authorJulius Goryavsky <julius.goryavsky@mariadb.com>2021-12-13 02:15:57 +0100
committerJulius Goryavsky <julius.goryavsky@mariadb.com>2021-12-14 03:25:19 +0100
commit8bb55633699612279744c055e22eeca8d4058273 (patch)
tree6fbc23af2d92a8128c3bf0c57f083242475ca2f8 /vio
parent6b066ec33285c089ce770c2d1eb50bc49787ee92 (diff)
downloadmariadb-git-8bb55633699612279744c055e22eeca8d4058273.tar.gz
MDEV-27181: Galera SST scripts should use ssl_capath for CA directorybb-10.2-MDEV-27181-galera
1. Galera SST scripts should use ssl_capath (not ssl_ca) for the CA directory. The current implementation tries to detect the path automatically from a trailing slash in the ssl_ca variable value, but this approach is not compatible with the server configuration. Now, by analogy with the server, the SST scripts also use a separate ssl_capath variable. In addition, a similar tcapath variable has been added for the old-style configuration (in the "sst" section). 2. OpenSSL utility detection has been made more reliable. 3. Extra spaces in automatically generated command lines have been removed, to simplify debugging of the SST scripts. 4. In general, the code for detecting the presence or absence of auxiliary utilities has been improved: it is now more reliable in some configurations (and for shells other than bash).
Diffstat (limited to 'vio')
-rw-r--r--vio/viosslfactories.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index 8ab7565a666..08f0905e044 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -178,6 +178,12 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
DBUG_ENTER("new_VioSSLFd");
+
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
DBUG_PRINT("enter",
("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
"cipher: '%s' crl_file: '%s' crl_path: '%s' ",
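Review bot: The four empty-string-to-NULL lines added at the top of new_VioSSLFd are repeated verbatim in new_VioSSLConnectorFd and new_VioSSLAcceptorFd in the next two hunks, so the "empty means unset" rule now lives in three places and can drift. A one-line file-scope helper would keep it in one place and give it a name that states the intent; the two callers can use the same helper. The rule also deserves a comment, since nothing in this hunk says why an empty string is folded into NULL; the DBUG_PRINT just below already had to cope with NULL pointers before this change, so that part is unaffected. new_VioSSLFd's body continues outside the hunk.
```c
/* Treat an empty path as "not configured", exactly like NULL. */
static const char *empty_to_null(const char *s)
{
  return (s && s[0]) ? s : NULL;
}
/* … unchanged: new_VioSSLFd signature and local declarations … */
  ca_file= empty_to_null(ca_file);
  ca_path= empty_to_null(ca_path);
  crl_file= empty_to_null(crl_file);
  crl_path= empty_to_null(crl_path);
```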
@@ -308,6 +314,11 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER;
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
/*
Turn off verification of servers certificate if both
ca_file and ca_path is set to NULL
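Review bot: In new_VioSSLConnectorFd the new normalisation runs before the decision described by the comment just below it, so an empty ssl_ca together with an empty ssl_capath now takes the "turn off verification of the server's certificate" path instead of being passed on as a (presumably unloadable) empty path; the check itself is outside the hunk, so I am inferring from the comment. That is a deliberate widening of the no-verification case and should be stated where it happens, e.g. `/* An empty ca_file/ca_path counts as unset: with neither configured, peer verification is switched off below. */`, and mentioned in the commit message, which currently only talks about the SST scripts. The acceptor in the third hunk gets the same normalisation ahead of its verify setting, so if its client-certificate verification is likewise conditional on the CA settings the same remark applies there. new_VioSSLConnectorFd continues outside the hunk.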
@@ -339,6 +350,12 @@ new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
{
struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+
+ if (ca_file && ! ca_file[0]) ca_file = NULL;
+ if (ca_path && ! ca_path[0]) ca_path = NULL;
+ if (crl_file && ! crl_file[0]) crl_file = NULL;
+ if (crl_path && ! crl_path[0]) crl_path = NULL;
+
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, FALSE, error,
crl_file, crl_path)))