Bug#21920657: SSL-CA FAILS SILENTLY IF THE PATH CANNOT BE

FOUND Description:- Failure during the validation of CA certificate path which is provided as an option for 'ssl-ca' returns two different errors for YaSSL and OPENSSL. Analysis:- 'ssl-ca', option used for specifying the ssl ca certificate path. Failing to validate this certificate with OPENSSL returns an error, "ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed". While YASSL returns "ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation". Error returned by the OPENSSL is correct since "SSL_CTX_load_verify_locations()" returns 0 (in case of OPENSSL) for the failure and sets error as "SSL_INITERR_BAD_PATHS". In case of YASSL, "SSL_CTX_load_verify_locations()" returns an error number which is less than or equal to 0 in case of error. Error numbers for YASSL is mentioned in the file, 'extra/yassl/include/openssl/ssl.h'(line no : 292). Also 'ssl-ca' does not accept tilde home directory path substitution. Fix:- The condition which checks for the error in the "SSL_CTX_load_verify_locations()" is changed in order to accommodate YASSL as well. A logic is written in "mysql_ssl_set()" in order accept the tilde home directory path substitution for all ssl options.
2025-08-01 03:47:19 +03:00 · 2016-03-01 10:17:25 +05:30
parent 96f680aa65
commit c7e68606c0
4 changed files with 80 additions and 6 deletions
--- a/sql-common/client.c
+++ b/sql-common/client.c
@ -1204,6 +1204,21 @@ static int add_init_command(struct st_mysql_options *options, const char *cmd)
        my_strdup((STR), MYF(MY_WME)) : NULL;                    \
    } while (0)

+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+static char *set_ssl_option_unpack_path(const char *arg)
+{
+  char *opt_var= NULL;
+  if (arg)
+  {
+    char *buff= (char *)my_malloc(FN_REFLEN + 1, MYF(MY_WME));
+    unpack_filename(buff, (char *)arg);
+    opt_var= my_strdup(buff, MYF(MY_WME));
+    my_free(buff);
+  }
+  return opt_var;
+}
+#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
+
 void mysql_read_default_options(struct st_mysql_options *options,
 				const char *filename,const char *group)
 {
@ -1798,10 +1813,10 @@ mysql_ssl_set(MYSQL *mysql __attribute__((unused)) ,
 {
  DBUG_ENTER("mysql_ssl_set");
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
-  mysql->options.ssl_key=    strdup_if_not_null(key);
-  mysql->options.ssl_cert=   strdup_if_not_null(cert);
-  mysql->options.ssl_ca=     strdup_if_not_null(ca);
-  mysql->options.ssl_capath= strdup_if_not_null(capath);
+  mysql->options.ssl_key=    set_ssl_option_unpack_path(key);
+  mysql->options.ssl_cert=   set_ssl_option_unpack_path(cert);
+  mysql->options.ssl_ca=     set_ssl_option_unpack_path(ca);
+  mysql->options.ssl_capath= set_ssl_option_unpack_path(capath);
  mysql->options.ssl_cipher= strdup_if_not_null(cipher);
 #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
  DBUG_RETURN(0);