Commit 40df5f68 authored by unknown's avatar unknown

Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23

 - Turn off verification of peer if both ca_path and ca_file is null
   i.e from only passing --ssl-key=<client_key> and --ssl-cert=<client_cert>
   to the mysql utility programs.
   The server will authenticate the client accoring to GRANT tables
   but the client won't authenticate the server 


mysql-test/r/openssl_1.result:
  Update result file
mysql-test/t/openssl_1.test:
  Test that it's possible to connect with --ssl-ca set to /dev/null
vio/viosslfactories.c:
  Turn off verification of peer if both ca_file and ca_path is NULL
parent b9c36948
...@@ -51,3 +51,5 @@ SSL error: Unable to get private key from '' ...@@ -51,3 +51,5 @@ SSL error: Unable to get private key from ''
mysqltest: Could not open connection 'default': 2026 SSL connection error mysqltest: Could not open connection 'default': 2026 SSL connection error
SSL error: Unable to get certificate from '' SSL error: Unable to get certificate from ''
mysqltest: Could not open connection 'default': 2026 SSL connection error mysqltest: Could not open connection 'default': 2026 SSL connection error
Variable_name Value
Ssl_cipher DHE-RSA-AES256-SHA
...@@ -95,4 +95,11 @@ drop table t1; ...@@ -95,4 +95,11 @@ drop table t1;
--error 1 --error 1
--exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 --exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1
#
# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
#
# Test that we can open encrypted connection to server without
# verification of servers certificate by setting both ca certificate
# and ca path to NULL
#
--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1
...@@ -301,6 +301,14 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file, ...@@ -301,6 +301,14 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
{ {
struct st_VioSSLFd *ssl_fd; struct st_VioSSLFd *ssl_fd;
int verify= SSL_VERIFY_PEER; int verify= SSL_VERIFY_PEER;
/*
Turn off verification of servers certificate if both
ca_file and ca_path is set to NULL
*/
if (ca_file == 0 && ca_path == 0)
verify= SSL_VERIFY_NONE;
if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
ca_path, cipher, TLSv1_client_method()))) ca_path, cipher, TLSv1_client_method())))
{ {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment