BUG#25575605: SETTING --SSL-MODE=REQUIRED SENDS CREDENTIALS BEFORE VERIFYING SSL CONNECTION

MYSQL_OPT_SSL_MODE option introduced. It is set in case of --ssl-mode=REQUIRED and permits only SSL connection.

BUG#25575605: SETTING --SSL-MODE=REQUIRED SENDS CREDENTIALS BEFORE VERIFYING SSL CONNECTION
MYSQL_OPT_SSL_MODE option introduced. It is set in case of --ssl-mode=REQUIRED and permits only SSL connection.
2531c8dc · Ramil Kalimullin · ec2a6b60 · 2531c8dc · 2531c8dc · 2531c8dc
Commit 2531c8dc authored Mar 10, 2017 by Ramil Kalimullin
18 changed files
--- a/client/client_priv.h
+++ b/client/client_priv.h
 /*
-   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -115,13 +115,15 @@ enum options_client
 /**
  Wrapper for mysql_real_connect() that checks if SSL connection is establised.
-  The function calls mysql_real_connect() first, then if given ssl_required==TRUE
+  The function calls mysql_real_connect() first. Then, if the ssl_required
-  argument (i.e. --ssl-mode=REQUIRED option used) checks current SSL chiper to
+  argument is TRUE (i.e., the --ssl-mode=REQUIRED option was specified), it
-  ensure that SSL is used for current connection.
+  checks the current SSL cipher to ensure that SSL is used for the current
-  Otherwise it returns NULL and sets errno to CR_SSL_CONNECTION_ERROR.
+  connection. Otherwise, it returns NULL and sets errno to
+  CR_SSL_CONNECTION_ERROR.
-  All clients (except mysqlbinlog which disregards SSL options) use this function
+  All clients (except mysqlbinlog, which disregards SSL options) use this
-  instead of mysql_real_connect() to handle --ssl-mode=REQUIRED option.
+  function instead of mysql_real_connect() to handle the --ssl-mode=REQUIRED
+  option.
 */
 MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
                               const char *user, const char *passwd,
@@ -129,7 +131,21 @@ MYSQL *mysql_connect_ssl_check(MYSQL *mysql_arg, const char *host,
                               const char *unix_socket, ulong client_flag,
                               my_bool ssl_required __attribute__((unused)))
 {
-  MYSQL *mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
+  MYSQL *mysql;
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+  enum mysql_ssl_mode opt_ssl_mode= SSL_MODE_REQUIRED;
+  if (ssl_required &&
+      mysql_options(mysql_arg, MYSQL_OPT_SSL_MODE, (char *) &opt_ssl_mode))
+  {
+    NET *net= &mysql_arg->net;
+    net->last_errno= CR_SSL_CONNECTION_ERROR;
+    strmov(net->last_error, "Client library doesn't support MYSQL_SSL_REQUIRED option");
+    strmov(net->sqlstate, "HY000");
+    return NULL;
+  }
+#endif
+  mysql= mysql_real_connect(mysql_arg, host, user, passwd, db, port,
                            unix_socket, client_flag);
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
  if (mysql &&                                   /* connection established. */

--- a/client/mysql.cc
+++ b/client/mysql.cc
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1318,7 +1318,7 @@ sig_handler handle_sigint(int sig)
  kill_mysql= mysql_init(kill_mysql);
  if (!mysql_connect_ssl_check(kill_mysql, current_host, current_user, opt_password,
                               "", opt_mysql_port, opt_mysql_unix_port, 0,
-                               opt_ssl_required))
+                               opt_ssl_mode == SSL_MODE_REQUIRED))
  {
    tee_fprintf(stdout, "Ctrl-C -- sorry, cannot connect to server to kill query, giving up ...\n");
    goto err;
@@ -4461,7 +4461,7 @@ sql_real_connect(char *host,char *database,char *user,char *password,
  if (!mysql_connect_ssl_check(&mysql, host, user, password,
                               database, opt_mysql_port, opt_mysql_unix_port,
                               connect_flag | CLIENT_MULTI_STATEMENTS,
-                               opt_ssl_required))
+                               opt_ssl_mode == SSL_MODE_REQUIRED))
  {
    if (!silent ||
 	(mysql_errno(&mysql) != CR_CONN_HOST_ERROR &&

--- a/client/mysql_upgrade.c
+++ b/client/mysql_upgrade.c
 /*
-   Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -387,9 +387,11 @@ static int run_tool(char *tool_path, DYNAMIC_STRING *ds_res, ...)
  va_end(args);
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
  /* If given --ssl-mode=REQUIRED propagate it to the tool. */
-  if (opt_ssl_required)
+  if (opt_ssl_mode == SSL_MODE_REQUIRED)
    dynstr_append(&ds_cmdline, "--ssl-mode=REQUIRED");
+#endif
 #ifdef __WIN__
  dynstr_append(&ds_cmdline, "\"");

