summaryrefslogtreecommitdiff
path: root/sql/mysqld.cc
diff options
context:
space:
mode:
Diffstat (limited to 'sql/mysqld.cc')
-rw-r--r--sql/mysqld.cc309
1 files changed, 109 insertions, 200 deletions
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
index d4a1042c230..a94d18a32cb 100644
--- a/sql/mysqld.cc
+++ b/sql/mysqld.cc
@@ -770,6 +770,7 @@ mysql_mutex_t LOCK_prepared_stmt_count;
mysql_mutex_t LOCK_des_key_file;
#endif
mysql_rwlock_t LOCK_grant, LOCK_sys_init_connect, LOCK_sys_init_slave;
+mysql_rwlock_t LOCK_ssl_refresh;
mysql_prlock_t LOCK_system_variables_hash;
mysql_cond_t COND_thread_count, COND_start_thread;
pthread_t signal_thread;
@@ -1033,7 +1034,8 @@ PSI_rwlock_key key_rwlock_LOCK_grant, key_rwlock_LOCK_logger,
key_rwlock_LOCK_sys_init_connect, key_rwlock_LOCK_sys_init_slave,
key_rwlock_LOCK_system_variables_hash, key_rwlock_query_cache_query_lock,
key_LOCK_SEQUENCE,
- key_rwlock_LOCK_vers_stats, key_rwlock_LOCK_stat_serial;
+ key_rwlock_LOCK_vers_stats, key_rwlock_LOCK_stat_serial,
+ key_rwlock_LOCK_ssl_refresh;
static PSI_rwlock_info all_server_rwlocks[]=
{
@@ -1048,7 +1050,8 @@ static PSI_rwlock_info all_server_rwlocks[]=
{ &key_rwlock_LOCK_system_variables_hash, "LOCK_system_variables_hash", PSI_FLAG_GLOBAL},
{ &key_rwlock_query_cache_query_lock, "Query_cache_query::lock", 0},
{ &key_rwlock_LOCK_vers_stats, "Vers_field_stats::lock", 0},
- { &key_rwlock_LOCK_stat_serial, "TABLE_SHARE::LOCK_stat_serial", 0}
+ { &key_rwlock_LOCK_stat_serial, "TABLE_SHARE::LOCK_stat_serial", 0},
+ { &key_rwlock_LOCK_ssl_refresh, "LOCK_ssl_refresh", PSI_FLAG_GLOBAL }
};
#ifdef HAVE_MMAP
@@ -2276,6 +2279,7 @@ static void clean_up_mutexes()
mysql_mutex_destroy(&LOCK_rpl_status);
#endif /* HAVE_REPLICATION */
mysql_mutex_destroy(&LOCK_active_mi);
+ mysql_rwlock_destroy(&LOCK_ssl_refresh);
mysql_rwlock_destroy(&LOCK_sys_init_connect);
mysql_rwlock_destroy(&LOCK_sys_init_slave);
mysql_mutex_destroy(&LOCK_global_system_variables);
@@ -4675,6 +4679,7 @@ static int init_thread_environment()
#endif /* HAVE_OPENSSL */
mysql_rwlock_init(key_rwlock_LOCK_sys_init_connect, &LOCK_sys_init_connect);
mysql_rwlock_init(key_rwlock_LOCK_sys_init_slave, &LOCK_sys_init_slave);
+ mysql_rwlock_init(key_rwlock_LOCK_ssl_refresh, &LOCK_ssl_refresh);
mysql_rwlock_init(key_rwlock_LOCK_grant, &LOCK_grant);
mysql_cond_init(key_COND_thread_count, &COND_thread_count, NULL);
mysql_cond_init(key_COND_thread_cache, &COND_thread_cache, NULL);
@@ -4768,6 +4773,60 @@ static void openssl_lock(int mode, openssl_lock_t *lock, const char *file,
}
#endif /* HAVE_OPENSSL10 */
+
+struct SSL_ACCEPTOR_STATS
+{
+ long accept;
+ long accept_good;
+ long cache_size;
+ long verify_mode;
+ long verify_depth;
+ long zero;
+ const char *session_cache_mode;
+
+ SSL_ACCEPTOR_STATS():
+ accept(),accept_good(),cache_size(),verify_mode(),verify_depth(),zero(),
+ session_cache_mode("NONE")
+ {
+ }
+
+ void init()
+ {
+ DBUG_ASSERT(ssl_acceptor_fd !=0 && ssl_acceptor_fd->ssl_context != 0);
+ SSL_CTX *ctx= ssl_acceptor_fd->ssl_context;
+ accept= 0;
+ accept_good= 0;
+ verify_mode= SSL_CTX_get_verify_mode(ctx);
+ verify_depth= SSL_CTX_get_verify_depth(ctx);
+ cache_size= SSL_CTX_sess_get_cache_size(ctx);
+ switch (SSL_CTX_get_session_cache_mode(ctx))
+ {
+ case SSL_SESS_CACHE_OFF:
+ session_cache_mode= "OFF"; break;
+ case SSL_SESS_CACHE_CLIENT:
+ session_cache_mode= "CLIENT"; break;
+ case SSL_SESS_CACHE_SERVER:
+ session_cache_mode= "SERVER"; break;
+ case SSL_SESS_CACHE_BOTH:
+ session_cache_mode= "BOTH"; break;
+ case SSL_SESS_CACHE_NO_AUTO_CLEAR:
+ session_cache_mode= "NO_AUTO_CLEAR"; break;
+ case SSL_SESS_CACHE_NO_INTERNAL_LOOKUP:
+ session_cache_mode= "NO_INTERNAL_LOOKUP"; break;
+ default:
+ session_cache_mode= "Unknown"; break;
+ }
+ }
+};
+
+static SSL_ACCEPTOR_STATS ssl_acceptor_stats;
+void ssl_acceptor_stats_update(int sslaccept_ret)
+{
+ statistic_increment(ssl_acceptor_stats.accept, &LOCK_status);
+ if (!sslaccept_ret)
