
TLS/OpenSSL fix:

If ssl_verify_server_cert or the MYSQL_OPT_SSL_VERIFY_SERVER_CERT option is set
without a local CA file or CA path, the server certificate is now verified
against the system CA store.
This fails if the server certificate is self-signed or issued by a private CA
that the system store does not trust; in that case the preferred fix is to
specify a local CA file or path.
This commit is contained in:
Georg Richter
2020-01-20 17:30:17 +01:00
parent 42be9e67d8
commit ffbdaaac2b
2 changed files with 36 additions and 2 deletions


@@ -530,8 +530,9 @@ static int ma_tls_set_certs(MYSQL *mysql, SSL *ssl)
X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
} }
} }
SSL_CTX_set_verify(ctx, (mysql->options.ssl_ca || mysql->options.ssl_capath)? SSL_CTX_set_verify(ctx, (mysql->options.ssl_ca || mysql->options.ssl_capath) ||
SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL); (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) ?
SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
return 0; return 0;
error: error:
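Review bot: The verify-mode decision on the new `SSL_CTX_set_verify` line now mixes `||` and `?:` across three lines with no parentheses around the condition; it parses correctly (`||` binds tighter than `?:`) but a reader has to know that to see that the CA check and the flag check are both on the "verify" side. I would hoist it into a named boolean: `my_bool verify_peer= mysql->options.ssl_ca || mysql->options.ssl_capath || (mysql->client_flag & CLIENT_SSL_VERIFY_SERVER_CERT);` followed by `SSL_CTX_set_verify(ctx, verify_peer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);`. Two things this hunk does not show and that the commit message relies on should be confirmed outside it: that the context actually loads the system store when neither ssl_ca nor ssl_capath is set (e.g. `SSL_CTX_set_default_verify_paths`), since `SSL_VERIFY_PEER` alone only makes the chain check fatal, and that hostname matching against the presented certificate is still performed elsewhere, because `SSL_VERIFY_PEER` does not check the hostname by itself. The remaining branch (`SSL_VERIFY_NONE` when no CA and no flag is set) leaves the server unauthenticated; that is pre-existing behaviour, but a one-line comment such as `/* no CA and no verify flag: encrypt only, server is not authenticated */` would make the intent explicit. `ma_tls_set_certs` starts outside this hunk.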


@@ -1329,8 +1329,41 @@ static int test_conc386(MYSQL *mysql)
return OK; return OK;
} }
#ifdef HAVE_OPENSSL
static int test_ssl_verify(MYSQL *my __attribute__((unused)))
{
MYSQL *mysql;
my_bool verify= 1, enforce= 1;
if (check_skip_ssl())
return SKIP;
/* verify, using system ca should fail with self signed certificate */
mysql= mysql_init(NULL);
mysql_options(mysql, MYSQL_OPT_SSL_ENFORCE, &enforce);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
FAIL_IF(mysql_real_connect(mysql, hostname, username, password, schema,
port, socketname, 0), "Error expected");
diag("error expected: %s\n", mysql_error(mysql));
mysql_close(mysql);
/* verify against local ca, this should pass */
mysql= mysql_init(NULL);
mysql_ssl_set(mysql,0, 0, sslca, 0, 0);
mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
FAIL_IF(!mysql_real_connect(mysql, hostname, username, password, schema,
port, socketname, 0), mysql_error(mysql));
mysql_close(mysql);
return OK;
}
#endif
struct my_tests_st my_tests[] = { struct my_tests_st my_tests[] = {
{"test_ssl", test_ssl, TEST_CONNECTION_NEW, 0, NULL, NULL}, {"test_ssl", test_ssl, TEST_CONNECTION_NEW, 0, NULL, NULL},
#ifdef HAVE_OPENSSL
{"test_ssl_verify", test_ssl_verify, TEST_CONNECTION_NEW, 0, NULL, NULL},
#endif
{"test_mdev14101", test_mdev14101, TEST_CONNECTION_NEW, 0, NULL, NULL}, {"test_mdev14101", test_mdev14101, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_mdev14027", test_mdev14027, TEST_CONNECTION_NEW, 0, NULL, NULL}, {"test_mdev14027", test_mdev14027, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_conc286", test_conc286, TEST_CONNECTION_NEW, 0, NULL, NULL}, {"test_conc286", test_conc286, TEST_CONNECTION_NEW, 0, NULL, NULL},
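Review bot: The first connect in `test_ssl_verify` only asserts that `mysql_real_connect` fails, so any error at all (wrong credentials, unreachable host, TLS not enabled on the server) makes the "system CA rejects the self-signed certificate" case pass without exercising certificate verification. After the `FAIL_IF(mysql_real_connect(...), "Error expected");` I would pin the failure to the TLS layer, e.g. `FAIL_IF(mysql_errno(mysql) != CR_SSL_CONNECTION_ERROR, "TLS verification error expected");` (the exact errno the connector raises for a failed chain check should be confirmed against the error path in the TLS code, which is outside this hunk). The test also assumes the test server's certificate is not trusted by the machine's system store, which is an environment assumption worth stating in the comment, e.g. `/* assumes the test server certificate is self-signed / not in the system CA store */`. Minor: when the first connect unexpectedly succeeds, `FAIL_IF` returns before `mysql_close`, leaking the handle; in the second case the `mysql_ssl_set` path does not set `MYSQL_OPT_SSL_ENFORCE`, so whether TLS is mandatory there depends on `mysql_ssl_set` implicitly enabling it.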