Fixes slow SSL handshakes in network-restricted environments. On Windows,
the verification process uses the CertGetCertificateChain API, which
may attempt to refresh the CA list or fetch CRLs/OCSP data from the
network. This can trigger slow network lookups when no CA or CRL is
explicitly specified.
This patch disables these unnecessary network calls by using flags
like CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL to prevent external requests
during certificate chain validation. Additionally, it applies
Microsoft-recommended optimizations to speed up certificate handling
and avoid delays in SSL handshakes.
Also, unless explicitly requested(via ca_cert or crl_file or similar),
do not bother to verify name, CA or CRL for local connections. It saves
time. The failures in verification were previously discarded anyway.
SSL connection on Windows used retry logic initially, to "fix" MDEV-13492
This actual bug is now understood, and was fixed a while ago.
Remove the workaround now.
Some research show that X18 is mentioned as a platform-reserved
register on most non-linux platforms, including MacOS, Windows, and
FreeBSD. So only put it in the clobber list in Linux.
Note that the ma_context.c code does not itself use the X18 register
in any way. On platforms where X18 is reserved, the co-routine code
will preserve it. On platforms where co-routine code can modify X18,
it does not need to be preserved. Putting X18 in the clobber list is
only to avoid GCC itself generating code that requires that X18 is
preserved.
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
X18 is a platform-reserved register on Android, not a callee-save
register. So it will not be touched by the spawned/resumed co-routine
and must not be included in the GCC asm clobber list on this platform.
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
Fixed different behavior of pvio_is_alive (which was first used
with fix of CONC-589). Both for sockets and named pipe the function
now returns true if the connection is alive, otherwise false.
Increase the default stack size for co-routines to 256 kByte. It was 60
kByte, which was too small for glibc getaddrinfo() when using mdns.
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
Also CONC-754.
Depending on compiler options (eg. -fno-dwarf2-cfi-asm), the compiler may
not output .cfi_startproc / .cfi_endproc in generated assember, and this
causes a build error on the .cfi_escape directive put in my_context_spawn()
on systems with DWARF support.
Fix by using the proper preprocessor macro __GCC_HAVE_DWARF2_CFI_ASM to test
for .cfi_escape support, rather than crafted check for various compiler
brands and versions. Though this macro is only available in clang since
version 13.0.0, so unconditionally include the .cfi_escape in earlier clang
versions.
Thanks to Rainer Orth for the suggested fix.
Signed-off-by: Kristian Nielsen <knielsen@knielsen-hq.org>
If automatic reconnect is enabled (MYSQL_OPT_RECONNECT) it is
mandatory to check if the connection/socket is still alive before
sending a command to the server (unless the command is COM_QUIT).
Since Item_result enumerations are also used by MariaDB server, we
moved them back to mariadb_com.h.
Item_result is not used in Connector/C 3.3 and above for replication
api.
Added an option STMT_ATTR_SQL_STATEMENT in API function
mariadb_stmt_attr_get which returns a MARIADB_CONST_STRING
structure which contains SQL statement from last
mysql_stmt_prepare() call.
- Added TLSv1.3 ciphers to cipher map.
- Fixed retrieval of cipher suite: Since gnutls_cipher_suite_get_name
supports only TLSv1.2 (and lower) cipher suites, we have to call
gnutls_ciphersuite_get() (requires GnuTLS 3.7.4 or newer).
Instead of skipping the verification during handshake,
tls_allow_invalid_server_certificate will be unset during
initialization of the connection handle if environment varible
MARIADB_TLS_DISABLE_PEER_VERIFICATION was set.
This will allow drivers and applications which don't have an API
option to enable/disable peer server certificate verification
to start without TLS/SSL.
