This reverts 395641549ac7..536d9e2b9e5b, in particular:
8dffd56936 MDEV-31857 enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default
a99570c118 MDEV-31855 SSL cert validation protocol extension
9aa15e72a7 TLS fingerprint
and related commits
These errors stem from generating self-signed certificates, and enabling
SSL + SSL certificate validation in clients.
This was done without considering Windows specifics, such as
- TCP connections by default
- non-password based plugin, auth_gssapi, in every installation
To provide some relief, consider local TCP connections to be secure
transport and skip self-signed errors for them at least.
because the default value of every option is 0
(option and option.extension are bzero-ed to reset),
tls_verify_server_cert was renamed to tls_allow_invalid_server_cert
with the default value of 0, "do not allow".
API didn't change, it's still MYSQL_OPT_SSL_VERIFY_SERVER_CERT
* extend the client auth plugin API with a new callback
* relax the plugin version check to allow loading a plugin with the
same major version, even if the minor versions differ
* implement the protocol extension:
- don't abort at once if the certificate is self signed and
no CA was explicitly specified
- allow it if it passes fingerprint check
- allow it if plugin has hash_password_bin callback, password was
non-empty and the control hash matches server's
Since the server certification option is used by client
only, there is no need to have this flag in server and/or
client capabilities. The server itself validates client
certificate depending on the user definition.
Added new options MARIADB_CONNECTION_BYTES_READ and
MARIADB_CONNECTION_BYTES_SENT which can be passed to
mariadb_get_infov() api function to obtain the bytes sent
or read to/from database server.
POWER and other architectures that define char (as my_bool) to be unsigned (as the C
standard leaves this undefined). This resulted in error branches being
unreachable as indicated by the below compile warnings.
plugins/pvio/pvio_socket.c:763:42: warning: comparison of constant -1 with expression of type 'my_bool' (aka 'char') is always
false [-Wtautological-constant-out-of-range-compare]
if (pvio_socket_blocking(pvio, 1, 0) == SOCKET_ERROR)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~
plugins/pvio/pvio_socket.c:875:46: warning: comparison of constant -1 with expression of type 'my_bool' (aka 'char') is always
false [-Wtautological-constant-out-of-range-compare]
if (pvio_socket_blocking(pvio, 0, 0) == SOCKET_ERROR)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~
plugins/pvio/pvio_socket.c:907:42: warning: comparison of constant -1 with expression of type 'my_bool' (aka 'char') is always
false [-Wtautological-constant-out-of-range-compare]
if (pvio_socket_blocking(pvio, 1, 0) == SOCKET_ERROR)
ma_hex2int: signed char - prevent compiler errors when char is unsigned.
libmariadb/ma_tls.c:169:31: warning: comparison of constant -1 with expression of type 'char' is always false
[-Wtautological-constant-out-of-range-compare]
if ((d1 = ma_hex2int(*p)) == - 1 ||
~~~~~~~~~~~~~~~~~~~~~ ^ ~~~
libmariadb/ma_tls.c:170:35: warning: comparison of constant -1 with expression of type 'char' is always false
[-Wtautological-constant-out-of-range-compare]
(d2 = ma_hex2int(*(p+1))) == -1 ||
~~~~~~~~~~~~~~~~~~~~~~~~~ ^ ~~
To fix this all the pvio_*_blocking functions have been changed to use
int as a return value.
Other my_bool/char differences fixed:
mariadb_dyncol_val_str: fix prototype to use char - like implemented function.
unittest: bind.is_null is my_bool* so we use a my_bool.
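The signedness pitfall behind the warnings above, as an added example that is neither part of the commit nor of libmariadb: my_bool is modelled as unsigned char so the code behaves on every host the way the real typedef did on POWER, and old_blocking, fixed_blocking, old_hex2int and fixed_hex2int are hypothetical stand-ins for the pvio_*_blocking and ma_hex2int functions before and after the fix.

```c
/* Stand-in for my_bool, forced to unsigned char so that the example
   behaves on every host the way the real typedef did on POWER. */
typedef unsigned char my_bool_unsigned;
static const int SOCKET_ERR = -1;   /* the SOCKET_ERROR sentinel */
static const int NOT_HEX = -1;      /* ma_hex2int's "not a hex digit" */

/* Hypothetical stand-in for a pvio_*_blocking function before the fix:
   the -1 error sentinel is returned through a my_bool (char) type. */
static my_bool_unsigned old_blocking(int fail)
{
    return fail ? SOCKET_ERR : 0;   /* -1 becomes 255 on the way out */
}

/* After the fix: int return type, so -1 reaches the caller unchanged. */
static int fixed_blocking(int fail)
{
    return fail ? SOCKET_ERR : 0;
}

/* 1 if the caller's error branch would run. Before the fix the test is
   255 == -1 after integer promotion, which is never true, so the error
   branch is dead code exactly as the compiler warned. */
int old_error_detected(void)   { return old_blocking(1) == SOCKET_ERR; }
int fixed_error_detected(void) { return fixed_blocking(1) == SOCKET_ERR; }

/* Hypothetical stand-in for ma_hex2int. The digit value fits either
   way; only the -1 sentinel depends on the return type's signedness. */
static int hex_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return NOT_HEX;
}
/* plain char where char is unsigned: the sentinel is lost */
static unsigned char old_hex2int(char c)   { return hex_value(c); }
/* signed char as in the fix: the sentinel survives promotion */
static signed char   fixed_hex2int(char c) { return hex_value(c); }

int old_hex_error_detected(void)   { return old_hex2int('z') == NOT_HEX; }
int fixed_hex_error_detected(void) { return fixed_hex2int('z') == NOT_HEX; }
int hex_digit_still_parses(void)   { return fixed_hex2int('f') == 15; }
```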
- don't use password in global context
- load keys and certs via callback functions
- don't use gnutls_bye since server is not able to detect dead socket
- fixed valgrind errors in gnutls
- TLS/SSL: renamed HAVE_SSL to HAVE_TLS to avoid trouble in
10.2-integration
- Fixed wrong timeout in non-blocking mode
- Fixed valgrind error in prepared statement
- As requested by Wlad we use connect timeout for read/write unless
the connection was established.
- Added experimental session cache support for OpenSSL. It's currently
disabled
error, or MARIADB_CONNECTION_{UNIX_SOCKET,TCP,NAMEDPIPE,SHAREDMEM}
- Disabled asynchronous API for named pipes and shared memory connections
- Added package suffix ("alpha")
- removed myodbc_remove_escape api function
- Fixed return value (length) for named pipe read/write operations
fixed type mismatch warnings in client_plugin.c
fixed prototypes and const/non const warnings in windows pvio
removed debug from msi package
added plugin dependencies for msi package