--- a/client/mysqladmin.cc
+++ b/client/mysqladmin.cc
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -519,8 +519,8 @@ static my_bool sql_connect(MYSQL *mysql, uint wait)
  for (;;)
  {
    if (mysql_connect_ssl_check(mysql, host, user, opt_password, NullS,
-                                tcp_port, unix_port,
+                                tcp_port, unix_port, CLIENT_REMEMBER_OPTIONS,
-                                CLIENT_REMEMBER_OPTIONS, opt_ssl_required))
+                                opt_ssl_mode == SSL_MODE_REQUIRED))
    {
      mysql->reconnect= 1;
      if (info)

--- a/client/mysqlcheck.c
+++ b/client/mysqlcheck.c
 /*
-   Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -907,7 +907,7 @@ static int dbConnect(char *host, char *user, char *passwd)
  if (!(sock = mysql_connect_ssl_check(&mysql_connection, host, user, passwd,
                                       NULL, opt_mysql_port,
                                       opt_mysql_unix_port, 0,
-                                       opt_ssl_required)))
+                                       opt_ssl_mode == SSL_MODE_REQUIRED)))
  {
    DBerror(&mysql_connection, "when trying to connect");
    return 1;

--- a/client/mysqldump.c
+++ b/client/mysqldump.c
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -1501,7 +1501,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
  if (!(mysql= mysql_connect_ssl_check(&mysql_connection, host, user,
                                       passwd, NULL, opt_mysql_port,
                                       opt_mysql_unix_port, 0,
-                                       opt_ssl_required)))
+                                       opt_ssl_mode == SSL_MODE_REQUIRED)))
  {
    DB_error(&mysql_connection, "when trying to connect");
    DBUG_RETURN(1);

--- a/client/mysqlimport.c
+++ b/client/mysqlimport.c
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -463,7 +463,7 @@ static MYSQL *db_connect(char *host, char *database,
  mysql_options(mysql, MYSQL_SET_CHARSET_NAME, default_charset);
  if (!(mysql_connect_ssl_check(mysql, host, user, passwd, database,
                                opt_mysql_port, opt_mysql_unix_port,
-                                0, opt_ssl_required)))
+                                0, opt_ssl_mode == SSL_MODE_REQUIRED)))
  {
    ignore_errors=0;	  /* NO RETURN FROM db_error */
    db_error(mysql);

--- a/client/mysqlshow.c
+++ b/client/mysqlshow.c
 /*
-   Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -142,7 +142,7 @@ int main(int argc, char **argv)
  if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
 			        (first_argument_uses_wildcards) ? "" :
                                argv[0], opt_mysql_port, opt_mysql_unix_port,
-			        0, opt_ssl_required)))
+			        0, opt_ssl_mode == SSL_MODE_REQUIRED)))
  {
    fprintf(stderr,"%s: %s\n",my_progname,mysql_error(&mysql));
    exit(1);

--- a/client/mysqlslap.c
+++ b/client/mysqlslap.c
 /*
-   Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -357,7 +357,8 @@ int main(int argc, char **argv)
  {
    if (!(mysql_connect_ssl_check(&mysql, host, user, opt_password,
                                  NULL, opt_mysql_port, opt_mysql_unix_port,
-                                  connect_flags, opt_ssl_required)))
+                                  connect_flags,
+                                  opt_ssl_mode == SSL_MODE_REQUIRED)))
    {
      fprintf(stderr,"%s: Error when connecting to server: %s\n",
              my_progname,mysql_error(&mysql));

--- a/client/mysqltest.cc
+++ b/client/mysqltest.cc
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -5283,7 +5283,7 @@ void safe_connect(MYSQL* mysql, const char *name, const char *host,
              host, port, sock, user, name, failed_attempts);
  while(!mysql_connect_ssl_check(mysql, host,user, pass, db, port, sock,
                                 CLIENT_MULTI_STATEMENTS | CLIENT_REMEMBER_OPTIONS,
-                                 opt_ssl_required))
+                                 opt_ssl_mode == SSL_MODE_REQUIRED))
  {
    /*
      Connect failed
@@ -5385,7 +5385,7 @@ int connect_n_handle_errors(struct st_command *command,
  while (!mysql_connect_ssl_check(con, host, user, pass, db, port,
                                  sock ? sock: 0, CLIENT_MULTI_STATEMENTS,
-                                  opt_ssl_required))
+                                  opt_ssl_mode == SSL_MODE_REQUIRED))
  {
    /*
      If we have used up all our connections check whether this

