- Build server build with latest C/C: Instead of copying the C/C directory
into server, we now fetch the actual commit or PR into server repository
- Fix travis environment variables (Windows)
- Skip character set tests if the server doesn't support charset/collation
- Don't use CREATE OR REPLACE SQL syntax to make MySQL happy
- Disable TLS connection test for MaxScale
- Don't set TEST environment variables if they are empty
Peer certificate validation:
Since version 3.4 peer certificate verification is enabled by default.
It can be disabled via `mysql_optionsv`, using option
MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
my_bool verify= 0;
mysql_options(mariadb, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
Self signed certificates
If the client obtained a self signed peer certificate from MariaDB server
the verification will fail, with the following exceptions:
* If the connection between client and server is considered to be secure:, e.g.
* a unix_socket is used for client server communication
* hostname is localhost (Windows operating system), 127.0.0.1 or ::1
* a specified fingerprint matches the fingerprint of the peer certificate (see below)
* a client can verify the certificate using account password, it's possible if
* account has a password
* authentication plugin is "secure without TLS", that is, one of
mysql_native_password, ed25519 or parsec.
Fingerprint verification of the peer certificate
A fingerprint is a cryptographic hash (SHA-256, SHA-384 or SHA-512) of the peer
certificate's binary data. Even if the fingerprint matches, an expired or
revoked certificate will not be accepted.
For security reasons support for MD5 and SHA1 has been removed.
Technical details:
==================
- Peer certificate verification call was removed from ma_tls_connect, instead it
will be called directly after the handshake succeeded (my_auth.c)
- mysql->net.tls_self_signed_error was replaced by mysql->net.tls_verify_status which
contains the result of the peer certfificate verification:
The verification status can be obtained with mariadb_get_infov using new parameter
MARIADB_TLS_VERIFY_STATUS.
unsigned int tls_verify_status;
mariadb_get_infov(mysql, MARIADB_TLS_VERIFY_STATUS, &tls_verify_status);
The result is a combination of the following flags:
MARIADB_TLS_VERIFY_OK 0
MARIADB_TLS_VERIFY_TRUST 1
MARIADB_TLS_VERIFY_HOST 2
MARIADB_TLS_VERIFY_PERIOD 4
MARIADB_TLS_VERIFY_FINGERPRINT 8
MARIADB_TLS_VERIFY_REVOKED 16
MARIADB_TLS_VERIFY_UNKNOWN 32
- GnuTLS peer certificate verification callback was removed and replaced by
gnutls_verify_peers2() api function, so the peer certificate validation
will happen after handshake.
- OpenSSL implementation will no longer use SSL_verify_result to check the
validity of the peer certificate. Instead a callback function will be called
during the handshake, which collects all certificate validation errors.
- If the peer certificate is not trusted, hostname verification will be
skipped.
- Testing
Added new test tls, which implements a python based dummy server, which allows
to set different certificates and TLS options. Please note. that tests are
expected to fail, since the server doesn't support further steps like user
authentication etc. after the handshake. Prerequisite for running the tls test
is Python3.
mysql_old_password is disabled by default (setting DISABLED YES),
but can be used if the plugin was added to the list of restricted
authentication plugins (via mysql_optionsv using option
MARIADB_OPT_RESTRICTED_AUTH).
- ER() macro now checks if the error code is known, if not it will return
"Unknown or undefined error code" (instead of crashing)
- SET_CLIENT_STMT_ERROR now maps to stmt_set_error and accepts variadic
arguments
Tests will be skipped unless the following environment variables
were specified:
- MYSQLTEST_VARDIR (will be automatically set when running inside
mtr)
- MARIADB_CC_TEST
travis: use connector-test-machine test script that permit to run the following tests :
* MariaDB all supported version
* Maxscale
* MySQL
* SkySQL
If CONNECTOR_TEST_SECRET_KEY is not provided (PR) only MariaDB and MySQL community will be test
Pull request testing correction
appveyor correction using archive if not latest server release
This patch is made as a part of MDEV-8334 to fix failing test in unit and
main test suite so that utf8mb3 characterset is recognized. Failing tests:
main.mysql_client_test
main.mysql_client_test_comp
unit.conc_basic-t
unit.conc_charset
unit.conc_connection
Make sure sql_mode is cleared when starting a new connection.
The problem:
When a test is skipped and there was an error in the last sql statement
sent on the default connection, the mysql_default connection is
recreated, but without sql_mode set to ''.
This leads to sql_mode having NO_ENGINE_SUBSTITUTION set.
test_conc49 tries to create an InnoDB table, but if the previous test
(in this particular case test_connect_attrs) is skipped and it errored
(in this case because it tried selecting from a performance schema
table that did not exist), it will recreate the mysql_default
connection via test_connect before running test_conc49.
Fix by making sure test_connect clears the sql_mode, just like
reset_connection, which is normally called between successful test
runs.
Plugin configuration happens now in CMakeLists.txt files in corresponding plugin directories.
plugins.cmake now contains REGISTER_PLUGIN_FUNCTION which accepts the following parameters:
- TARGET: the name of the plugin (dynamic plugins will be named ${TARGET}.so (or .dll)
- SOURCES: source files
- LIBRARIES: additional libraries for linking
- INCLUDES: include directories
- CONFIGURATIONS: possible plugin configurations: valid arguments are DYNAMIC, STATIC, OFF
- DEFAULT: default configuration (see CONFIGURATIONS)
- COMPILE_OPTIONS: compiler flags
The default plugin configuration can be specified via cmake parameter -DCLIENT_PLUGIN_${TARGET}=[DYNAMIC|STATIC|OFF]
for api functions which require string with length parameter (e.g.
mysql_real_connect() or mysql_stmt_prepare() we now use the macro
SL(string) which substitutes string and string length.
- added travis support
- fixed appveyor settings
- fixed some warnings (gcc 4.8)
- removed sleep commands
- disabled failing tests when running against MySQL server,
mostly related to stored procedures and binary protocol
- reverted fix for MDEV_10361
Still open: TLS/SSL appveyor tests, since .msi installation on appveyor doesn't provide certificates.
- SSL tests require CERT_PATH. Subdirectory certs was removed. If Connector/C is build outside of the server tree, certification path has to be specified manually (-DCERT_PATH=/path/to/certs).
- All tables and users will removed, if the test passed (otherwise mtr will complain).
