MDEV-31857 enable --ssl-verify-server-cert by default

client/mysqltest.cc

@@ -9289,6 +9289,7 @@ int util_query(MYSQL* org_mysql, const char* query){
       /* enable local infile, in non-binary builds often disabled by default */
       mysql_options(mysql, MYSQL_OPT_LOCAL_INFILE, 0);
       mysql_options(mysql, MYSQL_OPT_NONBLOCK, 0);
+      SET_SSL_OPTS(mysql);
       safe_connect(mysql, "util", org_mysql->host, org_mysql->user,
           org_mysql->passwd, org_mysql->db, org_mysql->port,
           org_mysql->unix_socket);

include/sslopt-longopts.h

@@ -60,7 +60,7 @@
   {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
    "Verify server's certificate to prevent man-in-the-middle attacks",
    &opt_ssl_verify_server_cert, &opt_ssl_verify_server_cert,
-   0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
+   0, GET_BOOL, OPT_ARG, 1, 0, 0, 0, 0, 0},
 #endif
 #endif /* HAVE_OPENSSL */
 #endif /* SSLOPT_LONGOPTS_INCLUDED */

include/sslopt-vars.h

@@ -34,7 +34,7 @@ SSL_STATIC char *opt_tls_version = 0;
 #ifdef MYSQL_CLIENT
 SSL_STATIC char *opt_ssl_fp      = 0;
 SSL_STATIC char *opt_ssl_fplist  = 0;
-SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
+SSL_STATIC my_bool opt_ssl_verify_server_cert= 1;
 
 #define SET_SSL_OPTS(M)                                                 \
   do {                                                                  \

libmariadb @ 8dffd569

-Subproject commit fcef411ecb4a2c013e7aac655a96669474110225
+Subproject commit 8dffd56936df3d03eeccf47904773860a0cdeb57

mysql-test/include/default_client.cnf

@@ -2,6 +2,8 @@
 # We use default-character-set=latin1 to avoid character set auto-detection
 # when running tests - not to depend on the current machine localization.
 #
+[client]
+loose-disable-ssl-verify-server-cert
 
 [mysql]
 default-character-set=latin1

mysql-test/mariadb-test-run.pl

@@ -5022,6 +5022,7 @@ sub mysqld_stop {
   mtr_add_arg($args, "--host=%s", $mysqld->value('#host'));
   mtr_add_arg($args, "--connect_timeout=20");
   mtr_add_arg($args, "--protocol=tcp");
+  mtr_add_arg($args, "--disable-ssl-verify-server-cert");
 
   mtr_add_arg($args, "shutdown");
 

mysql-test/suite/federated/federated_bug_25714.result

@@ -7,10 +7,13 @@ CREATE DATABASE federated;
 connection master;
 SET @OLD_MASTER_CONCURRENT_INSERT= @@GLOBAL.CONCURRENT_INSERT;
 SET @@GLOBAL.CONCURRENT_INSERT= 0;
+create user fed@127.0.0.1 identified by 'def';
+grant all privileges on federated.* to fed@127.0.0.1;
 connection slave;
 SET @OLD_SLAVE_CONCURRENT_INSERT= @@GLOBAL.CONCURRENT_INSERT;
 SET @@GLOBAL.CONCURRENT_INSERT= 0;
-DROP TABLE IF EXISTS federated.bug_13118_table;
+create user fed@127.0.0.1 identified by 'def';
+grant all privileges on federated.* to fed@127.0.0.1;
 CREATE TABLE federated.t1 (
 `id` int auto_increment primary key, 
 `value` int
@@ -19,7 +22,6 @@ INSERT INTO federated.t1 SET value=1;
 INSERT INTO federated.t1 SET value=2;
 INSERT INTO federated.t1 SET value=2;
 connection master;
-DROP TABLE IF EXISTS federated.t1;
 CREATE TABLE federated.t1 (
 `id` int auto_increment primary key, 
 `value` int
@@ -51,9 +53,11 @@ id	value
 7	54
 8	55
 DROP TABLE federated.t1;
+drop user fed@127.0.0.1;
 SET @@GLOBAL.CONCURRENT_INSERT= @OLD_MASTER_CONCURRENT_INSERT;
 connection slave;
 DROP TABLE federated.t1;
+drop user fed@127.0.0.1;
 SET @@GLOBAL.CONCURRENT_INSERT= @OLD_SLAVE_CONCURRENT_INSERT;
 connection master;
 DROP TABLE IF EXISTS federated.t1;

mysql-test/suite/federated/federated_bug_25714.test

@@ -13,12 +13,20 @@ connection master;
 SET @OLD_MASTER_CONCURRENT_INSERT= @@GLOBAL.CONCURRENT_INSERT;
 SET @@GLOBAL.CONCURRENT_INSERT= 0;
 
