From f5369faf5bbfb56b5e945836eb3f7c7ee88b4079 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Thu, 29 Mar 2018 15:25:08 +0200
Subject: don't disable SSL when connecting via libmysqld
---
 sql-common/client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sql-common/client.c')
diff --git a/sql-common/client.c b/sql-common/client.c
index 7d92f71d69f..fc591e21616 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -2532,10 +2532,10 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 if (mysql->client_flag & CLIENT_MULTI_STATEMENTS)
 mysql->client_flag|= CLIENT_MULTI_RESULTS;
-#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+#ifdef HAVE_OPENSSL
 if (mysql->options.use_ssl)
 mysql->client_flag|= CLIENT_SSL;
-#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY*/
+#endif /* HAVE_OPENSSL */
 if (mpvio->db)
 mysql->client_flag|= CLIENT_CONNECT_WITH_DB;
-- cgit v1.2.1
From ed33296246091780439bdbcb087027d2a8bf8eeb Mon Sep 17 00:00:00 2001
From: Michael Gmelin
Date: Fri, 19 Jan 2018 00:24:39 +0100
Subject: Fix LibreSSL X509 (SSL) certificate hostname checking.
(Currently) LibreSSL doesn't calculate the string length of the hostname that's passed to X509_check_host automatically in case namelen/chklen is 0. This causes server certificate validation to fail when building MariaDB with LibreSSL. The proposed fix makes MariaDB determine the string length passed to X509_check_host. As there are no ill side-effects (OpenSSL's X509_check_host also simply calls strlen if namelen == 0, see also X509_check_host(3)), this wasn't wrapped in any #ifdef like constructs. Please see here for a proposed patch to modify LibreSSL's behavior: https://github.com/libressl-portable/openbsd/pull/87
---
 sql-common/client.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'sql-common/client.c')
diff --git a/sql-common/client.c b/sql-common/client.c
index da18a0fdea1..e2d4a0949df 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
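Review bot: In the send_client_reply_packet hunk of the first commit (f5369faf), `CLIENT_SSL` is now set for libmysqld builds whenever `mysql->options.use_ssl` is set, but the code that acts on that flag lies outside the hunk. The function continues past the visible lines, so it cannot be confirmed here that the later TLS switch is no longer compiled out under `EMBEDDED_LIBRARY`; if it still is, the client would advertise SSL in its capability flags and then continue in cleartext. The commit touches only these two preprocessor lines, so it is worth checking every other `!defined(EMBEDDED_LIBRARY)` guard on the SSL path in this file. A short comment above the block would also help, for example `/* also for libmysqld: an embedded client may still connect to a remote server */`.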
@@ -1821,7 +1821,8 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
 */
 #ifdef HAVE_X509_check_host
- ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
+ ret_validation= X509_check_host(server_cert, server_hostname,
+ strlen(server_hostname), 0, 0) != 1;
 #else
 subject= X509_get_subject_name(server_cert);
 cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
-- cgit v1.2.1
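Review bot: The added `strlen(server_hostname)` dereferences `server_hostname` unconditionally, so the call now depends on a NULL check earlier in ssl_verify_server_cert. That function starts outside this hunk, so the check cannot be confirmed from here. If no such guard exists, a missing hostname should be treated as a validation failure before this line rather than reaching `strlen`. Keeping the `!= 1` comparison is correct, since it fails closed on the library's error returns as well as on a plain mismatch. I would also add a comment on the call so the explicit length is not later simplified back to `0`, for example `/* LibreSSL does not strlen() the name when chklen is 0 */`.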