authorVladislav Vaintroub <wlad@mariadb.com>2018-12-01 23:54:15 +0100
committerVladislav Vaintroub <wlad@mariadb.com>2018-12-02 01:25:04 +0100
commitaf6a8ea0f79d628384a61986482dec7d3ff751dd (patch)
tree9fafb068630a0e12a4748963c7953a39549fdd0e
parent757530b83ca1cc550127311dc6edb47152ba0c6a (diff)
MDEV-16266 : New command FLUSH SSL to reload SSL acceptor context.bb-10.4-wlad-MDEV-16266
Reloads certificate, key, CA, CRL.
-rw-r--r--include/mysql_com.h1
-rw-r--r--mysql-test/main/flush_ssl.result19
-rw-r--r--mysql-test/main/flush_ssl.test24
-rw-r--r--mysql-test/main/flush_ssl_debug.result9
-rw-r--r--mysql-test/main/flush_ssl_debug.test15
-rw-r--r--mysql-test/suite/perfschema/r/dml_setup_instruments.result2
-rw-r--r--sql/mysqld.cc309
-rw-r--r--sql/mysqld.h4
-rw-r--r--sql/sql_acl.cc7
-rw-r--r--sql/sql_reload.cc5
-rw-r--r--sql/sql_yacc.yy2
-rw-r--r--sql/sql_yacc_ora.yy2
12 files changed, 197 insertions, 202 deletions
diff --git a/include/mysql_com.h b/include/mysql_com.h
index 902c0ff2706..8b0847ab399 100644
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -231,6 +231,7 @@ enum enum_indicator_type
#define REFRESH_DES_KEY_FILE (1ULL << 18)
#define REFRESH_USER_RESOURCES (1ULL << 19)
#define REFRESH_FOR_EXPORT (1ULL << 20) /* FLUSH TABLES ... FOR EXPORT */
+#define REFRESH_SSL (1ULL << 21)
#define REFRESH_GENERIC (1ULL << 30)
#define REFRESH_FAST (1ULL << 31) /* Intern flag */
diff --git a/mysql-test/main/flush_ssl.result b/mysql-test/main/flush_ssl.result
new file mode 100644
index 00000000000..03483070a14
--- /dev/null
+++ b/mysql-test/main/flush_ssl.result
@@ -0,0 +1,19 @@
+connect ssl_con,localhost,root,,,,,SSL;
+SELECT VARIABLE_VALUE != '0' FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME='SSL_ACCEPTS';
+VARIABLE_VALUE != '0'
+1
+FLUSH SSL;
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME='SSL_ACCEPTS';
+VARIABLE_VALUE
+0
+CREATE USER u;
+connect ssl_con2,localhost,u,,,,,SSL;
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME='SSL_ACCEPTS';
+VARIABLE_VALUE
+1
+FLUSH SSL;
+ERROR 42000: Access denied; you need (at least one of) the RELOAD privilege(s) for this operation
+disconnect ssl_con2;
+disconnect ssl_con;
+connection default;
+DROP USER u;
diff --git a/mysql-test/main/flush_ssl.test b/mysql-test/main/flush_ssl.test
new file mode 100644
index 00000000000..24dbb4719f3
--- /dev/null
+++ b/mysql-test/main/flush_ssl.test
@@ -0,0 +1,24 @@
+source include/have_ssl_communication.inc;
+
+connect ssl_con,localhost,root,,,,,SSL;
+SELECT VARIABLE_VALUE != '0' FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME='SSL_ACCEPTS';
+FLUSH SSL;
+
+# Check if SSL_ACCEPTS was flushed (SSL_ACCEPTS = 0)
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME='SSL_ACCEPTS';
+
+CREATE USER u;
+connect ssl_con2,localhost,u,,,,,SSL;
+
+# Check SSL_ACCEPTS increased to 1
+SELECT VARIABLE_VALUE FROM INFORMATION_SCHEMA.GLOBAL_STATUS WHERE VARIABLE_NAME='SSL_ACCEPTS';
+
+# Check that FLUSH SSL does not work for unprivileged user
+error ER_SPECIFIC_ACCESS_DENIED_ERROR;
+FLUSH SSL;
+
+disconnect ssl_con2;
+disconnect ssl_con;
+connection default;
+DROP USER u;
+
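Review bot: The test proves that FLUSH SSL resets Ssl_accepts and that it needs RELOAD, but it never checks that the reloaded acceptor actually serves new material; nothing distinguishes a successful reload from a no-op that only zeroes counters. A stronger check would point the server at a second certificate before `FLUSH SSL;` and compare an observable such as `Ssl_server_not_after` (or the peer certificate seen from ssl_con2) before and after the flush. The comment on the second SELECT, `# Check SSL_ACCEPTS increased to 1`, would then read more precisely as "Check SSL_ACCEPTS counts the new connection after the reset".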
diff --git a/mysql-test/main/flush_ssl_debug.result b/mysql-test/main/flush_ssl_debug.result
new file mode 100644
index 00000000000..f7ce5f6c863
--- /dev/null
+++ b/mysql-test/main/flush_ssl_debug.result
@@ -0,0 +1,9 @@
+connect ssl_con,localhost,root,,,,,SSL;
+SET debug_dbug='+d,simulate_bad_ssl_cert';
+FLUSH SSL;
+ERROR HY000: Failed to refresh SSL, error: Unable to get certificate
+SET debug_dbug='';
+connect ssl_con2,localhost,root,,,,,SSL;
+disconnect ssl_con2;
+disconnect ssl_con;
+connection default;
diff --git a/mysql-test/main/flush_ssl_debug.test b/mysql-test/main/flush_ssl_debug.test
new file mode 100644
index 00000000000..d0fc54f4bda
--- /dev/null
+++ b/mysql-test/main/flush_ssl_debug.test
@@ -0,0 +1,15 @@
+source include/have_ssl_communication.inc;
+source include/have_debug.inc;
+
+connect ssl_con,localhost,root,,,,,SSL;
+SET debug_dbug='+d,simulate_bad_ssl_cert';
+error ER_UNKNOWN_ERROR;
+FLUSH SSL;
+SET debug_dbug='';
+# Check ssl connection still possible after FLUSH_SSL fails
+connect ssl_con2,localhost,root,,,,,SSL;
+
+disconnect ssl_con2;
+disconnect ssl_con;
+connection default;
+
diff --git a/mysql-test/suite/perfschema/r/dml_setup_instruments.result b/mysql-test/suite/perfschema/r/dml_setup_instruments.result
index ff184806e2e..307c5c5366a 100644
--- a/mysql-test/suite/perfschema/r/dml_setup_instruments.result
+++ b/mysql-test/suite/perfschema/r/dml_setup_instruments.result
@@ -22,13 +22,13 @@ NAME ENABLED TIMED
wait/synch/rwlock/sql/LOCK_dboptions YES YES
wait/synch/rwlock/sql/LOCK_grant YES YES
wait/synch/rwlock/sql/LOCK_SEQUENCE YES YES
+wait/synch/rwlock/sql/LOCK_ssl_refresh YES YES
wait/synch/rwlock/sql/LOCK_system_variables_hash YES YES
wait/synch/rwlock/sql/LOCK_sys_init_connect YES YES
wait/synch/rwlock/sql/LOCK_sys_init_slave YES YES
wait/synch/rwlock/sql/LOGGER::LOCK_logger YES YES
wait/synch/rwlock/sql/MDL_context::LOCK_waiting_for YES YES
wait/synch/rwlock/sql/MDL_lock::rwlock YES YES
-wait/synch/rwlock/sql/Query_cache_query::lock YES YES
select * from performance_schema.setup_instruments
where name like 'Wait/Synch/Cond/sql/%'
and name not in (
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index 9ff47dc1ff1..13aad0a0197 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -769,6 +769,7 @@ mysql_mutex_t LOCK_prepared_stmt_count;
mysql_mutex_t LOCK_des_key_file;
#endif
mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
+mysql_rwlock_t LOCK_ssl_refresh;
mysql_prlock_t LOCK_system_variables_hash;
mysql_cond_t COND_thread_count, COND_start_thread;
pthread_t signal_thread;
@@ -1032,7 +1033,8 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger,
key_rwlock_LOCK_sys_init_connect, key_rwlock_LOCK_sys_init_slave,
key_rwlock_LOCK_system_variables_hash, key_rwlock_query_cache_query_lock,
key_LOCK_SEQUENCE,
- key_rwlock_LOCK_vers_stats, key_rwlock_LOCK_stat_serial;
+ key_rwlock_LOCK_vers_stats, key_rwlock_LOCK_stat_serial,
+ key_rwlock_LOCK_ssl_refresh;
static PSI_rwlock_info all_server_rwlocks[]=
{
@@ -1047,7 +1049,8 @@ static PSI_rwlock_info all_server_rwlocks[]=
{ &key_rwlock_LOCK_system_variables_hash, "LOCK_system_variables_hash", PSI_FLAG_GLOBAL},
{ &key_rwlock_query_cache_query_lock, "Query_cache_query::lock", 0},
{ &key_rwlock_LOCK_vers_stats, "Vers_field_stats::lock", 0},
- { &key_rwlock_LOCK_stat_serial, "TABLE_SHARE::LOCK_stat_serial", 0}
+ { &key_rwlock_LOCK_stat_serial, "TABLE_SHARE::LOCK_stat_serial", 0},
+ { &key_rwlock_LOCK_ssl_refresh, "LOCK_ssl_refresh", PSI_FLAG_GLOBAL }
};
#ifdef HAVE_MMAP
@@ -2275,6 +2278,7 @@ static void clean_up_mutexes()
mysql_mutex_destroy(&LOCK_rpl_status);
#endif /* HAVE_REPLICATION */
mysql_mutex_destroy(&LOCK_active_mi);
+ mysql_rwlock_destroy(&LOCK_ssl_refresh);
mysql_rwlock_destroy(&LOCK_sys_init_connect);
mysql_rwlock_destroy(&LOCK_sys_init_slave);
mysql_mutex_destroy(&LOCK_global_system_variables);
@@ -4673,6 +4677,7 @@ static int init_thread_environment()
#endif /* HAVE_OPENSSL */
mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect);
mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave);
+ mysql_rwlock_init(key_rwlock_LOCK_ssl_refresh, &LOCK_ssl_refresh);
mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant);
mysql_cond_init(key_COND_thread_count, &COND_thread_count, NULL);
mysql_cond_init(key_COND_thread_cache, &COND_thread_cache, NULL);
@@ -4766,6 +4771,56 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file,
}
#endif /* HAVE_OPENSSL10 */
+
+struct SSL_ACCEPTOR_STATS
+{
+ long accept;
+ long accept_good;
+ long cache_size;
+ long verify_mode;
+ long verify_depth;
+ const char *session_cache_mode;
+ long zero;
+ SSL_ACCEPTOR_STATS()
+ {
+ session_cache_mode = "NONE";
+ }
+ void init()
+ {
+ DBUG_ASSERT(ssl_acceptor_fd);
+ accept = 0;
+ accept_good = 0;
+ verify_mode = SSL_CTX_get_verify_mode(ssl_acceptor_fd->ssl_context);
+ verify_depth = SSL_CTX_get_verify_depth(ssl_acceptor_fd->ssl_context);
+ cache_size = SSL_CTX_sess_get_cache_size(ssl_acceptor_fd->ssl_context);
+ switch (SSL_CTX_get_session_cache_mode(ssl_acceptor_fd->ssl_context))
+ {
+ case SSL_SESS_CACHE_OFF:
+ session_cache_mode = "OFF"; break;
+ case SSL_SESS_CACHE_CLIENT:
+ session_cache_mode = "CLIENT"; break;
+ case SSL_SESS_CACHE_SERVER:
+ session_cache_mode = "SERVER"; break;
+ case SSL_SESS_CACHE_BOTH:
+ session_cache_mode = "BOTH"; break;
+ case SSL_SESS_CACHE_NO_AUTO_CLEAR:
+ session_cache_mode = "NO_AUTO_CLEAR"; break;
+ case SSL_SESS_CACHE_NO_INTERNAL_LOOKUP:
+ session_cache_mode = "NO_INTERNAL_LOOKUP"; break;
+ default:
+ session_cache_mode = "Unknown"; break;
+ }
+ }
+};
+
+static SSL_ACCEPTOR_STATS ssl_acceptor_stats;
+void ssl_acceptor_stats_update(int sslaccept_ret)
+{
+ ssl_acceptor_stats.accept++;
+ if (!sslaccept_ret)
+ ssl_acceptor_stats.accept_good++;
+}
+
static void init_ssl()
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
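Review bot: `ssl_acceptor_stats_update` increments `accept` and `accept_good` as plain `long` fields, yet it is called from every connection thread (sql/sql_acl.cc in this commit, after the read lock has already been released), so concurrent handshakes race on the increments and counts can be lost; the removed `show_ssl_ctx_sess_accept*` functions read counters that OpenSSL maintains under its own locking. Make the two counters atomic (the server's my_atomic helpers, or `std::atomic<long>` if the file already uses C++11 atomics), for example `my_atomic_add64(&ssl_acceptor_stats.accept, 1);`. `init()` is also invoked from `reinit_ssl` under the write lock while `status_vars` reads the fields with no lock at all; that is probably benign for aligned longs but deserves a comment, e.g. `/* Written only by init_ssl()/reinit_ssl(); read lock-free by SHOW STATUS */`. Note that `SSL_CTX_get_session_cache_mode` returns a bit mask, so combined modes fall into the `default:` "Unknown" branch, same as the code it replaces.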
@@ -4786,6 +4841,9 @@ static void init_ssl()
opt_use_ssl = 0;
have_ssl= SHOW_OPTION_DISABLED;
}
+ else
+ ssl_acceptor_stats.init();
+
if (global_system_variables.log_warnings > 0)
{
ulong err;
@@ -4804,6 +4862,38 @@ static void init_ssl()
#endif /* HAVE_OPENSSL && ! EMBEDDED_LIBRARY */
}
+/* Reinitialize SSL (FLUSH SSL) */
+int reinit_ssl()
+{
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+ if (!opt_use_ssl)
+ return 0;
+#ifndef DBUG_OFF
+ char *old_ssl_cert;
+#endif
+
+ DBUG_EXECUTE_IF("simulate_bad_ssl_cert", old_ssl_cert= opt_ssl_cert; opt_ssl_cert=const_cast<char *>(""););
+
+ enum enum_ssl_init_error error = SSL_INITERR_NOERROR;
+ st_VioSSLFd *new_fd = new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
+ opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher, &error, opt_ssl_crl, opt_ssl_crlpath);
+
+ DBUG_EXECUTE_IF("simulate_bad_ssl_cert", opt_ssl_cert= old_ssl_cert;);
+
+ if (!new_fd)
+ {
+ my_printf_error(ER_UNKNOWN_ERROR, "Failed to refresh SSL, error: %s", MYF(0),
+ sslGetErrString(error));
+ return 1;
+ }
+ mysql_rwlock_wrlock(&LOCK_ssl_refresh);
+ free_vio_ssl_acceptor_fd(ssl_acceptor_fd);
+ ssl_acceptor_fd= new_fd;
+ ssl_acceptor_stats.init();
+ mysql_rwlock_unlock(&LOCK_ssl_refresh);
+ return 0;
+#endif
+}
static void end_ssl()
{
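Review bot: `reinit_ssl` is declared `int` but when `HAVE_OPENSSL` is not defined or `EMBEDDED_LIBRARY` is defined its whole body is compiled out, so the function falls off the end without a return value, which is undefined behaviour, and sql/sql_reload.cc in this commit calls it unconditionally. Add `return 0;` after the `#endif` on the last line of the body (the in-block `return 0;` can then go), or give the `#else` branch its own return. The header comment `/* Reinitialize SSL (FLUSH SSL) */` should also state the contract the test relies on: on failure the old acceptor stays installed and the counters are untouched, on success `LOCK_ssl_refresh` is taken for writing only around the swap, so the new context is built outside the lock. It is worth a hedged note that the old `SSL_CTX` must stay valid for connections still using it after `free_vio_ssl_acceptor_fd`; OpenSSL reference-counts the context from each `SSL`, but that assumption should be confirmed for the supported OpenSSL/yaSSL builds.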
@@ -7425,187 +7515,6 @@ static int show_flush_commands(THD *thd, SHOW_VAR *var, char *buff,
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
-/* Functions relying on CTX */
-static int show_ssl_ctx_sess_accept(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_accept(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_accept_good(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_accept_good(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_connect_good(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_connect_good(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_accept_renegotiate(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_connect_renegotiate(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_connect_renegotiate(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_cb_hits(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_cb_hits(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_hits(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_hits(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_cache_full(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_cache_full(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_misses(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_misses(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_timeouts(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_timeouts(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_number(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_number(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_connect(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_connect(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_get_cache_size(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_get_verify_mode(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_get_verify_depth(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_get_session_cache_mode(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_CHAR;
- if (!ssl_acceptor_fd)
- var->value= const_cast<char*>("NONE");
- else
- switch (SSL_CTX_get_session_cache_mode(ssl_acceptor_fd->ssl_context))
- {
- case SSL_SESS_CACHE_OFF:
- var->value= const_cast<char*>("OFF"); break;
- case SSL_SESS_CACHE_CLIENT:
- var->value= const_cast<char*>("CLIENT"); break;
- case SSL_SESS_CACHE_SERVER:
- var->value= const_cast<char*>("SERVER"); break;
- case SSL_SESS_CACHE_BOTH:
- var->value= const_cast<char*>("BOTH"); break;
- case SSL_SESS_CACHE_NO_AUTO_CLEAR:
- var->value= const_cast<char*>("NO_AUTO_CLEAR"); break;
- case SSL_SESS_CACHE_NO_INTERNAL_LOOKUP:
- var->value= const_cast<char*>("NO_INTERNAL_LOOKUP"); break;
- default:
- var->value= const_cast<char*>("Unknown"); break;
- }
- return 0;
-}
/*
Functions relying on SSL
@@ -8110,28 +8019,28 @@ SHOW_VAR status_vars[]= {
{"Sort_scan", (char*) offsetof(STATUS_VAR, filesort_scan_count_), SHOW_LONG_STATUS},
#ifdef HAVE_OPENSSL
#ifndef EMBEDDED_LIBRARY
- {"Ssl_accept_renegotiates", (char*) &show_ssl_ctx_sess_accept_renegotiate, SHOW_SIMPLE_FUNC},
- {"Ssl_accepts", (char*) &show_ssl_ctx_sess_accept, SHOW_SIMPLE_FUNC},
- {"Ssl_callback_cache_hits", (char*) &show_ssl_ctx_sess_cb_hits, SHOW_SIMPLE_FUNC},
+ {"Ssl_accept_renegotiates", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_accepts", (char*) &ssl_acceptor_stats.accept, SHOW_LONG},
+ {"Ssl_callback_cache_hits", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_cipher", (char*) &show_ssl_get_cipher, SHOW_SIMPLE_FUNC},
{"Ssl_cipher_list", (char*) &show_ssl_get_cipher_list, SHOW_SIMPLE_FUNC},
- {"Ssl_client_connects", (char*) &show_ssl_ctx_sess_connect, SHOW_SIMPLE_FUNC},
- {"Ssl_connect_renegotiates", (char*) &show_ssl_ctx_sess_connect_renegotiate, SHOW_SIMPLE_FUNC},
- {"Ssl_ctx_verify_depth", (char*) &show_ssl_ctx_get_verify_depth, SHOW_SIMPLE_FUNC},
- {"Ssl_ctx_verify_mode", (char*) &show_ssl_ctx_get_verify_mode, SHOW_SIMPLE_FUNC},
+ {"Ssl_client_connects", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_connect_renegotiates", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_ctx_verify_depth", (char*) &ssl_acceptor_stats.verify_depth, SHOW_LONG},
+ {"Ssl_ctx_verify_mode", (char*) &ssl_acceptor_stats.verify_mode, SHOW_LONG},
{"Ssl_default_timeout", (char*) &show_ssl_get_default_timeout, SHOW_SIMPLE_FUNC},
- {"Ssl_finished_accepts", (char*) &show_ssl_ctx_sess_accept_good, SHOW_SIMPLE_FUNC},
- {"Ssl_finished_connects", (char*) &show_ssl_ctx_sess_connect_good, SHOW_SIMPLE_FUNC},
+ {"Ssl_finished_accepts", (char*) &ssl_acceptor_stats.accept_good, SHOW_LONG},
+ {"Ssl_finished_connects", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_server_not_after", (char*) &show_ssl_get_server_not_after, SHOW_SIMPLE_FUNC},
{"Ssl_server_not_before", (char*) &show_ssl_get_server_not_before, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_hits", (char*) &show_ssl_ctx_sess_hits, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_misses", (char*) &show_ssl_ctx_sess_misses, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_mode", (char*) &show_ssl_ctx_get_session_cache_mode, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_overflows", (char*) &show_ssl_ctx_sess_cache_full, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_size", (char*) &show_ssl_ctx_sess_get_cache_size, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_timeouts", (char*) &show_ssl_ctx_sess_timeouts, SHOW_SIMPLE_FUNC},
- {"Ssl_sessions_reused", (char*) &show_ssl_session_reused, SHOW_SIMPLE_FUNC},
- {"Ssl_used_session_cache_entries",(char*) &show_ssl_ctx_sess_number, SHOW_SIMPLE_FUNC},
+ {"Ssl_session_cache_hits", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_session_cache_misses", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_session_cache_mode", (char*) &ssl_acceptor_stats.session_cache_mode, SHOW_CHAR_PTR},
+ {"Ssl_session_cache_overflows", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_session_cache_size", (char*) &ssl_acceptor_stats.cache_size, SHOW_LONG},
+ {"Ssl_session_cache_timeouts", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_sessions_reused", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_used_session_cache_entries",(char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_verify_depth", (char*) &show_ssl_get_verify_depth, SHOW_SIMPLE_FUNC},
{"Ssl_verify_mode", (char*) &show_ssl_get_verify_mode, SHOW_SIMPLE_FUNC},
{"Ssl_version", (char*) &show_ssl_get_version, SHOW_SIMPLE_FUNC},
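Review bot: Eleven status variables that previously read live counters from the acceptor context now point at `ssl_acceptor_stats.zero` and will permanently report 0 (`Ssl_session_cache_hits`, `_misses`, `_overflows`, `_timeouts`, `Ssl_sessions_reused`, `Ssl_used_session_cache_entries`, `Ssl_client_connects`, both `_renegotiates`, `Ssl_callback_cache_hits`); monitoring that depends on them will silently see a change of meaning. Either keep those entries reading the context (taking `LOCK_ssl_refresh` for reading inside the SHOW function) or state in the commit message and documentation that they are now constant. The table also deserves a comment above the first changed row, e.g. `/* Counters below are reset to 0 by FLUSH SSL; session-cache statistics are no longer collected */`, so the reset seen in flush_ssl.result is documented as intended rather than read as a bug.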
diff --git a/sql/mysqld.h b/sql/mysqld.h
index 75f35a6df24..7746b36e3a8 100644
--- a/sql/mysqld.h
+++ b/sql/mysqld.h
@@ -96,6 +96,9 @@ extern void init_net_server_extension(THD *thd);
extern void handle_accepted_socket(MYSQL_SOCKET new_sock, MYSQL_SOCKET sock);
extern void create_new_thread(CONNECT *connect);
+extern void ssl_acceptor_stats_update(int sslaccept_ret);
+extern int reinit_ssl();
+
extern "C" MYSQL_PLUGIN_IMPORT CHARSET_INFO *system_charset_info;
extern MYSQL_PLUGIN_IMPORT CHARSET_INFO *files_charset_info ;
extern MYSQL_PLUGIN_IMPORT CHARSET_INFO *national_charset_info;
@@ -632,6 +635,7 @@ extern mysql_mutex_t LOCK_des_key_file;
extern mysql_mutex_t LOCK_server_started;
extern mysql_cond_t COND_server_started;
extern mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
+extern mysql_rwlock_t LOCK_ssl_refresh;
extern mysql_prlock_t LOCK_system_variables_hash;
extern mysql_cond_t COND_thread_count, COND_start_thread;
extern mysql_cond_t COND_manager;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 052c5ada3a2..94c03ff4ff9 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -12426,7 +12426,12 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
return packet_error;
DBUG_PRINT("info", ("IO layer change in progress..."));
- if (sslaccept(ssl_acceptor_fd, net->vio, net->read_timeout, &errptr))
+ mysql_rwlock_rdlock(&LOCK_ssl_refresh);
+ int ssl_ret = sslaccept(ssl_acceptor_fd, net->vio, net->read_timeout, &errptr);
+ mysql_rwlock_unlock(&LOCK_ssl_refresh);
+ ssl_acceptor_stats_update(ssl_ret);
+
+ if(ssl_ret)
{
DBUG_PRINT("error", ("Failed to accept new SSL connection"));
return packet_error;
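Review bot: The read lock on `LOCK_ssl_refresh` is held for the whole `sslaccept`, which may block for up to `net->read_timeout` on a slow or stalled client; a `FLUSH SSL` waiting for the write lock then has to wait for every in-flight handshake, and, depending on the rwlock implementation's writer preference, new handshakes may queue behind that pending writer, so a few stalled clients can delay all new TLS connections while a flush is pending. If `sslaccept` can be split, hold the read lock only across the step that binds the connection to `ssl_acceptor_fd`'s context and run the handshake unlocked; otherwise document the trade-off next to the lock, e.g. `/* Held across the handshake so FLUSH SSL cannot free the context under us; bounded by read_timeout */`. `ssl_acceptor_stats_update` is called after the lock is released and its counters are not atomic (raised on the mysqld.cc hunk that adds it). Minor style: `if(ssl_ret)` should be `if (ssl_ret)` to match the surrounding code. `parse_client_handshake_packet` begins and ends outside the hunk.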
diff --git a/sql/sql_reload.cc b/sql/sql_reload.cc
index abdf9d76d15..278e451b76d 100644
--- a/sql/sql_reload.cc
+++ b/sql/sql_reload.cc
@@ -420,6 +420,11 @@ bool reload_acl_and_cache(THD *thd, unsigned long long options,
#endif
if (options & REFRESH_USER_RESOURCES)
reset_mqh((LEX_USER *) NULL, 0); /* purecov: inspected */
+ if (options & REFRESH_SSL)
+ {
+ if (reinit_ssl())
+ result= 1;
+ }
if (options & REFRESH_GENERIC)
{
List_iterator_fast<LEX_CSTRING> li(thd->lex->view_list);
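Review bot: Nothing in this hunk says whether `FLUSH SSL` is excluded from the binary log; that decision is made by the `SQLCOM_FLUSH` handler outside this change, and if the statement is replicated a slave would reload its own acceptor whenever the master does, which is presumably not intended since the certificate files on the two hosts are unrelated. Please confirm the handling (for example that `REFRESH_SSL` takes the same path as the other non-replicated flush options) and add a one-line comment here, e.g. `/* Reloads this server's acceptor only; must not be written to the binlog */`. `reload_acl_and_cache` begins and ends outside the hunk, so it is not visible here whether `result= 1` is the convention the other options use after an error has already been reported.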
diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
index 1d9fde183cd..9d616a66c1c 100644
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -14484,6 +14484,8 @@ flush_option:
{ Lex->type|= REFRESH_DES_KEY_FILE; }
| RESOURCES
{ Lex->type|= REFRESH_USER_RESOURCES; }
+ | SSL_SYM
+ { Lex->type|= REFRESH_SSL;}
| IDENT_sys remember_tok_start
{
Lex->type|= REFRESH_GENERIC;
diff --git a/sql/sql_yacc_ora.yy b/sql/sql_yacc_ora.yy
index 843309ad1a9..81993080a9d 100644
--- a/sql/sql_yacc_ora.yy
+++ b/sql/sql_yacc_ora.yy
@@ -14539,6 +14539,8 @@ flush_option:
{ Lex->type|= REFRESH_DES_KEY_FILE; }
| RESOURCES
{ Lex->type|= REFRESH_USER_RESOURCES; }
+ | SSL_SYM
+ { Lex->type|= REFRESH_SSL;}
| IDENT_sys remember_tok_start
{
Lex->type|= REFRESH_GENERIC;