From: Nirbhay Choubey
Date: July 5 2011 7:08pm
Subject: Re: bzr commit into mysql-trunk branch (Georgi.Kodinov:3200) Bug#11747191
Hi Joro,

Overall the patch looks good; however, I would suggest:

1) The code

+    mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
+    mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);

     is getting repeated in all the client programs and rpl_slave.cc.
     IMHO, we should add something like 'mysql_ssl_set_extended()' in
     client.c to make it call 'mysql_ssl_set()' and further add the two
     newly introduced options.

2) The added tests look sufficient, but it would be good if we also
     get it tested with upgrade/downgrade test scenarios.

3) Please fix the openssl_1 test under the main suite.

4) Found a couple of stray spaces (mentioned below).

Best,
Nirbhay


On Friday 17 June 2011 07:23 PM, Georgi Kodinov wrote:
> # At file:///Users/kgeorge/mysql/work/B11747191-trunk/ based on revid: marko.makela@stripped
>
>   3200 Georgi Kodinov	2011-06-17
>        Bug #11747191: 31224: SUPPORT FOR SSL CERTIFICATE REVOCATION LISTS
>
>        Added support for --ssl-crl and --ssl-crlpath to all client and server binaries
>        that work with OpenSSL.
>        You can specify none, one or both of the above.
>
>        --ssl-crl takes a file path for a PEM encoded Certificate revocation list.
>        The relevant file is parsed and loaded into the X509 store of the SSL context.
>
>        --ssl-crlpath takes a directory path. This directory must contain PEM encoded
>        CRL (or other) files that are named by their hash value, e.g. <hash_value>.r[0-9]
>
>        See OpenSSL's X509_STORE_load_locations() for more details of the above.
>        Note that if none of the --ssl-crl* options is specified no CRL checks will be
>        performed, even if the -capath contains certificate revocation lists.
>
>        Added Master_SSL_crl and Master_SSL_CRLPATH to CHANGE MASTER command.
>        Added new columns Ssl_crl and Ssl_crlpath to mysql.slave_master_info system table.
>        Reengineered mysql_ssl_set() in the C API into a number of mysql_options calls
>        as follows (while keeping mysql_ssl_add()):
>
>        mysql_ssl_add(mysql, key, cert, ca, capath, cipher)
>        {
>        mysql_options(mysql, MYSQL_OPT_SSL_KEY,    key)
>        mysql_options(mysql, MYSQL_OPT_SSL_CERT,   cert)
>        mysql_options(mysql, MYSQL_OPT_SSL_CA,     ca)
>        mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath)
>        mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)
>        }
>
>        Added two new mysql_options that correspond to the command line calls:
>        MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH.
>
>        Added tests and a set of cryptographic keys and crls to test the new options.
>
>      added:
>        mysql-test/include/have_openssl.inc
>        mysql-test/r/openssl.require
>        mysql-test/r/ssl-crl-clients.result
>        mysql-test/r/ssl-crl-empty-crl.result
>        mysql-test/r/ssl-crl-revoked-crl.result
>        mysql-test/r/ssl-crl-revoked-crlpath.result
>        mysql-test/std_data/crl-ca-cert.pem
>        mysql-test/std_data/crl-client-cert.pem
>        mysql-test/std_data/crl-client-key.pem
>        mysql-test/std_data/crl-client-revoked.crl
>        mysql-test/std_data/crl-empty.crl
>        mysql-test/std_data/crl-server-cert.pem
>        mysql-test/std_data/crl-server-key.pem
>        mysql-test/std_data/crldir/
>        mysql-test/std_data/crldir/fc725416.r0
>        mysql-test/t/ssl-crl-clients-master.opt
>        mysql-test/t/ssl-crl-clients.test
>        mysql-test/t/ssl-crl-empty-crl-master.opt
>        mysql-test/t/ssl-crl-empty-crl.test
>        mysql-test/t/ssl-crl-revoked-crl-master.opt
>        mysql-test/t/ssl-crl-revoked-crl.test
>        mysql-test/t/ssl-crl-revoked-crlpath-master.opt
>        mysql-test/t/ssl-crl-revoked-crlpath.test
>      modified:
>        client/client_priv.h
>        client/mysql.cc
>        client/mysqladmin.cc
>        client/mysqlcheck.c
>        client/mysqldump.c
>        client/mysqlimport.c
>        client/mysqlshow.c
>        client/mysqlslap.c
>        client/mysqltest.cc
>        include/mysql.h
>        include/mysql.h.pp
>        include/sslopt-case.h
>        include/sslopt-longopts.h
>        include/sslopt-vars.h
>        include/violite.h
>        mysql-test/include/check-testcase.test
>        mysql-test/r/variables.result
>        mysql-test/suite/sys_vars/r/all_vars.result
>        scripts/mysql_system_tables.sql
>        scripts/mysql_system_tables_fix.sql
>        sql-common/client.c
>        sql/lex.h
>        sql/mysqld.cc
>        sql/mysqld.h
>        sql/rpl_mi.cc
>        sql/rpl_mi.h
>        sql/rpl_slave.cc
>        sql/sql_lex.h
>        sql/sql_yacc.yy
>        sql/sys_vars.cc
>        vio/viosslfactories.c
> === modified file 'client/client_priv.h'
> --- a/client/client_priv.h	2011-06-09 17:44:21 +0000
> +++ b/client/client_priv.h	2011-06-17 13:53:47 +0000
> @@ -87,6 +87,7 @@ enum options_client
>     OPT_DEFAULT_PLUGIN,
>     OPT_RAW_OUTPUT, OPT_WAIT_SERVER_ID, OPT_STOP_NEVER,
>     OPT_BINLOG_ROWS_EVENT_MAX_SIZE,
> +  OPT_SSL_CRL, OPT_SSL_CRLPATH,
>     OPT_MAX_CLIENT_OPTION
>   };
>
>
> === modified file 'client/mysql.cc'
> --- a/client/mysql.cc	2011-06-09 17:44:21 +0000
> +++ b/client/mysql.cc	2011-06-17 13:53:47 +0000
> @@ -4301,8 +4301,12 @@ sql_real_connect(char *host,char *databa
>       mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE,
> (char*)&opt_local_infile);
>   #if defined(HAVE_OPENSSL)&&  !defined(EMBEDDED_LIBRARY)
>     if (opt_use_ssl)
> +  {
>       mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>   		  opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> +  }
>     mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
>                   (char*)&opt_ssl_verify_server_cert);
>   #endif
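
Review bot: the two new mysql_options() calls pass opt_ssl_crl and opt_ssl_crlpath through unconditionally, and both are NULL unless the user gave the option (include/sslopt-vars.h initialises them to 0), so the MYSQL_OPT_SSL_CRL / MYSQL_OPT_SSL_CRLPATH handlers in sql-common/client.c must tolerate a NULL value the way mysql_ssl_set() already does for its arguments (strdup_if_not_null); otherwise guard the calls with `if (opt_ssl_crl)` / `if (opt_ssl_crlpath)`. The return value of mysql_options() is also dropped here and in every sibling client in this patch; a rejected option should at least be reported, because silently ignoring a CRL the user asked for means a revoked peer is accepted without any indication.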
>
> === modified file 'client/mysqladmin.cc'
> --- a/client/mysqladmin.cc	2011-06-06 10:29:45 +0000
> +++ b/client/mysqladmin.cc	2011-06-17 13:53:47 +0000
> @@ -340,8 +340,12 @@ int main(int argc,char *argv[])
>     }
>   #ifdef HAVE_OPENSSL
>     if (opt_use_ssl)
> +  {
>       mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>   		  opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> +  }
>     mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
>                   (char*)&opt_ssl_verify_server_cert);
>   #endif
>
> === modified file 'client/mysqlcheck.c'
> --- a/client/mysqlcheck.c	2011-06-06 10:29:45 +0000
> +++ b/client/mysqlcheck.c	2011-06-17 13:53:47 +0000
> @@ -835,8 +835,12 @@ static int dbConnect(char *host, char *u
>       mysql_options(&mysql_connection, MYSQL_OPT_COMPRESS, NullS);
>   #ifdef HAVE_OPENSSL
>     if (opt_use_ssl)
> +  {
>       mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>   		  opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> +  }
>   #endif
>     if (opt_protocol)
>      
> mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
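
Review bot: unlike the mysql.cc, mysqladmin.cc, mysqldump.c, mysqlimport.c and mysqlshow.c hunks in this patch, the SSL block here (and the one in mysqlslap.c) never sets MYSQL_OPT_SSL_VERIFY_SERVER_CERT. That is pre-existing, but since this hunk already rewrites the block it is the natural place to align it: a CRL only adds value when the peer certificate is actually being verified, and a user who passes --ssl-crl to mysqlcheck will expect the same server verification the other clients perform.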
>
> === modified file 'client/mysqldump.c'
> --- a/client/mysqldump.c	2011-06-06 10:29:45 +0000
> +++ b/client/mysqldump.c	2011-06-17 13:53:47 +0000
> @@ -1465,8 +1465,12 @@ static int connect_to_db(char *host, cha
>       mysql_options(&mysql_connection,MYSQL_OPT_COMPRESS,NullS);
>   #ifdef HAVE_OPENSSL
>     if (opt_use_ssl)
> +  {
>       mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>                     opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> +  }
>     mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
>                   (char*)&opt_ssl_verify_server_cert);
>   #endif
>
> === modified file 'client/mysqlimport.c'
> --- a/client/mysqlimport.c	2011-06-06 10:29:45 +0000
> +++ b/client/mysqlimport.c	2011-06-17 13:53:47 +0000
> @@ -430,8 +430,12 @@ static MYSQL *db_connect(char *host, cha
>   		  (char*)&opt_local_file);
>   #ifdef HAVE_OPENSSL
>     if (opt_use_ssl)
> +  {
>       mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>   		  opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> +  }
>     mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
>                   (char*)&opt_ssl_verify_server_cert);
>   #endif
>
> === modified file 'client/mysqlshow.c'
> --- a/client/mysqlshow.c	2011-06-06 10:29:45 +0000
> +++ b/client/mysqlshow.c	2011-06-17 13:53:47 +0000
> @@ -113,8 +113,12 @@ int main(int argc, char **argv)
>       mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
>   #ifdef HAVE_OPENSSL
>     if (opt_use_ssl)
> +  {
>       mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>   		  opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> +  }
>     mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
>                   (char*)&opt_ssl_verify_server_cert);
>   #endif
>
> === modified file 'client/mysqlslap.c'
> --- a/client/mysqlslap.c	2011-06-06 10:29:45 +0000
> +++ b/client/mysqlslap.c	2011-06-17 13:53:47 +0000
> @@ -330,8 +330,12 @@ int main(int argc, char **argv)
>       mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
>   #ifdef HAVE_OPENSSL
>     if (opt_use_ssl)
> +  {
>       mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>                     opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> +  }
>   #endif
>     if (opt_protocol)
>       mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
>
> === modified file 'client/mysqltest.cc'
> --- a/client/mysqltest.cc	2011-06-06 10:29:45 +0000
> +++ b/client/mysqltest.cc	2011-06-17 13:53:47 +0000
> @@ -5405,6 +5405,8 @@ void do_connect(struct st_command *comma
>   #if defined(HAVE_OPENSSL)&&  !defined(EMBEDDED_LIBRARY)
>       mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>   		  opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
>   #if MYSQL_VERSION_ID>= 50000
>       /* Turn on ssl_verify_server_cert only if host is "localhost" */
>       opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost");
> @@ -8385,6 +8387,8 @@ int main(int argc, char **argv)
>     {
>       mysql_ssl_set(&con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
>   		  opt_ssl_capath, opt_ssl_cipher);
> +    mysql_options(&con->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> +    mysql_options(&con->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
>   #if MYSQL_VERSION_ID>= 50000
>       /* Turn on ssl_verify_server_cert only if host is "localhost" */
>       opt_ssl_verify_server_cert= opt_host&&  !strcmp(opt_host,
> "localhost");
>
> === modified file 'include/mysql.h'
> --- a/include/mysql.h	2011-05-06 13:46:57 +0000
> +++ b/include/mysql.h	2011-06-17 13:53:47 +0000
> @@ -167,7 +167,10 @@ enum mysql_option
>     MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
>     MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
>     MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
> -  MYSQL_OPT_BIND
> +  MYSQL_OPT_BIND,
> +  MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CERT,
> +  MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CIPHER,
> +  MYSQL_OPT_SSL_CRL, MYSQL_OPT_SSL_CRLPATH
>   };
>
>   /**
> @@ -188,6 +191,8 @@ struct st_mysql_options {
>     char *ssl_ca;					/* PEM CA file */
>     char *ssl_capath;				/* PEM directory of CA-s? */
>     char *ssl_cipher;				/* cipher to use */
> +  char *ssl_crl;				/* PEM CRL file */
> +  char *ssl_crlpath;				/* PEM directory of CRL-s? */
>     char *shared_memory_base_name;
>     unsigned long max_allowed_packet;
>     my_bool use_ssl;				/* if to use SSL or not */
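
Review bot: inserting ssl_crl and ssl_crlpath into struct st_mysql_options between ssl_cipher and shared_memory_base_name shifts the offset of every following member and the size of the struct, and st_mysql_options is embedded by value in MYSQL, so a program compiled against the previous mysql.h and run against this libmysqlclient sees a different layout. The enum additions are appended after MYSQL_OPT_BIND, which is the ABI-safe way; do the same for the new fields by putting them in st_mysql_options_extention (the forward declaration `struct st_mysql_options_extention;` is visible in the mysql.h.pp hunk), which exists for exactly this purpose, or document the ABI break explicitly.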
>
> === modified file 'include/mysql.h.pp'
> --- a/include/mysql.h.pp	2011-05-31 13:52:09 +0000
> +++ b/include/mysql.h.pp	2011-06-17 13:53:47 +0000
> @@ -260,7 +260,10 @@ enum mysql_option
>     MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,
>     MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
>     MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH,
> -  MYSQL_OPT_BIND
> +  MYSQL_OPT_BIND,
> +  MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CERT,
> +  MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CIPHER,
> +  MYSQL_OPT_SSL_CRL, MYSQL_OPT_SSL_CRLPATH
>   };
>   struct st_mysql_options_extention;
>   struct st_mysql_options {
> @@ -275,6 +278,8 @@ struct st_mysql_options {
>     char *ssl_ca;
>     char *ssl_capath;
>     char *ssl_cipher;
> +  char *ssl_crl;
> +  char *ssl_crlpath;
>     char *shared_memory_base_name;
>     unsigned long max_allowed_packet;
>     my_bool use_ssl;
>
> === modified file 'include/sslopt-case.h'
> --- a/include/sslopt-case.h	2010-04-13 15:04:45 +0000
> +++ b/include/sslopt-case.h	2011-06-17 13:53:47 +0000
> @@ -22,6 +22,8 @@
>       case OPT_SSL_CA:
>       case OPT_SSL_CAPATH:
>       case OPT_SSL_CIPHER:
> +    case OPT_SSL_CRL:
> +    case OPT_SSL_CRLPATH:
>       /*
>         Enable use of SSL if we are using any ssl option
>         One can disable SSL later by using --skip-ssl or --ssl=0
>
> === modified file 'include/sslopt-longopts.h'
> --- a/include/sslopt-longopts.h	2010-07-28 23:39:52 +0000
> +++ b/include/sslopt-longopts.h	2011-06-17 13:53:47 +0000
> @@ -38,6 +38,13 @@
>     {"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).",
>      &opt_ssl_key,&opt_ssl_key, 0, GET_STR, REQUIRED_ARG,
>      0, 0, 0, 0, 0, 0},
> +  {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).",
> +&opt_ssl_crl,&opt_ssl_crl, 0, GET_STR, REQUIRED_ARG,
> +   0, 0, 0, 0, 0, 0},
> +  {"ssl-crlpath", OPT_SSL_KEY,
> +    "Certificate revocation list path (implies --ssl).",
> +&opt_ssl_crlpath,&opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
> +   0, 0, 0, 0, 0, 0},
>   #ifdef MYSQL_CLIENT
>     {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
>      "Verify server's \"Common Name\" in its cert against hostname used "
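
Review bot: both new entries register the wrong option id: `{"ssl-crl", OPT_SSL_KEY, ...}` and `{"ssl-crlpath", OPT_SSL_KEY, ...}` should use OPT_SSL_CRL and OPT_SSL_CRLPATH, the ids this patch adds to client/client_priv.h and handles in include/sslopt-case.h. It works by accident only because the OPT_SSL_KEY case does the same thing (enable opt_use_ssl) and the value is stored through the variable pointer rather than by id, but the new case labels in sslopt-case.h are dead code and anything that later keys on the id will attribute --ssl-crl to --ssl-key. The help strings should also say what the argument is, mirroring the neighbouring entries, e.g. "CRL file in PEM format (implies --ssl)." and "Directory of CRL files in PEM format (implies --ssl).".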
>
> === modified file 'include/sslopt-vars.h'
> --- a/include/sslopt-vars.h	2010-04-13 15:04:45 +0000
> +++ b/include/sslopt-vars.h	2011-06-17 13:53:47 +0000
> @@ -22,12 +22,14 @@
>   #else
>   #define SSL_STATIC static
>   #endif
> -SSL_STATIC my_bool opt_use_ssl  = 0;
> -SSL_STATIC char *opt_ssl_ca     = 0;
> -SSL_STATIC char *opt_ssl_capath = 0;
> -SSL_STATIC char *opt_ssl_cert   = 0;
> -SSL_STATIC char *opt_ssl_cipher = 0;
> -SSL_STATIC char *opt_ssl_key    = 0;
> +SSL_STATIC my_bool opt_use_ssl   = 0;
> +SSL_STATIC char *opt_ssl_ca      = 0;
> +SSL_STATIC char *opt_ssl_capath  = 0;
> +SSL_STATIC char *opt_ssl_cert    = 0;
> +SSL_STATIC char *opt_ssl_cipher  = 0;
> +SSL_STATIC char *opt_ssl_key     = 0;
> +SSL_STATIC char *opt_ssl_crl     = 0;
> +SSL_STATIC char *opt_ssl_crlpath = 0;
>   #ifdef MYSQL_CLIENT
>   SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
>   #endif
>
> === modified file 'include/violite.h'
> --- a/include/violite.h	2011-05-31 13:52:09 +0000
> +++ b/include/violite.h	2011-06-17 13:53:47 +0000
> @@ -155,11 +155,13 @@ int sslconnect(struct st_VioSSLFd*, Vio
>   struct st_VioSSLFd
>   *new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
>   		       const char *ca_file,  const char *ca_path,
> -		       const char *cipher, enum enum_ssl_init_error* error);
> +		       const char *cipher, enum enum_ssl_init_error* error,
> +                       const char *crl_file, const char *crl_path);
>   struct st_VioSSLFd
>   *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
>   		      const char *ca_file,const char *ca_path,
> -		      const char *cipher, enum enum_ssl_init_error* error);
> +		      const char *cipher, enum enum_ssl_init_error* error,
> +                      const char *crl_file, const char *crl_path);
>   void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd);
>   #endif /* ! EMBEDDED_LIBRARY */
>   #endif /* HAVE_OPENSSL */
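
Review bot: the new crl_file/crl_path parameters are appended after the `error` out-parameter, which puts inputs after the output slot and separates them from the ca_file/ca_path they belong with; placing them directly after ca_path keeps both signatures readable. The added continuation lines also use spaces where the existing ones use tabs. Every caller (sql-common/client.c, sql/mysqld.cc and vio/viosslfactories.c are in the modified list) has to pass NULL explicitly when no CRL is configured, and the factory must then skip X509_STORE_load_locations() altogether, because OpenSSL returns failure when both the file and the path are NULL.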
>
> === modified file 'mysql-test/include/check-testcase.test'
> --- a/mysql-test/include/check-testcase.test	2011-02-07 15:31:01 +0000
> +++ b/mysql-test/include/check-testcase.test	2011-06-17 13:53:47 +0000
> @@ -69,6 +69,8 @@ if ($tmp)
>     --echo Master_Bind	
>     --echo Last_IO_Error_Timestamp	
>     --echo Last_SQL_Error_Timestamp	
> +  --echo Master_SSL_Crl	
> +  --echo Master_SSL_Crlpath	
>   }
>   if (!$tmp) {
>     # Note: after WL#5177, fields 13-18 shall not be filtered-out.
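
Review bot: the names echoed here (Master_SSL_Crl, Master_SSL_Crlpath) have to match the SHOW SLAVE STATUS column names exactly or the filter will not strip them; the commit message calls them Master_SSL_crl and Master_SSL_CRLPATH, so at least one of the two spellings is wrong. Please also confirm the `if (!$tmp)` branch that follows does not need the same two fields.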
>
> === added file 'mysql-test/include/have_openssl.inc'
> --- a/mysql-test/include/have_openssl.inc	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/include/have_openssl.inc	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,4 @@
> +-- require r/openssl.require
> +disable_query_log;
> +show variables like "have_openssl";
> +enable_query_log;
>
> === added file 'mysql-test/r/openssl.require'
> --- a/mysql-test/r/openssl.require	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/r/openssl.require	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,2 @@
> +Variable_name	Value
> +have_openssl	YES
>
> === added file 'mysql-test/r/ssl-crl-clients.result'
> --- a/mysql-test/r/ssl-crl-clients.result	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/r/ssl-crl-clients.result	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,24 @@
> +# Test clients with and without CRL lists
> +############ Test mysql ##############
> +# Test mysql connecting to a server with an empty crl
> +Variable_name	Value
> +have_openssl	YES
> +have_ssl	YES
> +ssl_ca	MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> +ssl_capath	
> +ssl_cert	MYSQL_TEST_DIR/std_data/crl-client-cert.pem
> +ssl_cipher	
> +ssl_crl	
> +ssl_crlpath	
> +ssl_key	MYSQL_TEST_DIR/std_data/crl-client-key.pem
> +# Test mysql connecting to a server with a certificate revoked by -crl
> +# Test mysql connecting to a server with a certificate revoked by -crlpath
> +############ Test mysqladmin ##############
> +# Test mysqladmin connecting to a server with an empty crl
> +mysqld is alive
> +# Test mysqladmin connecting to a server with a certificate revoked by -crl
> +mysqladmin: connect to server at 'localhost' failed
> +error: 'SSL connection error: Failed to set ciphers to use'
> +# Test mysqladmin connecting to a server with a certificate revoked by -crlpath
> +mysqladmin: connet to server at 'localhost' failed
> +error: 'SSL connection error: error:00000005:lib(0):func(0):DH lib'
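
Review bot: the expected failures for the revoked-certificate cases are not revocation errors. `error: 'SSL connection error: Failed to set ciphers to use'` for --ssl-crl and `error:00000005:lib(0):func(0):DH lib` for --ssl-crlpath are whatever happened to be on OpenSSL's error queue, not X509_V_ERR_CERT_REVOKED, so the test pins down misleading output and will be fragile across OpenSSL versions. Have the client report the verify result (SSL_get_verify_result(), which yields "certificate revoked") and expect that text instead. Separately, `mysqladmin: connet to server at 'localhost' failed` disagrees with `mysqladmin: connect to server at 'localhost' failed` three lines above; mysqladmin prints a single string, so one of the two lines cannot match and the test will fail on whichever is the typo.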
>
> === added file 'mysql-test/r/ssl-crl-empty-crl.result'
> --- a/mysql-test/r/ssl-crl-empty-crl.result	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/r/ssl-crl-empty-crl.result	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,20 @@
> +Variable_name	Value
> +have_openssl	YES
> +have_ssl	YES
> +ssl_ca	MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> +ssl_capath	
> +ssl_cert	MYSQL_TEST_DIR/std_data/crl-server-cert.pem
> +ssl_cipher	
> +ssl_crl	MYSQL_TEST_DIR/std_data/crl-empty.crl
> +ssl_crlpath	
> +ssl_key	MYSQL_TEST_DIR/std_data/crl-server-key.pem
> +Variable_name	Value
> +have_openssl	YES
> +have_ssl	YES
> +ssl_ca	MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> +ssl_capath	
> +ssl_cert	MYSQL_TEST_DIR/std_data/crl-server-cert.pem
> +ssl_cipher	
> +ssl_crl	MYSQL_TEST_DIR/std_data/crl-empty.crl
> +ssl_crlpath	
> +ssl_key	MYSQL_TEST_DIR/std_data/crl-server-key.pem
>
> === added file 'mysql-test/r/ssl-crl-revoked-crl.result'
> --- a/mysql-test/r/ssl-crl-revoked-crl.result	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/r/ssl-crl-revoked-crl.result	2011-06-17 13:53:47 +0000
> @@ -0,0 +1 @@
> +# try logging in with a certificate in the server's --ssl-crl : should fail
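
Review bot: the result file is a single --echo line, so nothing in the recorded output proves the login was refused; a server that silently accepts the revoked certificate would produce this same result. Make sure the .test wraps the connect in `--error` with the specific connection error (and `--replace_regex` on any OpenSSL-specific text) so that a regression that drops CRL checking fails the test. The same applies to ssl-crl-revoked-crlpath.result below.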
>
> === added file 'mysql-test/r/ssl-crl-revoked-crlpath.result'
> --- a/mysql-test/r/ssl-crl-revoked-crlpath.result	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/r/ssl-crl-revoked-crlpath.result	2011-06-17 13:53:47 +0000
> @@ -0,0 +1 @@
> +# try logging in with a certificate in the server's --ssl-crlpath : should fail
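
Review bot: --ssl-crlpath is resolved by subject-name hash, and the single fixture crldir/fc725416.r0 in the added list is valid for only one of the two hash schemes (OpenSSL 0.9.8 and 1.0.0 compute X509_NAME_hash differently, which is why c_rehash creates both names). Either ship both file names for the CA or run this test against both OpenSSL families before relying on it; as it stands the test will report a spurious failure on whichever version the fixture was not generated with.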
>
> === modified file 'mysql-test/r/variables.result'
> --- a/mysql-test/r/variables.result	2011-04-12 12:48:26 +0000
> +++ b/mysql-test/r/variables.result	2011-06-17 13:53:47 +0000
> @@ -981,6 +981,8 @@ ssl_ca	#
>   ssl_capath	#
>   ssl_cert	#
>   ssl_cipher	#
> +ssl_crl	#
> +ssl_crlpath	#
>   ssl_key	#
>   select * from information_schema.session_variables where variable_name like 'ssl%'
> order by 1;
>   VARIABLE_NAME	VARIABLE_VALUE
> @@ -988,6 +990,8 @@ SSL_CA	#
>   SSL_CAPATH	#
>   SSL_CERT	#
>   SSL_CIPHER	#
> +SSL_CRL	#
> +SSL_CRLPATH	#
>   SSL_KEY	#
>   select @@log_queries_not_using_indexes;
>   @@log_queries_not_using_indexes
>
> === added file 'mysql-test/std_data/crl-ca-cert.pem'
> --- a/mysql-test/std_data/crl-ca-cert.pem	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crl-ca-cert.pem	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,63 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number:
> +            a5:85:ec:60:b1:68:44:22
> +        Signature Algorithm: sha1WithRSAEncryption
> +        Issuer: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA
> certificate
> +        Validity
> +            Not Before: Jun 17 07:27:51 2011 GMT
> +            Not After : Jun 15 07:27:51 2016 GMT
> +        Subject: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA
> certificate
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +            RSA Public Key: (1024 bit)
> +                Modulus (1024 bit):
> +                    00:9b:08:0b:96:19:57:fb:21:79:f4:16:c9:b8:2c:
> +                    13:2e:e1:fe:5f:6b:18:7d:d4:c4:d7:cd:66:a6:62:
> +                    0e:b7:28:b1:39:76:62:6e:5a:4a:80:f6:0e:8e:84:
> +                    3e:cf:2f:91:0d:36:6d:8b:b5:f9:78:96:f0:5f:82:
> +                    a2:b2:d8:fc:b3:46:b5:30:24:b3:a8:77:60:6c:05:
> +                    c9:8f:82:fd:ad:9f:26:23:29:56:5b:02:6f:f2:00:
> +                    31:86:60:b7:8c:56:b3:95:a8:8d:a9:bb:6b:91:fd:
> +                    5d:f5:6a:21:45:85:63:78:0e:0f:0e:03:6d:53:73:
> +                    0d:6c:aa:5b:f9:fc:fa:fd:f7
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Subject Key Identifier:
> +                C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8
> +            X509v3 Authority Key Identifier:
> +                keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8
> +                DirName:/C=BG/ST=Plovdiv/O=Oracle/OU=MySQL/CN=MySQL CRL test CA
> certificate
> +                serial:A5:85:EC:60:B1:68:44:22
> +
> +            X509v3 Basic Constraints:
> +                CA:TRUE
> +    Signature Algorithm: sha1WithRSAEncryption
> +        73:dd:2e:76:71:25:c2:fe:7a:c5:46:ca:f2:c7:a0:43:f0:c7:
> +        3c:24:8d:a6:bd:8d:f2:7c:db:03:1b:2b:8a:c8:23:ae:ef:71:
> +        25:33:5b:10:61:e7:7d:89:30:a8:67:25:2e:e0:06:30:77:da:
> +        b8:87:e5:91:cd:c7:8f:c9:7b:3d:9e:86:80:44:02:6b:d1:06:
> +        85:5d:28:78:cc:a7:a8:35:ac:f7:77:6d:e2:c7:a3:37:bc:9f:
> +        d3:bf:4a:ca:09:dc:d0:78:0c:59:c7:db:4b:67:f1:09:6d:a9:
> +        7a:50:2f:1d:2c:a6:b8:81:0e:e6:4b:ee:d9:be:ae:a5:6a:d7:
> +        56:c4
> +-----BEGIN CERTIFICATE-----
> +MIIDHDCCAoWgAwIBAgIJAKWF7GCxaEQiMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV
> +BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV
> +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0
> +ZTAeFw0xMTA2MTcwNzI3NTFaFw0xNjA2MTUwNzI3NTFaMGgxCzAJBgNVBAYTAkJH
> +MRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNVBAsTBU15
> +U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0ZTCBnzAN
> +BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmwgLlhlX+yF59BbJuCwTLuH+X2sYfdTE
> +181mpmIOtyixOXZiblpKgPYOjoQ+zy+RDTZti7X5eJbwX4Kistj8s0a1MCSzqHdg
> +bAXJj4L9rZ8mIylWWwJv8gAxhmC3jFazlaiNqbtrkf1d9WohRYVjeA4PDgNtU3MN
> +bKpb+fz6/fcCAwEAAaOBzTCByjAdBgNVHQ4EFgQUxB0saD9fKVHsxVRhzhYT0nJd
> +Y+gwgZoGA1UdIwSBkjCBj4AUxB0saD9fKVHsxVRhzhYT0nJdY+ihbKRqMGgxCzAJ
> +BgNVBAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAM
> +BgNVBAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZp
> +Y2F0ZYIJAKWF7GCxaEQiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
> +c90udnElwv56xUbK8segQ/DHPCSNpr2N8nzbAxsrisgjru9xJTNbEGHnfYkwqGcl
> +LuAGMHfauIflkc3Hj8l7PZ6GgEQCa9EGhV0oeMynqDWs93dt4sejN7yf079Kygnc
> +0HgMWcfbS2fxCW2pelAvHSymuIEO5kvu2b6upWrXVsQ=
> +-----END CERTIFICATE-----
>
> === added file 'mysql-test/std_data/crl-client-cert.pem'
> --- a/mysql-test/std_data/crl-client-cert.pem	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crl-client-cert.pem	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,62 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number:
> +            a5:85:ec:60:b1:68:44:24
> +        Signature Algorithm: sha1WithRSAEncryption
> +        Issuer: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA
> certificate
> +        Validity
> +            Not Before: Jun 17 07:32:32 2011 GMT
> +            Not After : Jun 16 07:32:32 2014 GMT
> +        Subject: C=BG, ST=Plovdiv, L=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test
> client certificate
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +            RSA Public Key: (1024 bit)
> +                Modulus (1024 bit):
> +                    00:bd:18:bf:c5:37:7e:f7:8a:1d:22:c0:4f:5a:70:
> +                    51:ea:df:56:4f:29:e9:c7:a5:8a:ab:5a:48:b5:f9:
> +                    bf:cd:2a:73:f8:fa:13:20:fd:33:17:11:93:51:f0:
> +                    4f:fa:a5:6a:bc:37:94:92:de:7d:c1:09:c6:43:c0:
> +                    f7:cd:dd:ac:06:bf:fe:0c:9f:fc:ec:5b:83:a1:1e:
> +                    34:d8:af:50:17:4d:84:51:20:44:76:81:d1:12:76:
> +                    06:fb:05:29:59:47:0f:9d:97:f1:41:2f:92:0d:e4:
> +                    b6:c1:fb:cf:75:95:a9:0f:cf:b3:4f:69:a3:d1:14:
> +                    e9:6b:cf:be:53:bd:4e:3f:5d
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints:
> +                CA:FALSE
> +            Netscape Comment:
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier:
> +                39:37:9C:0B:9F:E4:8E:48:48:71:23:2B:CA:F0:C1:F9:0B:F2:0A:D0
> +            X509v3 Authority Key Identifier:
> +                keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8
> +
> +    Signature Algorithm: sha1WithRSAEncryption
> +        18:03:42:13:af:86:c3:eb:9c:40:4a:d8:9e:e7:25:e1:43:7b:
> +        2f:55:1b:e6:ec:bf:9b:56:b3:c7:cb:78:cd:d2:00:46:39:96:
> +        d8:f8:cd:9d:0e:e7:97:51:93:f8:5b:ed:4f:5a:16:6b:56:fb:
> +        c0:d1:58:3c:7f:e9:64:aa:11:03:ff:3b:5e:9d:6d:c8:53:a8:
> +        4a:30:f7:a6:ae:7c:e0:ed:16:c4:a0:07:9c:75:1a:23:58:13:
> +        70:9e:aa:cc:b8:1d:70:26:85:ad:e1:f3:34:83:1b:e0:72:44:
> +        c4:28:d5:c5:6a:43:83:47:fe:8b:ab:ac:07:55:ff:2c:d9:0f:
> +        5f:c7
> +-----BEGIN CERTIFICATE-----
> +MIIC3zCCAkigAwIBAgIJAKWF7GCxaEQkMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV
> +BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV
> +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0
> +ZTAeFw0xMTA2MTcwNzMyMzJaFw0xNDA2MTYwNzMyMzJaMH4xCzAJBgNVBAYTAkJH
> +MRAwDgYDVQQIEwdQbG92ZGl2MRAwDgYDVQQHEwdQbG92ZGl2MQ8wDQYDVQQKEwZP
> +cmFjbGUxDjAMBgNVBAsTBU15U1FMMSowKAYDVQQDEyFNeVNRTCBDUkwgdGVzdCBj
> +bGllbnQgY2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0Y
> +v8U3fveKHSLAT1pwUerfVk8p6celiqtaSLX5v80qc/j6EyD9MxcRk1HwT/qlarw3
> +lJLefcEJxkPA983drAa//gyf/Oxbg6EeNNivUBdNhFEgRHaB0RJ2BvsFKVlHD52X
> +8UEvkg3ktsH7z3WVqQ/Ps09po9EU6WvPvlO9Tj9dAgMBAAGjezB5MAkGA1UdEwQC
> +MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
> +MB0GA1UdDgQWBBQ5N5wLn+SOSEhxIyvK8MH5C/IK0DAfBgNVHSMEGDAWgBTEHSxo
> +P18pUezFVGHOFhPScl1j6DANBgkqhkiG9w0BAQUFAAOBgQAYA0ITr4bD65xAStie
> +5yXhQ3svVRvm7L+bVrPHy3jN0gBGOZbY+M2dDueXUZP4W+1PWhZrVvvA0Vg8f+lk
> +qhED/ztenW3IU6hKMPemrnzg7RbEoAecdRojWBNwnqrMuB1wJoWt4fM0gxvgckTE
> +KNXFakODR/6Lq6wHVf8s2Q9fxw==
> +-----END CERTIFICATE-----
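
Review bot: this client certificate expires on Jun 16 2014 (`Not After : Jun 16 07:32:32 2014 GMT`), the server certificate below on the same day and the CA on Jun 15 2016, so every test in this patch starts failing with "certificate has expired" on those dates regardless of CRL handling. Issue the fixture certificates with a validity far beyond the release's support life, and check in the generation script; the CA private key is not part of this patch (only crl-ca-cert.pem is added), so nobody can reissue these certificates or the CRLs later.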
>
> === added file 'mysql-test/std_data/crl-client-key.pem'
> --- a/mysql-test/std_data/crl-client-key.pem	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crl-client-key.pem	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,15 @@
> +-----BEGIN RSA PRIVATE KEY-----
> +MIICXAIBAAKBgQC9GL/FN373ih0iwE9acFHq31ZPKenHpYqrWki1+b/NKnP4+hMg
> +/TMXEZNR8E/6pWq8N5SS3n3BCcZDwPfN3awGv/4Mn/zsW4OhHjTYr1AXTYRRIER2
> +gdESdgb7BSlZRw+dl/FBL5IN5LbB+891lakPz7NPaaPRFOlrz75TvU4/XQIDAQAB
> +AoGAYMe37rIWk47mlpCijIEMDA++Vsn20q2RKV4N9MUcO19M99LV036DlXzzT26V
> +II1k8Wvo6Lpi1lewV6D9symPDwuxO3L/lSwInVSbAaCkRYq7BlpL+ShxsUpWT788
> +ealwFTj3TeM1MCHpFwvO0xGBqFVk+ZadCNZjvwdQi44JCykCQQDqJgOTPPniq5Lk
> +J6d+KWiCPVAEnEWk5lR0jQ2NZhSm4fFmCd0v6bNYhztk7dizSOiIrXnPLXx9Z8v0
> +rwKr5WrHAkEAzr5ps9d/t4V60vAJCK+Sq1b+Qj42yEnH2eIjKAUFO63jkPtpOv9h
> +nzYJTqajvEkHbYJ92elpzGx47FuSOjzAuwJAYpZC5xnDdSccoCf6I+q3cC70pBxQ
> +TpAUe0ZwsFqM039KrtX0ZZoWw22dGm/yz/ogvnucUBks03iCrbGKhGoCPQJAdlhj
> +U5I5Rsl+vH6w/Srbz37Vvv+0BkTNxPiA3Wi6TSZGDPkNjLshm6yn+UDEm4RGXzaC
> +ahoF+QHi2pG0i+e4/wJBAOmbrYbjE2LAzIBy0NvRHslPABTK4zn1L9lzU5XIjV9r
> +y8JiMfGNC5r7To/ERlFUlMbaPA5Zm9XNrZhDROMZLTc=
> +-----END RSA PRIVATE KEY-----
>
> === added file 'mysql-test/std_data/crl-client-revoked.crl'
> --- a/mysql-test/std_data/crl-client-revoked.crl	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crl-client-revoked.crl	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,10 @@
> +-----BEGIN X509 CRL-----
> +MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE
> +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG
> +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDYxNzA3Mzgy
> +NVoXDTExMDcxNzA3MzgyNVowKjAoAgkApYXsYLFoRCQXDTExMDYxNzA3Mzc1OVow
> +DDAKBgNVHRUEAwoBBaAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADgYEA
> +GEHNVIG6WcDYLwugXnSkLRi19EDalfQ/ufcIh2M8XQUCIXXYVYLQnh4w7FMOwDz7
> +OaIE+UhdhKjbwITvEQ3XTNueYouofmyTcYEVZuapFcG3M9TKXzaBdOevKMmok0rq
> +kuZ80j5zmCC9kXpIGl5IS+c5KRLqmYxrUNG/gdhxGpg=
> +-----END X509 CRL-----
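
Review bot: decoding the DER confirms this CRL revokes serial a5:85:ec:60:b1:68:44:24 with reason cessationOfOperation, which matches crl-client-cert.pem, but its nextUpdate is 2011-07-17 07:38:25Z, one month after thisUpdate. OpenSSL's CRL check (X509_V_FLAG_CRL_CHECK) treats a past nextUpdate as X509_V_ERR_CRL_HAS_EXPIRED and fails verification, so from that date this test still fails but for the wrong reason, and the CRL cannot be reissued because the CA key is not in the patch. Generate the fixture CRLs with a far-future nextUpdate (a large -crldays value to openssl ca -gencrl) and commit the CA key or the generation script.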
>
> === added file 'mysql-test/std_data/crl-empty.crl'
> --- a/mysql-test/std_data/crl-empty.crl	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crl-empty.crl	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,9 @@
> +-----BEGIN X509 CRL-----
> +MIIBQDCBqgIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE
> +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG
> +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDYxNzA3MzUy
> +NVoXDTExMDcxNzA3MzUyNVqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA
> +A4GBAJRpOiqqQoAuc0YMw+JDDrwU+bjb+xg49E2Ao+Gcipzq0Z7jACPZFhDt3JRZ
> +tf0qErLImThh4i6P5IS7YOT+yAR8bF6SphePWK0WMFLjsxpQgyJPUvkffgM6BO7A
> +Cg4dnRAWMY4VsvBPtP/TXzDu4tAoznwLlHBW9BST+Ks3EBmF
> +-----END X509 CRL-----
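
Review bot: this CRL carries the same one-month nextUpdate (2011-07-17 07:35:25Z). After that date the server loads an expired CRL, OpenSSL reports X509_V_ERR_CRL_HAS_EXPIRED for every client certificate, and the positive tests that expect a successful login with an empty CRL (ssl-crl-empty-crl.result and the first mysql/mysqladmin cases in ssl-crl-clients.result) start failing, which masks whether revocation checking works at all. Regenerate it with a long nextUpdate before this is pushed.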
>
> === added file 'mysql-test/std_data/crl-server-cert.pem'
> --- a/mysql-test/std_data/crl-server-cert.pem	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crl-server-cert.pem	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,62 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number:
> +            a5:85:ec:60:b1:68:44:23
> +        Signature Algorithm: sha1WithRSAEncryption
> +        Issuer: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA
> certificate
> +        Validity
> +            Not Before: Jun 17 07:29:11 2011 GMT
> +            Not After : Jun 16 07:29:11 2014 GMT
> +        Subject: C=BG, ST=Plovdiv, L=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test
> server certificate
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +            RSA Public Key: (1024 bit)
> +                Modulus (1024 bit):
> +                    00:c4:c6:01:29:db:e6:62:40:07:bd:43:ce:37:8e:
> +                    90:0e:3c:86:cc:6a:0c:40:8e:8e:30:27:f2:84:d3:
> +                    59:e8:7d:e7:97:1e:0d:36:08:0b:cc:28:bb:86:b0:
> +                    0a:64:8c:55:33:f6:ce:19:00:08:b9:93:ca:84:7e:
> +                    9a:4e:81:91:e2:56:32:2a:de:b5:1f:82:b9:8f:33:
> +                    f4:87:f8:10:84:69:69:9a:79:58:08:9a:29:dc:09:
> +                    79:27:90:ec:af:c8:2d:5f:2e:c1:e1:4a:f1:52:21:
> +                    37:58:d4:f9:ef:49:ce:a9:9d:eb:dc:f4:34:30:40:
> +                    d0:d7:38:54:94:2e:d1:ac:25
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints:
> +                CA:FALSE
> +            Netscape Comment:
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier:
> +                4A:18:8F:0C:A3:CF:D7:4A:38:83:07:FC:26:E3:EB:96:32:73:FA:8C
> +            X509v3 Authority Key Identifier:
> +                keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8
> +
> +    Signature Algorithm: sha1WithRSAEncryption
> +        61:74:cc:62:70:9e:1f:3e:96:ac:cd:54:4f:34:60:1c:27:51:
> +        f4:d5:f8:2e:d7:18:11:86:4e:b5:52:8c:a1:ef:28:c9:43:d7:
> +        23:2a:22:15:4a:a3:e7:ff:76:fa:25:be:ed:30:05:ea:12:aa:
> +        3f:c8:ab:a7:22:02:ea:cf:50:d4:43:31:5f:51:de:4c:e1:fa:
> +        31:ba:2e:4e:d8:a4:3d:80:ad:17:83:67:0f:1b:6f:0b:74:43:
> +        ce:36:cb:2f:17:9e:6e:ae:c6:eb:ec:93:70:69:82:42:04:b3:
> +        a7:31:1f:65:70:ff:06:ce:9c:22:8a:dc:7d:92:bc:04:24:ca:
> +        20:66
> +-----BEGIN CERTIFICATE-----
> +MIIC3zCCAkigAwIBAgIJAKWF7GCxaEQjMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV
> +BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV
> +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0
> +ZTAeFw0xMTA2MTcwNzI5MTFaFw0xNDA2MTYwNzI5MTFaMH4xCzAJBgNVBAYTAkJH
> +MRAwDgYDVQQIEwdQbG92ZGl2MRAwDgYDVQQHEwdQbG92ZGl2MQ8wDQYDVQQKEwZP
> +cmFjbGUxDjAMBgNVBAsTBU15U1FMMSowKAYDVQQDEyFNeVNRTCBDUkwgdGVzdCBz
> +ZXJ2ZXIgY2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTG
> +ASnb5mJAB71DzjeOkA48hsxqDECOjjAn8oTTWeh955ceDTYIC8wou4awCmSMVTP2
> +zhkACLmTyoR+mk6BkeJWMiretR+CuY8z9If4EIRpaZp5WAiaKdwJeSeQ7K/ILV8u
> +weFK8VIhN1jU+e9Jzqmd69z0NDBA0Nc4VJQu0awlAgMBAAGjezB5MAkGA1UdEwQC
> +MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
> +MB0GA1UdDgQWBBRKGI8Mo8/XSjiDB/wm4+uWMnP6jDAfBgNVHSMEGDAWgBTEHSxo
> +P18pUezFVGHOFhPScl1j6DANBgkqhkiG9w0BAQUFAAOBgQBhdMxicJ4fPpaszVRP
> +NGAcJ1H01fgu1xgRhk61Uoyh7yjJQ9cjKiIVSqPn/3b6Jb7tMAXqEqo/yKunIgLq
> +z1DUQzFfUd5M4foxui5O2KQ9gK0Xg2cPG28LdEPONssvF55ursbr7JNwaYJCBLOn
> +MR9lcP8Gzpwiitx9krwEJMogZg==
> +-----END CERTIFICATE-----
>
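Review bot: the fixture has a built-in expiry: Not After is Jun 16 07:29:11 2014 GMT, so every ssl-crl test goes red on that date. When regenerating, give the test CA and leaf certificates a validity long enough that the suite does not need periodic refreshes, and prefer a 2048-bit key with a SHA-256 signature over the 1024-bit sha1WithRSAEncryption shown here, since newer OpenSSL builds may refuse the weaker parameters at their default security level.
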
> === added file 'mysql-test/std_data/crl-server-key.pem'
> --- a/mysql-test/std_data/crl-server-key.pem	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crl-server-key.pem	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,15 @@
> +-----BEGIN RSA PRIVATE KEY-----
> +MIICXAIBAAKBgQDExgEp2+ZiQAe9Q843jpAOPIbMagxAjo4wJ/KE01nofeeXHg02
> +CAvMKLuGsApkjFUz9s4ZAAi5k8qEfppOgZHiVjIq3rUfgrmPM/SH+BCEaWmaeVgI
> +mincCXknkOyvyC1fLsHhSvFSITdY1PnvSc6pnevc9DQwQNDXOFSULtGsJQIDAQAB
> +AoGAfecnZW4jWegYS5xv/RJF0CYgJfkQv9m21s8omJ5W37B3lzSORW0eh1Hkswg+
> +jhlQhwA63Lot2vfaU65h8ytqeGSxUSj0X8bVCsG+7aoQOxeowZs+CLgWPHmXbXw8
> +BI9mFbfkIQ/1x5yMSTv0BNRGUtg+t5FGPsmWxSUtfTme4CECQQDxQGEoesrJ25uE
> +MUcrTSeVpNmzqA8e41+8YIzbyi8nmwzp5gbsgIIF6/P5iMo1T7nIal/8N+FQMft4
> +Ebzb0ZFNAkEA0M2JmH/ctyDQ7RbQx5lVwiHYn9a3inusvsV47kfH24kdRZYSymI8
> +of7O8SGkHFJNeYsJmM3UrsNDlbSd+sCaOQJBAKoM+i8hVp2weU9VuNex28wkVfvH
> +41ifZtUOrVsjidd9+D1KkejUsFHiPqfOntGzL74wFRZggSYZBStePWQotSUCQH29
> +aMDnLtkw79/2v1+TnSs9CqCmwvyoIYz4iiykGVzBI1mGWGZ75ht/wMtBAPz1Kyao
> +be0Q9qUPfaGnlQMt/TECQGrMh32zFPFR98yNS6JDVAVib+d5SaJsV5HXXqKCYxQR
> +u1sv7YeF4/Y+TPKpBSasDNZHQ3zex0M9YOgI+9eEBHk=
> +-----END RSA PRIVATE KEY-----
>
> === added directory 'mysql-test/std_data/crldir'
> === added file 'mysql-test/std_data/crldir/fc725416.r0'
> --- a/mysql-test/std_data/crldir/fc725416.r0	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/std_data/crldir/fc725416.r0	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,10 @@
> +-----BEGIN X509 CRL-----
> +MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE
> +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG
> +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDYxNzA3Mzgy
> +NVoXDTExMDcxNzA3MzgyNVowKjAoAgkApYXsYLFoRCQXDTExMDYxNzA3Mzc1OVow
> +DDAKBgNVHRUEAwoBBaAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADgYEA
> +GEHNVIG6WcDYLwugXnSkLRi19EDalfQ/ufcIh2M8XQUCIXXYVYLQnh4w7FMOwDz7
> +OaIE+UhdhKjbwITvEQ3XTNueYouofmyTcYEVZuapFcG3M9TKXzaBdOevKMmok0rq
> +kuZ80j5zmCC9kXpIGl5IS+c5KRLqmYxrUNG/gdhxGpg=
> +-----END X509 CRL-----
>
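Review bot: the file name fc725416.r0 hard-codes one OpenSSL release's subject-name hash, which makes the --ssl-crlpath tests depend on the OpenSSL version the binaries are built against. The hash-dir lookup (X509_LOOKUP_hash_dir) opens <X509_NAME_hash(issuer)>.r0, and OpenSSL 1.0.0 changed X509_NAME_hash from the MD5-based scheme to the SHA-1-based one, so on a 0.9.8 build the CRL is never found, the revoked certificate is accepted, and ssl-crl-revoked-crlpath.test fails its --error 1 expectation. Either add a second file named with the old hash (what c_rehash does for both schemes) or guard the crlpath tests on the OpenSSL version.
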
> === modified file 'mysql-test/suite/sys_vars/r/all_vars.result'
> --- a/mysql-test/suite/sys_vars/r/all_vars.result	2011-05-31 09:30:59 +0000
> +++ b/mysql-test/suite/sys_vars/r/all_vars.result	2011-06-17 13:53:47 +0000
> @@ -16,6 +16,7 @@ INNODB_STATS_TRANSIENT_SAMPLE_PAGES
>   INNODB_ROLLBACK_SEGMENTS
>   INNODB_STATS_PERSISTENT_SAMPLE_PAGES
>   RELAY_LOG_BASENAME
> +SSL_CRLPATH
>   LOG_BIN_BASENAME
>   INNODB_MONITOR_RESET
>   INNODB_ANALYZE_IS_PERSISTENT
> @@ -24,6 +25,7 @@ INNODB_MONITOR_RESET_ALL
>   INNODB_STATS_METHOD
>   LOG_BIN_INDEX
>   INNODB_SYNC_ARRAY_SIZE
> +SSL_CRL
>   INNODB_MONITOR_DISABLE
>   INNODB_FILE_FORMAT_MAX
>   INNODB_MONITOR_ENABLE
> @@ -32,6 +34,7 @@ INNODB_STATS_TRANSIENT_SAMPLE_PAGES
>   INNODB_ROLLBACK_SEGMENTS
>   INNODB_STATS_PERSISTENT_SAMPLE_PAGES
>   RELAY_LOG_BASENAME
> +SSL_CRLPATH
>   LOG_BIN_BASENAME
>   INNODB_MONITOR_RESET
>   INNODB_ANALYZE_IS_PERSISTENT
> @@ -40,6 +43,7 @@ INNODB_MONITOR_RESET_ALL
>   INNODB_STATS_METHOD
>   LOG_BIN_INDEX
>   INNODB_SYNC_ARRAY_SIZE
> +SSL_CRL
>   INNODB_MONITOR_DISABLE
>   INNODB_FILE_FORMAT_MAX
>   INNODB_MONITOR_ENABLE
>
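Review bot: adding SSL_CRL and SSL_CRLPATH to all_vars.result records them as variables without a sys_vars test rather than testing them. Two small tests mirroring the existing ssl_ca_basic.test (checking that the variables are global, read-only, and show the configured path) would let these four lines be dropped and give the new options the same coverage as the other ssl_* variables.
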
> === added file 'mysql-test/t/ssl-crl-clients-master.opt'
> --- a/mysql-test/t/ssl-crl-clients-master.opt	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-clients-master.opt	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,3 @@
> +--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> +--ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem
> +--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem
>
> === added file 'mysql-test/t/ssl-crl-clients.test'
> --- a/mysql-test/t/ssl-crl-clients.test	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-clients.test	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,46 @@
> +# This test should work in embedded server after we fix mysqltest
> +-- source include/not_embedded.inc
> +-- source include/have_ssl_communication.inc
> +-- source include/have_openssl.inc
> +
> +--echo # Test clients with and without CRL lists
> +
> +let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
> --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem;
> +let $ssl_empty = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-empty.crl;
> +let $ssl_crl = $ssl_base
> --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-disabled.crl;
> +let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir;
> +
> +
> +--echo ############ Test mysql ##############
> +
> +--echo # Test mysql connecting to a server with an empty crl
> +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
> +--exec $MYSQL $ssl_empty test -e "SHOW VARIABLES like '%ssl%';"
> +
> +--echo # Test mysql connecting to a server with a certificate revoked by -crl
> +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
> +--error 1
> +--exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';"
> +
> +--echo # Test mysql connecting to a server with a certificate revoked by -crlpath
> +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
> +--error 1
> +--exec $MYSQL $ssl_crlpath test -e "SHOW VARIABLES like '%ssl%';"
> +
> +
> +--echo ############ Test mysqladmin ##############
> +let $admin_prefix = --no-defaults;
> +let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P
> $MASTER_MYPORT -u root --password= ping;
> +
> +--echo # Test mysqladmin connecting to a server with an empty crl
> +--exec $MYSQLADMIN $admin_prefix $ssl_empty $admin_suffix 2>&1
> +
> +--echo # Test mysqladmin connecting to a server with a certificate revoked by -crl
> +--replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/
> +--error 1
> +--exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1
> +
> +--echo # Test mysqladmin connecting to a server with a certificate revoked by
> -crlpath
> +--replace_regex /.*mysqladmin.*: connect/mysqladmin: connet/
> +--error 1
> +--exec $MYSQLADMIN $admin_prefix $ssl_crlpath $admin_suffix 2>&1
>
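Review bot: the replace_regex on the last mysqladmin case writes "mysqladmin: connet" (typo for "connect"), so the recorded result file will carry the misspelling; the earlier case uses "mysqladmin: connect". Two further things: $ssl_crl points at crl-client-disabled.crl while ssl-crl-revoked-crl-master.opt uses crl-client-revoked.crl for the same purpose, so please confirm both fixtures exist or settle on one name; and a comment explaining that this test deliberately gives the server the client certificate (crl-client-*.pem in the -master.opt) so the client-side CRL can revoke it would save the next reader some confusion.
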
> === added file 'mysql-test/t/ssl-crl-empty-crl-master.opt'
> --- a/mysql-test/t/ssl-crl-empty-crl-master.opt	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-empty-crl-master.opt	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,4 @@
> +--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> +--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
> +--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem
> +--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-empty.crl
>
> === added file 'mysql-test/t/ssl-crl-empty-crl.test'
> --- a/mysql-test/t/ssl-crl-empty-crl.test	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-empty-crl.test	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,12 @@
> +# This test should work in embedded server after we fix mysqltest
> +-- source include/not_embedded.inc
> +-- source include/have_ssl_communication.inc
> +-- source include/have_openssl.inc
> +
> +# test --crl for the client : should connect
> +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
> +--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem
> --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test
> --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-empty.crl -e "SHOW VARIABLES like '%ssl%';"
> +
> +# test --crlpath for the client : should connect
> +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
> +--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem
> --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem
> --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';"
>
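Review bot: the "should connect" checks do not verify that the connection is actually encrypted: SHOW VARIABLES LIKE '%ssl%' reports the server's configuration, which is the same whether or not this client negotiated TLS. Use SHOW STATUS LIKE 'Ssl_cipher' (non-empty only on an SSL session) so a client that fell back to plaintext, or ignored --ssl-crl, cannot pass. The comments also say "--crl" and "--crlpath" where the options are --ssl-crl and --ssl-crlpath, and a --echo before each case would make the result file self-describing as in ssl-crl-clients.test.
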
> === added file 'mysql-test/t/ssl-crl-revoked-crl-master.opt'
> --- a/mysql-test/t/ssl-crl-revoked-crl-master.opt	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-revoked-crl-master.opt	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,4 @@
> +--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> +--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
> +--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem
> +--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
>
> === added file 'mysql-test/t/ssl-crl-revoked-crl.test'
> --- a/mysql-test/t/ssl-crl-revoked-crl.test	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-revoked-crl.test	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,9 @@
> +# This test should work in embedded server after we fix mysqltest
> +-- source include/not_embedded.inc
> +-- source include/have_ssl_communication.inc
> +-- source include/have_openssl.inc
> +
> +--echo # try logging in with a certificate in the server's --ssl-crl : should fail
> +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
> +--error 1
> +--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem
> --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like
> '%ssl%';"
>
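Review bot: --error 1 accepts any client failure, so this test also passes when the connection fails for a reason unrelated to revocation (an expired CRL, a missing CA file, a wrong path in the .opt). Capture the error output (2>&1, with a replace_regex to drop the binary path, as the mysqladmin cases in ssl-crl-clients.test do) so the result file pins the failure to the SSL handshake rejecting the revoked certificate; the same applies to ssl-crl-revoked-crlpath.test below.
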
> === added file 'mysql-test/t/ssl-crl-revoked-crlpath-master.opt'
> --- a/mysql-test/t/ssl-crl-revoked-crlpath-master.opt	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-revoked-crlpath-master.opt	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,4 @@
> +--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> +--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
> +--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem
> +--ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir
>
> === added file 'mysql-test/t/ssl-crl-revoked-crlpath.test'
> --- a/mysql-test/t/ssl-crl-revoked-crlpath.test	1970-01-01 00:00:00 +0000
> +++ b/mysql-test/t/ssl-crl-revoked-crlpath.test	2011-06-17 13:53:47 +0000
> @@ -0,0 +1,9 @@
> +# This test should work in embedded server after we fix mysqltest
> +-- source include/not_embedded.inc
> +-- source include/have_ssl_communication.inc
> +-- source include/have_openssl.inc
> +
> +--echo # try logging in with a certificate in the server's --ssl-crlpath : should
> fail
> +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
> +--error 1
> +--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
> --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem
> --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like
> '%ssl%';"
>
> === modified file 'scripts/mysql_system_tables.sql'
> --- a/scripts/mysql_system_tables.sql	2011-06-13 16:28:34 +0000
> +++ b/scripts/mysql_system_tables.sql	2011-06-17 13:53:47 +0000
> @@ -102,7 +102,7 @@ CREATE TABLE IF NOT EXISTS ndb_binlog_in
>
>   CREATE TABLE IF NOT EXISTS slave_relay_log_info (Master_id INTEGER UNSIGNED NOT
> NULL, Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of lines in the file or
> rows in the table. Used to version table definitions.', Relay_log_name TEXT CHARACTER SET
> utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the current relay log file.',
> Relay_log_pos BIGINT UNSIGNED NOT NULL COMMENT 'The relay log position of the last
> executed event.', Master_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL
> COMMENT 'The name of the master binary log file from which the events in the relay log
> file were read.', Master_log_pos BIGINT UNSIGNED NOT NULL COMMENT 'The master log position
> of the last executed event.', Sql_delay INTEGER NOT NULL COMMENT 'The number of seconds
> that the slave must lag behind the master.', PRIMARY KEY(Master_id)) ENGINE=MYISAM DEFAULT
> CHARSET=utf8 COMMENT 'Relay Log Information';
>
> -CREATE TABLE IF NOT EXISTS slave_master_info (Master_id INTEGER UNSIGNED NOT NULL,
> Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of lines in the file.',
> Master_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the
> master binary log currently being read from the master.', Master_log_pos BIGINT UNSIGNED
> NOT NULL COMMENT 'The master log position of the last read event.', Host TEXT CHARACTER
> SET utf8 COLLATE utf8_bin COMMENT 'The host name of the master.', User_name TEXT CHARACTER
> SET utf8 COLLATE utf8_bin COMMENT 'The user name used to connect to the master.',
> User_password TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The password used to
> connect to the master.', Port INTEGER UNSIGNED NOT NULL COMMENT 'The network port used to
> connect to the master.', Connect_retry INTEGER UNSIGNED NOT NULL COMMENT 'The period (in
> seconds) that the slave will wait before trying to reconnect to the master.', Enabled_ssl
> BOOLEAN NOT NULL COMMENT 'In!
>
>   dicates whether the server supports SSL connections.', Ssl_ca TEXT CHARACTER SET
> utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Authority (CA)
> certificate.', Ssl_capath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path to
> the Certificate Authority (CA) certificates.', Ssl_cert TEXT CHARACTER SET utf8 COLLATE
> utf8_bin COMMENT 'The name of the SSL certificate file.', Ssl_cipher TEXT CHARACTER SET
> utf8 COLLATE utf8_bin COMMENT 'The name of the cipher in use for the SSL connection.',
> Ssl_key TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL key file.',
> Ssl_verify_server_cert BOOLEAN NOT NULL COMMENT 'Whether to verify the server
> certificate.', Heartbeat FLOAT NOT NULL COMMENT '', Bind TEXT CHARACTER SET utf8 COLLATE
> utf8_bin COMMENT 'Displays which interface is employed when connecting to the MySQL
> server', Ignored_server_ids TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The number
> of server IDs to be ignored, followed by the a!
>
>   ctual server IDs', Uuid TEXT CHARACTER SET utf8 COLLATE utf8_bin COMME
> NT 'The master server uuid.', Retry_count BIGINT UNSIGNED NOT NULL COMMENT 'Number of
> reconnect attempts, to the master, before giving up.', PRIMARY KEY(Master_id))
> ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT 'Master Information';
> +CREATE TABLE IF NOT EXISTS slave_master_info (Master_id INTEGER UNSIGNED NOT NULL,
> Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of lines in the file.',
> Master_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the
> master binary log currently being read from the master.', Master_log_pos BIGINT UNSIGNED
> NOT NULL COMMENT 'The master log position of the last read event.', Host TEXT CHARACTER
> SET utf8 COLLATE utf8_bin COMMENT 'The host name of the master.', User_name TEXT CHARACTER
> SET utf8 COLLATE utf8_bin COMMENT 'The user name used to connect to the master.',
> User_password TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The password used to
> connect to the master.', Port INTEGER UNSIGNED NOT NULL COMMENT 'The network port used to
> connect to the master.', Connect_retry INTEGER UNSIGNED NOT NULL COMMENT 'The period (in
> seconds) that the slave will wait before trying to reconnect to the master.', Enabled_ssl
> BOOLEAN NOT NULL COMMENT 'In!
>
>   dicates whether the server supports SSL connections.', Ssl_ca TEXT CHARACTER SET
> utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Authority (CA)
> certificate.', Ssl_capath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path to
> the Certificate Authority (CA) certificates.', Ssl_cert TEXT CHARACTER SET utf8 COLLATE
> utf8_bin COMMENT 'The name of the SSL certificate file.', Ssl_cipher TEXT CHARACTER SET
> utf8 COLLATE utf8_bin COMMENT 'The name of the cipher in use for the SSL connection.',
> Ssl_key TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL key file.',
> Ssl_verify_server_cert BOOLEAN NOT NULL COMMENT 'Whether to verify the server
> certificate.', Heartbeat FLOAT NOT NULL COMMENT '', Bind TEXT CHARACTER SET utf8 COLLATE
> utf8_bin COMMENT 'Displays which interface is employed when connecting to the MySQL
> server', Ignored_server_ids TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The number
> of server IDs to be ignored, followed by the a!
>
>   ctual server IDs', Uuid TEXT CHARACTER SET utf8 COLLATE utf8_bin COMME
> NT 'The master server uuid.', Retry_count BIGINT UNSIGNED NOT NULL COMMENT 'Number of
> reconnect attempts, to the master, before giving up.', Ssl_crl TEXT CHARACTER SET utf8
> COLLATE utf8_bin COMMENT 'The file used for the Certificate Revocation List (CRL)',
> Ssl_crlpath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path used for
> Certificate Revocation List (CRL) files', PRIMARY KEY(Master_id)) ENGINE=MYISAM DEFAULT
> CHARSET=utf8 COMMENT 'Master Information';
>
>   --
>   -- PERFORMANCE SCHEMA INSTALLATION
>
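Review bot: the new Ssl_crl and Ssl_crlpath columns are appended after Retry_count, which is the order info_mi_fields[] and LINE_FOR_SSL_CRL/LINE_FOR_SSL_CRLPATH in rpl_mi.cc rely on; since the table repository reads the columns by position, a comment on that enum saying this column order must track it would prevent a silent mismatch later. The two new COMMENT strings also lack the trailing period every other column comment in this statement has ('The file used for the Certificate Revocation List (CRL)' vs 'The name of the SSL key file.').
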
> === modified file 'scripts/mysql_system_tables_fix.sql'
> --- a/scripts/mysql_system_tables_fix.sql	2011-04-07 09:55:09 +0000
> +++ b/scripts/mysql_system_tables_fix.sql	2011-06-17 13:53:47 +0000
> @@ -660,3 +660,6 @@ DROP TABLE tmp_proxies_priv;
>   # changes was correct
>
>   flush privileges;
> +
> +ALTER TABLE slave_master_info ADD Ssl_crl TEXT CHARACTER SET utf8 COLLATE utf8_bin
> COMMENT 'The file used for the Certificate Revocation List (CRL)';
> +ALTER TABLE slave_master_info ADD Ssl_crlpath TEXT CHARACTER SET utf8 COLLATE
> utf8_bin COMMENT 'The path used for Certificate Revocation List (CRL) files';
>
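Review bot: the two ALTER TABLE ... ADD statements are not idempotent: a second run of this script, or an upgrade from a server that already has the columns, fails with ER_DUP_FIELDNAME. Please confirm that mysql_upgrade still runs this file with errors ignored, as the other unguarded ALTERs in it assume, and cover the path with the upgrade/downgrade tests suggested above so that the Number_of_lines/column-count change is exercised.
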
> === modified file 'sql-common/client.c'
> --- a/sql-common/client.c	2011-05-31 13:52:09 +0000
> +++ b/sql-common/client.c	2011-06-17 13:53:47 +0000
> @@ -1011,7 +1011,7 @@ static const char *default_options[]=
>     "ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base-name",
>     "multi-results", "multi-statements", "multi-queries", "secure-auth",
>     "report-data-truncation", "plugin-dir", "default-auth",
> -  "bind-address",
> +  "bind-address", "ssl-crl", "ssl-crlpath",
>     NullS
>   };
>   enum option_id {
> @@ -1023,7 +1023,7 @@ enum option_id {
>     OPT_ssl_cipher, OPT_max_allowed_packet, OPT_protocol,
> OPT_shared_memory_base_name,
>     OPT_multi_results, OPT_multi_statements, OPT_multi_queries, OPT_secure_auth,
>     OPT_report_data_truncation, OPT_plugin_dir, OPT_default_auth,
> -  OPT_bind_address,
> +  OPT_bind_address, OPT_ssl_crl, OPT_ssl_crlpath,
>     OPT_keep_this_one_last
>   };
>
> @@ -1184,12 +1184,22 @@ void mysql_read_default_options(struct s
>             my_free(options->ssl_cipher);
>             options->ssl_cipher= my_strdup(opt_arg, MYF(MY_WME));
>             break;
> +	case OPT_ssl_crl:
> +	  my_free(options->ssl_crl);
> +          options->ssl_crl = my_strdup(opt_arg, MYF(MY_WME));
> +          break;
> +	case OPT_ssl_crlpath:
> +	  my_free(options->ssl_crlpath);
> +          options->ssl_crlpath = my_strdup(opt_arg, MYF(MY_WME));
> +          break;
>   #else
>   	case OPT_ssl_key:
>   	case OPT_ssl_cert:
>   	case OPT_ssl_ca:
>   	case OPT_ssl_capath:
>           case OPT_ssl_cipher:
> +        case OPT_ssl_crl:
> +        case OPT_ssl_crlpath:
>   	  break;
>   #endif /* HAVE_OPENSSL&&  !EMBEDDED_LIBRARY */
>   	case OPT_character_sets_dir:
> @@ -1644,15 +1654,18 @@ mysql_ssl_set(MYSQL *mysql __attribute__
>   	      const char *capath __attribute__((unused)),
>   	      const char *cipher __attribute__((unused)))
>   {
> +  my_bool result= 0;
>     DBUG_ENTER("mysql_ssl_set");
>   #if defined(HAVE_OPENSSL)&&  !defined(EMBEDDED_LIBRARY)
> -  mysql->options.ssl_key=    strdup_if_not_null(key);
> -  mysql->options.ssl_cert=   strdup_if_not_null(cert);
> -  mysql->options.ssl_ca=     strdup_if_not_null(ca);
> -  mysql->options.ssl_capath= strdup_if_not_null(capath);
> -  mysql->options.ssl_cipher= strdup_if_not_null(cipher);
> -#endif /* HAVE_OPENSSL&&  !EMBEDDED_LIBRARY */
> -  DBUG_RETURN(0);
> +  result=

Some stray spaces at the end above. ^

> +    mysql_options(mysql, MYSQL_OPT_SSL_KEY,    key)    +
> +    mysql_options(mysql, MYSQL_OPT_SSL_CERT,   cert)   +
> +    mysql_options(mysql, MYSQL_OPT_SSL_CA,     ca)     +
> +    mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) +
> +    mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)

And, a space at the end here ^.

> +    ? 1 : 0;
> +#endif
> +    DBUG_RETURN(result);
>   }
>
>
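Review bot: summing the five mysql_options() return values with + to build result obscures the intent; `result|= mysql_options(...)` per line (or `if (mysql_options(...)) result= 1;`) still evaluates every call, as the sum does, but states "any call failed" directly and does not rely on the return codes being non-negative. DBUG_RETURN(result) is also indented four spaces instead of the two used by the rest of the function body.
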
> @@ -1674,6 +1687,8 @@ mysql_ssl_free(MYSQL *mysql __attribute_
>     my_free(mysql->options.ssl_ca);
>     my_free(mysql->options.ssl_capath);
>     my_free(mysql->options.ssl_cipher);
> +  my_free(mysql->options.ssl_crl);
> +  my_free(mysql->options.ssl_crlpath);
>     if (ssl_fd)
>       SSL_CTX_free(ssl_fd->ssl_context);
>     my_free(mysql->connector_fd);
> @@ -1682,6 +1697,8 @@ mysql_ssl_free(MYSQL *mysql __attribute_
>     mysql->options.ssl_ca = 0;
>     mysql->options.ssl_capath = 0;
>     mysql->options.ssl_cipher= 0;
> +  mysql->options.ssl_crl = 0;
> +  mysql->options.ssl_crlpath = 0;
>     mysql->options.use_ssl = FALSE;
>     mysql->connector_fd = 0;
>     DBUG_VOID_RETURN;
> @@ -2350,7 +2367,8 @@ static int send_client_reply_packet(MCPV
>   #if defined(HAVE_OPENSSL)&&  !defined(EMBEDDED_LIBRARY)
>     if (mysql->options.ssl_key || mysql->options.ssl_cert ||
>         mysql->options.ssl_ca || mysql->options.ssl_capath ||
> -      mysql->options.ssl_cipher)
> +      mysql->options.ssl_cipher ||
> +      mysql->options.ssl_crl || mysql->options.ssl_crlpath)
>       mysql->options.use_ssl= 1;
>     if (mysql->options.use_ssl)
>       mysql->client_flag|= CLIENT_SSL;
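Review bot: a client that sets only --ssl-crl or --ssl-crlpath now switches on use_ssl, but is the CRL applied when no --ssl-ca/--ssl-capath is given? If the connector only verifies the server certificate when a CA source is configured, such a client gets a connection that looks CRL-checked but is not. Consider rejecting (or at least warning on) a crl option without a CA source, here or in new_VioSSLConnectorFd, so the misconfiguration fails closed instead of silently skipping revocation checking.
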
> @@ -2411,7 +2429,9 @@ static int send_client_reply_packet(MCPV
>                                           options->ssl_ca,
>                                           options->ssl_capath,
>                                           options->ssl_cipher,
> -&ssl_init_error)))
> +&ssl_init_error,
> +                                        options->ssl_crl,
> +                                        options->ssl_crlpath)))
>       {
>         set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
>                                  ER(CR_SSL_CONNECTION_ERROR),
> sslGetErrString(ssl_init_error));
> @@ -3975,6 +3995,20 @@ mysql_fetch_lengths(MYSQL_RES *res)
>     return res->lengths;
>   }
>
> +#if defined(HAVE_OPENSSL)&&  !defined(EMBEDDED_LIBRARY)
> +#define SET_SSL_OPTION(opt_var,arg) \
> +    if (mysql->options.opt_var) \
> +      my_free(mysql->options.opt_var); \
> +    mysql->options.opt_var= arg ? my_strdup(arg, MYF(MY_WME)) : NULL; \
> +    if (mysql->options.opt_var) \
> +      mysql->options.use_ssl= 1
> +#else
> +#define SET_SSL_OPTION(opt_var,arg) \
> +    { \
> +      ; \
> +    } while(0)
> +#endif
> +
>
>   int STDCALL
>   mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
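Review bot: the non-OpenSSL SET_SSL_OPTION expands to `{ ; } while(0)`, a bare block followed by an empty `while(0)` loop (the `do` is missing); it compiles only thanks to the semicolon in each `case`. Wrap both variants in a proper do { ... } while(0): the OpenSSL version is three statements and breaks the first time it is used under an unbraced if. Separately, when my_strdup() fails the option is left NULL and nothing is reported, so mysql_options() returns 0 and the connection proceeds without the CRL the caller asked for; please return 1 on allocation failure.
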
> @@ -4066,6 +4100,13 @@ mysql_options(MYSQL *mysql,enum mysql_op
>     case MYSQL_DEFAULT_AUTH:
>       EXTENSION_SET_STRING(&mysql->options, default_auth, arg);
>       break;
> +  case MYSQL_OPT_SSL_KEY:      SET_SSL_OPTION(ssl_key, arg);     break;
> +  case MYSQL_OPT_SSL_CERT:     SET_SSL_OPTION(ssl_cert, arg);    break;
> +  case MYSQL_OPT_SSL_CA:       SET_SSL_OPTION(ssl_ca, arg);      break;
> +  case MYSQL_OPT_SSL_CAPATH:   SET_SSL_OPTION(ssl_capath, arg);  break;
> +  case MYSQL_OPT_SSL_CIPHER:   SET_SSL_OPTION(ssl_cipher, arg);  break;
> +  case MYSQL_OPT_SSL_CRL:      SET_SSL_OPTION(ssl_crl, arg);     break;
> +  case MYSQL_OPT_SSL_CRLPATH:  SET_SSL_OPTION(ssl_crlpath, arg); break;
>     default:
>       DBUG_RETURN(1);
>     }
>
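Review bot: in a build without OpenSSL (or with the embedded library) the new MYSQL_OPT_SSL_* cases return 0 while SET_SSL_OPTION discards the value, so an application requesting CRL checking gets a success return and no revocation checking at all. Returning 1 from the #else branch, as the default case does for unknown options, lets callers detect that the option is unsupported instead of failing open.
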
> === modified file 'sql/lex.h'
> --- a/sql/lex.h	2010-11-25 11:20:16 +0000
> +++ b/sql/lex.h	2011-06-17 13:53:47 +0000
> @@ -331,6 +331,8 @@ static SYMBOL symbols[] = {
>     { "MASTER_SSL_CAPATH",SYM(MASTER_SSL_CAPATH_SYM)},
>     { "MASTER_SSL_CERT",  SYM(MASTER_SSL_CERT_SYM)},
>     { "MASTER_SSL_CIPHER",SYM(MASTER_SSL_CIPHER_SYM)},
> +  { "MASTER_SSL_CRL",   SYM(MASTER_SSL_CRL_SYM)},
> +  { "MASTER_SSL_CRLPATH",SYM(MASTER_SSL_CRLPATH_SYM)},
>     { "MASTER_SSL_KEY",   SYM(MASTER_SSL_KEY_SYM)},
>     { "MASTER_SSL_VERIFY_SERVER_CERT", SYM(MASTER_SSL_VERIFY_SERVER_CERT_SYM)},
>     { "MASTER_USER",           SYM(MASTER_USER_SYM)},
>
> === modified file 'sql/mysqld.cc'
> --- a/sql/mysqld.cc	2011-06-06 10:29:45 +0000
> +++ b/sql/mysqld.cc	2011-06-17 13:53:47 +0000
> @@ -911,7 +911,8 @@ HANDLE smem_event_connect_request= 0;
>
>   my_bool opt_use_ssl  = 0;
>   char *opt_ssl_ca= NULL, *opt_ssl_capath= NULL, *opt_ssl_cert= NULL,
> -     *opt_ssl_cipher= NULL, *opt_ssl_key= NULL;
> +     *opt_ssl_cipher= NULL, *opt_ssl_key= NULL, *opt_ssl_crl= NULL,
> +     *opt_ssl_crlpath= NULL;
>
>   #ifdef HAVE_OPENSSL
>   #include<openssl/crypto.h>
> @@ -3853,7 +3854,8 @@ static void init_ssl()
>       /* having ssl_acceptor_fd != 0 signals the use of SSL */
>       ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
>   					  opt_ssl_ca, opt_ssl_capath,
> -					  opt_ssl_cipher,&error);
> +					  opt_ssl_cipher,&error,
> +                                          opt_ssl_crl, opt_ssl_crlpath);
>       DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_fd));
>       if (!ssl_acceptor_fd)
>       {
>
> === modified file 'sql/mysqld.h'
> --- a/sql/mysqld.h	2011-05-19 09:11:38 +0000
> +++ b/sql/mysqld.h	2011-06-17 13:53:47 +0000
> @@ -477,7 +477,7 @@ extern int32 thread_running;
>   extern my_atomic_rwlock_t thread_running_lock;
>
>   extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cipher,
> -            *opt_ssl_key;
> +            *opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath;
>
>   extern MYSQL_PLUGIN_IMPORT pthread_key(THD*, THR_THD);
>
> @@ -533,7 +533,9 @@ enum options_mysqld
>     OPT_WANT_CORE,
>     OPT_ENGINE_CONDITION_PUSHDOWN,
>     OPT_LOG_ERROR,
> -  OPT_MAX_LONG_DATA_SIZE
> +  OPT_MAX_LONG_DATA_SIZE,
> +  OPT_SSL_CRL,
> +  OPT_SSL_CRLPATH,
>   };
>
>
>
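Review bot: the trailing comma after OPT_SSL_CRLPATH leaves the enum ending in `,` before `};`, which C++03 compilers flag under -pedantic (comma at end of enumerator list); the previous last enumerator OPT_MAX_LONG_DATA_SIZE had none. Drop it to match the rest of the enum.
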
> === modified file 'sql/rpl_mi.cc'
> --- a/sql/rpl_mi.cc	2011-04-28 16:50:10 +0000
> +++ b/sql/rpl_mi.cc	2011-06-17 13:53:47 +0000
> @@ -43,8 +43,14 @@ enum {
>     /* line for master_retry_count */
>     LINE_FOR_MASTER_RETRY_COUNT= 20,
>
> +  /* line for ssl_crl */
> +  LINE_FOR_SSL_CRL= 21,
> +
> +  /* line for ssl_crl */
> +  LINE_FOR_SSL_CRLPATH= 22,
> +
>     /* Number of lines currently used when saving master info file */
> -  LINES_IN_MASTER_INFO= LINE_FOR_MASTER_RETRY_COUNT
> +  LINES_IN_MASTER_INFO= LINE_FOR_SSL_CRLPATH
>   };
>
>   /*
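Review bot: the comment above LINE_FOR_SSL_CRLPATH says "/* line for ssl_crl */", a copy of the previous entry; it should read ssl_crlpath. Since LINES_IN_MASTER_INFO now jumps to 22 and read_info() below guards only on lines >= LINE_FOR_SSL_CRLPATH, a short note here that the two entries are always written together would document why there is no separate LINE_FOR_SSL_CRL check.
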
> @@ -73,7 +79,9 @@ const char *info_mi_fields []=
>     "bind",
>     "ignore_server_ids",
>     "uuid",
> -  "retry_count"
> +  "retry_count",
> +  "ssl_crl",
> +  "ssl_crlpath",
>   };
>
>   Master_info::Master_info(
> @@ -105,6 +113,7 @@ Master_info::Master_info(
>     host[0] = 0; user[0] = 0; password[0] = 0; bind_addr[0] = 0;
>     ssl_ca[0]= 0; ssl_capath[0]= 0; ssl_cert[0]= 0;
>     ssl_cipher[0]= 0; ssl_key[0]= 0;
> +  ssl_crl[0]= 0; ssl_crlpath[0]= 0;
>     master_uuid[0]= 0;
>     ignore_server_ids= new Server_ids();
>   }
> @@ -412,6 +421,13 @@ bool Master_info::read_info(Rpl_info_han
>         DBUG_RETURN(TRUE);
>     }
>
> +  if (lines>= LINE_FOR_SSL_CRLPATH)
> +  {
> +    if (from->get_info(ssl_crl, sizeof(ssl_crl), 0) ||
> +        from->get_info(ssl_crlpath, sizeof(ssl_crlpath), 0))
> +      DBUG_RETURN(TRUE);
> +  }
> +
>     ssl= (my_bool) test(temp_ssl);
>     ssl_verify_server_cert= (my_bool) test(temp_ssl_verify_server_cert);
>     master_log_pos= (my_off_t) temp_master_log_pos;
> @@ -457,7 +473,9 @@ bool Master_info::write_info(Rpl_info_ha
>         to->set_info(bind_addr) ||
>         to->set_info(ignore_server_ids) ||
>         to->set_info(master_uuid) ||
> -      to->set_info(retry_count))
> +      to->set_info(retry_count) ||
> +      to->set_info(ssl_crl) ||
> +      to->set_info(ssl_crlpath))
>       DBUG_RETURN(TRUE);
>
>     if (to->flush_info(force))
>
> === modified file 'sql/rpl_mi.h'
> --- a/sql/rpl_mi.h	2011-04-28 16:50:10 +0000
> +++ b/sql/rpl_mi.h	2011-06-17 13:53:47 +0000
> @@ -73,6 +73,7 @@ public:
>     my_bool ssl; // enables use of SSL connection if true
>     char ssl_ca[FN_REFLEN], ssl_capath[FN_REFLEN], ssl_cert[FN_REFLEN];
>     char ssl_cipher[FN_REFLEN], ssl_key[FN_REFLEN];
> +  char ssl_crl[FN_REFLEN], ssl_crlpath[FN_REFLEN];
>     my_bool ssl_verify_server_cert;
>
>     MYSQL* mysql;
>
> === modified file 'sql/rpl_slave.cc'
> --- a/sql/rpl_slave.cc	2011-06-10 16:57:01 +0000
> +++ b/sql/rpl_slave.cc	2011-06-17 13:53:47 +0000
> @@ -2050,6 +2050,10 @@ bool show_master_info(THD* thd, Master_i
>                                                sizeof(mi->bind_addr)));
>     field_list.push_back(new Item_empty_string("Last_IO_Error_Timestamp", 20));
>     field_list.push_back(new Item_empty_string("Last_SQL_Error_Timestamp", 20));
> +  field_list.push_back(new Item_empty_string("Master_SSL_Crl",
> +                                             sizeof(mi->ssl_crl)));
> +  field_list.push_back(new Item_empty_string("Master_SSL_Crlpath",
> +                                             sizeof(mi->ssl_crlpath)));
>
>
>     if (protocol->send_result_set_metadata(&field_list,
> @@ -2227,6 +2231,10 @@ bool show_master_info(THD* thd, Master_i
>       protocol->store(mi->last_error().timestamp,&my_charset_bin);
>       // Last_SQL_Error_Timestamp
>       protocol->store(mi->rli->last_error().timestamp,&my_charset_bin);
> +    // Master_Ssl_Crl
> +    protocol->store(mi->ssl_ca,&my_charset_bin);
> +    // Master_Ssl_Crlpath
> +    protocol->store(mi->ssl_capath,&my_charset_bin);
>
>       mysql_mutex_unlock(&mi->rli->err_lock);
>       mysql_mutex_unlock(&mi->err_lock);
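Review bot: Master_SSL_Crl and Master_SSL_Crlpath are filled from the wrong fields: protocol->store(mi->ssl_ca, ...) and protocol->store(mi->ssl_capath, ...) should be mi->ssl_crl and mi->ssl_crlpath. As written, SHOW SLAVE STATUS reports the CA file and path under the CRL column names, so an operator checking that revocation is configured on the slave will be misled, and it means the rpl tests do not compare these columns against the CHANGE MASTER values (worth adding). The comments also differ in case from the metadata names (Master_Ssl_Crl vs Master_SSL_Crl).
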
> @@ -4701,6 +4709,10 @@ static int connect_to_master(THD* thd, M
>                     mi->ssl_ca[0]?mi->ssl_ca:0,
>                     mi->ssl_capath[0]?mi->ssl_capath:0,
>                     mi->ssl_cipher[0]?mi->ssl_cipher:0);
> +    mysql_options(mysql, MYSQL_OPT_SSL_CRL,
> +                  mi->ssl_crl[0] ? mi->ssl_crl : 0);
> +    mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
> +                  mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
>       mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
>                     &mi->ssl_verify_server_cert);
>     }
> @@ -4832,6 +4844,10 @@ MYSQL *rpl_connect_master(MYSQL *mysql)
>                     mi->ssl_ca[0]?mi->ssl_ca:0,
>                     mi->ssl_capath[0]?mi->ssl_capath:0,
>                     mi->ssl_cipher[0]?mi->ssl_cipher:0);
> +    mysql_options(mysql, MYSQL_OPT_SSL_CRL,
> +                  mi->ssl_crl[0] ? mi->ssl_crl : 0);
> +    mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
> +                  mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
>       mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
>                     &mi->ssl_verify_server_cert);
>     }
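Review bot: this four-line mysql_options() block for MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH is a verbatim copy of the one added to connect_to_master() in the hunk above. Rather than maintaining two copies that can drift apart (a future change to one path but not the other would silently leave one replication connection without CRL checking), consider a small helper that takes the Master_info and applies both CRL options right after the existing mysql_ssl_set() call, and use it from both places.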
> @@ -5902,10 +5918,14 @@ bool change_master(THD* thd, Master_info
>       strmake(mi->ssl_cipher, lex_mi->ssl_cipher,
> sizeof(mi->ssl_cipher)-1);
>     if (lex_mi->ssl_key)
>       strmake(mi->ssl_key, lex_mi->ssl_key, sizeof(mi->ssl_key)-1);
> +  if (lex_mi->ssl_crl)
> +    strmake(mi->ssl_crl, lex_mi->ssl_crl, sizeof(mi->ssl_crl)-1);
> +  if (lex_mi->ssl_crlpath)
> +    strmake(mi->ssl_crlpath, lex_mi->ssl_crlpath,
> sizeof(mi->ssl_crlpath)-1);
>   #ifndef HAVE_OPENSSL
>     if (lex_mi->ssl || lex_mi->ssl_ca || lex_mi->ssl_capath ||
>         lex_mi->ssl_cert || lex_mi->ssl_cipher || lex_mi->ssl_key ||
> -      lex_mi->ssl_verify_server_cert )
> +      lex_mi->ssl_verify_server_cert || lex_mi->ssl_crl ||
> lex_mi->ssl_crlpath)
>       push_warning(thd, MYSQL_ERROR::WARN_LEVEL_NOTE,
>                    ER_SLAVE_IGNORED_SSL_PARAMS, ER(ER_SLAVE_IGNORED_SSL_PARAMS));
>   #endif
>
> === modified file 'sql/sql_lex.h'
> --- a/sql/sql_lex.h	2011-06-10 09:52:57 +0000
> +++ b/sql/sql_lex.h	2011-06-17 13:53:47 +0000
> @@ -220,6 +220,7 @@ typedef struct st_lex_master_info
>       ssl, ssl_verify_server_cert, heartbeat_opt, repl_ignore_server_ids_opt,
>       retry_count_opt;
>     char *ssl_key, *ssl_cert, *ssl_ca, *ssl_capath, *ssl_cipher;
> +  char *ssl_crl, *ssl_crlpath;
>     char *relay_log_name;
>     ulong relay_log_pos;
>     DYNAMIC_ARRAY repl_ignore_server_ids;
>
> === modified file 'sql/sql_yacc.yy'
> --- a/sql/sql_yacc.yy	2011-06-09 18:18:22 +0000
> +++ b/sql/sql_yacc.yy	2011-06-17 13:53:47 +0000
> @@ -1088,6 +1088,8 @@ bool my_yyoverflow(short **a, YYSTYPE **
>   %token  MASTER_SSL_CA_SYM
>   %token  MASTER_SSL_CERT_SYM
>   %token  MASTER_SSL_CIPHER_SYM
> +%token  MASTER_SSL_CRL_SYM
> +%token  MASTER_SSL_CRLPATH_SYM
>   %token  MASTER_SSL_KEY_SYM
>   %token  MASTER_SSL_SYM
>   %token  MASTER_SSL_VERIFY_SERVER_CERT_SYM
> @@ -1964,6 +1966,14 @@ master_def:
>               Lex->mi.ssl_verify_server_cert= $3 ?
>                 LEX_MASTER_INFO::LEX_MI_ENABLE : LEX_MASTER_INFO::LEX_MI_DISABLE;
>             }
> +        | MASTER_SSL_CRL_SYM EQ TEXT_STRING_sys
> +          {
> +            Lex->mi.ssl_crl= $3.str;
> +          }
> +        | MASTER_SSL_CRLPATH_SYM EQ TEXT_STRING_sys
> +          {
> +            Lex->mi.ssl_crlpath= $3.str;
> +          }
>
>           | MASTER_HEARTBEAT_PERIOD_SYM EQ NUM_literal
>             {
> @@ -12727,6 +12737,8 @@ keyword_sp:
>           | MASTER_SSL_CAPATH_SYM    {}
>           | MASTER_SSL_CERT_SYM      {}
>           | MASTER_SSL_CIPHER_SYM    {}
> +        | MASTER_SSL_CRL_SYM       {}
> +        | MASTER_SSL_CRLPATH_SYM   {}
>           | MASTER_SSL_KEY_SYM       {}
>           | MAX_CONNECTIONS_PER_HOUR {}
>           | MAX_QUERIES_PER_HOUR     {}
>
> === modified file 'sql/sys_vars.cc'
> --- a/sql/sys_vars.cc	2011-06-10 16:57:01 +0000
> +++ b/sql/sys_vars.cc	2011-06-17 13:53:47 +0000
> @@ -2293,6 +2293,19 @@ static Sys_var_charptr Sys_ssl_key(
>          READ_ONLY GLOBAL_VAR(opt_ssl_key), SSL_OPT(OPT_SSL_KEY),
>          IN_FS_CHARSET, DEFAULT(0));
>
> +static Sys_var_charptr Sys_ssl_crl(
> +       "ssl_crl",
> +       "CRL file in PEM format (check OpenSSL docs, implies --ssl)",
> +       READ_ONLY GLOBAL_VAR(opt_ssl_crl), SSL_OPT(OPT_SSL_CA),
> +       IN_FS_CHARSET, DEFAULT(0));
> +
> +static Sys_var_charptr Sys_ssl_crlpath(
> +       "ssl_crlpath",
> +       "CRL directory (check OpenSSL docs, implies --ssl)",
> +       READ_ONLY GLOBAL_VAR(opt_ssl_crlpath), SSL_OPT(OPT_SSL_CAPATH),
> +       IN_FS_CHARSET, DEFAULT(0));
> +
> +
>   // why ENUM and not BOOL ?
>   static const char *updatable_views_with_limit_names[]= {"NO", "YES", 0};
>   static Sys_var_enum Sys_updatable_views_with_limit(
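Review bot: the SSL_OPT() ids look copy-pasted: Sys_ssl_crl is declared with SSL_OPT(OPT_SSL_CA) and Sys_ssl_crlpath with SSL_OPT(OPT_SSL_CAPATH), whereas every other variable in this block carries an id matching its own option (e.g. Sys_ssl_key with OPT_SSL_KEY). Sharing the id of --ssl-ca / --ssl-capath means any option handling keyed on that id cannot tell --ssl-crl from --ssl-ca; each new variable needs its own dedicated option id, following the OPT_SSL_KEY pattern. The hunk also adds two trailing blank lines before the `// why ENUM and not BOOL ?` comment; one of them should go.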
>
> === modified file 'vio/viosslfactories.c'
> --- a/vio/viosslfactories.c	2011-05-19 09:47:43 +0000
> +++ b/vio/viosslfactories.c	2011-06-17 13:53:47 +0000
> @@ -165,19 +165,22 @@ static struct st_VioSSLFd *
>   new_VioSSLFd(const char *key_file, const char *cert_file,
>                const char *ca_file, const char *ca_path,
>                const char *cipher, SSL_METHOD *method,
> -             enum enum_ssl_init_error *error)
> +             enum enum_ssl_init_error *error,
> +             const char *crl_file, const char *crl_path)
>   {
>     DH *dh;
>     struct st_VioSSLFd *ssl_fd;
>     DBUG_ENTER("new_VioSSLFd");
>     DBUG_PRINT("enter",
>                ("key_file: '%s'  cert_file: '%s'  ca_file: '%s'  ca_path: '%s'  "
> -              "cipher: '%s'",
> +              "cipher: '%s' crl_file: '%s' crl_path: '%s' ",
>                 key_file ? key_file : "NULL",
>                 cert_file ? cert_file : "NULL",
>                 ca_file ? ca_file : "NULL",
>                 ca_path ? ca_path : "NULL",
> -              cipher ? cipher : "NULL"));
> +              cipher ? cipher : "NULL",
> +              ca_file ? ca_file : "NULL",
> +              ca_path ? ca_path : "NULL"));
>
>     check_ssl_init();
>
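Review bot: the DBUG_PRINT argument list does not match the extended format string: two placeholders `crl_file: '%s' crl_path: '%s'` were added, but the values supplied for them are `ca_file ? ca_file : "NULL"` and `ca_path ? ca_path : "NULL"` again, so the trace prints the CA locations twice and never the CRL locations. Replace the last two arguments with `crl_file ? crl_file : "NULL"` and `crl_path ? crl_path : "NULL"`. Minor: the new format string ends with a stray space after the last '%s', and the new parameters are appended after `error` rather than next to ca_file/ca_path, which reads oddly for a path pair and is repeated in the two wrapper signatures below.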
> @@ -225,6 +228,25 @@ new_VioSSLFd(const char *key_file, const
>       }
>     }
>
> +  if (crl_file || crl_path)
> +  {
> +    X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
> +    /* Load crls from the trusted ca */
> +    if (X509_STORE_load_locations(store, crl_file, crl_path) == 0 ||
> +        X509_STORE_set_flags(store,
> +                             X509_V_FLAG_CRL_CHECK |
> +                             X509_V_FLAG_CRL_CHECK_ALL) == 0)
> +    {
> +      DBUG_PRINT("warning", ("X509_STORE_load_locations for CRL failed"));
> +      *error= SSL_INITERR_BAD_PATHS;
> +      DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
> +      report_errors();
> +      SSL_CTX_free(ssl_fd->ssl_context);
> +      my_free(ssl_fd);
> +      DBUG_RETURN(0);
> +    }
> +  }
> +
>     if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
>     {
>       DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
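Review bot: the comment `/* Load crls from the trusted ca */` is misleading and the error text is too narrow. X509_STORE_load_locations() here loads the CRL file and/or registers the hashed CRL directory with the context's X509 store, and the `||` condition also covers X509_STORE_set_flags(), so the warning "X509_STORE_load_locations for CRL failed" can be emitted when it was the flag setting that failed; name both in the comment and message. Two behavioural caveats worth recording in the option help text: X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL require a CRL for every CA in the chain, so a peer whose issuer has no CRL in the store fails verification (unable to get CRL) rather than being accepted without a revocation check, which is the safe default but will surprise users who supply a CRL for only one CA; and when only crl_path is given, X509_STORE_load_locations() merely registers the directory for hash-name lookup and does not verify that it contains usable CRL files, so a misconfigured directory is only noticed at handshake time, not at startup.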
> @@ -249,7 +271,8 @@ new_VioSSLFd(const char *key_file, const
>   struct st_VioSSLFd *
>   new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
>                         const char *ca_file, const char *ca_path,
> -                      const char *cipher, enum enum_ssl_init_error* error)
> +                      const char *cipher, enum enum_ssl_init_error* error,
> +                      const char *crl_file, const char *crl_path)
>   {
>     struct st_VioSSLFd *ssl_fd;
>     int verify= SSL_VERIFY_PEER;
> @@ -262,7 +285,8 @@ new_VioSSLConnectorFd(const char *key_fi
>       verify= SSL_VERIFY_NONE;
>
>     if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
> -                             ca_path, cipher, TLSv1_client_method(), error)))
> +                             ca_path, cipher, TLSv1_client_method(), error,
> +                             crl_file, crl_path)))
>     {
>       return 0;
>     }
> @@ -279,12 +303,14 @@ new_VioSSLConnectorFd(const char *key_fi
>   struct st_VioSSLFd *
>   new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
>   		     const char *ca_file, const char *ca_path,
> -		     const char *cipher, enum enum_ssl_init_error* error)
> +		     const char *cipher, enum enum_ssl_init_error* error,
> +                     const char *crl_file, const char *crl_path)
>   {
>     struct st_VioSSLFd *ssl_fd;
>     int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
>     if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
> -                             ca_path, cipher, TLSv1_server_method(), error)))
> +                             ca_path, cipher, TLSv1_server_method(), error,
> +                             crl_file, crl_path)))
>     {
>       return 0;
>     }
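Review bot: indentation in the new_VioSSLAcceptorFd() signature is mixed: the existing continuation lines are indented with tabs while the added `const char *crl_file, const char *crl_path)` line uses spaces, so the parameters only line up at one tab width. Match the surrounding lines, or convert the whole signature to spaces as new_VioSSLConnectorFd() already is.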