CONC-747: Change behaviour of MARIADB_TLS_DISABLE_PEER_VERIFICATION

Instead of skipping the verification during handshake,
tls_allow_invalid_server_certificate will be unset during
initialization of the connection handle if environment varible
MARIADB_TLS_DISABLE_PEER_VERIFICATION was set.

This will allow drivers and applications which don't have an API
option to enable/disable peer server certificate verification
to start without TLS/SSL.

libmariadb/ma_tls.c

@@ -114,8 +114,7 @@ int ma_pvio_tls_verify_server_cert(MARIADB_TLS *ctls, unsigned int flags)
   mysql= ctls->pvio->mysql;
 
   /* Skip peer certificate verification */
-  if ((mysql->options.extension->tls_allow_invalid_server_cert ||
+  if (mysql->options.extension->tls_allow_invalid_server_cert &&
-      getenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION")) &&
       (!mysql->options.extension->tls_fp && !mysql->options.extension->tls_fp_list))
   {
     /* Since OpenSSL implementation sets status during TLS handshake

libmariadb/mariadb_lib.c

@@ -715,7 +715,8 @@ struct st_default_options mariadb_defaults[] =
 };
 
 #ifdef DEFAULT_SSL_VERIFY_SERVER_CERT
-#define FIX_SSL_VERIFY_SERVER_CERT(OPTS)
+#define FIX_SSL_VERIFY_SERVER_CERT(OPTS)\
+(OPTS)->extension->tls_allow_invalid_server_cert= (getenv("MARIADB_TLS_DISABLE_PEER_VERIFICATION") != NULL)
 #else
 #define FIX_SSL_VERIFY_SERVER_CERT(OPTS) (OPTS)->extension->tls_allow_invalid_server_cert=1
 #endif

unittest/libmariadb/tls.c.in

@@ -717,7 +717,6 @@ static int test_env_var(MYSQL *my __attribute__((unused)))
 {
   MYSQL *mysql= mysql_init(NULL);
   int rc= FAIL;
-  unsigned int status;
 
 #ifdef _WIN32
   _putenv_s("MARIADB_TLS_DISABLE_PEER_VERIFICATION", "1");
@@ -733,14 +732,6 @@ static int test_env_var(MYSQL *my __attribute__((unused)))
     goto end;
   }
 
-  mariadb_get_infov(mysql, MARIADB_TLS_VERIFY_STATUS, &status);
-
-  if (status)
-  {
-    diag("expected status=0, since environment variable was set");
-    goto end;
-  }
-
   rc= OK;
 
 end: