author | Georg Richter <georg@mariadb.com> | 2021-07-04 13:49:41 +0200 |
---|---|---|
committer | Georg Richter <georg@mariadb.com> | 2021-07-05 08:14:52 +0200 |
commit | de02d91fed7f7290885dd22e20de4b3f78000b02 (patch) | |
tree | 0478551017622b74059bd477d8b0dc5ee138b725 /sql/mysqld.cc | |
parent | 83684fc9a4d81f15fee1888123cc7f7a4e298c4f (diff) | |
download | mariadb-git-bb-10.6-MDEV-26049.tar.gz |
MDEV-26049bb-10.6-MDEV-26049
1. In the previous implementation the status variable 'Ssl_cipher_list'
returned the built-in cipher suites for OpenSSL and (which is wrong)
for WolfSSL the current cipher in use. This patch displays all supported
cipher suites for WolfSSL and doesn't require a secure connection anymore.
2. A new status variable 'Ssl_shared_ciphers' was added which returns
the cipher suites supported from both client and server considering TLS
protocol version. This feature is fully supported by OpenSSL only; WolfSSL
exposes the call through its OpenSSL compatibility layer, but there it returns
only the cipher suite used by the current connection.
3. Fixed ssl_cipher test:
Also allow testing against OpenSSL by limiting the TLS version to
TLSv1.1 and 1.2.
Diffstat (limited to 'sql/mysqld.cc')
-rwxr-xr-x[-rw-r--r--] | sql/mysqld.cc | 35 |
1 files changed, 32 insertions, 3 deletions
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index 698bcfff0f7..f0ec88f2a39 100644..100755
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -6919,17 +6919,42 @@ static int show_ssl_get_cipher(THD *thd, SHOW_VAR *var, char *buff,
   return 0;
 }
 
+static int show_ssl_get_shared_ciphers(THD *thd, SHOW_VAR *var, char *buff,
+                                       enum enum_var_type scope)
+{
+  var->type= SHOW_CHAR;
+  var->value= buff;
+
+  if (thd->vio_ok() && thd->net.vio->ssl_arg)
+  {
+    char *end= buff + SHOW_VAR_FUNC_BUFF_SIZE;
+    memset(buff, 0, end - buff);
+    if (SSL_get_shared_ciphers((SSL *)thd->net.vio->ssl_arg, buff, (int)(end - buff - 1)))
+      buff+= strlen(buff);
+  }
+  *buff=0;
+  return 0;
+}
+
 static int show_ssl_get_cipher_list(THD *thd, SHOW_VAR *var, char *buff,
                                    enum enum_var_type scope)
 {
   var->type= SHOW_CHAR;
   var->value= buff;
-  if (thd->vio_ok() && thd->net.vio->ssl_arg)
+
+  char *end= buff + SHOW_VAR_FUNC_BUFF_SIZE;
+  memset(buff, 0, end - buff);
+#ifdef HAVE_WOLFSSL
+  if (wolfSSL_get_ciphers(buff, (int)(end - buff - 1)) == SSL_SUCCESS)
+    buff+= strlen(buff);
+#else
   {
     int i;
     const char *p;
-    char *end= buff + SHOW_VAR_FUNC_BUFF_SIZE;
-    for (i=0; (p= SSL_get_cipher_list((SSL*) thd->net.vio->ssl_arg,i)) &&
+    SSL *ssl= thd->net.vio->ssl_arg ?
+      (SSL *)thd->net.vio->ssl_arg : SSL_new(ssl_acceptor_fd->ssl_context);
+
+    for (i=0; (p= SSL_get_cipher_list(ssl,i)) &&
              buff < end; i++)
     {
       buff= strnmov(buff, p, end-buff-1);
@@ -6937,7 +6962,10 @@ static int show_ssl_get_cipher_list(THD *thd, SHOW_VAR *var, char *buff,
     }
     if (i)
       buff--;
+    if (!thd->net.vio->ssl_arg)
+      SSL_free(ssl);
   }
+#endif
   *buff=0;
   return 0;
 }
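Review bot: In the non-WolfSSL branch of `show_ssl_get_cipher_list` the new `SSL *ssl= thd->net.vio->ssl_arg ? ... : SSL_new(ssl_acceptor_fd->ssl_context);` dereferences `thd->net.vio` without the `thd->vio_ok()` guard that the removed line carried, and dereferences `ssl_acceptor_fd` without a NULL check, even though the commit's stated intent is that the variable no longer requires a TLS connection. If `ssl_acceptor_fd` is NULL when the server runs without TLS configured (as seems likely given that the old code only reached this point on an established SSL connection), `SHOW STATUS` would fault here; `SSL_new()` can also return NULL on allocation failure. Suggest `SSL *ssl= (thd->vio_ok() && thd->net.vio->ssl_arg) ? (SSL *)thd->net.vio->ssl_arg : (ssl_acceptor_fd ? SSL_new(ssl_acceptor_fd->ssl_context) : NULL);` — OpenSSL documents `SSL_get_cipher_list()` as returning NULL for a NULL `SSL`, so the loop then simply produces an empty list instead of crashing. The new `show_ssl_get_shared_ciphers` above keeps the `vio_ok()` guard, so the two functions are currently inconsistent. `show_ssl_get_cipher_list` continues past the end of this hunk.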
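Review bot: The release `if (!thd->net.vio->ssl_arg) SSL_free(ssl);` re-derives ownership of the temporary `SSL` object from connection state instead of recording whether this function created it, which both dereferences `thd->net.vio` a second time and silently couples the free to the exact predicate used at the `SSL_new()` call in the previous hunk. A local flag set next to the allocation, e.g. `bool tmp_ssl= !thd->net.vio->ssl_arg;` at the point where `ssl` is chosen and `if (tmp_ssl) SSL_free(ssl);` here, keeps allocation and release paired by construction and survives later changes to the selection condition. `show_ssl_get_cipher_list` begins outside this hunk.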
@@ -7384,6 +7412,7 @@ SHOW_VAR status_vars[]= {
   {"Ssl_session_cache_size", (char*) &ssl_acceptor_stats.cache_size, SHOW_LONG},
   {"Ssl_session_cache_timeouts", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
   {"Ssl_sessions_reused", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+  {"Ssl_shared_ciphers", (char*) &show_ssl_get_shared_ciphers, SHOW_SIMPLE_FUNC},
   {"Ssl_used_session_cache_entries",(char*) &ssl_acceptor_stats.zero, SHOW_LONG},
   {"Ssl_verify_depth", (char*) &show_ssl_get_verify_depth, SHOW_SIMPLE_FUNC},
   {"Ssl_verify_mode", (char*) &show_ssl_get_verify_mode, SHOW_SIMPLE_FUNC},