From c1d64ccc1b227e862f5cbaa991ce5525c59ab2ef Mon Sep 17 00:00:00 2001 
From: unknown Date: Tue, 18 Apr 2006 17:58:27 +0200 Subject: Bug#17208 SSL: client does not verify server certificate - Add new function 'ssl_verify_server_cert' which is used if we are connecting to the server with SSL. It will compare the hostname in the server's cert against the hostname that we used when connecting to the server. It will reject the connection if the hostname does not match. - Add new option "OPT_SSL_VERIFY_SERVER_CERT" to be passed to mysql_options which will turn on checking of the server's cert. - Add new argument "ssl-verify-server-cert" to all mysql* clients which will activate the above option. - Generate a new server cert with 1024 bits that has "localhost" as the server name. SSL/server-cert.pem: Generate a new server cert that has "localhost" as CN, so that we can test verifying the hostname we connected to against the hostname in the cert client/client_priv.h: Add OPT_SSL_VERIFY_CERT client/mysql.cc: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqladmin.cc: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqldump.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqlimport.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqlshow.c: Pass the variable "opt_ssl_verify_server_cert" to the mysql_options function. It's processed/included by include/sslopt*.h files client/mysqltest.c: Always set opt_ssl_verify_server_cert on in mysqltest if we are using SSL include/mysql.h: Add variable ssl_verify_server_cert include/sslopt-longopts.h: Add ssl-verify-server-cert option to all clients. include/sslopt-vars.h: Add opt_ssl_verify_server_cert to all clients.
sql-common/client.c: Add ssl_vertify_server_cert function which is executed if user has set the option ssl_verify_cerver_cert vio/viosslfactories.c: Ask the SSL library to verify servers cert by setting the SSL_VERIFY_PEER flag
---
 client/client_priv.h | 2 +-
 client/mysql.cc | 2 ++
 client/mysqladmin.cc | 2 ++
 client/mysqldump.c | 2 ++
 client/mysqlimport.c | 2 ++
 client/mysqlshow.c | 2 ++
 client/mysqltest.c | 11 ++++++++++-
 7 files changed, 21 insertions(+), 2 deletions(-)
(limited to 'client')
diff --git a/client/client_priv.h b/client/client_priv.h
index a9d5364df49..9e011144836 100644
--- a/client/client_priv.h
+++ b/client/client_priv.h
@@ -51,5 +51,5 @@ enum options_client
 #endif
 OPT_TRIGGERS, OPT_IGNORE_TABLE,OPT_INSERT_IGNORE,OPT_SHOW_WARNINGS,OPT_DROP_DATABASE,
- OPT_TZ_UTC, OPT_AUTO_CLOSE
+ OPT_TZ_UTC, OPT_AUTO_CLOSE, OPT_SSL_VERIFY_SERVER_CERT
 };
diff --git a/client/mysql.cc b/client/mysql.cc
index cd4cbf49918..7c1e70cfda2 100644
--- a/client/mysql.cc
+++ b/client/mysql.cc
@@ -3123,6 +3123,8 @@ sql_real_connect(char *host,char *database,char *user,char *password,
 if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
+ mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
diff --git a/client/mysqladmin.cc b/client/mysqladmin.cc
index 5b52d524f8e..57ab4e071fb 100644
--- a/client/mysqladmin.cc
+++ b/client/mysqladmin.cc
@@ -340,6 +340,8 @@ int main(int argc,char *argv[])
 if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
+ mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
diff --git a/client/mysqldump.c b/client/mysqldump.c
index 78f12593f46..ee6d7b9d12b 100644
--- a/client/mysqldump.c
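Review bot: In the mysql.cc hunk the new `mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert)` call sits after the unbraced `if (opt_use_ssl)` and so runs whether or not SSL was requested, which means `--ssl-verify-server-cert` without `--ssl` is accepted silently; unless sql-common/client.c (not in this series) rejects that combination, the user asks for verification and gets an unverified, possibly cleartext, connection. I would check the combination explicitly, `if (opt_ssl_verify_server_cert && !opt_use_ssl)` followed by an error and abort of the connect, or at least brace the SSL block the way the mysqltest.c hunks in the same commit do, so the two calls are visibly tied together. The mysqladmin.cc, mysqldump.c, mysqlimport.c and mysqlshow.c hunks have the same shape. sql_real_connect continues outside the hunk.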
+++ b/client/mysqldump.c
@@ -905,6 +905,8 @@ static int dbConnect(char *host, char *user,char *passwd)
 if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
+ mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
diff --git a/client/mysqlimport.c b/client/mysqlimport.c
index 8694093f06b..1f9b96f91be 100644
--- a/client/mysqlimport.c
+++ b/client/mysqlimport.c
@@ -384,6 +384,8 @@ static MYSQL *db_connect(char *host, char *database, char *user, char *passwd)
 if (opt_use_ssl) mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
+ mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
diff --git a/client/mysqlshow.c b/client/mysqlshow.c
index 504f0d9844b..d090495ff81 100644
--- a/client/mysqlshow.c
+++ b/client/mysqlshow.c
@@ -109,6 +109,8 @@ int main(int argc, char **argv)
 if (opt_use_ssl) mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
+ mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
diff --git a/client/mysqltest.c b/client/mysqltest.c
index e51d83270b5..7257958311f 100644
--- a/client/mysqltest.c
+++ b/client/mysqltest.c
@@ -108,7 +108,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD, OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL,
- OPT_VIEW_PROTOCOL};
+ OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT};
 /* ************************************************************************ */ /*
@@ -2378,8 +2378,12 @@ int do_connect(struct st_query *q)
 #ifdef HAVE_OPENSSL
 if (opt_use_ssl || con_ssl)
+ {
 mysql_ssl_set(&next_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
+ mysql_options(&next_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ &opt_ssl_verify_server_cert);
+ }
 #endif
 if (con_sock && !free_con_sock && *con_sock && *con_sock != FN_LIBCHAR) con_sock=fn_format(buff, con_sock, TMPDIR, "",0);
@@ -4604,9 +4608,14 @@ int main(int argc, char **argv)
 mysql_options(&cur_con->mysql, MYSQL_SET_CHARSET_NAME, charset_name);
 #ifdef HAVE_OPENSSL
+ opt_ssl_verify_server_cert= TRUE; /* Always on in mysqltest */
 if (opt_use_ssl)
+ {
 mysql_ssl_set(&cur_con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
+ mysql_options(&cur_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ &opt_ssl_verify_server_cert);
+ }
 #endif
 if (!(cur_con->name = my_strdup("default", MYF(MY_WME))))
-- cgit v1.2.1
From 9d1c19c7b02435cd8fb9eba7f4fedd7a6dc4c920 Mon Sep 17 00:00:00 2001
From: unknown
Date: Wed, 3 May 2006 14:04:54 +0200
Subject: Add support for specifyihng the number of reconnec retries oin the command line
---
 client/mysqltest.c | 33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)
(limited to 'client')
diff --git a/client/mysqltest.c b/client/mysqltest.c
index 7257958311f..828845f1dcd 100644
--- a/client/mysqltest.c
+++ b/client/mysqltest.c
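Review bot: In the do_connect hunk `mysql_options(&next_con->mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &opt_ssl_verify_server_cert)` passes the `my_bool` address without the `(char*)` cast that every other client in this commit uses; if mysql_options declares its last parameter as `const char *` in this tree, a C compiler reports an incompatible pointer type here, so write `(char*)&opt_ssl_verify_server_cert` for consistency or drop the cast everywhere. The main() hunk below makes the same call in the same form. There, `opt_ssl_verify_server_cert= TRUE; /* Always on in mysqltest */` is assigned unconditionally, presumably after option parsing since it sits next to the connect, so any value the user gave on the command line is replaced; the comment could say so, e.g. `/* Always on in mysqltest (overrides the command-line value); the test server's cert CN must match the host name used to connect */`. do_connect and main both continue outside their hunks.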
@@ -87,14 +87,6 @@
 #endif
 #define MAX_SERVER_ARGS 64
-/*
- Sometimes in a test the client starts before
- the server - to solve the problem, we try again
- after some sleep if connection fails the first
- time
-*/
-#define CON_RETRY_SLEEP 2
-#define MAX_CON_TRIES 5
 #define SLAVE_POLL_INTERVAL 300000 /* 0.3 of a sec */
 #define DEFAULT_DELIMITER ";"
@@ -108,7 +100,7 @@ enum {OPT_MANAGER_USER=256,OPT_MANAGER_HOST,OPT_MANAGER_PASSWD, OPT_MANAGER_PORT,OPT_MANAGER_WAIT_TIMEOUT, OPT_SKIP_SAFEMALLOC, OPT_SSL_SSL, OPT_SSL_KEY, OPT_SSL_CERT, OPT_SSL_CA, OPT_SSL_CAPATH, OPT_SSL_CIPHER,OPT_PS_PROTOCOL,OPT_SP_PROTOCOL,OPT_CURSOR_PROTOCOL,
- OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT};
+ OPT_VIEW_PROTOCOL, OPT_SSL_VERIFY_SERVER_CERT, OPT_MAX_CONNECT_RETRIES};
 /* ************************************************************************ */ /*
@@ -157,6 +149,7 @@ static int record = 0, opt_sleep=0;
 static char *db = 0, *pass=0;
 const char *user = 0, *host = 0, *unix_sock = 0, *opt_basedir="./";
 static int port = 0;
+static int opt_max_connect_retries;
 static my_bool opt_big_test= 0, opt_compress= 0, silent= 0, verbose = 0;
 static my_bool tty_password= 0;
 static my_bool ps_protocol= 0, ps_protocol_enabled= 0;
@@ -2125,9 +2118,16 @@ void init_manager()
 db, port, sock NOTE
- This function will try to connect to the given server MAX_CON_TRIES
- times and sleep CON_RETRY_SLEEP seconds between attempts before
- finally giving up. This helps in situation when the client starts
+
+ Sometimes in a test the client starts before
+ the server - to solve the problem, we try again
+ after some sleep if connection fails the first
+ time
+
+ This function will try to connect to the given server
+ "opt_max_connect_retries" times and sleep "connection_retry_sleep"
+ seconds between attempts before finally giving up.
+ This helps in situation when the client starts
 before the server (which happens sometimes). It will ignore any errors during these retries. One should use connect_n_handle_errors() if he expects a connection error and wants
@@ -2142,8 +2142,9 @@ int safe_connect(MYSQL* mysql, const char *host, const char *user,
 {
 int con_error= 1;
 my_bool reconnect= 1;
+ static int connection_retry_sleep= 2; /* Seconds */
 int i;
- for (i= 0; i < MAX_CON_TRIES; ++i)
+ for (i= 0; i < opt_max_connect_retries; i++)
 {
 if (mysql_real_connect(mysql, host,user, pass, db, port, sock, CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS))
@@ -2151,7 +2152,7 @@ int safe_connect(MYSQL* mysql, const char *host, const char *user,
 con_error= 0;
 break;
 }
- sleep(CON_RETRY_SLEEP);
+ sleep(connection_retry_sleep);
 }
 /* TODO: change this to 0 in future versions, but the 'kill' test relies on
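Review bot: `for (i= 0; i < opt_max_connect_retries; i++)` makes zero connection attempts when `opt_max_connect_retries` is 0, and the declaration added in the earlier hunk, `static int opt_max_connect_retries;`, carries no initializer, so the old guaranteed minimum of MAX_CON_TRIES (5) now depends on the option parser having applied the table default before safe_connect is first called; if any call precedes that, con_error stays 1 without a single mysql_real_connect. Initialising at the declaration, `static int opt_max_connect_retries= 5;`, keeps the default independent of call order. `static int connection_retry_sleep= 2;` is never written, so `const int` or an enum constant states that intent better than a function-static. safe_connect's body continues outside the hunk.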
@@ -2887,6 +2888,10 @@ static struct my_option my_long_options[] =
 {"compress", 'C', "Use the compressed server/client protocol.", (gptr*) &opt_compress, (gptr*) &opt_compress, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
+ {"max-connect-retries", OPT_MAX_CONNECT_RETRIES,
+ "Max number of connection attempts when connecting to server",
+ (gptr*) &opt_max_connect_retries, (gptr*) &opt_max_connect_retries, 0,
+ GET_INT, REQUIRED_ARG, 5, 1, 10, 0, 0, 0},
 {"cursor-protocol", OPT_CURSOR_PROTOCOL, "Use cursors for prepared statements.", (gptr*) &cursor_protocol, (gptr*) &cursor_protocol, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
-- cgit v1.2.1
From 184ae8820e8df8faf91740456b5ef011e3e0a88d Mon Sep 17 00:00:00 2001
From: unknown
Date: Wed, 3 May 2006 15:53:59 +0200
Subject: Move "max-connect-retries" option to get alpabetichal order
---
 client/mysqltest.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'client')
diff --git a/client/mysqltest.c b/client/mysqltest.c
index 828845f1dcd..daaf378028e 100644
--- a/client/mysqltest.c
+++ b/client/mysqltest.c
@@ -2888,10 +2888,6 @@ static struct my_option my_long_options[] =
 {"compress", 'C', "Use the compressed server/client protocol.", (gptr*) &opt_compress, (gptr*) &opt_compress, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
- {"max-connect-retries", OPT_MAX_CONNECT_RETRIES,
- "Max number of connection attempts when connecting to server",
- (gptr*) &opt_max_connect_retries, (gptr*) &opt_max_connect_retries, 0,
- GET_INT, REQUIRED_ARG, 5, 1, 10, 0, 0, 0},
 {"cursor-protocol", OPT_CURSOR_PROTOCOL, "Use cursors for prepared statements.", (gptr*) &cursor_protocol, (gptr*) &cursor_protocol, 0, GET_BOOL, NO_ARG, 0, 0, 0, 0, 0, 0},
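Review bot: The option is named `max-connect-retries` but safe_connect uses the value as the total number of attempts, so the default of 5 means four retries, and the help text `"Max number of connection attempts when connecting to server"` says attempts while the name says retries. Either rename the option to match the help text or make the text explicit, e.g. `"Maximum number of connection attempts (including the first) when connecting to server"`. The same table entry is moved unchanged in the following commit, so the wording applies there too.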
@@ -2920,6 +2916,10 @@ static struct my_option my_long_options[] =
 {"manager-wait-timeout", OPT_MANAGER_WAIT_TIMEOUT, "Undocumented: Used for debugging.", (gptr*) &manager_wait_timeout, (gptr*) &manager_wait_timeout, 0, GET_INT, REQUIRED_ARG, 3, 0, 0, 0, 0, 0},
+ {"max-connect-retries", OPT_MAX_CONNECT_RETRIES,
+ "Max number of connection attempts when connecting to server",
+ (gptr*) &opt_max_connect_retries, (gptr*) &opt_max_connect_retries, 0,
+ GET_INT, REQUIRED_ARG, 5, 1, 10, 0, 0, 0},
 {"password", 'p', "Password to use when connecting to server.", 0, 0, 0, GET_STR, OPT_ARG, 0, 0, 0, 0, 0, 0},
 {"port", 'P', "Port number to use for connection.", (gptr*) &port,
-- cgit v1.2.1
From 144c7622c7906ac554b5bbaa60c4e89113dac1e5 Mon Sep 17 00:00:00 2001
From: unknown
Date: Fri, 12 May 2006 09:10:04 +0200
Subject: Fix after merge 5.0->5.1 client/mysqlimport.c: Variable name changed mysql_connection -> mysql include/violite.h: Type changed st_VioSSLAcceptorFd-> sl_VioSSLFd vio/viosslfactories.c: Type changed st_VioSSLAcceptorFd-> sl_VioSSLFd
---
 client/mysqlimport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'client')
diff --git a/client/mysqlimport.c b/client/mysqlimport.c
index 809f73d14b6..ccd6932e25b 100644
--- a/client/mysqlimport.c
+++ b/client/mysqlimport.c
@@ -406,7 +406,7 @@ static MYSQL *db_connect(char *host, char *database,
 if (opt_use_ssl) mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher);
- mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
+ mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 (char*)&opt_ssl_verify_server_cert);
 #endif
 if (opt_protocol)
-- cgit v1.2.1