SSL_{read,write}'s return values == 0 signify the operation was
unsuccessful, but here it's being treated as success. Other calls of
these functions already properly check the return value.
Signed-off-by: Josh Hunt <johunt@akamai.com>
This reverts 395641549ac7..536d9e2b9e5b, in particular:
8dffd56936 MDEV-31857 enable MYSQL_OPT_SSL_VERIFY_SERVER_CERT by default
a99570c118 MDEV-31855 SSL cert validation protocol extension
9aa15e72a7 TLS fingerprint
and related commits
because the default value of every option is 0
(option and option.extension are bzero-ed to reset),
tls_verify_server_cert was renamed to tls_allow_invalid_server_cert
with the default value of 0, "do not allow".
API didn't change, it's still MYSQL_OPT_SSL_VERIFY_SERVER_CERT
* extend the client auth plugin API with a new callback
* relax the plugin version check to allow loading a plugin with the
same major version, even if the minor versions differ
* implement the protocol extension:
- don't abort at once if the certificate is self signed and
no CA was explicitly specified
- allow it if it passes fingerprint check
- allow it if plugin has hash_password_bin callback, password was
non-empty and the control hash matches server's
Since the server certification option is used by client
only, there is no need to have this flag in server and/or
client capabilities. The server itself validates client
certificate depending on the user definition.
according to `man SSL_get_error`
The SSL_ERROR_SYSCALL with errno value of 0 indicates unexpected EOF
from the peer. This will be properly reported as SSL_ERROR_SSL with
reason code SSL_R_UNEXPECTED_EOF_WHILE_READING in the OpenSSL 3.0
release because it is truly a TLS protocol error to terminate the
connection without a SSL_shutdown().
let's use a conventional CR_SERVER_LOST in this case instead of
"TLS/SSL error: Success(0)"
Based on its interpretation of RFC 6125 section 6.4.2[^1], OpenSSL's
implementation[^2] of `X509_check_host` treats the `namelen` parameter
in a peculiar way:
- If `namelen` is non-zero, use it;
- Otherwise, use `strlen(name)` instead
There are now many forks of OpenSSL. Implementers of the forks may
interpret RFC 6125 section 6.4.2 a little differently. They may always
expect `strlen(name)` and NOT `0`. We have come across that with
AWS-LC[^3]. AWS-LC has agreed to make an adjustment so it is consistent
with OpenSSL in this matter. But other forks may not.
To make MariaDB connector C more robust, I think it's better that we
always pass `strlen(name)` instead of `0`, unless there are compelling
reasons not to do so.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.
[^1]: https://www.rfc-editor.org/rfc/rfc6125.html#section-6.4.2
[^2]: https://www.openssl.org/docs/man3.0/man3/X509_check_host.html
[^3]: https://github.com/awslabs/aws-lc
Since alerts may happen after the handshake (for example with the test
described in CONC-587 using the TLSv1.3 protocol, or by renegotiation), the
TLS error message needs to be retrieved if the error is a protocol error
(SSL_ERROR_SSL) and/or if errno was not set.
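The three error-handling points made in the messages above (a zero return from SSL_read/SSL_write is never success; SSL_ERROR_SYSCALL with errno 0 is an unexpected EOF that should surface as CR_SERVER_LOST rather than "TLS/SSL error: Success(0)"; a protocol error or an unset errno means the TLS error queue holds the real message) combined into one result classifier. This is an added example, not Connector/C's own code: the SSL_ERROR_* constants are defined locally with OpenSSL's numeric values so it builds without libssl, the tls_io_outcome names are hypothetical, and the tls_msg argument stands in for the text a real caller would obtain from ERR_error_string().

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the values in OpenSSL's <openssl/ssl.h>; defined here so the
 * example compiles without libssl (assumption: OpenSSL 1.1.x/3.x values). */
#define SSL_ERROR_NONE        0
#define SSL_ERROR_SSL         1
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6

/* Connector-side outcomes (hypothetical names, not Connector/C's own enum). */
enum tls_io_outcome {
    TLS_IO_OK,              /* ret > 0: bytes were transferred                 */
    TLS_IO_RETRY,           /* non-blocking socket wants another poll          */
    TLS_IO_CLEAN_SHUTDOWN,  /* peer sent close_notify (SSL_ERROR_ZERO_RETURN)  */
    TLS_IO_SERVER_LOST,     /* unexpected EOF: report CR_SERVER_LOST           */
    TLS_IO_PROTOCOL_ERROR,  /* SSL_ERROR_SSL: take the message from ERR queue  */
    TLS_IO_SYSCALL_ERROR    /* genuine OS error: report strerror(errno)        */
};

/* Classify the result of SSL_read()/SSL_write(). 'ret' is the call's return
 * value, 'ssl_err' what SSL_get_error() reported for it and 'saved_errno' the
 * errno captured immediately after the call. A return value of 0 is never
 * success: every ret <= 0 goes through the SSL_get_error() switch. */
enum tls_io_outcome classify_ssl_io(int ret, int ssl_err, int saved_errno)
{
    if (ret > 0)
        return TLS_IO_OK;

    switch (ssl_err) {
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        return TLS_IO_RETRY;
    case SSL_ERROR_ZERO_RETURN:
        return TLS_IO_CLEAN_SHUTDOWN;
    case SSL_ERROR_SYSCALL:
        /* errno == 0 means the peer closed without SSL_shutdown(). OpenSSL 3.0
         * reports this as SSL_ERROR_SSL/SSL_R_UNEXPECTED_EOF_WHILE_READING,
         * older releases as SYSCALL with no errno. Either way the server is gone. */
        if (saved_errno == 0)
            return TLS_IO_SERVER_LOST;
        return TLS_IO_SYSCALL_ERROR;
    case SSL_ERROR_SSL:
        return TLS_IO_PROTOCOL_ERROR;
    default:
        /* ret <= 0 with SSL_ERROR_NONE or an unknown code is still a failure;
         * with errno unset the TLS error queue is the only useful source. */
        return saved_errno ? TLS_IO_SYSCALL_ERROR : TLS_IO_PROTOCOL_ERROR;
    }
}

/* Render the outcome as a client error string. Routing errno == 0 through the
 * strerror() branch is exactly what produced "TLS/SSL error: Success(0)";
 * classify_ssl_io() never does that. Returns the number of characters written. */
int format_tls_error(enum tls_io_outcome outcome, int saved_errno,
                     const char *tls_msg, char *buf, size_t buflen)
{
    switch (outcome) {
    case TLS_IO_OK:             return snprintf(buf, buflen, "ok");
    case TLS_IO_RETRY:          return snprintf(buf, buflen, "retry");
    case TLS_IO_CLEAN_SHUTDOWN: return snprintf(buf, buflen, "peer closed connection");
    case TLS_IO_SERVER_LOST:    return snprintf(buf, buflen, "CR_SERVER_LOST: Lost connection to server");
    case TLS_IO_PROTOCOL_ERROR: return snprintf(buf, buflen, "TLS/SSL error: %s", tls_msg ? tls_msg : "unknown");
    default:                    return snprintf(buf, buflen, "TLS/SSL error: %s(%d)", strerror(saved_errno), saved_errno);
    }
}

int main(void)
{
    /* Constructed scenarios, not captured from a real connection. */
    struct { int ret, ssl_err, err; const char *what; } cases[] = {
        {  0, SSL_ERROR_SYSCALL,     0,          "peer dropped connection without SSL_shutdown()" },
        { -1, SSL_ERROR_SYSCALL,     ECONNRESET, "socket reset by the kernel"                     },
        { -1, SSL_ERROR_SSL,         0,          "server sent a fatal alert after the handshake"  },
        {  0, SSL_ERROR_ZERO_RETURN, 0,          "clean close_notify from the server"             },
    };
    char buf[128];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum tls_io_outcome o = classify_ssl_io(cases[i].ret, cases[i].ssl_err, cases[i].err);
        format_tls_error(o, cases[i].err, "certificate revoked", buf, sizeof buf);
        printf("%-50s -> %s\n", cases[i].what, buf);
    }
    return 0;
}
```

In a real connector the second argument comes from SSL_get_error(ssl, ret) and the third from errno saved immediately after the call, before any other library call can overwrite it; the protocol-error message comes from ERR_get_error()/ERR_error_string_n() and must be fetched even after the handshake completed, since alerts can arrive at any point.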
Removed callback function for crypto threads, since the callback function
cannot be cleared. For OpenSSL <= 1.0.2 the default implementation will be used:
address of errno (Posix) or GetCurrentThreadId (Windows).
Added a new option MARIADB_OPT_SKIP_READ_RESPONSE which skips automatic
reading of server response after sending a command to the server.
Server packets have to be retrieved by calling the corresponding methods,
e.g:
Send command                              Read method
mysql_real_query/mysql_send_query         db_read_query_result
mysql_stmt_prepare                        db_read_prepare_response
mysql_stmt_execute,
mariadb_stmt_execute_direct               db_read_execute_response
Since we still need to support OpenSSL 1.0.2 everything is now loaded
in context instead of ssl.
If the handshake failed, we now call SSL_get_verify_result to get a more
detailed error message in case certificate alerts were raised (e.g. revocation).
The fix fails with ssl_crl server test, since certificates are loaded
in global context. If there is a valid certificate in global context,
certificate revocation test on server will fail.
This reverts commit db385afbbe.
If ssl_verify_server_cert or MYSQL_OPT_SSL_VERIFY_SERVER_CERT option was set
without setting a local ca file, the server certificate will be checked using
the system ca store.
This might lead to an error, in case the server certificate was self signed.
In this case, the preferred way is to specify a local CA.
Since the new TLSv1.3 cipher suites differ from older cipher suites, they can't be mixed and need
to be set by a different API call; we disable the settings for TLSv1.3 cipher suites.
Added support for OpenSSL 1.1.1
Tested with OpenSSL 1.1.1 beta 5. For testing TLS v1.3 the server needs to be patched with the patch attached to MDEV-15996.
- added travis support
- fixed appveyor settings
- fixed some warnings (gcc 4.8)
- removed sleep commands
- disabled failing tests when running against MySQL server,
mostly related to stored procedures and binary protocol
- reverted fix for MDEV_10361
Still open: TLS/SSL appveyor tests, since .msi installation on appveyor doesn't provide certificates.
Client part of MDEV-14101: Add support for tls-version, via
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, value)
Accepted values are "TLSv1.1", "TLSv1.2" and "TLSv1.3".
Fixed testcase openssl_1 for schannel