• Julius Goryavsky's avatar
    MDEV-26360: Using hostnames breaks certificate validation · 77b11965
    Julius Goryavsky authored
    Fixed flaws with overly strict or, conversely,
    overly soft verification of certificates in some
    scenarios:
    
    1. Removed the check that the 'commonname' (CN) in the
       certificate matches the 'localhost' value on the side
       of the joiner node, which was performed earlier, even
       if the address was received by the script only as an
       argument (out of the exchange via the Galera protocol) -
       since for the joining node this argument always contains
       its own local address, not the address of the remote host,
       so it is always treated as 'localhost', which is not
       necessarily true (outside of mtr testing);
    2. Removed checking the domain name or IP-address of the
       peer node in the encrypt=2 mode;
    3. Fixed checking of compliance of certificates when
       rsync SST is used;
    4. Added the ability to specify CA not only as a file,
       but also as a path to the directory where the certificates
       are stored. To do this, the user just needs to specify the
       path to this directory as the value ssl-ca or tca parameter,
       ending with the '/' character.
    77b11965
wsrep_sst_xtrabackup-v2.sh 44.2 KB