0513237f
Commit
0513237f
authored
Dec 03, 2018
by
Georg Richter
MDEV-14101: Provide option to specify tls_version for client tools
parent
3728b11f
Changes
23
Showing
23 changed files
with
157 additions
and
93 deletions
+157
-93
client/client_priv.h
client/client_priv.h
+1
-0
client/mysql.cc
client/mysql.cc
+1
-0
client/mysqladmin.cc
client/mysqladmin.cc
+1
-0
client/mysqlbinlog.cc
client/mysqlbinlog.cc
+1
-0
client/mysqldump.c
client/mysqldump.c
+1
-0
client/mysqlimport.c
client/mysqlimport.c
+1
-0
client/mysqlshow.c
client/mysqlshow.c
+1
-0
client/mysqltest.cc
client/mysqltest.cc
+1
-0
extra/mariabackup/xtrabackup.cc
extra/mariabackup/xtrabackup.cc
+2
-0
include/sslopt-longopts.h
include/sslopt-longopts.h
+5
-0
include/sslopt-vars.h
include/sslopt-vars.h
+1
-0
include/violite.h
include/violite.h
+11
-4
mysql-test/r/mysqld--help.result
mysql-test/r/mysqld--help.result
+2
-0
mysql-test/r/ssl_cipher.result
mysql-test/r/ssl_cipher.result
+10
-6
mysql-test/t/mysqld--help.test
mysql-test/t/mysqld--help.test
+4
-1
mysql-test/t/openssl_6975.test
mysql-test/t/openssl_6975.test
+12
-12
mysql-test/t/ssl.test
mysql-test/t/ssl.test
+1
-1
mysql-test/t/ssl_cert_verify.test
mysql-test/t/ssl_cert_verify.test
+1
-1
mysql-test/t/ssl_cipher.test
mysql-test/t/ssl_cipher.test
+7
-2
sql/mysqld.cc
sql/mysqld.cc
+4
-59
sql/mysqld.h
sql/mysqld.h
+2
-0
sql/sys_vars.cc
sql/sys_vars.cc
+33
-0
vio/viosslfactories.c
vio/viosslfactories.c
+54
-7
client/client_priv.h
@@ -98,6 +98,7 @@ enum options_client
OPT_REPORT_PROGRESS
,
OPT_SKIP_ANNOTATE_ROWS_EVENTS
,
OPT_SSL_CRL
,
OPT_SSL_CRLPATH
,
OPT_TLS_VERSION
,
OPT_MAX_CLIENT_OPTION
/* should be always the last */
};
client/mysql.cc
@@ -1369,6 +1369,7 @@ static bool do_connect(MYSQL *mysql, const char *host, const char *user,
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
mysql
,
MYSQL_OPT_SSL_CRL
,
opt_ssl_crl
);
mysql_options
(
mysql
,
MYSQL_OPT_SSL_CRLPATH
,
opt_ssl_crlpath
);
mysql_options
(
mysql
,
MARIADB_OPT_TLS_VERSION
,
(
void
*
)
opt_tls_version
);
}
mysql_options
(
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
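Review bot: The new `mysql_options(mysql, MARIADB_OPT_TLS_VERSION, (void *) opt_tls_version);` casts its argument, while the neighbouring `MYSQL_OPT_SSL_CRL` and `MYSQL_OPT_SSL_CRLPATH` calls pass their `char *` options uncast; include/sslopt-vars.h in this same commit defines `opt_tls_version` as `char *`, so the cast adds nothing and would only hide a future type change. Dropping it, `mysql_options(mysql, MARIADB_OPT_TLS_VERSION, opt_tls_version);`, keeps the block uniform. The same cast is repeated in client/mysqladmin.cc, client/mysqlbinlog.cc, client/mysqldump.c, client/mysqlimport.c, client/mysqlshow.c and client/mysqltest.cc. The enclosing do_connect starts and ends outside the hunk.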
client/mysqladmin.cc
@@ -361,6 +361,7 @@ int main(int argc,char *argv[])
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_CRL
,
opt_ssl_crl
);
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_CRLPATH
,
opt_ssl_crlpath
);
mysql_options
(
&
mysql
,
MARIADB_OPT_TLS_VERSION
,
(
void
*
)
opt_tls_version
);
}
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
client/mysqlbinlog.cc
@@ -2082,6 +2082,7 @@ static Exit_status safe_connect()
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
mysql
,
MYSQL_OPT_SSL_CRL
,
opt_ssl_crl
);
mysql_options
(
mysql
,
MYSQL_OPT_SSL_CRLPATH
,
opt_ssl_crlpath
);
mysql_options
(
mysql
,
MARIADB_OPT_TLS_VERSION
,
(
void
*
)
opt_tls_version
);
}
mysql_options
(
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
client/mysqldump.c
@@ -1686,6 +1686,7 @@ static int connect_to_db(char *host, char *user,char *passwd)
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_SSL_CRL
,
opt_ssl_crl
);
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_SSL_CRLPATH
,
opt_ssl_crlpath
);
mysql_options
(
&
mysql_connection
,
MARIADB_OPT_TLS_VERSION
,
(
void
*
)
opt_tls_version
);
}
mysql_options
(
&
mysql_connection
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
client/mysqlimport.c
@@ -452,6 +452,7 @@ static MYSQL *db_connect(char *host, char *database,
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
mysql
,
MYSQL_OPT_SSL_CRL
,
opt_ssl_crl
);
mysql_options
(
mysql
,
MYSQL_OPT_SSL_CRLPATH
,
opt_ssl_crlpath
);
mysql_options
(
mysql
,
MARIADB_OPT_TLS_VERSION
,
(
void
*
)
opt_tls_version
);
}
mysql_options
(
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
client/mysqlshow.c
@@ -125,6 +125,7 @@ int main(int argc, char **argv)
opt_ssl_capath
,
opt_ssl_cipher
);
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_CRL
,
opt_ssl_crl
);
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_CRLPATH
,
opt_ssl_crlpath
);
mysql_options
(
&
mysql
,
MARIADB_OPT_TLS_VERSION
,
(
void
*
)
opt_tls_version
);
}
mysql_options
(
&
mysql
,
MYSQL_OPT_SSL_VERIFY_SERVER_CERT
,
(
char
*
)
&
opt_ssl_verify_server_cert
);
client/mysqltest.cc
@@ -6102,6 +6102,7 @@ void do_connect(struct st_command *command)
opt_ssl_capath
,
ssl_cipher
?
ssl_cipher
:
opt_ssl_cipher
);
mysql_options
(
con_slot
->
mysql
,
MYSQL_OPT_SSL_CRL
,
opt_ssl_crl
);
mysql_options
(
con_slot
->
mysql
,
MYSQL_OPT_SSL_CRLPATH
,
opt_ssl_crlpath
);
mysql_options
(
con_slot
->
mysql
,
MARIADB_OPT_TLS_VERSION
,
(
void
*
)
opt_tls_version
);
#if MYSQL_VERSION_ID >= 50000
/* Turn on ssl_verify_server_cert only if host is "localhost" */
opt_ssl_verify_server_cert
=
!
strcmp
(
ds_host
.
str
,
"localhost"
);
extra/mariabackup/xtrabackup.cc
@@ -199,6 +199,7 @@ static char* log_ignored_opt;
extern
my_bool
opt_use_ssl
;
extern
const
char
*
opt_tls_version
;
my_bool
opt_ssl_verify_server_cert
;
/* === metadata of backup === */
@@ -838,6 +839,7 @@ enum options_xtrabackup
OPT_BACKUP_ROCKSDB
};
struct
my_option
xb_client_options
[]
=
{
{
"verbose"
,
'V'
,
"display verbose output"
,
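Review bot: `extern const char *opt_tls_version;` in the first hunk declares the variable with a type that differs from the definition this commit adds in include/sslopt-vars.h, `SSL_STATIC char *opt_tls_version = 0;`; if that header is where mariabackup's definition comes from, the two declarations disagree on constness, which the linker will not catch but which is an ODR violation in C++. Unless mariabackup defines it separately as `const char *`, the declaration should read `extern char *opt_tls_version;` to match. The diffstat lists two additions for this file and only this one is visible in the shown hunks, so the second could not be reviewed.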
include/sslopt-longopts.h
@@ -46,6 +46,11 @@
"Certificate revocation list path (implies --ssl)."
,
&
opt_ssl_crlpath
,
&
opt_ssl_crlpath
,
0
,
GET_STR
,
REQUIRED_ARG
,
0
,
0
,
0
,
0
,
0
,
0
},
{
"tls-version"
,
OPT_TLS_VERSION
,
"TLS protocol version for secure connection."
,
&
opt_tls_version
,
&
opt_tls_version
,
0
,
GET_STR
,
REQUIRED_ARG
,
0
,
0
,
0
,
0
,
0
,
0
},
#ifdef MYSQL_CLIENT
{
"ssl-verify-server-cert"
,
OPT_SSL_VERIFY_SERVER_CERT
,
"Verify server's
\"
Common Name
\"
in its cert against hostname used "
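Review bot: The help string `"TLS protocol version for secure connection."` for the new `tls-version` entry does not say what the option accepts, although the tests in this commit use both a single value (`--tls-version=TLSv1.2`) and a comma-separated list (`--tls-version=TLSv1.0,TLSv1.1,TLSv1.2`). Stating the format in the help text, e.g. `"TLS protocol version for secure connection. Comma-separated list of TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3."` (or whichever names the client library actually accepts), saves operators a trip to the source; the server variable in sql/sys_vars.cc already enumerates the same names. The option table continues outside the hunk.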
include/sslopt-vars.h
@@ -30,6 +30,7 @@ SSL_STATIC char *opt_ssl_cipher = 0;
SSL_STATIC
char
*
opt_ssl_key
=
0
;
SSL_STATIC
char
*
opt_ssl_crl
=
0
;
SSL_STATIC
char
*
opt_ssl_crlpath
=
0
;
SSL_STATIC
char
*
opt_tls_version
=
0
;
#ifdef MYSQL_CLIENT
SSL_STATIC
my_bool
opt_ssl_verify_server_cert
=
0
;
#endif
include/violite.h
@@ -51,6 +51,11 @@ enum enum_vio_io_event
VIO_IO_EVENT_CONNECT
};
#define VIO_TLSv1_0 1
#define VIO_TLSv1_1 2
#define VIO_TLSv1_2 4
#define VIO_TLSv1_3 8
#define VIO_LOCALHOST 1U
/* a localhost connection */
#define VIO_BUFFERED_READ 2U
/* use buffered read */
#define VIO_READ_BUFFER_SIZE 16384U
/* size of read buffer */
@@ -143,7 +148,8 @@ enum enum_ssl_init_error
{
SSL_INITERR_NOERROR
=
0
,
SSL_INITERR_CERT
,
SSL_INITERR_KEY
,
SSL_INITERR_NOMATCH
,
SSL_INITERR_BAD_PATHS
,
SSL_INITERR_CIPHERS
,
SSL_INITERR_MEMFAIL
,
SSL_INITERR_DH
,
SSL_INITERR_LASTERR
SSL_INITERR_MEMFAIL
,
SSL_INITERR_DH
,
SSL_INITERR_PROTOCOL
,
SSL_INITERR_LASTERR
};
const
char
*
sslGetErrString
(
enum
enum_ssl_init_error
err
);
@@ -164,7 +170,8 @@ struct st_VioSSLFd
*
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
,
enum
enum_ssl_init_error
*
error
,
const
char
*
crl_file
,
const
char
*
crl_path
);
const
char
*
crl_file
,
const
char
*
crl_path
,
long
tls_version
);
void
free_vio_ssl_acceptor_fd
(
struct
st_VioSSLFd
*
fd
);
#endif
/* HAVE_OPENSSL */
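Review bot: `VIO_TLSv1_0` through `VIO_TLSv1_3` are introduced in the first hunk without saying what they are bits of or who relies on their exact values, yet `tls_version_names[]` in sql/sys_vars.cc and `vio_tls_protocol_options()` in vio/viosslfactories.c both depend on this bit assignment. A comment above the first define would make the coupling visible: `/* Bit flags for the tls_version option; bit order must match tls_version_names[] in sql/sys_vars.cc and the SSL_OP_NO_* mapping in vio_tls_protocol_options(). */`. As a related set of integer constants they could also be an anonymous `enum`, which gives them debugger-visible names, though `#define` matches the neighbouring `VIO_LOCALHOST` style.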
mysql-test/r/mysqld--help.result
@@ -1169,6 +1169,8 @@ The following specify which files/extra groups are read (specified before remain
--time-format=name The TIME format (ignored)
--timed-mutexes Specify whether to time mutexes. Deprecated, has no
effect.
--tls-version=name TLS protocol version for secure connections.. Any
combination of: TLSv1.0, TLSv1.1
--tmp-disk-table-size=#
Max size for data for an internal temporary on-disk
MyISAM or Aria table.
mysql-test/r/ssl_cipher.result
@@ -2,11 +2,15 @@
# BUG#11760210 - SSL_CIPHER_LIST NOT SET OR RETURNED FOR "SHOW STATUS LIKE 'SSL_CIPHER_LIST'"
#
connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
SHOW STATUS LIKE 'Ssl_cipher_list';
Variable_name Value
Ssl_cipher_list AES128-SHA
select variable_value into @a from information_schema.session_status where variable_name like 'SSL_CIPHER';
select length(@a) > 0;
length(@a) > 0
1
select length(VARIABLE_VALUE) > 0 from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
length(VARIABLE_VALUE) > 0
1
select position(@a in VARIABLE_VALUE) > 0 from information_schema.session_status where variable_name like 'SSL_CIPHER_LIST';
position(@a in VARIABLE_VALUE) > 0
1
connection default;
disconnect ssl_con;
mysql-test/t/mysqld--help.test
@@ -23,7 +23,7 @@ perl;
log
-
slow
-
queries
pid
-
file
slow
-
query
-
log
-
file
log
-
basename
datadir
slave
-
load
-
tmpdir
tmpdir
socket
thread
-
pool
-
size
large
-
files
-
support
lower
-
case
-
file
-
system
system
-
time
-
zone
collation
-
server
character
-
set
-
server
log
-
tc
-
size
version
.*/
;
collation
-
server
character
-
set
-
server
log
-
tc
-
size
tls
-
version
version
.*/
;
# Plugins which may or may not be there:
@
plugins
=
qw
/
innodb
archive
blackhole
federated
partition
@@ -54,6 +54,9 @@ perl;
$skip
=
1
if
/
--
(
$re2
)
\b
/
;
y
!
\\
!/!
;
s
/
[
]
+/
/
;
# squeeze spaces to remove table formatting
# fix tls_version
s
/
,
TLSv1
.
2
//;
s
/
,
TLSv1
.
3
//;
# fixes for 32-bit
s
/
\b4294967295\b
/
18446744073709551615
/
;
s
/
\b2146435072\b
/
9223372036853727232
/
;
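Review bot: The new substitutions `s/, TLSv1.2//;` and `s/, TLSv1.3//;` in the second hunk leave the `.` unescaped, so it matches any character rather than the literal dot; the intent is clearly literal, and `s/, TLSv1\.2//;` / `s/, TLSv1\.3//;` say so and cannot match an unintended `TLSv1x2`. Whether a space follows the comma is not recoverable from the collapsed rendering; the expected `TLSv1.0, TLSv1.1` in mysqld--help.result suggests the pattern must include it.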
mysql-test/t/openssl_6975.test
@@ -18,25 +18,25 @@ let $mysql=$MYSQL --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$
disable_abort_on_error
;
echo
TLS1
.
2
ciphers
:
user
is
ok
with
any
cipher
;
exec
$mysql
--
ssl
-
cipher
=
AES128
-
SHA256
;
exec
$mysql
--
tls
-
version
=
TLSv1
.
2
--
ssl
-
cipher
=
AES128
-
SHA256
;
--
replace_result
DHE
-
RSA
-
CHACHA20
-
POLY1305
DHE
-
RSA
-
AES256
-
GCM
-
SHA384
ECDHE
-
RSA
-
AES256
-
GCM
-
SHA384
DHE
-
RSA
-
AES256
-
GCM
-
SHA384
exec
$mysql
--
ssl
-
cipher
=
TLSv1
.
2
;
exec
$mysql
--
tls
-
version
=
TLSv1
.
2
--
ssl
-
cipher
=
TLSv1
.
2
;
echo
TLS1
.
2
ciphers
:
user
requires
SSLv3
cipher
AES128
-
SHA
;
exec
$mysql
--
user
ssl_sslv3
--
ssl
-
cipher
=
AES128
-
SHA256
;
exec
$mysql
--
user
ssl_sslv3
--
ssl
-
cipher
=
TLSv1
.
2
;
exec
$mysql
--
user
ssl_sslv3
--
tls
-
version
=
TLSv1
.
2
--
ssl
-
cipher
=
AES128
-
SHA256
;
exec
$mysql
--
user
ssl_sslv3
--
tls
-
version
=
TLSv1
.
2
--
ssl
-
cipher
=
TLSv1
.
2
;
echo
TLS1
.
2
ciphers
:
user
requires
TLSv1
.
2
cipher
AES128
-
SHA256
;
exec
$mysql
--
user
ssl_tls12
--
ssl
-
cipher
=
AES128
-
SHA256
;
exec
$mysql
--
user
ssl_tls12
--
ssl
-
cipher
=
TLSv1
.
2
;
exec
$mysql
--
user
ssl_tls12
--
tls
-
version
=
TLSv1
.
2
--
ssl
-
cipher
=
AES128
-
SHA256
;
exec
$mysql
--
user
ssl_tls12
--
tls
-
version
=
TLSv1
.
2
--
ssl
-
cipher
=
TLSv1
.
2
;
echo
SSLv3
ciphers
:
user
is
ok
with
any
cipher
;
exec
$mysql
--
ssl
-
cipher
=
AES256
-
SHA
;
exec
$mysql
--
ssl
-
cipher
=
SSLv3
;
exec
$mysql
--
tls
-
version
=
TLSv1
.
0
,
TLSv1
.
1
,
TLSv1
.
2
--
ssl
-
cipher
=
AES256
-
SHA
;
exec
$mysql
--
tls
-
version
=
TLSv1
.
0
,
TLSv1
.
1
,
TLSv1
.
2
--
ssl
-
cipher
=
SSLv3
;
echo
SSLv3
ciphers
:
user
requires
SSLv3
cipher
AES128
-
SHA
;
exec
$mysql
--
user
ssl_sslv3
--
ssl
-
cipher
=
AES128
-
SHA
;
exec
$mysql
--
user
ssl_sslv3
--
ssl
-
cipher
=
SSLv3
;
exec
$mysql
--
user
ssl_sslv3
--
tls
-
version
=
TLSv1
.
0
,
TLSv1
.
1
,
TLSv1
.
2
--
ssl
-
cipher
=
AES128
-
SHA
;
exec
$mysql
--
user
ssl_sslv3
--
tls
-
version
=
TLSv1
.
0
,
TLSv1
.
1
,
TLSv1
.
2
--
ssl
-
cipher
=
SSLv3
;
echo
SSLv3
ciphers
:
user
requires
TLSv1
.
2
cipher
AES128
-
SHA256
;
exec
$mysql
--
user
ssl_tls12
--
ssl
-
cipher
=
AES128
-
SHA
;
exec
$mysql
--
user
ssl_tls12
--
ssl
-
cipher
=
SSLv3
;
exec
$mysql
--
user
ssl_tls12
--
tls
-
version
=
TLSv1
.
0
,
TLSv1
.
1
,
TLSv1
.
2
--
ssl
-
cipher
=
AES128
-
SHA
;
exec
$mysql
--
user
ssl_tls12
--
tls
-
version
=
TLSv1
.
0
,
TLSv1
.
1
,
TLSv1
.
2
--
ssl
-
cipher
=
SSLv3
;
drop
user
ssl_sslv3
@
localhost
;
drop
user
ssl_tls12
@
localhost
;
mysql-test/t/ssl.test
@@ -34,7 +34,7 @@ disconnect ssl_con;
create
user
mysqltest_1
@
localhost
;
grant
usage
on
mysqltest
.*
to
mysqltest_1
@
localhost
require
cipher
"AES256-SHA"
;
--
exec
$MYSQL
-
umysqltest_1
--
ssl
-
cipher
=
AES256
-
SHA
-
e
"show status like 'ssl_cipher'"
2
>&
1
--
exec
$MYSQL
-
umysqltest_1
--
tls_version
=
TLSv1
.
2
--
ssl
-
cipher
=
AES256
-
SHA
-
e
"show status like 'ssl_cipher'"
2
>&
1
drop
user
mysqltest_1
@
localhost
;
# Wait till all disconnects are completed
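Review bot: This test spells the option `--tls_version=TLSv1.2`, whereas every other test touched in this commit and the option table in include/sslopt-longopts.h use `--tls-version`. my_getopt treats `-` and `_` in option names alike, so it works, but writing `--tls-version=TLSv1.2` here keeps a grep for the option name complete.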
mysql-test/t/ssl_cert_verify.test
@@ -30,7 +30,7 @@ let $ssl_verify_pass_path = --ssl --ssl-ca=$MYSQL_TEST_DIR/std_data/ca-cert-veri
--
enable_reconnect
--
source
include
/
wait_until_connected_again
.
inc
--
replace_result
TLSv1
.
2
TLS_VERSION
TLSv1
.
1
TLS_VERSION
TLSv1
TLS_VERSION
--
replace_result
TLSv1
.
3
TLS_VERSION
TLSv1
.
2
TLS_VERSION
TLSv1
.
1
TLS_VERSION
TLSv1
TLS_VERSION
--
exec
$MYSQL
--
protocol
=
tcp
--
ssl
-
ca
=
$MYSQL_TEST_DIR
/
std_data
/
ca
-
cert
-
verify
.
pem
--
ssl
-
verify
-
server
-
cert
-
e
"SHOW STATUS like 'Ssl_version'"
--
echo
# restart server using restart
mysql-test/t/ssl_cipher.test
@@ -13,8 +13,13 @@
connect
(
ssl_con
,
localhost
,
root
,,,,,
SSL
);
# Check Cipher Name and Cipher List
SHOW
STATUS
LIKE
'Ssl_cipher'
;
SHOW
STATUS
LIKE
'Ssl_cipher_list'
;
select
variable_value
into
@
a
from
information_schema
.
session_status
where
variable_name
like
'SSL_CIPHER'
;
# Check if cipher is empty
select
length
(
@
a
)
>
0
;
# check if cipher list is empty
select
length
(
VARIABLE_VALUE
)
>
0
from
information_schema
.
session_status
where
variable_name
like
'SSL_CIPHER_LIST'
;
# check if cipher is in list
select
position
(
@
a
in
VARIABLE_VALUE
)
>
0
from
information_schema
.
session_status
where
variable_name
like
'SSL_CIPHER_LIST'
;
connection
default
;
disconnect
ssl_con
;
sql/mysqld.cc
@@ -1504,8 +1504,8 @@ HANDLE smem_event_connect_request= 0;
my_bool
opt_use_ssl
=
0
;
char
*
opt_ssl_ca
=
NULL
,
*
opt_ssl_capath
=
NULL
,
*
opt_ssl_cert
=
NULL
,
*
opt_ssl_cipher
=
NULL
,
*
opt_ssl_key
=
NULL
,
*
opt_ssl_crl
=
NULL
,
*
opt_ssl_crlpath
=
NULL
;
*
opt_ssl_crlpath
=
NULL
,
*
opt_tls_version
=
NULL
;
long
tls_version
=
0
;
static
scheduler_functions
thread_scheduler_struct
,
extra_thread_scheduler_struct
;
scheduler_functions
*
thread_scheduler
=
&
thread_scheduler_struct
,
@@ -4865,7 +4865,8 @@ static void init_ssl()
ssl_acceptor_fd
=
new_VioSSLAcceptorFd
(
opt_ssl_key
,
opt_ssl_cert
,
opt_ssl_ca
,
opt_ssl_capath
,
opt_ssl_cipher
,
&
error
,
opt_ssl_crl
,
opt_ssl_crlpath
);
opt_ssl_crl
,
opt_ssl_crlpath
,
tls_version
);
DBUG_PRINT
(
"info"
,(
"ssl_acceptor_fd: %p"
,
ssl_acceptor_fd
));
if
(
!
ssl_acceptor_fd
)
{
@@ -7922,16 +7923,6 @@ static int show_ssl_ctx_sess_accept_good(THD *thd, SHOW_VAR *var, char *buff,
return
0
;
}
static
int
show_ssl_ctx_sess_connect_good
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
{
var
->
type
=
SHOW_LONG
;
var
->
value
=
buff
;
*
((
long
*
)
buff
)
=
(
!
ssl_acceptor_fd
?
0
:
SSL_CTX_sess_connect_good
(
ssl_acceptor_fd
->
ssl_context
));
return
0
;
}
static
int
show_ssl_ctx_sess_accept_renegotiate
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
@@ -7943,17 +7934,6 @@ static int show_ssl_ctx_sess_accept_renegotiate(THD *thd, SHOW_VAR *var,
return
0
;
}
static
int
show_ssl_ctx_sess_connect_renegotiate
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
{
var
->
type
=
SHOW_LONG
;
var
->
value
=
buff
;
*
((
long
*
)
buff
)
=
(
!
ssl_acceptor_fd
?
0
:
SSL_CTX_sess_connect_renegotiate
(
ssl_acceptor_fd
->
ssl_context
));
return
0
;
}
static
int
show_ssl_ctx_sess_cb_hits
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
{
@@ -8014,16 +7994,6 @@ static int show_ssl_ctx_sess_number(THD *thd, SHOW_VAR *var, char *buff,
return
0
;
}
static
int
show_ssl_ctx_sess_connect
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
{
var
->
type
=
SHOW_LONG
;
var
->
value
=
buff
;
*
((
long
*
)
buff
)
=
(
!
ssl_acceptor_fd
?
0
:
SSL_CTX_sess_connect
(
ssl_acceptor_fd
->
ssl_context
));
return
0
;
}
static
int
show_ssl_ctx_sess_get_cache_size
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
@@ -8035,26 +8005,6 @@ static int show_ssl_ctx_sess_get_cache_size(THD *thd, SHOW_VAR *var,
return
0
;
}
static
int
show_ssl_ctx_get_verify_mode
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
{
var
->
type
=
SHOW_LONG
;
var
->
value
=
buff
;
*
((
long
*
)
buff
)
=
(
!
ssl_acceptor_fd
?
0
:
SSL_CTX_get_verify_mode
(
ssl_acceptor_fd
->
ssl_context
));
return
0
;
}
static
int
show_ssl_ctx_get_verify_depth
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
{
var
->
type
=
SHOW_LONG
;
var
->
value
=
buff
;
*
((
long
*
)
buff
)
=
(
!
ssl_acceptor_fd
?
0
:
SSL_CTX_get_verify_depth
(
ssl_acceptor_fd
->
ssl_context
));
return
0
;
}
static
int
show_ssl_ctx_get_session_cache_mode
(
THD
*
thd
,
SHOW_VAR
*
var
,
char
*
buff
,
enum
enum_var_type
scope
)
@@ -8542,13 +8492,8 @@ SHOW_VAR status_vars[]= {
{
"Ssl_callback_cache_hits"
,
(
char
*
)
&
show_ssl_ctx_sess_cb_hits
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_cipher"
,
(
char
*
)
&
show_ssl_get_cipher
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_cipher_list"
,
(
char
*
)
&
show_ssl_get_cipher_list
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_client_connects"
,
(
char
*
)
&
show_ssl_ctx_sess_connect
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_connect_renegotiates"
,
(
char
*
)
&
show_ssl_ctx_sess_connect_renegotiate
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_ctx_verify_depth"
,
(
char
*
)
&
show_ssl_ctx_get_verify_depth
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_ctx_verify_mode"
,
(
char
*
)
&
show_ssl_ctx_get_verify_mode
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_default_timeout"
,
(
char
*
)
&
show_ssl_get_default_timeout
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_finished_accepts"
,
(
char
*
)
&
show_ssl_ctx_sess_accept_good
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_finished_connects"
,
(
char
*
)
&
show_ssl_ctx_sess_connect_good
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_server_not_after"
,
(
char
*
)
&
show_ssl_get_server_not_after
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_server_not_before"
,
(
char
*
)
&
show_ssl_get_server_not_before
,
SHOW_SIMPLE_FUNC
},
{
"Ssl_session_cache_hits"
,
(
char
*
)
&
show_ssl_ctx_sess_hits
,
SHOW_SIMPLE_FUNC
},
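Review bot: Five `Ssl_*` status variables appear to be dropped from `status_vars[]` in the last hunk (`Ssl_client_connects`, `Ssl_connect_renegotiates`, `Ssl_ctx_verify_depth`, `Ssl_ctx_verify_mode`, `Ssl_finished_connects`), together with their `show_ssl_ctx_*` readers in the earlier hunks, yet the commit message mentions only the new tls_version option. Removing a SHOW STATUS name is a user-visible change that monitoring and test scripts may depend on, so it should be called out in the commit message and release notes or split into its own commit. The old/new sides here are inferred from the hunk counts (13 lines to 8) because the rendered page lost the markers.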
sql/mysqld.h
@@ -588,6 +588,7 @@ extern int32 thread_count, service_thread_count;
extern
char
*
opt_ssl_ca
,
*
opt_ssl_capath
,
*
opt_ssl_cert
,
*
opt_ssl_cipher
,
*
opt_ssl_key
,
*
opt_ssl_crl
,
*
opt_ssl_crlpath
;
extern
long
tls_version
;
extern
MYSQL_PLUGIN_IMPORT
pthread_key
(
THD
*
,
THR_THD
);
@@ -650,6 +651,7 @@ enum options_mysqld
OPT_WSREP_SYNC_WAIT
,
#endif
/* WITH_WSREP */
OPT_MYSQL_COMPATIBILITY
,
OPT_TLS_VERSION
,
OPT_MYSQL_TO_BE_IMPLEMENTED
,
OPT_which_is_always_the_last
};
sql/sys_vars.cc
@@ -3198,6 +3198,39 @@ static Sys_var_charptr Sys_ssl_crlpath(
READ_ONLY
GLOBAL_VAR
(
opt_ssl_crlpath
),
SSL_OPT
(
OPT_SSL_CRLPATH
),
IN_FS_CHARSET
,
DEFAULT
(
0
));
static
const
char
*
tls_version_names
[]
=
{
"TLSv1.0"
,
"TLSv1.1"
,
#ifdef TLS1_2_VERSION
"TLSv1.2"
,
#endif
#ifdef TLS1_3_VERSION
"TLSv1.3"
,
#endif
0
};
export
bool
tls_version_string_representation
(
THD
*
thd
,
sql_mode_t
sql_mode
,
LEX_STRING
*
ls
)
{
set_to_string
(
thd
,
ls
,
tls_version
,
tls_version_names
);
return
ls
->
str
==
0
;
}
static
Sys_var_set
Sys_tls_version
(
"tls_version"
,
"TLS protocol version for secure connections."
,
READ_ONLY
GLOBAL_VAR
(
tls_version
),
CMD_LINE
(
REQUIRED_ARG
),
tls_version_names
,
DEFAULT
(
VIO_TLSv1_0
|
VIO_TLSv1_1
#ifdef TLS1_2_VERSION
|
VIO_TLSv1_2
#endif
#ifdef TLS1_3_VERSION
|
VIO_TLSv1_3
#endif
));
static
Sys_var_mybool
Sys_standard_compliant_cte
(
"standard_compliant_cte"
,
"Allow only CTEs compliant to SQL standard"
,
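Review bot: The description `"TLS protocol version for secure connections."` of `Sys_tls_version` ends in a period, and the set-variable help output appends ". Any combination of: ...", which is why mysql-test/r/mysqld--help.result in this commit shows `--tls-version=name TLS protocol version for secure connections.. Any`; dropping the trailing period, `"TLS protocol version for secure connections"`, removes the double stop. Separately, `Sys_var_set` assigns bits by position in `tls_version_names[]`, while `VIO_TLSv1_2` and `VIO_TLSv1_3` in include/violite.h are fixed at 4 and 8; the `#ifdef TLS1_2_VERSION` / `#ifdef TLS1_3_VERSION` guards keep the two aligned only as long as no build has TLS 1.3 without TLS 1.2, which a comment on the array should state. `Sys_standard_compliant_cte` at the end of the hunk continues outside it.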
vio/viosslfactories.c
@@ -85,7 +85,8 @@ ssl_error_string[] =
"SSL_CTX_set_default_verify_paths failed"
,
"Failed to set ciphers to use"
,
"SSL_CTX_new failed"
,
"SSL_CTX_set_tmp_dh failed"
"SSL_CTX_set_tmp_dh failed"
,
"Unknown TLS version"
};
const
char
*
@@ -166,21 +167,58 @@ static void check_ssl_init()
}
}
static
long
vio_tls_protocol_options
(
long
tls_version
)
{
long
tls_protocol_flags
=
#ifdef TLS1_3_VERSION
SSL_OP_NO_TLSv1_3
|
#endif
#ifdef TLS1_2_VERSION
SSL_OP_NO_TLSv1_2
|
#endif
SSL_OP_NO_TLSv1_1
|
SSL_OP_NO_TLSv1
;
long
disabled_tls_protocols
=
tls_protocol_flags
,
disabled_ssl_protocols
=
SSL_OP_NO_SSLv2
|
SSL_OP_NO_SSLv3
;
if
(
!
tls_version
)
return
disabled_ssl_protocols
;
if
(
tls_version
&
VIO_TLSv1_0
)
disabled_tls_protocols
&=
~
SSL_OP_NO_TLSv1
;
if
(
tls_version
&
VIO_TLSv1_1
)
disabled_tls_protocols
&=
~
SSL_OP_NO_TLSv1_1
;
#ifdef TLS1_2_VERSION
if
(
tls_version
&
VIO_TLSv1_2
)
disabled_tls_protocols
&=
~
SSL_OP_NO_TLSv1_2
;
#endif
#ifdef TLS1_3_VERSION
if
(
tls_version
&
VIO_TLSv1_3
)
disabled_tls_protocols
&=
~
SSL_OP_NO_TLSv1_3
;
#endif
/* some garbage was specified in tls_version option */
if
(
tls_protocol_flags
==
disabled_tls_protocols
)
return
-
1
;
return
(
disabled_tls_protocols
|
disabled_ssl_protocols
);
}
/************************ VioSSLFd **********************************/
static
struct
st_VioSSLFd
*
new_VioSSLFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
,
my_bool
is_client_method
,
enum
enum_ssl_init_error
*
error
,
const
char
*
crl_file
,
const
char
*
crl_path
)
const
char
*
crl_file
,
const
char
*
crl_path
,
long
tls_version
)
{
DH
*
dh
;
struct
st_VioSSLFd
*
ssl_fd
;
long
ssl_ctx_options
=
SSL_OP_NO_SSLv2
|
SSL_OP_NO_SSLv3
;
long
ssl_ctx_options
;
DBUG_ENTER
(
"new_VioSSLFd"
);
DBUG_PRINT
(
"enter"
,
(
"key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
"cipher: '%s' crl_file: '%s' crl_path: '%s'
"
,
"cipher: '%s' crl_file: '%s' crl_path: '%s'"
,
key_file
?
key_file
:
"NULL"
,
cert_file
?
cert_file
:
"NULL"
,
ca_file
?
ca_file
:
"NULL"
,
@@ -203,6 +241,14 @@ new_VioSSLFd(const char *key_file, const char *cert_file,
goto
err1
;
}
ssl_ctx_options
=
vio_tls_protocol_options
(
tls_version
);
if
(
ssl_ctx_options
==
-
1
)
{
*
error
=
SSL_INITERR_PROTOCOL
;
DBUG_PRINT
(
"error"
,
(
"%s"
,
sslGetErrString
(
*
error
)));
goto
err1
;
}
SSL_CTX_set_options
(
ssl_fd
->
ssl_context
,
ssl_ctx_options
);
/*
@@ -317,7 +363,7 @@ new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
if
(
!
(
ssl_fd
=
new_VioSSLFd
(
key_file
,
cert_file
,
ca_file
,
ca_path
,
cipher
,
TRUE
,
error
,
crl_file
,
crl_path
)))
crl_file
,
crl_path
,
0
)))
{
return
0
;
}
@@ -335,13 +381,14 @@ struct st_VioSSLFd *
new_VioSSLAcceptorFd
(
const
char
*
key_file
,
const
char
*
cert_file
,
const
char
*
ca_file
,
const
char
*
ca_path
,
const
char
*
cipher
,
enum
enum_ssl_init_error
*
error
,
const
char
*
crl_file
,
const
char
*
crl_path
)
const
char
*
crl_file
,
const
char
*
crl_path
,
long
tls_version
)
{
struct
st_VioSSLFd
*
ssl_fd
;
int
verify
=
SSL_VERIFY_PEER
|
SSL_VERIFY_CLIENT_ONCE
;
if
(
!
(
ssl_fd
=
new_VioSSLFd
(
key_file
,
cert_file
,
ca_file
,
ca_path
,
cipher
,
FALSE
,
error
,
crl_file
,
crl_path
)))
crl_file
,
crl_path
,
tls_version
)))
{
return
0
;
}
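Review bot: `new_VioSSLConnectorFd` now passes a literal `0` as `tls_version` to `new_VioSSLFd`, and `vio_tls_protocol_options(0)` returns only the SSLv2/SSLv3 exclusions, so every TLS version the library supports stays enabled on connections built through this connector; that is presumably intentional (the client-side value is handled elsewhere), but the bare `0` does not say so, and a comment such as `0 /* no TLS version restriction on the connector side */` would stop the next reader from treating it as an oversight. In the same spirit, the `DBUG_PRINT("enter", ...)` in `new_VioSSLFd` was edited but does not print the new parameter; appending ` tls_version: %ld` to the format and `tls_version` to the argument list (which continues outside the hunk) would make the protocol selection visible in traces. Since `ssl_error_string[]` and `enum enum_ssl_init_error` in include/violite.h are kept in step by hand, a `compile_time_assert` comparing the array length against `SSL_INITERR_LASTERR` would catch the next addition that updates only one of them, provided the table has one entry per enumerator.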