+ statistic_increment(ssl_acceptor_stats.accept_good,&LOCK_status);
+}
+
static void init_ssl()
{
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
@@ -4788,6 +4847,9 @@ static void init_ssl()
opt_use_ssl = 0;
have_ssl= SHOW_OPTION_DISABLED;
}
+ else
+ ssl_acceptor_stats.init();
+
if (global_system_variables.log_warnings > 0)
{
ulong err;
@@ -4806,6 +4868,34 @@ static void init_ssl()
#endif /* HAVE_OPENSSL && ! EMBEDDED_LIBRARY */
}
+/* Reinitialize SSL (FLUSH SSL) */
+int reinit_ssl()
+{
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+ if (!opt_use_ssl)
+ return 0;
+
+ enum enum_ssl_init_error error = SSL_INITERR_NOERROR;
+ st_VioSSLFd *new_fd = new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
+ opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher, &error, opt_ssl_crl, opt_ssl_crlpath);
+
+ if (!new_fd)
+ {
+ my_printf_error(ER_UNKNOWN_ERROR, "Failed to refresh SSL, error: %s", MYF(0),
+ sslGetErrString(error));
+#ifndef HAVE_YASSL
+ ERR_clear_error();
+#endif
+ return 1;
+ }
+ mysql_rwlock_wrlock(&LOCK_ssl_refresh);
+ free_vio_ssl_acceptor_fd(ssl_acceptor_fd);
+ ssl_acceptor_fd= new_fd;
+ ssl_acceptor_stats.init();
+ mysql_rwlock_unlock(&LOCK_ssl_refresh);
+ return 0;
+#endif
+}
static void end_ssl()
{
@@ -7428,187 +7518,6 @@ static int show_flush_commands(THD *thd, SHOW_VAR *var, char *buff,
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
-/* Functions relying on CTX */
-static int show_ssl_ctx_sess_accept(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_accept(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_accept_good(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_accept_good(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_connect_good(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_connect_good(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_accept_renegotiate(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_connect_renegotiate(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_connect_renegotiate(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_cb_hits(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_cb_hits(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_hits(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_hits(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_cache_full(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_cache_full(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_misses(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_misses(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_timeouts(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_timeouts(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_number(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_number(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_connect(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_connect(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_sess_get_cache_size(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_get_verify_mode(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_get_verify_mode(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_get_verify_depth(THD *thd, SHOW_VAR *var, char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_LONG;
- var->value= buff;
- *((long *)buff)= (!ssl_acceptor_fd ? 0 :
- SSL_CTX_get_verify_depth(ssl_acceptor_fd->ssl_context));
- return 0;
-}
-
-static int show_ssl_ctx_get_session_cache_mode(THD *thd, SHOW_VAR *var,
- char *buff,
- enum enum_var_type scope)
-{
- var->type= SHOW_CHAR;
- if (!ssl_acceptor_fd)
- var->value= const_cast<char*>("NONE");
- else
- switch (SSL_CTX_get_session_cache_mode(ssl_acceptor_fd->ssl_context))
- {
- case SSL_SESS_CACHE_OFF:
- var->value= const_cast<char*>("OFF"); break;
- case SSL_SESS_CACHE_CLIENT:
- var->value= const_cast<char*>("CLIENT"); break;
- case SSL_SESS_CACHE_SERVER:
- var->value= const_cast<char*>("SERVER"); break;
- case SSL_SESS_CACHE_BOTH:
- var->value= const_cast<char*>("BOTH"); break;