+#
+# use a user with the password, so that the test client $MYSQL_BUG25714
+# would be able to connect when ssl and certificate validation are
+# enabled by default (MDEV-31857, MDEV-31855)
+#
+create user fed@127.0.0.1 identified by 'def';
+grant all privileges on federated.* to fed@127.0.0.1;
+
 connection slave;
 SET @OLD_SLAVE_CONCURRENT_INSERT= @@GLOBAL.CONCURRENT_INSERT;
 SET @@GLOBAL.CONCURRENT_INSERT= 0;
---disable_warnings
-DROP TABLE IF EXISTS federated.bug_13118_table;
---enable_warnings
+
+create user fed@127.0.0.1 identified by 'def';
+grant all privileges on federated.* to fed@127.0.0.1;
 
 CREATE TABLE federated.t1 (
     `id` int auto_increment primary key, 
@@ -29,9 +37,6 @@ INSERT INTO federated.t1 SET value=2;
 INSERT INTO federated.t1 SET value=2;
 
 connection master;
---disable_warnings
-DROP TABLE IF EXISTS federated.t1;
---enable_warnings
 
 --replace_result $SLAVE_MYPORT SLAVE_PORT
 eval CREATE TABLE federated.t1 (
@@ -52,11 +57,11 @@ SELECT LAST_INSERT_ID();
 SELECT * from federated.t1;
 
 DROP TABLE federated.t1;
+drop user fed@127.0.0.1;
 SET @@GLOBAL.CONCURRENT_INSERT= @OLD_MASTER_CONCURRENT_INSERT;
 connection slave;
 DROP TABLE federated.t1;
+drop user fed@127.0.0.1;
 SET @@GLOBAL.CONCURRENT_INSERT= @OLD_SLAVE_CONCURRENT_INSERT;
 
-
-
 source suite/federated/include/federated_cleanup.inc;

mysql-test/suite/mariabackup/incremental_compressed.test

@@ -12,11 +12,11 @@ let $incremental_dir=$MYSQLTEST_VARDIR/tmp/backup_inc1;
 
 CREATE TABLE t (pk INT PRIMARY KEY) ENGINE=InnoDB ROW_FORMAT=COMPRESSED;
 
---exec $XTRABACKUP --backup --target-dir=$basedir --protocol=tcp --port=$MASTER_MYPORT --user=root
+--exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup --target-dir=$basedir --protocol=tcp --port=$MASTER_MYPORT --user=root
 
 ALTER TABLE t PARTITION BY KEY(pk);
 
---exec $XTRABACKUP --backup --target-dir=$incremental_dir --incremental-basedir=$basedir --protocol=tcp --port=$MASTER_MYPORT --user=root > $incremental_dir.log 2>&1
+--exec $XTRABACKUP --defaults-file=$MYSQLTEST_VARDIR/my.cnf --backup --target-dir=$incremental_dir --incremental-basedir=$basedir --protocol=tcp --port=$MASTER_MYPORT --user=root > $incremental_dir.log 2>&1
 --exec $XTRABACKUP --prepare --target-dir=$basedir --user=root > $MYSQL_TMP_DIR/backup_prepare_0.log 2>&1
 --exec $XTRABACKUP --prepare --target-dir=$basedir --incremental-dir=$incremental_dir --user=root >  $MYSQL_TMP_DIR/backup_prepare_1.log
 --cat_file $MYSQL_TMP_DIR/backup_prepare_1.log

tests/bug25714.c

@@ -25,8 +25,8 @@ int main (int argc, char **argv)
   MYSQL conn;
   int OK __attribute__((unused));
 
-  const char* query4= "INSERT INTO federated.t1 SET Value=54";
-  const char* query5= "INSERT INTO federated.t1 SET Value=55";
+  const char* query4= "INSERT INTO t1 SET Value=54";
+  const char* query5= "INSERT INTO t1 SET Value=55";
 
   MY_INIT(argv[0]);
 
@@ -41,9 +41,9 @@ int main (int argc, char **argv)
   if (!mysql_real_connect(
                           &conn,
                           "127.0.0.1",
-                          "root",
-                          "",
-                          "test",
+                          "fed",
+                          "def",
+                          "federated",
                           atoi(argv[1]),
                           NULL,
                           CLIENT_FOUND_ROWS))

tests/mysql_client_fw.c

@@ -252,6 +252,8 @@ static void print_st_error(MYSQL_STMT *stmt, const char *msg)
 static MYSQL *mysql_client_init(MYSQL* con)
 {
   MYSQL* res = mysql_init(con);
+  my_bool no= 0;
+  mysql_options(res, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &no);
   if (res && non_blocking_api_enabled)
     mysql_options(res, MYSQL_OPT_NONBLOCK, 0);
   if (opt_plugin_dir && *opt_plugin_dir)
@@ -1227,6 +1229,8 @@ static struct my_option client_test_long_options[] =
   {"socket", 'S', "Socket file to use for connection",
    &opt_unix_socket, &opt_unix_socket, 0, GET_STR,
    REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
+  {"ssl-verify-server-cert", 0, "for compatibility only, the value is ignored",
+    0, 0, 0, GET_BOOL, OPT_ARG, 0, 0, 0, 0, 0, 0},
   {"testcase", 'c',
    "May disable some code when runs as mysql-test-run testcase.",
    0, 0, 0, GET_NO_ARG, NO_ARG, 0, 0, 0, 0, 0, 0},