- Build server build with latest C/C: Instead of copying the C/C directory
into server, we now fetch the actual commit or PR into server repository
- Fix travis environment variables (Windows)
- Skip character set tests if the server doesn't support charset/collation
- Don't use CREATE OR REPLACE SQL syntax to make MySQL happy
- Disable TLS connection test for MaxScale
- Don't set TEST environment variables if they are empty
- moved fingerprint verification to ma_tls.c
- don't verify cert again if fingerprint check
succeeded.
- Disable self signed check in fingerprint tests
(Schannel only).
Peer certificate validation:
Since version 3.4 peer certificate verification is enabled by default.
It can be disabled via `mysql_optionsv`, using option
MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
my_bool verify= 0;
mysql_options(mariadb, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
Self signed certificates
If the client obtained a self signed peer certificate from MariaDB server
the verification will fail, with the following exceptions:
* If the connection between client and server is considered to be secure:, e.g.
* a unix_socket is used for client server communication
* hostname is localhost (Windows operating system), 127.0.0.1 or ::1
* a specified fingerprint matches the fingerprint of the peer certificate (see below)
* a client can verify the certificate using account password, it's possible if
* account has a password
* authentication plugin is "secure without TLS", that is, one of
mysql_native_password, ed25519 or parsec.
Fingerprint verification of the peer certificate
A fingerprint is a cryptographic hash (SHA-256, SHA-384 or SHA-512) of the peer
certificate's binary data. Even if the fingerprint matches, an expired or
revoked certificate will not be accepted.
For security reasons support for MD5 and SHA1 has been removed.
Technical details:
==================
- Peer certificate verification call was removed from ma_tls_connect, instead it
will be called directly after the handshake succeeded (my_auth.c)
- mysql->net.tls_self_signed_error was replaced by mysql->net.tls_verify_status which
contains the result of the peer certfificate verification:
The verification status can be obtained with mariadb_get_infov using new parameter
MARIADB_TLS_VERIFY_STATUS.
unsigned int tls_verify_status;
mariadb_get_infov(mysql, MARIADB_TLS_VERIFY_STATUS, &tls_verify_status);
The result is a combination of the following flags:
MARIADB_TLS_VERIFY_OK 0
MARIADB_TLS_VERIFY_TRUST 1
MARIADB_TLS_VERIFY_HOST 2
MARIADB_TLS_VERIFY_PERIOD 4
MARIADB_TLS_VERIFY_FINGERPRINT 8
MARIADB_TLS_VERIFY_REVOKED 16
MARIADB_TLS_VERIFY_UNKNOWN 32
- GnuTLS peer certificate verification callback was removed and replaced by
gnutls_verify_peers2() api function, so the peer certificate validation
will happen after handshake.
- OpenSSL implementation will no longer use SSL_verify_result to check the
validity of the peer certificate. Instead a callback function will be called
during the handshake, which collects all certificate validation errors.
- If the peer certificate is not trusted, hostname verification will be
skipped.
- Testing
Added new test tls, which implements a python based dummy server, which allows
to set different certificates and TLS options. Please note. that tests are
expected to fail, since the server doesn't support further steps like user
authentication etc. after the handshake. Prerequisite for running the tls test
is Python3.
* don't abuse CONFIGURE_FILE
no need to generate ssl.c during the build
* don't skip tests when the input data is missing
if the certificate is not found it is not OK
* run-time CERT_PATH is not the same as build-time CERT_PATH
load server-cert.sha1 at run-time
* test an invalid fingerprint - it has to fail
* do not delete certificates at the end of the test
* test SSL_VERIFY_SERVER_CERT with a system CA
Allow multiple initialization of the client library (mysql_server_init(
mysql_server_end).
Note: This was already fixed by commit for CONC-277, unfortunately the fix
was overwritten by a bad merge.
for api functions which require string with length parameter (e.g.
mysql_real_connect() or mysql_stmt_prepare() we now use the macro
SL(string) which substitutes string and string length.
- added travis support
- fixed appveyor settings
- fixed some warnings (gcc 4.8)
- removed sleep commands
- disabled failing tests when running against MySQL server,
mostly related to stored procedures and binary protocol
- reverted fix for MDEV_10361
Still open: TLS/SSL appveyor tests, since .msi installation on appveyor doesn't provide certificates.
- don't run fingerprint and passphrase protected tests if the corresponding
files (sha1 and encrypted client key) are not found in CERT_PATH
- don't overwrite SSL errors if handshake failed
- Use gnutls read/write instead of pvio
Client part of MDEV-14101: Add support for tls-version, via
mysql_options(mysql, MARIADB_OPT_TLS_VERSION, value)
Accepted values are "TLSv1.1", "TLSv1.2" and "TLSv1.3".
Fixed testcase openssl_1 for schannel
If a statement with open (read only) cursor is executed there is no buffered
result set (result set rows will be fetched directly from server), so we need to skip reading unbuffered result sets if a cursor is open.
- SSL tests require CERT_PATH. Subdirectory certs was removed. If Connector/C is build outside of the server tree, certification path has to be specified manually (-DCERT_PATH=/path/to/certs).
- All tables and users will removed, if the test passed (otherwise mtr will complain).
- don't use password in global context
- load keys and certs via callback functions
- don't use gnutls_bye since server is not able to detect dead socket
- fixed valgrind errors in gnutls
* make is usable as a CMake sub-project
* put options in a separate namespace
* but use parent project values when specified
* always specify COMPONENT when INSTALLing
* don't use PROJECT_SOURCE_DIR/PROJECT_BINARY_DIR
Also
* fix out-of-source builds (don't generate files
in the CMAKE_SOURCE_DIR, always do it in CMAKE_BINARY_DIR)
* make subsequence cmake runs less verbose, use MESSAGE1
to avoid repeating messages that didn't change
- allow param binding via mysql_stmt_attr_set:
mysql_stmt_attr_set(stmt, STMT_ATTR_PREBIND_PARAMS, ¶m_count);
- If a prepared statement will be reexecuted, we send COM_STMT_CLOSE
together with COM_STMT_PREPARE and COM_STMT_EXECUTE
- TLS/SSL: renamed HAVE_SSL to HAVE_TLS to avoid trouble in
10.2-integration
- Fixed wrong timeout in non-blocking mode
- Fixed valgrind error in prepared statement
