Fix bug #673: MySQL 4.0.13 no SSL connection with mysql client possible

parent 79780cbd
...@@ -546,7 +546,9 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user, ...@@ -546,7 +546,9 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
We need to check for absence of SSL because without SSL We need to check for absence of SSL because without SSL
we should reject connection. we should reject connection.
*/ */
if (vio_type(vio) == VIO_TYPE_SSL && SSL_get_peer_certificate(vio->ssl_)) if (vio_type(vio) == VIO_TYPE_SSL &&
SSL_get_verify_result(vio->ssl_) == X509_V_OK &&
SSL_get_peer_certificate(vio->ssl_))
user_access=acl_user->access; user_access=acl_user->access;
break; break;
case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */ case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
...@@ -554,7 +556,8 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user, ...@@ -554,7 +556,8 @@ ulong acl_getroot(THD *thd, const char *host, const char *ip, const char *user,
We need to check for absence of SSL because without SSL We need to check for absence of SSL because without SSL
we should reject connection. we should reject connection.
*/ */
if (vio_type(vio) == VIO_TYPE_SSL) if (vio_type(vio) == VIO_TYPE_SSL &&
SSL_get_verify_result(vio->ssl_) == X509_V_OK)
{ {
if (acl_user->ssl_cipher) if (acl_user->ssl_cipher)
{ {
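Review bot: The verify-result check added for SSL_TYPE_SPECIFIED, `if (vio_type(vio) == VIO_TYPE_SSL && SSL_get_verify_result(vio->ssl_) == X509_V_OK)`, does not establish that the client presented a certificate at all: OpenSSL reports X509_V_OK when no peer certificate was sent, and the acceptor in this same commit drops SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so certificate-less clients now reach this branch. The X509 branch above guards against that with its explicit SSL_get_peer_certificate() call; the SPECIFIED branch continues outside the hunk, so whatever code there compares ssl_cipher, issuer or subject must fetch the peer certificate and treat NULL as a failure before reading issuer or subject. Separately, the `SSL_get_peer_certificate(vio->ssl_)` result in the X509 branch is reference-counted and is never released here; store it in a local and `X509_free()` it after the test to avoid leaking one certificate per authenticated connection. acl_getroot() starts and ends outside both hunks.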
......
...@@ -287,8 +287,7 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout) ...@@ -287,8 +287,7 @@ int sslaccept(struct st_VioSSLAcceptorFd* ptr, Vio* vio, long timeout)
SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout); SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
SSL_set_fd(vio->ssl_,vio->sd); SSL_set_fd(vio->ssl_,vio->sd);
SSL_set_accept_state(vio->ssl_); SSL_set_accept_state(vio->ssl_);
if (SSL_do_handshake(vio->ssl_) < 1 || if (SSL_do_handshake(vio->ssl_) < 1)
SSL_get_verify_result(vio->ssl_) != X509_V_OK)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors();
...@@ -361,8 +360,7 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout) ...@@ -361,8 +360,7 @@ int sslconnect(struct st_VioSSLConnectorFd* ptr, Vio* vio, long timeout)
SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout); SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
SSL_set_fd (vio->ssl_, vio->sd); SSL_set_fd (vio->ssl_, vio->sd);
SSL_set_connect_state(vio->ssl_); SSL_set_connect_state(vio->ssl_);
if (SSL_do_handshake(vio->ssl_) < 1 || if (SSL_do_handshake(vio->ssl_) < 1)
SSL_get_verify_result(vio->ssl_) != X509_V_OK)
{ {
DBUG_PRINT("error", ("SSL_do_handshake failure")); DBUG_PRINT("error", ("SSL_do_handshake failure"));
report_errors(); report_errors();
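Review bot: With the `SSL_get_verify_result(vio->ssl_) != X509_V_OK` term removed, sslaccept() and sslconnect() no longer treat a failed or absent verification as a handshake error, and nothing at this point records the verify result, so a connection whose chain failed to validate is indistinguishable in the debug trace from a good one. Whether the verification outcome is still enforced now depends on the later check in acl_getroot() on the server side and on the verify mode chosen in the factories, and that reliance is not stated anywhere in these two functions. Suggest a comment above the remaining `if (SSL_do_handshake(vio->ssl_) < 1)` in both functions, e.g. `/* Peer verification is not enforced here; the server checks SSL_get_verify_result() in acl_getroot() against the user's ssl_type. */`, plus a `DBUG_PRINT("info", ("verify result: %ld", SSL_get_verify_result(vio->ssl_)))` after a successful handshake so failed verification remains visible in traces. Both functions start and end outside their hunks.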
......
...@@ -178,6 +178,11 @@ vio_verify_callback(int ok, X509_STORE_CTX *ctx) ...@@ -178,6 +178,11 @@ vio_verify_callback(int ok, X509_STORE_CTX *ctx)
/************************ VioSSLConnectorFd **********************************/ /************************ VioSSLConnectorFd **********************************/
/*
TODO:
Add option --verify to mysql to be able to change verification mode
*/
struct st_VioSSLConnectorFd * struct st_VioSSLConnectorFd *
new_VioSSLConnectorFd(const char* key_file, new_VioSSLConnectorFd(const char* key_file,
const char* cert_file, const char* cert_file,
...@@ -185,7 +190,7 @@ new_VioSSLConnectorFd(const char* key_file, ...@@ -185,7 +190,7 @@ new_VioSSLConnectorFd(const char* key_file,
const char* ca_path, const char* ca_path,
const char* cipher) const char* cipher)
{ {
int verify = SSL_VERIFY_PEER; int verify = SSL_VERIFY_NONE;
struct st_VioSSLConnectorFd* ptr; struct st_VioSSLConnectorFd* ptr;
int result; int result;
DH *dh=NULL; DH *dh=NULL;
...@@ -264,7 +269,10 @@ ctor_failure: ...@@ -264,7 +269,10 @@ ctor_failure:
/************************ VioSSLAcceptorFd **********************************/ /************************ VioSSLAcceptorFd **********************************/
/*
TODO:
Add option --verify to mysqld to be able to change verification mode
*/
struct st_VioSSLAcceptorFd* struct st_VioSSLAcceptorFd*
new_VioSSLAcceptorFd(const char *key_file, new_VioSSLAcceptorFd(const char *key_file,
const char *cert_file, const char *cert_file,
...@@ -273,7 +281,6 @@ new_VioSSLAcceptorFd(const char *key_file, ...@@ -273,7 +281,6 @@ new_VioSSLAcceptorFd(const char *key_file,
const char *cipher) const char *cipher)
{ {
int verify = (SSL_VERIFY_PEER | int verify = (SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
SSL_VERIFY_CLIENT_ONCE); SSL_VERIFY_CLIENT_ONCE);
struct st_VioSSLAcceptorFd* ptr; struct st_VioSSLAcceptorFd* ptr;
int result; int result;
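Review bot: Switching the connector to `int verify = SSL_VERIFY_NONE;` means new_VioSSLConnectorFd() still accepts ca_file and ca_path but never uses them to validate the server's certificate, so the client side of every SSL connection now performs no server-identity check and the session protects only against passive observation. If the intent is to make certificates optional for clients that configure none, the verify mode can follow the arguments instead of being fixed, `int verify = (ca_file || ca_path) ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;`, which keeps verification for callers that supplied a CA; whether unset ca_file/ca_path arrive as NULL or as empty strings is not visible in the hunk, so the test may need adjusting. The TODO comments added in front of both factories should also state the current mode's effect, e.g. `Currently SSL_VERIFY_NONE: the server certificate is not validated.`, so callers do not assume the CA options are honoured. On the acceptor, dropping SSL_VERIFY_FAIL_IF_NO_PEER_CERT is what lets certificate-less clients complete the handshake; that relies on acl_getroot() rejecting them for users whose ssl_type requires a certificate.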
......