summaryrefslogtreecommitdiff
path: root/vio
diff options
context:
space:
mode:
authorJulius Goryavsky <julius.goryavsky@mariadb.com>2021-12-13 02:15:57 +0100
committerJulius Goryavsky <julius.goryavsky@mariadb.com>2021-12-14 03:32:35 +0100
commit7bc629a5ce9e1edf2c27ddfba2a55c4341d55b4f (patch)
tree10b3e62431d6fd6182ff2947722d73a7a351d415 /vio
parent375ae890c76228c1f827bdc8f7684e81d5414466 (diff)
downloadmariadb-git-7bc629a5ce9e1edf2c27ddfba2a55c4341d55b4f.tar.gz
MDEV-27181: Galera SST scripts should use ssl_capath for CA directorybb-10.3-MDEV-27181-galera
1. Galera SST scripts should use ssl_capath (not ssl_ca) for CA directory. The current implementation tries to automatically detect the path using the trailing slash in the ssl_ca variable value, but this approach is not compatible with the server configuration. Now, by analogy with the server, SST scripts also use a separate ssl_capath variable. In addition, a similar tcapath variable has been added for the old-style configuration (in the "sst" section). 2. Openssl utility detection made more reliable. 3. Removed extra spaces in automatically generated command lines - to simplify debugging of the SST scripts. 4. In general, the code for detecting the presence or absence of auxiliary utilities has been improved - it is made more reliable in some configurations (and for shells other than bash).
Diffstat (limited to 'vio')
-rw-r--r--vio/viosslfactories.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 8ab7565a666..08f0905e044 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -178,6 +178,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
DBUG_ENTER("new_VioSSLFd");
+
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
DBUG_PRINT("enter",
("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
"cipher: '%s' crl_file: '%s' crl_path: '%s' ",
@@ -308,6 +314,11 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER;
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
/*
Turn off verification of servers certificate if both
ca_file and ca_path is set to NULL
@@ -339,6 +350,12 @@ new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, FALSE, error,
crl_file, crl_path)))