- case SSL_SESS_CACHE_NO_AUTO_CLEAR:
- var->value= const_cast<char*>("NO_AUTO_CLEAR"); break;
- case SSL_SESS_CACHE_NO_INTERNAL_LOOKUP:
- var->value= const_cast<char*>("NO_INTERNAL_LOOKUP"); break;
- default:
- var->value= const_cast<char*>("Unknown"); break;
- }
- return 0;
-}
/*
Functions relying on SSL
@@ -8113,28 +8022,28 @@ SHOW_VAR status_vars[]= {
{"Sort_scan", (char*) offsetof(STATUS_VAR, filesort_scan_count_), SHOW_LONG_STATUS},
#ifdef HAVE_OPENSSL
#ifndef EMBEDDED_LIBRARY
- {"Ssl_accept_renegotiates", (char*) &show_ssl_ctx_sess_accept_renegotiate, SHOW_SIMPLE_FUNC},
- {"Ssl_accepts", (char*) &show_ssl_ctx_sess_accept, SHOW_SIMPLE_FUNC},
- {"Ssl_callback_cache_hits", (char*) &show_ssl_ctx_sess_cb_hits, SHOW_SIMPLE_FUNC},
+ {"Ssl_accept_renegotiates", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_accepts", (char*) &ssl_acceptor_stats.accept, SHOW_LONG},
+ {"Ssl_callback_cache_hits", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_cipher", (char*) &show_ssl_get_cipher, SHOW_SIMPLE_FUNC},
{"Ssl_cipher_list", (char*) &show_ssl_get_cipher_list, SHOW_SIMPLE_FUNC},
- {"Ssl_client_connects", (char*) &show_ssl_ctx_sess_connect, SHOW_SIMPLE_FUNC},
- {"Ssl_connect_renegotiates", (char*) &show_ssl_ctx_sess_connect_renegotiate, SHOW_SIMPLE_FUNC},
- {"Ssl_ctx_verify_depth", (char*) &show_ssl_ctx_get_verify_depth, SHOW_SIMPLE_FUNC},
- {"Ssl_ctx_verify_mode", (char*) &show_ssl_ctx_get_verify_mode, SHOW_SIMPLE_FUNC},
+ {"Ssl_client_connects", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_connect_renegotiates", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_ctx_verify_depth", (char*) &ssl_acceptor_stats.verify_depth, SHOW_LONG},
+ {"Ssl_ctx_verify_mode", (char*) &ssl_acceptor_stats.verify_mode, SHOW_LONG},
{"Ssl_default_timeout", (char*) &show_ssl_get_default_timeout, SHOW_SIMPLE_FUNC},
- {"Ssl_finished_accepts", (char*) &show_ssl_ctx_sess_accept_good, SHOW_SIMPLE_FUNC},
- {"Ssl_finished_connects", (char*) &show_ssl_ctx_sess_connect_good, SHOW_SIMPLE_FUNC},
+ {"Ssl_finished_accepts", (char*) &ssl_acceptor_stats.accept_good, SHOW_LONG},
+ {"Ssl_finished_connects", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_server_not_after", (char*) &show_ssl_get_server_not_after, SHOW_SIMPLE_FUNC},
{"Ssl_server_not_before", (char*) &show_ssl_get_server_not_before, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_hits", (char*) &show_ssl_ctx_sess_hits, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_misses", (char*) &show_ssl_ctx_sess_misses, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_mode", (char*) &show_ssl_ctx_get_session_cache_mode, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_overflows", (char*) &show_ssl_ctx_sess_cache_full, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_size", (char*) &show_ssl_ctx_sess_get_cache_size, SHOW_SIMPLE_FUNC},
- {"Ssl_session_cache_timeouts", (char*) &show_ssl_ctx_sess_timeouts, SHOW_SIMPLE_FUNC},
- {"Ssl_sessions_reused", (char*) &show_ssl_session_reused, SHOW_SIMPLE_FUNC},
- {"Ssl_used_session_cache_entries",(char*) &show_ssl_ctx_sess_number, SHOW_SIMPLE_FUNC},
+ {"Ssl_session_cache_hits", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_session_cache_misses", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_session_cache_mode", (char*) &ssl_acceptor_stats.session_cache_mode, SHOW_CHAR_PTR},
+ {"Ssl_session_cache_overflows", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_session_cache_size", (char*) &ssl_acceptor_stats.cache_size, SHOW_LONG},
+ {"Ssl_session_cache_timeouts", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_sessions_reused", (char*) &ssl_acceptor_stats.zero, SHOW_LONG},
+ {"Ssl_used_session_cache_entries",(char*) &ssl_acceptor_stats.zero, SHOW_LONG},
{"Ssl_verify_depth", (char*) &show_ssl_get_verify_depth, SHOW_SIMPLE_FUNC},
{"Ssl_verify_mode", (char*) &show_ssl_get_verify_mode, SHOW_SIMPLE_FUNC},
{"Ssl_version", (char*) &show_ssl_get_version, SHOW_SIMPLE_FUNC},
View Lorry Controller Status