options.extension->tls_fp_list))
   {
     /* Since OpenSSL implementation sets status during TLS handshake
diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
index 16f6ee8b..977da096 100644
--- a/libmariadb/mariadb_lib.c
+++ b/libmariadb/mariadb_lib.c
@@ -715,7 +715,8 @@ struct st_default_options mariadb_defaults[] =
 };
 
 #ifdef DEFAULT_SSL_VERIFY_SERVER_CERT
-#define FIX_SSL_VERIFY_SERVER_CERT(OPTS)
+#define FIX_SSL_VERIFY_SERVER_CERT(OPTS)\
+(OPTS)->extension->tls_allow_invalid_server_cert= (getenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION") != NULL)
 #else
 #define FIX_SSL_VERIFY_SERVER_CERT(OPTS) (OPTS)->extension->tls_allow_invalid_server_cert=1
 #endif
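Review bot: The `/* Skip peer certificate verification */` comment above the rewritten condition no longer tells a reader where the environment override went, so anyone who knew the old behaviour will look for getenv() here and find nothing. Suggest replacing it with `/* Skip peer verification only when the application explicitly allowed it; the MARIADB_TLS_DISABLE_PEER_VERIFICATION override is folded into tls_allow_invalid_server_cert at handle initialization (FIX_SSL_VERIFY_SERVER_CERT) and is not consulted here. A configured fingerprint (tls_fp / tls_fp_list) always forces verification. */`. The tls_fp / tls_fp_list precedence is unchanged by the commit and is the property a defender cares about most, so spelling it out in the comment is worthwhile. ma_pvio_tls_verify_server_cert begins before this hunk and continues past it.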
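Review bot: The new FIX_SSL_VERIFY_SERVER_CERT body under DEFAULT_SSL_VERIFY_SERVER_CERT only tests whether MARIADB_TLS_DISABLE_PEER_VERIFICATION exists in the environment, so `MARIADB_TLS_DISABLE_PEER_VERIFICATION=` or `=0` also switches peer verification off, because getenv() returns a non-NULL pointer for an empty value. The removed ma_tls.c check had the same presence-only semantics, but now that the result is written into an option field this is the natural place to require a non-empty value other than "0", and to document above the macro that the assignment happens once per handle at initialization so options set explicitly afterwards take precedence (the commit message implies this; the call site is outside the hunk). The commit message also says the flag is "unset" when the variable is set, whereas the macro sets it to non-zero in that case, which is worth aligning. Separately, the MARIADB_TLS_VERIFY_STATUS assertion removed from test_env_var in tls.c.in appears to have been the only check of this behaviour, so a replacement assertion on the resulting option value would keep the new path covered. A small static helper keeps the macro single-evaluation and readable:
```c
/* … unchanged: mariadb_defaults[] … */

/* Presence alone is not enough: an empty value or "0" keeps verification on. */
static int ma_tls_peer_verification_disabled_by_env(void)
{
  const char *v= getenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION");
  return v != NULL && *v != '\0' && strcmp(v, "0") != 0;
}

#ifdef DEFAULT_SSL_VERIFY_SERVER_CERT
#define FIX_SSL_VERIFY_SERVER_CERT(OPTS)\
(OPTS)->extension->tls_allow_invalid_server_cert= ma_tls_peer_verification_disabled_by_env()
```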
diff --git a/unittest/libmariadb/tls.c.in b/unittest/libmariadb/tls.c.in
index 92ac0a62..c97c258c 100644
--- a/unittest/libmariadb/tls.c.in
+++ b/unittest/libmariadb/tls.c.in
@@ -717,7 +717,6 @@ static int test_env_var(MYSQL *my __attribute__((unused)))
 {
   MYSQL *mysql= mysql_init(NULL);
   int rc= FAIL;
-  unsigned int status;
 
 #ifdef _WIN32
   _putenv_s("MARIADB_TLS_DISABLE_PEER_VERIFICATION", "1");
@@ -733,14 +732,6 @@ static int test_env_var(MYSQL *my __attribute__((unused)))
     goto end;
   }
 
-  mariadb_get_infov(mysql, MARIADB_TLS_VERIFY_STATUS, &status);
-
-  if (status)
-  {
-    diag("expected status=0, since environment variable was set");
-    goto end;
-  }
-
   rc= OK;
 end: