
bk commit into 4.0 tree (1.1538): msg#00350

Subject: bk commit into 4.0 tree (1.1538)
Below is the list of changes that have just been committed into a local
4.0 repository of gluh. When gluh does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://www.mysql.com/doc/I/n/Installing_source_tree.html

ChangeSet
  1.1538 03/06/26 12:47:36 gluh@xxxxxxxxxxxxxxxxx +3 -0
  Fix bug #673: MySQL 4.0.13 no SSL connection with mysql client possible

  vio/viosslfactories.c
    1.13 03/06/26 12:47:35 gluh@xxxxxxxxxxxxxxxxx +10 -3
    Fix bug #673 MySQL 4.0.13 no SSL connection with mysql client possible

  vio/viossl.c
    1.20 03/06/26 12:47:35 gluh@xxxxxxxxxxxxxxxxx +2 -4
    Fix bug #673 MySQL 4.0.13 no SSL connection with mysql client possible

  sql/sql_acl.cc
    1.98 03/06/26 12:47:34 gluh@xxxxxxxxxxxxxxxxx +5 -2
    Fix bug #673 MySQL 4.0.13 no SSL connection with mysql client possible

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: gluh
# Host: gluh.mysql.r18.ru
# Root: /home/gluh/mysql-4.0.for_fix

--- 1.97/sql/sql_acl.cc Thu May  8 02:00:38 2003
+++ 1.98/sql/sql_acl.cc Thu Jun 26 12:47:34 2003
@@ -546,7 +546,9 @@
              We need to check for absence of SSL because without SSL
               we should reject connection.
            */
-           if (vio_type(vio) == VIO_TYPE_SSL && 
SSL_get_peer_certificate(vio->ssl_))
+           if (vio_type(vio) == VIO_TYPE_SSL && 
+               SSL_get_verify_result(vio->ssl_) == X509_V_OK &&
+               SSL_get_peer_certificate(vio->ssl_))
              user_access=acl_user->access;
            break;
          case SSL_TYPE_SPECIFIED: /* Client should have specified attrib */
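Review bot: The certificate returned by `SSL_get_peer_certificate(vio->ssl_)` in the new condition is never released. OpenSSL returns the X509 with its reference count incremented and expects the caller to call `X509_free()`, so each login that evaluates this call leaks one reference. Fetch it into a local before the `if` (`X509 *cert= SSL_get_peer_certificate(vio->ssl_);`), test `cert` together with `SSL_get_verify_result(vio->ssl_) == X509_V_OK`, and free it afterwards. Both tests are needed because the verify result is also `X509_V_OK` when no certificate was presented; a one-line comment saying so would keep a later cleanup from dropping either. The enclosing switch starts and ends outside the hunk.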
@@ -554,7 +556,8 @@
              We need to check for absence of SSL because without SSL
              we should reject connection.
            */
-           if (vio_type(vio) == VIO_TYPE_SSL)
+           if (vio_type(vio) == VIO_TYPE_SSL && 
+               SSL_get_verify_result(vio->ssl_) == X509_V_OK)
            {
              if (acl_user->ssl_cipher)
              {
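Review bot: The added `SSL_get_verify_result(vio->ssl_) == X509_V_OK` test in the `SSL_TYPE_SPECIFIED` branch does not show that the client sent a certificate, because OpenSSL reports `X509_V_OK` when the peer presented none. The same changeset removes `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` from `new_VioSSLAcceptorFd`, so a handshake without a certificate now completes and reaches this branch. The block continues outside the hunk, so I cannot see whether its certificate-based requirements fail closed on a NULL certificate; that is worth confirming. I would add a comment here such as `/* X509_V_OK is also returned when no certificate was sent; checks below must reject a missing certificate */`.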

--- 1.19/vio/viossl.c   Mon Apr 28 21:05:55 2003
+++ 1.20/vio/viossl.c   Thu Jun 26 12:47:35 2003
@@ -287,8 +287,7 @@
   SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
   SSL_set_fd(vio->ssl_,vio->sd);
   SSL_set_accept_state(vio->ssl_);
-  if (SSL_do_handshake(vio->ssl_) < 1 ||
-      SSL_get_verify_result(vio->ssl_) != X509_V_OK)
+  if (SSL_do_handshake(vio->ssl_) < 1)
   {
     DBUG_PRINT("error", ("SSL_do_handshake failure"));
     report_errors();
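Review bot: Nothing at this handshake says that the verification result is now deliberately ignored on the accept path, so a reader will assume a completed handshake means a verified client. Add a comment above the `if`, for example `/* Verify result is not checked here; sql_acl.cc checks SSL_get_verify_result() for accounts that require it */`. Any other caller that relied on the old combined check would need its own test, which cannot be confirmed from this hunk. The function starts and ends outside the hunk.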
@@ -361,8 +360,7 @@
   SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
   SSL_set_fd (vio->ssl_, vio->sd);
   SSL_set_connect_state(vio->ssl_);
-  if (SSL_do_handshake(vio->ssl_) < 1 ||
-      SSL_get_verify_result(vio->ssl_) != X509_V_OK)
+  if (SSL_do_handshake(vio->ssl_) < 1)
   {
     DBUG_PRINT("error", ("SSL_do_handshake failure"));
     report_errors();
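Review bot: On the connect side nothing checks the server's certificate any more, so the handshake succeeds whatever certificate the server presents. This hunk drops the `SSL_get_verify_result()` test, and the `new_VioSSLConnectorFd` hunk in vio/viosslfactories.c sets the mode to `SSL_VERIFY_NONE`. The session is encrypted but the server is unauthenticated, so the client cannot detect an interposed endpoint. Until the `--verify` option from the TODO exists, verification could stay on whenever the caller supplied CA material, e.g. `int verify = ca_path ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;`, extended to the CA file argument if the signature has one (not visible in the hunk). Both functions continue outside their hunks.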

--- 1.12/vio/viosslfactories.c  Tue Nov  5 12:05:55 2002
+++ 1.13/vio/viosslfactories.c  Thu Jun 26 12:47:35 2003
@@ -178,6 +178,11 @@
 
 
 /************************ VioSSLConnectorFd **********************************/
+/*
+  TODO:
+       Add option --verify to mysql to be able to change verification mode
+*/
+
 struct st_VioSSLConnectorFd *
 new_VioSSLConnectorFd(const char* key_file,
                      const char* cert_file,
@@ -185,7 +190,7 @@
                      const char* ca_path,
                      const char* cipher)
 {
-  int  verify = SSL_VERIFY_PEER;
+  int  verify = SSL_VERIFY_NONE;
   struct st_VioSSLConnectorFd* ptr;
   int result;
   DH *dh=NULL; 
@@ -264,7 +269,10 @@
 
 
 /************************ VioSSLAcceptorFd **********************************/
-
+/*
+  TODO:
+       Add option --verify to mysqld to be able to change verification mode
+*/
 struct st_VioSSLAcceptorFd*
 new_VioSSLAcceptorFd(const char *key_file,
                     const char *cert_file,
@@ -273,7 +281,6 @@
                     const char *cipher)
 {
   int verify = (SSL_VERIFY_PEER                        |
-               SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
                SSL_VERIFY_CLIENT_ONCE);
   struct st_VioSSLAcceptorFd* ptr;
   int result;

-- 
MySQL Internals Mailing List
For list archives: http://lists.mysql.com/internals
To unsubscribe:    
http://lists.mysql.com/internals?unsub=gcdmd-internals@xxxxxxxxxxx



