This reverts 395641549ac7..536d9e2b9e5b, in particular:
8dffd56936 MDEV-31857 enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default
a99570c118 MDEV-31855 SSL cert validation protocol extension
9aa15e72a7 TLS fingerprint
and related commits
Implement proper verification for server certificate chain,
with refactoring of the certificate stuff.
If custom CA and CRL certs are given, load them into in-memory store, and
use CertVerifyCertificateChainPolicy() to verify the certificate chain.
There are minor errors fixed, such as
- now there is a support for private keys encoded as BEGIN/END PRIVATE KEY
in PEM, instead of only BEGIN/END RSA PRIVATE KEY
- memory leak around CryptAcquireContext() is fixed i.e when client loads
private key, it previously did never released it, not even when connection
ended.
The handling of certificates moved into schannel_certs.c from various places
Added support for pem files which contain certificate and private key.
In case the file will contain more than one certificate or key, the first
certificate or key found will be used.
The connection pointer mysql is now no longer part (and doesn't need to be updated) of schannel security context, since it can be obtained directly from tls container.
between the calls.
State can be unread buffer from DecryptMessage (SECBUFFER_EXTRA)
or decrypted data that did not fit into callers buffer
- Fix error handling - SEC_I_RENEGOTIATE is handled as error,
we're not doing it yet. Stop reading at SEC_I_CONTEXT_EXPIRED.
- Fix buffer sizes pased to SSPI ( so that large buffers can be read or written
"SELECT REPEAT('a', 20000)"
- Fix unchecked memcpy into the output buffer (size of the output buffer
was not checked, so it is a potential memory overrun)
- remove global variables
- remove in memory certificate stores that cache all CRL and all CA
- verify certificate against ssl_ca and ssl_crl specified in
connection options (not against all CRL/CA in store)
changed type of length parameter in mysql_stmt_prepare,
mysql_real_query, mysql_stmt_send_long_data (incl. async _start
functions) from unsigned long to size_t.
Fixed warnings