--- a/include/mysql.h
+++ b/include/mysql.h
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -167,7 +167,7 @@ enum mysql_option
  MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
  MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
  MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
-  MYSQL_ENABLE_CLEARTEXT_PLUGIN
+  MYSQL_ENABLE_CLEARTEXT_PLUGIN, MYSQL_OPT_SSL_MODE
 };
 /**
@@ -224,6 +224,11 @@ enum mysql_protocol_type
  MYSQL_PROTOCOL_PIPE, MYSQL_PROTOCOL_MEMORY
 };
+enum mysql_ssl_mode
+{
+  SSL_MODE_REQUIRED= 3
+};
 typedef struct character_set
 {
  unsigned int      number;     /* character set number              */

--- a/include/mysql.h.pp
+++ b/include/mysql.h.pp
@@ -263,7 +263,7 @@ enum mysql_option
  MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
  MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
  MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
-  MYSQL_ENABLE_CLEARTEXT_PLUGIN
+  MYSQL_ENABLE_CLEARTEXT_PLUGIN, MYSQL_OPT_SSL_MODE
 };
 struct st_mysql_options_extention;
 struct st_mysql_options {
@@ -307,6 +307,10 @@ enum mysql_protocol_type
  MYSQL_PROTOCOL_DEFAULT, MYSQL_PROTOCOL_TCP, MYSQL_PROTOCOL_SOCKET,
  MYSQL_PROTOCOL_PIPE, MYSQL_PROTOCOL_MEMORY
 };
+enum mysql_ssl_mode
+{
+  SSL_MODE_REQUIRED= 3
+};
 typedef struct character_set
 {
  unsigned int number;

--- a/include/sql_common.h
+++ b/include/sql_common.h
 #ifndef SQL_COMMON_INCLUDED
 #define SQL_COMMON_INCLUDED
-/* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -32,6 +32,7 @@ struct st_mysql_options_extention {
  char *plugin_dir;
  char *default_auth;
  my_bool enable_cleartext_plugin;
+  unsigned int ssl_mode;
 };
 typedef struct st_mysql_methods

--- a/include/sslopt-case.h
+++ b/include/sslopt-case.h
 #ifndef SSLOPT_CASE_INCLUDED
 #define SSLOPT_CASE_INCLUDED
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -38,7 +38,7 @@
        exit(1);
      }
      else
-        opt_ssl_required= 1;
+        opt_ssl_mode= SSL_MODE_REQUIRED;
      break;
 #endif /* MYSQL_CLIENT */
 #endif

--- a/include/sslopt-vars.h
+++ b/include/sslopt-vars.h
 #ifndef SSLOPT_VARS_INCLUDED
 #define SSLOPT_VARS_INCLUDED
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -31,11 +31,11 @@ SSL_STATIC char *opt_ssl_key    = 0;
 #ifdef MYSQL_CLIENT
 SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
-SSL_STATIC my_bool opt_ssl_required= 0;
+SSL_STATIC uint opt_ssl_mode= 0;
 #endif /* MYSQL_CLIENT */
 #else /* HAVE_OPENSSL */
-#define opt_ssl_required 0
+#define opt_ssl_mode 0
 #endif /* HAVE_OPENSSL */
 #endif /* SSLOPT_VARS_INCLUDED */
--- a/mysql-test/r/ssl_mode.result
+++ b/mysql-test/r/ssl_mode.result
@@ -37,8 +37,8 @@ DROP TABLE t1;
 # mysql
 Unknown value to --ssl-mode: ''. Use --ssl-mode=REQUIRED
 Unknown value to --ssl-mode: 'DERIUQER'. Use --ssl-mode=REQUIRED
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Client is not configured to use SSL
 End of tests
--- a/mysql-test/r/ssl_mode_no_ssl.result
+++ b/mysql-test/r/ssl_mode_no_ssl.result
 # negative client tests
 # mysql
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
-ERROR 2026 (HY000): --ssl-mode=REQUIRED option forbids non SSL connections
+ERROR 2026 (HY000): SSL connection error: Server doesn't support SSL
 # mysqldump
-mysqldump: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+mysqldump: Got error: 2026: SSL connection error: Server doesn't support SSL when trying to connect
 # mysqladmin
-mysqladmin: error: '--ssl-mode=REQUIRED option forbids non SSL connections'
+mysqladmin: error: 'SSL connection error: Server doesn't support SSL'
 # mysqlcheck
-mysqlcheck: Got error: 2026: --ssl-mode=REQUIRED option forbids non SSL connections when trying to connect
+mysqlcheck: Got error: 2026: SSL connection error: Server doesn't support SSL when trying to connect
 # mysqlimport
-mysqlimport: Error: 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlimport: Error: 2026 SSL connection error: Server doesn't support SSL
 # mysqlshow
-mysqlshow: --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlshow: SSL connection error: Server doesn't support SSL
 # mysqlslap
-mysqlslap: Error when connecting to server: --ssl-mode=REQUIRED option forbids non SSL connections
+mysqlslap: Error when connecting to server: SSL connection error: Server doesn't support SSL
 # mysqltest
-mysqltest: Could not open connection 'default': 2026 --ssl-mode=REQUIRED option forbids non SSL connections
+mysqltest: Could not open connection 'default': 2026 SSL connection error: Server doesn't support SSL
 End of tests
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1137,7 +1137,7 @@ static const char *default_options[]=
  "ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base-name",
  "multi-results", "multi-statements", "multi-queries", "secure-auth",
  "report-data-truncation", "plugin-dir", "default-auth", 
-  "enable-cleartext-plugin",
+  "enable-cleartext-plugin", "ssl-mode",
  NullS
 };
 enum option_id {
@@ -1149,7 +1149,7 @@ enum option_id {
  OPT_ssl_cipher, OPT_max_allowed_packet, OPT_protocol, OPT_shared_memory_base_name, 
  OPT_multi_results, OPT_multi_statements, OPT_multi_queries, OPT_secure_auth, 
  OPT_report_data_truncation, OPT_plugin_dir, OPT_default_auth, 
-  OPT_enable_cleartext_plugin,
+  OPT_enable_cleartext_plugin, OPT_ssl_mode,
  OPT_keep_this_one_last
 };
@@ -1338,12 +1338,26 @@ void mysql_read_default_options(struct st_mysql_options *options,
          my_free(options->ssl_cipher);
          options->ssl_cipher= my_strdup(opt_arg, MYF(MY_WME));
          break;
+        case OPT_ssl_mode:
+          if (opt_arg &&
+              !my_strcasecmp(&my_charset_latin1, opt_arg, "required"))
+          {
+            ENSURE_EXTENSIONS_PRESENT(options);
+            options->extension->ssl_mode= SSL_MODE_REQUIRED;
+          }
+          else
+          {
+            fprintf(stderr, "Unknown option to ssl-mode: %s\n", opt_arg);
+            exit(1);
+          }
+          break;
 #else
 	case OPT_ssl_key:
 	case OPT_ssl_cert:
 	case OPT_ssl_ca:
 	case OPT_ssl_capath:
        case OPT_ssl_cipher:
+        case OPT_ssl_mode:
 	  break;
 #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
 	case OPT_character_sets_dir:
@@ -1850,6 +1864,10 @@ mysql_ssl_free(MYSQL *mysql __attribute__((unused)))
  mysql->options.ssl_capath = 0;
  mysql->options.ssl_cipher= 0;
  mysql->options.use_ssl = FALSE;
+  if (mysql->options.extension)
+  {
+    mysql->options.extension->ssl_mode= 0;
+  }
  mysql->connector_fd = 0;
  DBUG_VOID_RETURN;
 }
@@ -2596,6 +2614,31 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
    end= buff+5;
  }
 #ifdef HAVE_OPENSSL
+  /*
+    If SSL connection is required we'll:
+      1. check if the server supports SSL;
+      2. check if the client is properly configured;
+      3. try to use SSL no matter the other options given.
+  */
+  if (mysql->options.extension &&
+      mysql->options.extension->ssl_mode == SSL_MODE_REQUIRED)
+  {
+    if (!(mysql->server_capabilities & CLIENT_SSL))
+    {
+      set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+                               ER(CR_SSL_CONNECTION_ERROR),
+                               "Server doesn't support SSL");
+      goto error;
+    }
+    if (!mysql->options.use_ssl)
+    {
+      set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+                               ER(CR_SSL_CONNECTION_ERROR),
+                               "Client is not configured to use SSL");
+      goto error;
+    }
+    mysql->client_flag|= CLIENT_SSL;
+  }
  if (mysql->client_flag & CLIENT_SSL)
  {
    /* Do the SSL layering. */
@@ -4242,6 +4285,13 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
    mysql->options.extension->enable_cleartext_plugin= 
      (*(my_bool*) arg) ? TRUE : FALSE;
    break;
+  case MYSQL_OPT_SSL_MODE:
+    if (*(uint *) arg == SSL_MODE_REQUIRED)
+    {
+      ENSURE_EXTENSIONS_PRESENT(&mysql->options);
+      mysql->options.extension->ssl_mode= SSL_MODE_REQUIRED;
+    }
+    break;
  default:
    DBUG_RETURN(1);
  }