From: Nirbhay Choubey Date: July 5 2011 7:08pm Subject: Re: bzr commit into mysql-trunk branch (Georgi.Kodinov:3200) Bug#11747191 List-Archive: http://lists.mysql.com/commits/140203 Message-Id: <4E136144.6080606@oracle.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="__130989297654746935abhmt107.oracle.com" --__130989297654746935abhmt107.oracle.com Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi Joro, Overall patch looks good, however I would suggest : 1) The code + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); is getting repeated in all the client programs and rpl_slave.cc. IMHO, we should add something like 'mysql_ssl_set_extended()' in=20 client.c to make it call 'mysql_ssl_set()' and further add the two new=20 introduced options. 2) The added tests look sufficient, but it would be good if we also get it tested with upgrade/downgrade tests scenarios. 3) Please fix openssl_1 test under main suite. 4) Found a couple of stray spaces (mentioned below). Best, Nirbhay On Friday 17 June 2011 07:23 PM, Georgi Kodinov wrote: > #Atfile:///Users/kgeorge/mysql/work/B11747191-trunk/ based onrevid:mar= ko.makela@stripped > > 3200 Georgi Kodinov 2011-06-17 > Bug #11747191: 31224: SUPPORT FOR SSL CERTIFICATE REVOCATION LIS= TS > > Added support for --ssl-crl and --ssl-crlpath to all client and = server binaries > that work with OpenSSL. > You can specify none, one or both of the above. > > --ssl-crl takes a file path for a PEM encoded Certificate revoca= tion lists. > The relevant file is parsed and loaded into the X509 store of th= e SSL context. > > --ssl-crlpath takes a directory path. This directory must contai= n PEM encoded > CRL (or other) files that are named by their hash value, .e.g..r[0-9] > > See OpenSSL's X509_STORE_load_locations() for more details of th= e above. 
> Note that if none of the --ssl-crl* options is specified no CRL = checks will be > performed, even if the -capath contains certificate revocation l= ists. > > Added Master_SSL_crl and Master_SSL_CRLPATH to CHANGE MASTER com= mand. > Added new columns Ssl_crl and Ssl_crlpath to mysql.slave_master_= info system table. > Reengineered mysql_ssl_set() in the C API into a number of mysql= _options calls > as follows (while keeping mysql_ssl_add()): > > mysql_ssl_add(mysql, key, cert, ca, capath, cipher) > { > mysql_options(mysql, MYSQL_OPT_SSL_KEY, key) > mysql_options(mysql, MYSQL_OPT_SSL_CERT, cert) > mysql_options(mysql, MYSQL_OPT_SSL_CA, ca) > mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) > mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher) > } > > Added two new mysql_options that correspond to the command line = calls : > MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH. > > Added tests and a set of cryptographic keys and crls to test the= new options. > > added: > mysql-test/include/have_openssl.inc > mysql-test/r/openssl.require > mysql-test/r/ssl-crl-clients.result > mysql-test/r/ssl-crl-empty-crl.result > mysql-test/r/ssl-crl-revoked-crl.result > mysql-test/r/ssl-crl-revoked-crlpath.result > mysql-test/std_data/crl-ca-cert.pem > mysql-test/std_data/crl-client-cert.pem > mysql-test/std_data/crl-client-key.pem > mysql-test/std_data/crl-client-revoked.crl > mysql-test/std_data/crl-empty.crl > mysql-test/std_data/crl-server-cert.pem > mysql-test/std_data/crl-server-key.pem > mysql-test/std_data/crldir/ > mysql-test/std_data/crldir/fc725416.r0 > mysql-test/t/ssl-crl-clients-master.opt > mysql-test/t/ssl-crl-clients.test > mysql-test/t/ssl-crl-empty-crl-master.opt > mysql-test/t/ssl-crl-empty-crl.test > mysql-test/t/ssl-crl-revoked-crl-master.opt > mysql-test/t/ssl-crl-revoked-crl.test > mysql-test/t/ssl-crl-revoked-crlpath-master.opt > mysql-test/t/ssl-crl-revoked-crlpath.test > modified: > client/client_priv.h > client/mysql.cc > client/mysqladmin.cc > 
client/mysqlcheck.c
> client/mysqldump.c
> client/mysqlimport.c
> client/mysqlshow.c
> client/mysqlslap.c
> client/mysqltest.cc
> include/mysql.h
> include/mysql.h.pp
> include/sslopt-case.h
> include/sslopt-longopts.h
> include/sslopt-vars.h
> include/violite.h
> mysql-test/include/check-testcase.test
> mysql-test/r/variables.result
> mysql-test/suite/sys_vars/r/all_vars.result
> scripts/mysql_system_tables.sql
> scripts/mysql_system_tables_fix.sql
> sql-common/client.c
> sql/lex.h
> sql/mysqld.cc
> sql/mysqld.h
> sql/rpl_mi.cc
> sql/rpl_mi.h
> sql/rpl_slave.cc
> sql/sql_lex.h
> sql/sql_yacc.yy
> sql/sys_vars.cc
> vio/viosslfactories.c
> =3D=3D=3D modified file 'client/client_priv.h'
> --- a/client/client_priv.h 2011-06-09 17:44:21 +0000
> +++ b/client/client_priv.h 2011-06-17 13:53:47 +0000
> @@ -87,6 +87,7 @@ enum options_client
> OPT_DEFAULT_PLUGIN,
> OPT_RAW_OUTPUT, OPT_WAIT_SERVER_ID, OPT_STOP_NEVER,
> OPT_BINLOG_ROWS_EVENT_MAX_SIZE,
> + OPT_SSL_CRL, OPT_SSL_CRLPATH,
> OPT_MAX_CLIENT_OPTION
> };
>
>
> =3D=3D=3D modified file 'client/mysql.cc'
> --- a/client/mysql.cc 2011-06-09 17:44:21 +0000
> +++ b/client/mysql.cc 2011-06-17 13:53:47 +0000
> @@ -4301,8 +4301,12 @@ sql_real_connect(char *host,char *databa
> mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE, (char*)&opt_local_in= file);
> #if defined(HAVE_OPENSSL)&& !defined(EMBEDDED_LIBRARY)
> if (opt_use_ssl)
> + {
> mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> + }
> mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
> (char*)&opt_ssl_verify_server_cert);
> #endif
>
> =3D=3D=3D modified file 'client/mysqladmin.cc'
> --- a/client/mysqladmin.cc 2011-06-06 10:29:45 +0000
> +++ b/client/mysqladmin.cc 2011-06-17 13:53:47 +0000
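Review bot: Inside `if (opt_use_ssl)` the two new `mysql_options()` calls pass `opt_ssl_crl` and `opt_ssl_crlpath` unconditionally, and both are NULL whenever SSL was enabled without `--ssl-crl`/`--ssl-crlpath` (sslopt-vars.h initialises them to 0). The `MYSQL_OPT_SSL_CRL`/`MYSQL_OPT_SSL_CRLPATH` handler in sql-common/client.c is not in this excerpt, so please confirm it treats a NULL argument as "not set" rather than copying it; if it does not, guard the calls as `if (opt_ssl_crl) mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);` and likewise for crlpath. The same pattern appears in the mysqladmin, mysqlcheck, mysqldump, mysqlimport, mysqlshow, mysqlslap and mysqltest hunks below, so one answer covers all of them. sql_real_connect() starts and ends outside the hunk.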
> @@ -340,8 +340,12 @@ int main(int argc,char *argv[])
> }
> #ifdef HAVE_OPENSSL
> if (opt_use_ssl)
> + {
> mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> + }
> mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
> (char*)&opt_ssl_verify_server_cert);
> #endif
>
> =3D=3D=3D modified file 'client/mysqlcheck.c'
> --- a/client/mysqlcheck.c 2011-06-06 10:29:45 +0000
> +++ b/client/mysqlcheck.c 2011-06-17 13:53:47 +0000
> @@ -835,8 +835,12 @@ static int dbConnect(char *host, char *u
> mysql_options(&mysql_connection, MYSQL_OPT_COMPRESS, NullS);
> #ifdef HAVE_OPENSSL
> if (opt_use_ssl)
> + {
> mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_s= sl_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_cr= lpath);
> + }
> #endif
> if (opt_protocol)
> mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_pr= otocol);
>
> =3D=3D=3D modified file 'client/mysqldump.c'
> --- a/client/mysqldump.c 2011-06-06 10:29:45 +0000
> +++ b/client/mysqldump.c 2011-06-17 13:53:47 +0000
> @@ -1465,8 +1465,12 @@ static int connect_to_db(char *host, cha
> mysql_options(&mysql_connection,MYSQL_OPT_COMPRESS,NullS);
> #ifdef HAVE_OPENSSL
> if (opt_use_ssl)
> + {
> mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_s= sl_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_cr= lpath);
> + }
> mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
> (char*)&opt_ssl_verify_server_cert);
> #endif
>
> =3D=3D=3D modified file 'client/mysqlimport.c'
> --- a/client/mysqlimport.c 2011-06-06 10:29:45 +0000
> +++ b/client/mysqlimport.c 2011-06-17 13:53:47 +0000
> @@ -430,8 +430,12 @@ static MYSQL *db_connect(char *host, cha
> (char*)&opt_local_file);
> #ifdef HAVE_OPENSSL
> if (opt_use_ssl)
> + {
> mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> + }
> mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
> (char*)&opt_ssl_verify_server_cert);
> #endif
>
> =3D=3D=3D modified file 'client/mysqlshow.c'
> --- a/client/mysqlshow.c 2011-06-06 10:29:45 +0000
> +++ b/client/mysqlshow.c 2011-06-17 13:53:47 +0000
> @@ -113,8 +113,12 @@ int main(int argc, char **argv)
> mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
> #ifdef HAVE_OPENSSL
> if (opt_use_ssl)
> + {
> mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> + }
> mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
> (char*)&opt_ssl_verify_server_cert);
> #endif
>
> =3D=3D=3D modified file 'client/mysqlslap.c'
> --- a/client/mysqlslap.c 2011-06-06 10:29:45 +0000
> +++ b/client/mysqlslap.c 2011-06-17 13:53:47 +0000
> @@ -330,8 +330,12 @@ int main(int argc, char **argv)
> mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS);
> #ifdef HAVE_OPENSSL
> if (opt_use_ssl)
> + {
> mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath);
> + }
> #endif
> if (opt_protocol)
> mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol);
>
> =3D=3D=3D modified file 'client/mysqltest.cc'
> --- a/client/mysqltest.cc 2011-06-06 10:29:45 +0000
> +++ b/client/mysqltest.cc 2011-06-17 13:53:47 +0000
> @@ -5405,6 +5405,8 @@ void do_connect(struct st_command *comma
> #if defined(HAVE_OPENSSL)&& !defined(EMBEDDED_LIBRARY)
> mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ss= l_ca,
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crl= path);
> #if MYSQL_VERSION_ID>=3D 50000
> /* Turn on ssl_verify_server_cert only if host is "localhost" */
> opt_ssl_verify_server_cert=3D !strcmp(ds_host.str, "localhost");
> @@ -8385,6 +8387,8 @@ int main(int argc, char **argv)
> {
> mysql_ssl_set(&con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca,=
> opt_ssl_capath, opt_ssl_cipher);
> + mysql_options(&con->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl);
> + mysql_options(&con->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath)= ;
> #if MYSQL_VERSION_ID>=3D 50000
> /* Turn on ssl_verify_server_cert only if host is "localhost" */
> opt_ssl_verify_server_cert=3D opt_host&& !strcmp(opt_host, "loca= lhost");
>
> =3D=3D=3D modified file 'include/mysql.h'
> --- a/include/mysql.h 2011-05-06 13:46:57 +0000
> +++ b/include/mysql.h 2011-06-17 13:53:47 +0000
> @@ -167,7 +167,10 @@ enum mysql_option
> MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,=
> MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
> MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_A= UTH,
> - MYSQL_OPT_BIND
> + MYSQL_OPT_BIND,
> + MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CERT,
> + MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CIPHER,
> + MYSQL_OPT_SSL_CRL, MYSQL_OPT_SSL_CRLPATH
> };
>
> /**
> @@ -188,6 +191,8 @@ struct st_mysql_options {
> char *ssl_ca; /* PEM CA file */
> char *ssl_capath; /* PEM directory of CA-s? */
> char *ssl_cipher; /* cipher to use */
> + char *ssl_crl; /* PEM CRL file */
> + char *ssl_crlpath; /* PEM directory of CRL-s? */
> char *shared_memory_base_name;
> unsigned long max_allowed_packet;
> my_bool use_ssl; /* if to use SSL or not */
>
> =3D=3D=3D modified file 'include/mysql.h.pp'
> --- a/include/mysql.h.pp 2011-05-31 13:52:09 +0000
> +++ b/include/mysql.h.pp 2011-06-17 13:53:47 +0000
> @@ -260,7 +260,10 @@ enum mysql_option
> MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH,=
> MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT,
> MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_A= UTH,
> - MYSQL_OPT_BIND
> + MYSQL_OPT_BIND,
> + MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CERT,
> + MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CIPHER,
> + MYSQL_OPT_SSL_CRL, MYSQL_OPT_SSL_CRLPATH
> };
> struct st_mysql_options_extention;
> struct st_mysql_options {
> @@ -275,6 +278,8 @@ struct st_mysql_options {
> char *ssl_ca;
> char *ssl_capath;
> char *ssl_cipher;
> + char *ssl_crl;
> + char *ssl_crlpath;
> char *shared_memory_base_name;
> unsigned long max_allowed_packet;
> my_bool use_ssl;
>
> =3D=3D=3D modified file 'include/sslopt-case.h'
> --- a/include/sslopt-case.h 2010-04-13 15:04:45 +0000
> +++ b/include/sslopt-case.h 2011-06-17 13:53:47 +0000
> @@ -22,6 +22,8 @@
> case OPT_SSL_CA:
> case OPT_SSL_CAPATH:
> case OPT_SSL_CIPHER:
> + case OPT_SSL_CRL:
> + case OPT_SSL_CRLPATH:
> /*
> Enable use of SSL if we are using any ssl option
> One can disable SSL later by using --skip-ssl or --ssl=3D0
>
> =3D=3D=3D modified file 'include/sslopt-longopts.h'
> --- a/include/sslopt-longopts.h 2010-07-28 23:39:52 +0000
> +++ b/include/sslopt-longopts.h 2011-06-17 13:53:47 +0000
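Review bot: Inserting `ssl_crl` and `ssl_crlpath` in the middle of `struct st_mysql_options` (ahead of `shared_memory_base_name`) shifts every later member and grows the struct, which is embedded in `MYSQL`; the client hunks above use `&mysql` on a by-value object, so a program built against the previous header would address the members after the insertion at the wrong offsets. The mysql.h.pp context in the next hunk shows the project already declares `struct st_mysql_options_extention` for post-release additions; keeping the two CRL strings there preserves the public layout. The `enum mysql_option` additions are appended at the end and are compatible as written.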
> @@ -38,6 +38,13 @@
> {"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).",=
> &opt_ssl_key,&opt_ssl_key, 0, GET_STR, REQUIRED_ARG,
> 0, 0, 0, 0, 0, 0},
> + {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl= ).",
> +&opt_ssl_crl,&opt_ssl_crl, 0, GET_STR, REQUIRED_ARG,
> + 0, 0, 0, 0, 0, 0},
> + {"ssl-crlpath", OPT_SSL_KEY,
> + "Certificate revocation list path (implies --ssl).",
> +&opt_ssl_crlpath,&opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG,
> + 0, 0, 0, 0, 0, 0},
> #ifdef MYSQL_CLIENT
> {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
> "Verify server's \"Common Name\" in its cert against hostname used= "
>
> =3D=3D=3D modified file 'include/sslopt-vars.h'
> --- a/include/sslopt-vars.h 2010-04-13 15:04:45 +0000
> +++ b/include/sslopt-vars.h 2011-06-17 13:53:47 +0000
> @@ -22,12 +22,14 @@
> #else
> #define SSL_STATIC static
> #endif
> -SSL_STATIC my_bool opt_use_ssl =3D 0;
> -SSL_STATIC char *opt_ssl_ca =3D 0;
> -SSL_STATIC char *opt_ssl_capath =3D 0;
> -SSL_STATIC char *opt_ssl_cert =3D 0;
> -SSL_STATIC char *opt_ssl_cipher =3D 0;
> -SSL_STATIC char *opt_ssl_key =3D 0;
> +SSL_STATIC my_bool opt_use_ssl =3D 0;
> +SSL_STATIC char *opt_ssl_ca =3D 0;
> +SSL_STATIC char *opt_ssl_capath =3D 0;
> +SSL_STATIC char *opt_ssl_cert =3D 0;
> +SSL_STATIC char *opt_ssl_cipher =3D 0;
> +SSL_STATIC char *opt_ssl_key =3D 0;
> +SSL_STATIC char *opt_ssl_crl =3D 0;
> +SSL_STATIC char *opt_ssl_crlpath =3D 0;
> #ifdef MYSQL_CLIENT
> SSL_STATIC my_bool opt_ssl_verify_server_cert=3D 0;
> #endif
>
> =3D=3D=3D modified file 'include/violite.h'
> --- a/include/violite.h 2011-05-31 13:52:09 +0000
> +++ b/include/violite.h 2011-06-17 13:53:47 +0000
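Review bot: Both new option entries carry the wrong id, `{"ssl-crl", OPT_SSL_KEY, ...}` and `{"ssl-crlpath", OPT_SSL_KEY, ...}`; they should be `OPT_SSL_CRL` and `OPT_SSL_CRLPATH`, which this patch adds to `enum options_client` in client_priv.h and as labels in sslopt-case.h. As written those two `case` labels are unreachable, and any client whose option handler does per-option work under `OPT_SSL_KEY` would run it for the CRL options; the values presumably still reach `opt_ssl_crl`/`opt_ssl_crlpath` only through the var pointers in the entries. The help strings could also say what the argument is, e.g. `"Certificate revocation list in PEM format (implies --ssl)."` and `"Directory of PEM-encoded CRL files named by hash value (implies --ssl)."`, matching the description in the commit message.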
> @@ -155,11 +155,13 @@ int sslconnect(struct st_VioSSLFd*, Vio
> struct st_VioSSLFd
> *new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
> const char *ca_file, const char *ca_path,
> - const char *cipher, enum enum_ssl_init_error* error);
> + const char *cipher, enum enum_ssl_init_error* error,
> + const char *crl_file, const char *crl_path);
> struct st_VioSSLFd
> *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
> const char *ca_file,const char *ca_path,
> - const char *cipher, enum enum_ssl_init_error* error);
> + const char *cipher, enum enum_ssl_init_error* error,
> + const char *crl_file, const char *crl_path);
> void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd);
> #endif /* ! EMBEDDED_LIBRARY */
> #endif /* HAVE_OPENSSL */
>
> =3D=3D=3D modified file 'mysql-test/include/check-testcase.test'
> --- a/mysql-test/include/check-testcase.test 2011-02-07 15:31:01 +0000
> +++ b/mysql-test/include/check-testcase.test 2011-06-17 13:53:47 +0000
> @@ -69,6 +69,8 @@ if ($tmp)
> --echo Master_Bind=09
> --echo Last_IO_Error_Timestamp=09
> --echo Last_SQL_Error_Timestamp=09
> + --echo Master_SSL_Crl=09
> + --echo Master_SSL_Crlpath=09
> }
> if (!$tmp) {
> # Note: after WL#5177, fields 13-18 shall not be filtered-out.
>
> =3D=3D=3D added file 'mysql-test/include/have_openssl.inc'
> --- a/mysql-test/include/have_openssl.inc 1970-01-01 00:00:00 +0000
> +++ b/mysql-test/include/have_openssl.inc 2011-06-17 13:53:47 +0000
> @@ -0,0 +1,4 @@
> +-- require r/openssl.require
> +disable_query_log;
> +show variables like "have_openssl";
> +enable_query_log;
>
> =3D=3D=3D added file 'mysql-test/r/openssl.require'
> --- a/mysql-test/r/openssl.require 1970-01-01 00:00:00 +0000
> +++ b/mysql-test/r/openssl.require 2011-06-17 13:53:47 +0000
> @@ -0,0 +1,2 @@
> +Variable_name Value
> +have_openssl YES
>
> =3D=3D=3D added file 'mysql-test/r/ssl-crl-clients.result'
> --- a/mysql-test/r/ssl-crl-clients.result 1970-01-01 00:00:00 +0000
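Review bot: In both `new_VioSSLConnectorFd` and `new_VioSSLAcceptorFd` the new `crl_file`/`crl_path` inputs are appended after the `error` out-parameter, so the trust-store arguments are now split around the output argument; ordering them `const char *ca_file, const char *ca_path, const char *crl_file, const char *crl_path, const char *cipher, enum enum_ssl_init_error* error` keeps inputs together and `error` last. Every caller must change for the new arity anyway, so reordering now is free, whereas it would be an incompatible change later. A one-line comment on each declaration stating that NULL for both CRL arguments disables revocation checking (as the commit message says) would spare callers a trip into viosslfactories.c.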
> +++ b/mysql-test/r/ssl-crl-clients.result 2011-06-17 13:53:47 +0000 > @@ -0,0 +1,24 @@ > +# Test clients with and without CRL lists > +############ Test mysql ############## > +# Test mysql connecting to a server with an empty crl > +Variable_name Value > +have_openssl YES > +have_ssl YES > +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem > +ssl_capath=09 > +ssl_cert MYSQL_TEST_DIR/std_data/crl-client-cert.pem > +ssl_cipher=09 > +ssl_crl=09 > +ssl_crlpath=09 > +ssl_key MYSQL_TEST_DIR/std_data/crl-client-key.pem > +# Test mysql connecting to a server with a certificate revoked by -crl= > +# Test mysql connecting to a server with a certificate revoked by -crl= path > +############ Test mysqladmin ############## > +# Test mysqladmin connecting to a server with an empty crl > +mysqld is alive > +# Test mysqladmin connecting to a server with a certificate revoked by= -crl > +mysqladmin: connect to server at 'localhost' failed > +error: 'SSL connection error: Failed to set ciphers to use' > +# Test mysqladmin connecting to a server with a certificate revoked by= -crlpath > +mysqladmin: connet to server at 'localhost' failed > +error: 'SSL connection error: error:00000005:lib(0):func(0):DH lib' > > =3D=3D=3D added file 'mysql-test/r/ssl-crl-empty-crl.result' > --- a/mysql-test/r/ssl-crl-empty-crl.result 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/r/ssl-crl-empty-crl.result 2011-06-17 13:53:47 +0000 
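Review bot: The recorded errors for a revoked certificate are `SSL connection error: Failed to set ciphers to use` and `SSL connection error: error:00000005:lib(0):func(0):DH lib`, neither of which mentions revocation, so an operator would look at cipher or DH configuration rather than at the CRL. The mapping from the handshake failure to these strings lives in the SSL setup code (viosslfactories.c / client.c, not in this excerpt); please check that the X509 verify result (X509_V_ERR_CERT_REVOKED here) is carried into the client error text rather than the generic cipher/DH message, then re-record this file. The expected output also reads `mysqladmin: connet to server at 'localhost' failed` two lines after the correctly spelled `connect`, which looks hand-edited and will not match the tool's real output.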
> @@ -0,0 +1,20 @@ > +Variable_name Value > +have_openssl YES > +have_ssl YES > +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem > +ssl_capath=09 > +ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem > +ssl_cipher=09 > +ssl_crl MYSQL_TEST_DIR/std_data/crl-empty.crl > +ssl_crlpath=09 > +ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem > +Variable_name Value > +have_openssl YES > +have_ssl YES > +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem > +ssl_capath=09 > +ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem > +ssl_cipher=09 > +ssl_crl MYSQL_TEST_DIR/std_data/crl-empty.crl > +ssl_crlpath=09 > +ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem > > =3D=3D=3D added file 'mysql-test/r/ssl-crl-revoked-crl.result' > --- a/mysql-test/r/ssl-crl-revoked-crl.result 1970-01-01 00:00:00 +0000= > +++ b/mysql-test/r/ssl-crl-revoked-crl.result 2011-06-17 13:53:47 +0000= > @@ -0,0 +1 @@ > +# try logging in with a certificate in the server's --ssl-crl : should= fail > > =3D=3D=3D added file 'mysql-test/r/ssl-crl-revoked-crlpath.result' > --- a/mysql-test/r/ssl-crl-revoked-crlpath.result 1970-01-01 00:00:00 += 0000 > +++ b/mysql-test/r/ssl-crl-revoked-crlpath.result 2011-06-17 13:53:47 += 0000 > @@ -0,0 +1 @@ > +# try logging in with a certificate in the server's --ssl-crlpath : sh= ould fail > > =3D=3D=3D modified file 'mysql-test/r/variables.result' > --- a/mysql-test/r/variables.result 2011-04-12 12:48:26 +0000 > +++ b/mysql-test/r/variables.result 2011-06-17 13:53:47 +0000 > @@ -981,6 +981,8 @@ ssl_ca # > ssl_capath # > ssl_cert # > ssl_cipher # > +ssl_crl # > +ssl_crlpath # > ssl_key # > select * from information_schema.session_variables where variable_nam= e like 'ssl%' order by 1; > VARIABLE_NAME VARIABLE_VALUE > @@ -988,6 +990,8 @@ SSL_CA # > SSL_CAPATH # > SSL_CERT # > SSL_CIPHER # > +SSL_CRL # > +SSL_CRLPATH # > SSL_KEY # > select @@log_queries_not_using_indexes; > @@log_queries_not_using_indexes > > =3D=3D=3D added file 'mysql-test/std_data/crl-ca-cert.pem' 
> --- a/mysql-test/std_data/crl-ca-cert.pem 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/std_data/crl-ca-cert.pem 2011-06-17 13:53:47 +0000 
> @@ -0,0 +1,63 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: > + a5:85:ec:60:b1:68:44:22 > + Signature Algorithm: sha1WithRSAEncryption > + Issuer: C=3DBG, ST=3DPlovdiv, O=3DOracle, OU=3DMySQL, CN=3DMyS= QL CRL test CA certificate > + Validity > + Not Before: Jun 17 07:27:51 2011 GMT > + Not After : Jun 15 07:27:51 2016 GMT > + Subject: C=3DBG, ST=3DPlovdiv, O=3DOracle, OU=3DMySQL, CN=3DMy= SQL CRL test CA certificate > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public Key: (1024 bit) > + Modulus (1024 bit): > + 00:9b:08:0b:96:19:57:fb:21:79:f4:16:c9:b8:2c: > + 13:2e:e1:fe:5f:6b:18:7d:d4:c4:d7:cd:66:a6:62: > + 0e:b7:28:b1:39:76:62:6e:5a:4a:80:f6:0e:8e:84: > + 3e:cf:2f:91:0d:36:6d:8b:b5:f9:78:96:f0:5f:82: > + a2:b2:d8:fc:b3:46:b5:30:24:b3:a8:77:60:6c:05: > + c9:8f:82:fd:ad:9f:26:23:29:56:5b:02:6f:f2:00: > + 31:86:60:b7:8c:56:b3:95:a8:8d:a9:bb:6b:91:fd: > + 5d:f5:6a:21:45:85:63:78:0e:0f:0e:03:6d:53:73: > + 0d:6c:aa:5b:f9:fc:fa:fd:f7 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Subject Key Identifier: > + C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:= 63:E8 > + X509v3 Authority Key Identifier: > + keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:= 72:5D:63:E8 > + DirName:/C=3DBG/ST=3DPlovdiv/O=3DOracle/OU=3DMySQL/CN=3D= MySQL CRL test CA certificate > + serial:A5:85:EC:60:B1:68:44:22 > + > + X509v3 Basic Constraints: > + CA:TRUE > + Signature Algorithm: sha1WithRSAEncryption > + 73:dd:2e:76:71:25:c2:fe:7a:c5:46:ca:f2:c7:a0:43:f0:c7: > + 3c:24:8d:a6:bd:8d:f2:7c:db:03:1b:2b:8a:c8:23:ae:ef:71: > + 25:33:5b:10:61:e7:7d:89:30:a8:67:25:2e:e0:06:30:77:da: > + b8:87:e5:91:cd:c7:8f:c9:7b:3d:9e:86:80:44:02:6b:d1:06: > + 85:5d:28:78:cc:a7:a8:35:ac:f7:77:6d:e2:c7:a3:37:bc:9f: > + d3:bf:4a:ca:09:dc:d0:78:0c:59:c7:db:4b:67:f1:09:6d:a9: > + 7a:50:2f:1d:2c:a6:b8:81:0e:e6:4b:ee:d9:be:ae:a5:6a:d7: > + 56:c4 > +-----BEGIN CERTIFICATE----- > 
+MIIDHDCCAoWgAwIBAgIJAKWF7GCxaEQiMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV > +BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV > +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0 > +ZTAeFw0xMTA2MTcwNzI3NTFaFw0xNjA2MTUwNzI3NTFaMGgxCzAJBgNVBAYTAkJH > +MRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNVBAsTBU15 > +U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0ZTCBnzAN > +BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmwgLlhlX+yF59BbJuCwTLuH+X2sYfdTE > +181mpmIOtyixOXZiblpKgPYOjoQ+zy+RDTZti7X5eJbwX4Kistj8s0a1MCSzqHdg > +bAXJj4L9rZ8mIylWWwJv8gAxhmC3jFazlaiNqbtrkf1d9WohRYVjeA4PDgNtU3MN > +bKpb+fz6/fcCAwEAAaOBzTCByjAdBgNVHQ4EFgQUxB0saD9fKVHsxVRhzhYT0nJd > +Y+gwgZoGA1UdIwSBkjCBj4AUxB0saD9fKVHsxVRhzhYT0nJdY+ihbKRqMGgxCzAJ > +BgNVBAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAM > +BgNVBAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZp > +Y2F0ZYIJAKWF7GCxaEQiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA > +c90udnElwv56xUbK8segQ/DHPCSNpr2N8nzbAxsrisgjru9xJTNbEGHnfYkwqGcl > +LuAGMHfauIflkc3Hj8l7PZ6GgEQCa9EGhV0oeMynqDWs93dt4sejN7yf079Kygnc > +0HgMWcfbS2fxCW2pelAvHSymuIEO5kvu2b6upWrXVsQ=3D > +-----END CERTIFICATE----- > > =3D=3D=3D added file 'mysql-test/std_data/crl-client-cert.pem' > --- a/mysql-test/std_data/crl-client-cert.pem 1970-01-01 00:00:00 +0000= > +++ b/mysql-test/std_data/crl-client-cert.pem 2011-06-17 13:53:47 +0000= 
> @@ -0,0 +1,62 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: > + a5:85:ec:60:b1:68:44:24 > + Signature Algorithm: sha1WithRSAEncryption > + Issuer: C=3DBG, ST=3DPlovdiv, O=3DOracle, OU=3DMySQL, CN=3DMyS= QL CRL test CA certificate > + Validity > + Not Before: Jun 17 07:32:32 2011 GMT > + Not After : Jun 16 07:32:32 2014 GMT > + Subject: C=3DBG, ST=3DPlovdiv, L=3DPlovdiv, O=3DOracle, OU=3DM= ySQL, CN=3DMySQL CRL test client certificate > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public Key: (1024 bit) > + Modulus (1024 bit): > + 00:bd:18:bf:c5:37:7e:f7:8a:1d:22:c0:4f:5a:70: > + 51:ea:df:56:4f:29:e9:c7:a5:8a:ab:5a:48:b5:f9: > + bf:cd:2a:73:f8:fa:13:20:fd:33:17:11:93:51:f0: > + 4f:fa:a5:6a:bc:37:94:92:de:7d:c1:09:c6:43:c0: > + f7:cd:dd:ac:06:bf:fe:0c:9f:fc:ec:5b:83:a1:1e: > + 34:d8:af:50:17:4d:84:51:20:44:76:81:d1:12:76: > + 06:fb:05:29:59:47:0f:9d:97:f1:41:2f:92:0d:e4: > + b6:c1:fb:cf:75:95:a9:0f:cf:b3:4f:69:a3:d1:14: > + e9:6b:cf:be:53:bd:4e:3f:5d > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: > + CA:FALSE > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + 39:37:9C:0B:9F:E4:8E:48:48:71:23:2B:CA:F0:C1:F9:0B:F2:= 0A:D0 > + X509v3 Authority Key Identifier: > + keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:= 72:5D:63:E8 > + > + Signature Algorithm: sha1WithRSAEncryption > + 18:03:42:13:af:86:c3:eb:9c:40:4a:d8:9e:e7:25:e1:43:7b: > + 2f:55:1b:e6:ec:bf:9b:56:b3:c7:cb:78:cd:d2:00:46:39:96: > + d8:f8:cd:9d:0e:e7:97:51:93:f8:5b:ed:4f:5a:16:6b:56:fb: > + c0:d1:58:3c:7f:e9:64:aa:11:03:ff:3b:5e:9d:6d:c8:53:a8: > + 4a:30:f7:a6:ae:7c:e0:ed:16:c4:a0:07:9c:75:1a:23:58:13: > + 70:9e:aa:cc:b8:1d:70:26:85:ad:e1:f3:34:83:1b:e0:72:44: > + c4:28:d5:c5:6a:43:83:47:fe:8b:ab:ac:07:55:ff:2c:d9:0f: > + 5f:c7 > +-----BEGIN CERTIFICATE----- > +MIIC3zCCAkigAwIBAgIJAKWF7GCxaEQkMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV > 
+BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV > +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0 > +ZTAeFw0xMTA2MTcwNzMyMzJaFw0xNDA2MTYwNzMyMzJaMH4xCzAJBgNVBAYTAkJH > +MRAwDgYDVQQIEwdQbG92ZGl2MRAwDgYDVQQHEwdQbG92ZGl2MQ8wDQYDVQQKEwZP > +cmFjbGUxDjAMBgNVBAsTBU15U1FMMSowKAYDVQQDEyFNeVNRTCBDUkwgdGVzdCBj > +bGllbnQgY2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0Y > +v8U3fveKHSLAT1pwUerfVk8p6celiqtaSLX5v80qc/j6EyD9MxcRk1HwT/qlarw3 > +lJLefcEJxkPA983drAa//gyf/Oxbg6EeNNivUBdNhFEgRHaB0RJ2BvsFKVlHD52X > +8UEvkg3ktsH7z3WVqQ/Ps09po9EU6WvPvlO9Tj9dAgMBAAGjezB5MAkGA1UdEwQC > +MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl > +MB0GA1UdDgQWBBQ5N5wLn+SOSEhxIyvK8MH5C/IK0DAfBgNVHSMEGDAWgBTEHSxo > +P18pUezFVGHOFhPScl1j6DANBgkqhkiG9w0BAQUFAAOBgQAYA0ITr4bD65xAStie > +5yXhQ3svVRvm7L+bVrPHy3jN0gBGOZbY+M2dDueXUZP4W+1PWhZrVvvA0Vg8f+lk > +qhED/ztenW3IU6hKMPemrnzg7RbEoAecdRojWBNwnqrMuB1wJoWt4fM0gxvgckTE > +KNXFakODR/6Lq6wHVf8s2Q9fxw=3D=3D > +-----END CERTIFICATE----- > > =3D=3D=3D added file 'mysql-test/std_data/crl-client-key.pem' > --- a/mysql-test/std_data/crl-client-key.pem 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/std_data/crl-client-key.pem 2011-06-17 13:53:47 +0000 
> @@ -0,0 +1,15 @@ > +-----BEGIN RSA PRIVATE KEY----- > +MIICXAIBAAKBgQC9GL/FN373ih0iwE9acFHq31ZPKenHpYqrWki1+b/NKnP4+hMg > +/TMXEZNR8E/6pWq8N5SS3n3BCcZDwPfN3awGv/4Mn/zsW4OhHjTYr1AXTYRRIER2 > +gdESdgb7BSlZRw+dl/FBL5IN5LbB+891lakPz7NPaaPRFOlrz75TvU4/XQIDAQAB > +AoGAYMe37rIWk47mlpCijIEMDA++Vsn20q2RKV4N9MUcO19M99LV036DlXzzT26V > +II1k8Wvo6Lpi1lewV6D9symPDwuxO3L/lSwInVSbAaCkRYq7BlpL+ShxsUpWT788 > +ealwFTj3TeM1MCHpFwvO0xGBqFVk+ZadCNZjvwdQi44JCykCQQDqJgOTPPniq5Lk > +J6d+KWiCPVAEnEWk5lR0jQ2NZhSm4fFmCd0v6bNYhztk7dizSOiIrXnPLXx9Z8v0 > +rwKr5WrHAkEAzr5ps9d/t4V60vAJCK+Sq1b+Qj42yEnH2eIjKAUFO63jkPtpOv9h > +nzYJTqajvEkHbYJ92elpzGx47FuSOjzAuwJAYpZC5xnDdSccoCf6I+q3cC70pBxQ > +TpAUe0ZwsFqM039KrtX0ZZoWw22dGm/yz/ogvnucUBks03iCrbGKhGoCPQJAdlhj > +U5I5Rsl+vH6w/Srbz37Vvv+0BkTNxPiA3Wi6TSZGDPkNjLshm6yn+UDEm4RGXzaC > +ahoF+QHi2pG0i+e4/wJBAOmbrYbjE2LAzIBy0NvRHslPABTK4zn1L9lzU5XIjV9r > +y8JiMfGNC5r7To/ERlFUlMbaPA5Zm9XNrZhDROMZLTc=3D > +-----END RSA PRIVATE KEY----- > > =3D=3D=3D added file 'mysql-test/std_data/crl-client-revoked.crl' > --- a/mysql-test/std_data/crl-client-revoked.crl 1970-01-01 00:00:00 +0= 000 > +++ b/mysql-test/std_data/crl-client-revoked.crl 2011-06-17 13:53:47 +0= 000 > @@ -0,0 +1,10 @@ > +-----BEGIN X509 CRL----- > +MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE > +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG > +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDYxNzA3Mzgy > +NVoXDTExMDcxNzA3MzgyNVowKjAoAgkApYXsYLFoRCQXDTExMDYxNzA3Mzc1OVow > +DDAKBgNVHRUEAwoBBaAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADgYEA > +GEHNVIG6WcDYLwugXnSkLRi19EDalfQ/ufcIh2M8XQUCIXXYVYLQnh4w7FMOwDz7 > +OaIE+UhdhKjbwITvEQ3XTNueYouofmyTcYEVZuapFcG3M9TKXzaBdOevKMmok0rq > +kuZ80j5zmCC9kXpIGl5IS+c5KRLqmYxrUNG/gdhxGpg=3D > +-----END X509 CRL----- > > =3D=3D=3D added file 'mysql-test/std_data/crl-empty.crl' > --- a/mysql-test/std_data/crl-empty.crl 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/std_data/crl-empty.crl 2011-06-17 13:53:47 +0000 
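Review bot: `crl-client-revoked.crl` and `crl-empty.crl` are committed as opaque PEM, so unlike the certificates (whose text dumps show validity to 2014 and 2016) their thisUpdate/nextUpdate window cannot be reviewed here; the base64 suggests a thisUpdate of 2011-06-17 with nextUpdate one month later, which `openssl crl -noout -text` would confirm. OpenSSL rejects a CRL whose nextUpdate has passed (X509_V_ERR_CRL_HAS_EXPIRED), which would turn the "empty CRL" success cases in these tests into failures once that date is reached, so regenerate both with a `-crldays` that matches the certificate lifetimes and commit the `openssl crl -text` dump alongside the PEM as is done for the certificates. `crldir/fc725416.r0` is a byte-identical copy of `crl-client-revoked.crl`, so a short note in the test directory saying the two must be regenerated together (and the hashed name recomputed) would prevent them drifting apart.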
> @@ -0,0 +1,9 @@ > +-----BEGIN X509 CRL----- > +MIIBQDCBqgIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE > +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG > +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDYxNzA3MzUy > +NVoXDTExMDcxNzA3MzUyNVqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBBQUA > +A4GBAJRpOiqqQoAuc0YMw+JDDrwU+bjb+xg49E2Ao+Gcipzq0Z7jACPZFhDt3JRZ > +tf0qErLImThh4i6P5IS7YOT+yAR8bF6SphePWK0WMFLjsxpQgyJPUvkffgM6BO7A > +Cg4dnRAWMY4VsvBPtP/TXzDu4tAoznwLlHBW9BST+Ks3EBmF > +-----END X509 CRL----- > > =3D=3D=3D added file 'mysql-test/std_data/crl-server-cert.pem' > --- a/mysql-test/std_data/crl-server-cert.pem 1970-01-01 00:00:00 +0000= > +++ b/mysql-test/std_data/crl-server-cert.pem 2011-06-17 13:53:47 +0000= 
> @@ -0,0 +1,62 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: > + a5:85:ec:60:b1:68:44:23 > + Signature Algorithm: sha1WithRSAEncryption > + Issuer: C=3DBG, ST=3DPlovdiv, O=3DOracle, OU=3DMySQL, CN=3DMyS= QL CRL test CA certificate > + Validity > + Not Before: Jun 17 07:29:11 2011 GMT > + Not After : Jun 16 07:29:11 2014 GMT > + Subject: C=3DBG, ST=3DPlovdiv, L=3DPlovdiv, O=3DOracle, OU=3DM= ySQL, CN=3DMySQL CRL test server certificate > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public Key: (1024 bit) > + Modulus (1024 bit): > + 00:c4:c6:01:29:db:e6:62:40:07:bd:43:ce:37:8e: > + 90:0e:3c:86:cc:6a:0c:40:8e:8e:30:27:f2:84:d3: > + 59:e8:7d:e7:97:1e:0d:36:08:0b:cc:28:bb:86:b0: > + 0a:64:8c:55:33:f6:ce:19:00:08:b9:93:ca:84:7e: > + 9a:4e:81:91:e2:56:32:2a:de:b5:1f:82:b9:8f:33: > + f4:87:f8:10:84:69:69:9a:79:58:08:9a:29:dc:09: > + 79:27:90:ec:af:c8:2d:5f:2e:c1:e1:4a:f1:52:21: > + 37:58:d4:f9:ef:49:ce:a9:9d:eb:dc:f4:34:30:40: > + d0:d7:38:54:94:2e:d1:ac:25 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: > + CA:FALSE > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + 4A:18:8F:0C:A3:CF:D7:4A:38:83:07:FC:26:E3:EB:96:32:73:= FA:8C > + X509v3 Authority Key Identifier: > + keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:= 72:5D:63:E8 > + > + Signature Algorithm: sha1WithRSAEncryption > + 61:74:cc:62:70:9e:1f:3e:96:ac:cd:54:4f:34:60:1c:27:51: > + f4:d5:f8:2e:d7:18:11:86:4e:b5:52:8c:a1:ef:28:c9:43:d7: > + 23:2a:22:15:4a:a3:e7:ff:76:fa:25:be:ed:30:05:ea:12:aa: > + 3f:c8:ab:a7:22:02:ea:cf:50:d4:43:31:5f:51:de:4c:e1:fa: > + 31:ba:2e:4e:d8:a4:3d:80:ad:17:83:67:0f:1b:6f:0b:74:43: > + ce:36:cb:2f:17:9e:6e:ae:c6:eb:ec:93:70:69:82:42:04:b3: > + a7:31:1f:65:70:ff:06:ce:9c:22:8a:dc:7d:92:bc:04:24:ca: > + 20:66 > +-----BEGIN CERTIFICATE----- > +MIIC3zCCAkigAwIBAgIJAKWF7GCxaEQjMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV > 
+BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV > +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0 > +ZTAeFw0xMTA2MTcwNzI5MTFaFw0xNDA2MTYwNzI5MTFaMH4xCzAJBgNVBAYTAkJH > +MRAwDgYDVQQIEwdQbG92ZGl2MRAwDgYDVQQHEwdQbG92ZGl2MQ8wDQYDVQQKEwZP > +cmFjbGUxDjAMBgNVBAsTBU15U1FMMSowKAYDVQQDEyFNeVNRTCBDUkwgdGVzdCBz > +ZXJ2ZXIgY2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTG > +ASnb5mJAB71DzjeOkA48hsxqDECOjjAn8oTTWeh955ceDTYIC8wou4awCmSMVTP2 > +zhkACLmTyoR+mk6BkeJWMiretR+CuY8z9If4EIRpaZp5WAiaKdwJeSeQ7K/ILV8u > +weFK8VIhN1jU+e9Jzqmd69z0NDBA0Nc4VJQu0awlAgMBAAGjezB5MAkGA1UdEwQC > +MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl > +MB0GA1UdDgQWBBRKGI8Mo8/XSjiDB/wm4+uWMnP6jDAfBgNVHSMEGDAWgBTEHSxo > +P18pUezFVGHOFhPScl1j6DANBgkqhkiG9w0BAQUFAAOBgQBhdMxicJ4fPpaszVRP > +NGAcJ1H01fgu1xgRhk61Uoyh7yjJQ9cjKiIVSqPn/3b6Jb7tMAXqEqo/yKunIgLq > +z1DUQzFfUd5M4foxui5O2KQ9gK0Xg2cPG28LdEPONssvF55ursbr7JNwaYJCBLOn > +MR9lcP8Gzpwiitx9krwEJMogZg=3D=3D > +-----END CERTIFICATE----- > > =3D=3D=3D added file 'mysql-test/std_data/crl-server-key.pem' > --- a/mysql-test/std_data/crl-server-key.pem 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/std_data/crl-server-key.pem 2011-06-17 13:53:47 +0000 
> @@ -0,0 +1,15 @@ > +-----BEGIN RSA PRIVATE KEY----- > +MIICXAIBAAKBgQDExgEp2+ZiQAe9Q843jpAOPIbMagxAjo4wJ/KE01nofeeXHg02 > +CAvMKLuGsApkjFUz9s4ZAAi5k8qEfppOgZHiVjIq3rUfgrmPM/SH+BCEaWmaeVgI > +mincCXknkOyvyC1fLsHhSvFSITdY1PnvSc6pnevc9DQwQNDXOFSULtGsJQIDAQAB > +AoGAfecnZW4jWegYS5xv/RJF0CYgJfkQv9m21s8omJ5W37B3lzSORW0eh1Hkswg+ > +jhlQhwA63Lot2vfaU65h8ytqeGSxUSj0X8bVCsG+7aoQOxeowZs+CLgWPHmXbXw8 > +BI9mFbfkIQ/1x5yMSTv0BNRGUtg+t5FGPsmWxSUtfTme4CECQQDxQGEoesrJ25uE > +MUcrTSeVpNmzqA8e41+8YIzbyi8nmwzp5gbsgIIF6/P5iMo1T7nIal/8N+FQMft4 > +Ebzb0ZFNAkEA0M2JmH/ctyDQ7RbQx5lVwiHYn9a3inusvsV47kfH24kdRZYSymI8 > +of7O8SGkHFJNeYsJmM3UrsNDlbSd+sCaOQJBAKoM+i8hVp2weU9VuNex28wkVfvH > +41ifZtUOrVsjidd9+D1KkejUsFHiPqfOntGzL74wFRZggSYZBStePWQotSUCQH29 > +aMDnLtkw79/2v1+TnSs9CqCmwvyoIYz4iiykGVzBI1mGWGZ75ht/wMtBAPz1Kyao > +be0Q9qUPfaGnlQMt/TECQGrMh32zFPFR98yNS6JDVAVib+d5SaJsV5HXXqKCYxQR > +u1sv7YeF4/Y+TPKpBSasDNZHQ3zex0M9YOgI+9eEBHk=3D > +-----END RSA PRIVATE KEY----- > > =3D=3D=3D added directory 'mysql-test/std_data/crldir' > =3D=3D=3D added file 'mysql-test/std_data/crldir/fc725416.r0' > --- a/mysql-test/std_data/crldir/fc725416.r0 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/std_data/crldir/fc725416.r0 2011-06-17 13:53:47 +0000 > @@ -0,0 +1,10 @@ > +-----BEGIN X509 CRL----- > +MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE > +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG > +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDYxNzA3Mzgy > +NVoXDTExMDcxNzA3MzgyNVowKjAoAgkApYXsYLFoRCQXDTExMDYxNzA3Mzc1OVow > +DDAKBgNVHRUEAwoBBaAOMAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEFBQADgYEA > +GEHNVIG6WcDYLwugXnSkLRi19EDalfQ/ufcIh2M8XQUCIXXYVYLQnh4w7FMOwDz7 > +OaIE+UhdhKjbwITvEQ3XTNueYouofmyTcYEVZuapFcG3M9TKXzaBdOevKMmok0rq > +kuZ80j5zmCC9kXpIGl5IS+c5KRLqmYxrUNG/gdhxGpg=3D > +-----END X509 CRL----- > > =3D=3D=3D modified file 'mysql-test/suite/sys_vars/r/all_vars.result' > --- a/mysql-test/suite/sys_vars/r/all_vars.result 2011-05-31 09:30:59 += 0000 
> +++ b/mysql-test/suite/sys_vars/r/all_vars.result 2011-06-17 13:53:47 += 0000 > @@ -16,6 +16,7 @@ INNODB_STATS_TRANSIENT_SAMPLE_PAGES > INNODB_ROLLBACK_SEGMENTS > INNODB_STATS_PERSISTENT_SAMPLE_PAGES > RELAY_LOG_BASENAME > +SSL_CRLPATH > LOG_BIN_BASENAME > INNODB_MONITOR_RESET > INNODB_ANALYZE_IS_PERSISTENT > @@ -24,6 +25,7 @@ INNODB_MONITOR_RESET_ALL > INNODB_STATS_METHOD > LOG_BIN_INDEX > INNODB_SYNC_ARRAY_SIZE > +SSL_CRL > INNODB_MONITOR_DISABLE > INNODB_FILE_FORMAT_MAX > INNODB_MONITOR_ENABLE > @@ -32,6 +34,7 @@ INNODB_STATS_TRANSIENT_SAMPLE_PAGES > INNODB_ROLLBACK_SEGMENTS > INNODB_STATS_PERSISTENT_SAMPLE_PAGES > RELAY_LOG_BASENAME > +SSL_CRLPATH > LOG_BIN_BASENAME > INNODB_MONITOR_RESET > INNODB_ANALYZE_IS_PERSISTENT > @@ -40,6 +43,7 @@ INNODB_MONITOR_RESET_ALL > INNODB_STATS_METHOD > LOG_BIN_INDEX > INNODB_SYNC_ARRAY_SIZE > +SSL_CRL > INNODB_MONITOR_DISABLE > INNODB_FILE_FORMAT_MAX > INNODB_MONITOR_ENABLE > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-clients-master.opt' > --- a/mysql-test/t/ssl-crl-clients-master.opt 1970-01-01 00:00:00 +0000= > +++ b/mysql-test/t/ssl-crl-clients-master.opt 2011-06-17 13:53:47 +0000= > @@ -0,0 +1,3 @@ > +--ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem > +--ssl-key=3D$MYSQL_TEST_DIR/std_data/crl-client-key.pem > +--ssl-cert=3D$MYSQL_TEST_DIR/std_data/crl-client-cert.pem > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-clients.test' > --- a/mysql-test/t/ssl-crl-clients.test 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/t/ssl-crl-clients.test 2011-06-17 13:53:47 +0000 
> @@ -0,0 +1,46 @@ > +# This test should work in embedded server after we fix mysqltest > +-- source include/not_embedded.inc > +-- source include/have_ssl_communication.inc > +-- source include/have_openssl.inc > + > +--echo # Test clients with and without CRL lists > + > +let $ssl_base =3D --ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem = --ssl-key=3D$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=3D$MYS= QL_TEST_DIR/std_data/crl-server-cert.pem; > +let $ssl_empty =3D $ssl_base --ssl-crl=3D$MYSQL_TEST_DIR/std_data/crl-= empty.crl; > +let $ssl_crl =3D $ssl_base --ssl-crl=3D$MYSQL_TEST_DIR/std_data/crl-cl= ient-disabled.crl; > +let $ssl_crlpath =3D $ssl_base --ssl-crlpath=3D$MYSQL_TEST_DIR/std_dat= a/crldir; > + > + > +--echo ############ Test mysql ############## > + > +--echo # Test mysql connecting to a server with an empty crl > +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR > +--exec $MYSQL $ssl_empty test -e "SHOW VARIABLES like '%ssl%';" > + > +--echo # Test mysql connecting to a server with a certificate revoked = by -crl > +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR > +--error 1 > +--exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';" > + > +--echo # Test mysql connecting to a server with a certificate revoked = by -crlpath > +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR > +--error 1 > +--exec $MYSQL $ssl_crlpath test -e "SHOW VARIABLES like '%ssl%';" > + > + > +--echo ############ Test mysqladmin ############## > +let $admin_prefix =3D --no-defaults; > +let $admin_suffix =3D --default-character-set=3Dlatin1 -S $MASTER_MYSO= CK -P $MASTER_MYPORT -u root --password=3D ping; > + > +--echo # Test mysqladmin connecting to a server with an empty crl > +--exec $MYSQLADMIN $admin_prefix $ssl_empty $admin_suffix 2>&1 > + > +--echo # Test mysqladmin connecting to a server with a certificate rev= oked by -crl > +--replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/ > +--error 1 > +--exec $MYSQLADMIN $admin_prefix $ssl_crl 
$admin_suffix 2>&1 > + > +--echo # Test mysqladmin connecting to a server with a certificate rev= oked by -crlpath > +--replace_regex /.*mysqladmin.*: connect/mysqladmin: connet/ > +--error 1 > +--exec $MYSQLADMIN $admin_prefix $ssl_crlpath $admin_suffix 2>&1 > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-empty-crl-master.opt' > --- a/mysql-test/t/ssl-crl-empty-crl-master.opt 1970-01-01 00:00:00 +00= 00 > +++ b/mysql-test/t/ssl-crl-empty-crl-master.opt 2011-06-17 13:53:47 +00= 00 > @@ -0,0 +1,4 @@ > +--ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem > +--ssl-key=3D$MYSQL_TEST_DIR/std_data/crl-server-key.pem > +--ssl-cert=3D$MYSQL_TEST_DIR/std_data/crl-server-cert.pem > +--ssl-crl=3D$MYSQL_TEST_DIR/std_data/crl-empty.crl > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-empty-crl.test' > --- a/mysql-test/t/ssl-crl-empty-crl.test 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/t/ssl-crl-empty-crl.test 2011-06-17 13:53:47 +0000 > @@ -0,0 +1,12 @@ > +# This test should work in embedded server after we fix mysqltest > +-- source include/not_embedded.inc > +-- source include/have_ssl_communication.inc > +-- source include/have_openssl.inc > + > +# test --crl for the client : should connect > +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR > +--exec $MYSQL --ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ss= l-key=3D$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=3D$MYSQL_T= EST_DIR/std_data/crl-client-cert.pem test --ssl-crl=3D$MYSQL_TEST_DIR/std= _data/crl-empty.crl -e "SHOW VARIABLES like '%ssl%';" > + > +# test --crlpath for the client : should connect > +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR > +--exec $MYSQL --ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ss= l-key=3D$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=3D$MYSQL_T= EST_DIR/std_data/crl-client-cert.pem --ssl-crlpath=3D$MYSQL_TEST_DIR/std_= data/crldir test -e "SHOW VARIABLES like '%ssl%';" > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-revoked-crl-master.opt' 
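Review bot: `$ssl_crl` in ssl-crl-clients.test points at `std_data/crl-client-disabled.crl`, which is not a file this diff adds (the fixtures added are `crl-client-revoked.crl` and `crl-empty.crl`), so the two `--error 1` cases for `-crl` most likely pass because the client cannot load the CRL file at all, not because a revoked certificate is rejected. The line should read `let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl;`, and it would be worth recording the actual connection error text in the result rather than only the exit status, so that a missing file and a revoked certificate cannot be confused. The last `--replace_regex` also rewrites to `mysqladmin: connet`, which bakes a typo into the recorded result; it should be `mysqladmin: connect` like the one above it.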
> --- a/mysql-test/t/ssl-crl-revoked-crl-master.opt 1970-01-01 00:00:00 += 0000 > +++ b/mysql-test/t/ssl-crl-revoked-crl-master.opt 2011-06-17 13:53:47 += 0000 > @@ -0,0 +1,4 @@ > +--ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem > +--ssl-key=3D$MYSQL_TEST_DIR/std_data/crl-server-key.pem > +--ssl-cert=3D$MYSQL_TEST_DIR/std_data/crl-server-cert.pem > +--ssl-crl=3D$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-revoked-crl.test' > --- a/mysql-test/t/ssl-crl-revoked-crl.test 1970-01-01 00:00:00 +0000 > +++ b/mysql-test/t/ssl-crl-revoked-crl.test 2011-06-17 13:53:47 +0000 > @@ -0,0 +1,9 @@ > +# This test should work in embedded server after we fix mysqltest > +-- source include/not_embedded.inc > +-- source include/have_ssl_communication.inc > +-- source include/have_openssl.inc > + > +--echo # try logging in with a certificate in the server's --ssl-crl := should fail > +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR > +--error 1 > +--exec $MYSQL --ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ss= l-key=3D$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=3D$MYSQL_T= EST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%'= ;" > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-revoked-crlpath-master.opt' > --- a/mysql-test/t/ssl-crl-revoked-crlpath-master.opt 1970-01-01 00:00:= 00 +0000 > +++ b/mysql-test/t/ssl-crl-revoked-crlpath-master.opt 2011-06-17 13:53:= 47 +0000 > @@ -0,0 +1,4 @@ > +--ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem > +--ssl-key=3D$MYSQL_TEST_DIR/std_data/crl-server-key.pem > +--ssl-cert=3D$MYSQL_TEST_DIR/std_data/crl-server-cert.pem > +--ssl-crlpath=3D$MYSQL_TEST_DIR/std_data/crldir > > =3D=3D=3D added file 'mysql-test/t/ssl-crl-revoked-crlpath.test' > --- a/mysql-test/t/ssl-crl-revoked-crlpath.test 1970-01-01 00:00:00 +00= 00 > +++ b/mysql-test/t/ssl-crl-revoked-crlpath.test 2011-06-17 13:53:47 +00= 00 
> @@ -0,0 +1,9 @@ > +# This test should work in embedded server after we fix mysqltest > +-- source include/not_embedded.inc > +-- source include/have_ssl_communication.inc > +-- source include/have_openssl.inc > + > +--echo # try logging in with a certificate in the server's --ssl-crlpa= th : should fail > +--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR > +--error 1 > +--exec $MYSQL --ssl-ca=3D$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ss= l-key=3D$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=3D$MYSQL_T= EST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%'= ;" > > =3D=3D=3D modified file 'scripts/mysql_system_tables.sql' > --- a/scripts/mysql_system_tables.sql 2011-06-13 16:28:34 +0000 > +++ b/scripts/mysql_system_tables.sql 2011-06-17 13:53:47 +0000 
> @@ -102,7 +102,7 @@ CREATE TABLE IF NOT EXISTS ndb_binlog_in > > CREATE TABLE IF NOT EXISTS slave_relay_log_info (Master_id INTEGER UN= SIGNED NOT NULL, Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Numbe= r of lines in the file or rows in the table. Used to version table defini= tions.', Relay_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL= COMMENT 'The name of the current relay log file.', Relay_log_pos BIGINT = UNSIGNED NOT NULL COMMENT 'The relay log position of the last executed ev= ent.', Master_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL = COMMENT 'The name of the master binary log file from which the events in = the relay log file were read.', Master_log_pos BIGINT UNSIGNED NOT NULL C= OMMENT 'The master log position of the last executed event.', Sql_delay I= NTEGER NOT NULL COMMENT 'The number of seconds that the slave must lag be= hind the master.', PRIMARY KEY(Master_id)) ENGINE=3DMYISAM DEFAULT CHARSE= T=3Dutf8 COMMENT 'Relay Log Information'; > > -CREATE TABLE IF NOT EXISTS slave_master_info (Master_id INTEGER UNSIGN= ED NOT NULL, Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of= lines in the file.', Master_log_name TEXT CHARACTER SET utf8 COLLATE utf= 8_bin NOT NULL COMMENT 'The name of the master binary log currently being= read from the master.', Master_log_pos BIGINT UNSIGNED NOT NULL COMMENT = 'The master log position of the last read event.', Host TEXT CHARACTER SE= T utf8 COLLATE utf8_bin COMMENT 'The host name of the master.', User_name= TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The user name used to = connect to the master.', User_password TEXT CHARACTER SET utf8 COLLATE ut= f8_bin COMMENT 'The password used to connect to the master.', Port INTEGE= R UNSIGNED NOT NULL COMMENT 'The network port used to connect to the mast= er.', Connect_retry INTEGER UNSIGNED NOT NULL COMMENT 'The period (in sec= onds) that the slave will wait before trying to reconnect to the master.'= , Enabled_ssl BOOLEAN 
NOT NULL COMMENT 'In! > > dicates whether the server supports SSL connections.', Ssl_ca TEXT CH= ARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certific= ate Authority (CA) certificate.', Ssl_capath TEXT CHARACTER SET utf8 COLL= ATE utf8_bin COMMENT 'The path to the Certificate Authority (CA) certific= ates.', Ssl_cert TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The na= me of the SSL certificate file.', Ssl_cipher TEXT CHARACTER SET utf8 COLL= ATE utf8_bin COMMENT 'The name of the cipher in use for the SSL connectio= n.', Ssl_key TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name o= f the SSL key file.', Ssl_verify_server_cert BOOLEAN NOT NULL COMMENT 'Wh= ether to verify the server certificate.', Heartbeat FLOAT NOT NULL COMMEN= T '', Bind TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'Displays whi= ch interface is employed when connecting to the MySQL server', Ignored_se= rver_ids TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The number of = server IDs to be ignored, followed by the a! 
> > ctual server IDs', Uuid TEXT CHARACTER SET utf8 COLLATE utf8_bin COMM= E > NT 'The master server uuid.', Retry_count BIGINT UNSIGNED NOT NULL COMM= ENT 'Number of reconnect attempts, to the master, before giving up.', PRI= MARY KEY(Master_id)) ENGINE=3DMYISAM DEFAULT CHARSET=3Dutf8 COMMENT 'Mast= er Information'; > +CREATE TABLE IF NOT EXISTS slave_master_info (Master_id INTEGER UNSIGN= ED NOT NULL, Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of= lines in the file.', Master_log_name TEXT CHARACTER SET utf8 COLLATE utf= 8_bin NOT NULL COMMENT 'The name of the master binary log currently being= read from the master.', Master_log_pos BIGINT UNSIGNED NOT NULL COMMENT = 'The master log position of the last read event.', Host TEXT CHARACTER SE= T utf8 COLLATE utf8_bin COMMENT 'The host name of the master.', User_name= TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The user name used to = connect to the master.', User_password TEXT CHARACTER SET utf8 COLLATE ut= f8_bin COMMENT 'The password used to connect to the master.', Port INTEGE= R UNSIGNED NOT NULL COMMENT 'The network port used to connect to the mast= er.', Connect_retry INTEGER UNSIGNED NOT NULL COMMENT 'The period (in sec= onds) that the slave will wait before trying to reconnect to the master.'= , Enabled_ssl BOOLEAN NOT NULL COMMENT 'In! 
> > dicates whether the server supports SSL connections.', Ssl_ca TEXT CH= ARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certific= ate Authority (CA) certificate.', Ssl_capath TEXT CHARACTER SET utf8 COLL= ATE utf8_bin COMMENT 'The path to the Certificate Authority (CA) certific= ates.', Ssl_cert TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The na= me of the SSL certificate file.', Ssl_cipher TEXT CHARACTER SET utf8 COLL= ATE utf8_bin COMMENT 'The name of the cipher in use for the SSL connectio= n.', Ssl_key TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name o= f the SSL key file.', Ssl_verify_server_cert BOOLEAN NOT NULL COMMENT 'Wh= ether to verify the server certificate.', Heartbeat FLOAT NOT NULL COMMEN= T '', Bind TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'Displays whi= ch interface is employed when connecting to the MySQL server', Ignored_se= rver_ids TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The number of = server IDs to be ignored, followed by the a! > > ctual server IDs', Uuid TEXT CHARACTER SET utf8 COLLATE utf8_bin COMM= E > NT 'The master server uuid.', Retry_count BIGINT UNSIGNED NOT NULL COMM= ENT 'Number of reconnect attempts, to the master, before giving up.', Ssl= _crl TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for = the Certificate Revocation List (CRL)', Ssl_crlpath TEXT CHARACTER SET ut= f8 COLLATE utf8_bin COMMENT 'The path used for Certificate Revocation Lis= t (CRL) files', PRIMARY KEY(Master_id)) ENGINE=3DMYISAM DEFAULT CHARSET=3D= utf8 COMMENT 'Master Information'; > > -- > -- PERFORMANCE SCHEMA INSTALLATION > > =3D=3D=3D modified file 'scripts/mysql_system_tables_fix.sql' > --- a/scripts/mysql_system_tables_fix.sql 2011-04-07 09:55:09 +0000 > +++ b/scripts/mysql_system_tables_fix.sql 2011-06-17 13:53:47 +0000 
> @@ -660,3 +660,6 @@ DROP TABLE tmp_proxies_priv; > # changes was correct > > flush privileges; > + > +ALTER TABLE slave_master_info ADD Ssl_crl TEXT CHARACTER SET utf8 COLL= ATE utf8_bin COMMENT 'The file used for the Certificate Revocation List (= CRL)'; > +ALTER TABLE slave_master_info ADD Ssl_crlpath TEXT CHARACTER SET utf8 = COLLATE utf8_bin COMMENT 'The path used for Certificate Revocation List (= CRL) files'; > > =3D=3D=3D modified file 'sql-common/client.c' > --- a/sql-common/client.c 2011-05-31 13:52:09 +0000 > +++ b/sql-common/client.c 2011-06-17 13:53:47 +0000 > @@ -1011,7 +1011,7 @@ static const char *default_options[]=3D > "ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base= -name", > "multi-results", "multi-statements", "multi-queries", "secure-auth"= , > "report-data-truncation", "plugin-dir", "default-auth", > - "bind-address", > + "bind-address", "ssl-crl", "ssl-crlpath", > NullS > }; > enum option_id { > @@ -1023,7 +1023,7 @@ enum option_id { > OPT_ssl_cipher, OPT_max_allowed_packet, OPT_protocol, OPT_shared_me= mory_base_name, > OPT_multi_results, OPT_multi_statements, OPT_multi_queries, OPT_sec= ure_auth, > OPT_report_data_truncation, OPT_plugin_dir, OPT_default_auth, > - OPT_bind_address, > + OPT_bind_address, OPT_ssl_crl, OPT_ssl_crlpath, > OPT_keep_this_one_last > }; 
> > @@ -1184,12 +1184,22 @@ void mysql_read_default_options(struct s > my_free(options->ssl_cipher); > options->ssl_cipher=3D my_strdup(opt_arg, MYF(MY_WME)); > break; > + case OPT_ssl_crl: > + my_free(options->ssl_crl); > + options->ssl_crl =3D my_strdup(opt_arg, MYF(MY_WME)); > + break; > + case OPT_ssl_crlpath: > + my_free(options->ssl_crlpath); > + options->ssl_crlpath =3D my_strdup(opt_arg, MYF(MY_WME)); > + break; > #else > case OPT_ssl_key: > case OPT_ssl_cert: > case OPT_ssl_ca: > case OPT_ssl_capath: > case OPT_ssl_cipher: > + case OPT_ssl_crl: > + case OPT_ssl_crlpath: > break; > #endif /* HAVE_OPENSSL&& !EMBEDDED_LIBRARY */ > case OPT_character_sets_dir: > @@ -1644,15 +1654,18 @@ mysql_ssl_set(MYSQL *mysql __attribute__ > const char *capath __attribute__((unused)), > const char *cipher __attribute__((unused))) > { > + my_bool result=3D 0; > DBUG_ENTER("mysql_ssl_set"); > #if defined(HAVE_OPENSSL)&& !defined(EMBEDDED_LIBRARY) > - mysql->options.ssl_key=3D strdup_if_not_null(key); > - mysql->options.ssl_cert=3D strdup_if_not_null(cert); > - mysql->options.ssl_ca=3D strdup_if_not_null(ca); > - mysql->options.ssl_capath=3D strdup_if_not_null(capath); > - mysql->options.ssl_cipher=3D strdup_if_not_null(cipher); > -#endif /* HAVE_OPENSSL&& !EMBEDDED_LIBRARY */ > - DBUG_RETURN(0); > + result=3D Some stray spaces at the end above. ^ > + mysql_options(mysql, MYSQL_OPT_SSL_KEY, key) + > + mysql_options(mysql, MYSQL_OPT_SSL_CERT, cert) + > + mysql_options(mysql, MYSQL_OPT_SSL_CA, ca) + > + mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) + > + mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher) And, a space at the end here ^. > + ? 1 : 0; > +#endif > + DBUG_RETURN(result); > } 
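Review bot: In mysql_ssl_set the new `result=` expression relies on `+` binding tighter than `?:` to mean "at least one call failed", which reads like five summed calls whose last operand happens to be conditional; parenthesising the sum, `result= (mysql_options(mysql, MYSQL_OPT_SSL_KEY, key) + ... + mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)) ? 1 : 0;`, or accumulating with `|=` per call, makes the intent explicit while still applying every option even after an earlier failure (which `||` would not). The closing `#endif` also dropped the `/* HAVE_OPENSSL && !EMBEDDED_LIBRARY */` trailer the removed line carried; the other `#endif`s in this file keep that convention, so it should be restored. The function's head is outside this hunk.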
> > > @@ -1674,6 +1687,8 @@ mysql_ssl_free(MYSQL *mysql __attribute_ > my_free(mysql->options.ssl_ca); > my_free(mysql->options.ssl_capath); > my_free(mysql->options.ssl_cipher); > + my_free(mysql->options.ssl_crl); > + my_free(mysql->options.ssl_crlpath); > if (ssl_fd) > SSL_CTX_free(ssl_fd->ssl_context); > my_free(mysql->connector_fd); > @@ -1682,6 +1697,8 @@ mysql_ssl_free(MYSQL *mysql __attribute_ > mysql->options.ssl_ca =3D 0; > mysql->options.ssl_capath =3D 0; > mysql->options.ssl_cipher=3D 0; > + mysql->options.ssl_crl =3D 0; > + mysql->options.ssl_crlpath =3D 0; > mysql->options.use_ssl =3D FALSE; > mysql->connector_fd =3D 0; > DBUG_VOID_RETURN; > @@ -2350,7 +2367,8 @@ static int send_client_reply_packet(MCPV > #if defined(HAVE_OPENSSL)&& !defined(EMBEDDED_LIBRARY) > if (mysql->options.ssl_key || mysql->options.ssl_cert || > mysql->options.ssl_ca || mysql->options.ssl_capath || > - mysql->options.ssl_cipher) > + mysql->options.ssl_cipher || > + mysql->options.ssl_crl || mysql->options.ssl_crlpath) > mysql->options.use_ssl=3D 1; > if (mysql->options.use_ssl) > mysql->client_flag|=3D CLIENT_SSL; > @@ -2411,7 +2429,9 @@ static int send_client_reply_packet(MCPV > options->ssl_ca, > options->ssl_capath, > options->ssl_cipher, > -&ssl_init_error))) > +&ssl_init_error, > + options->ssl_crl, > + options->ssl_crlpath))) > { > set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknow= n_sqlstate, > ER(CR_SSL_CONNECTION_ERROR), sslGetErr= String(ssl_init_error)); 
> @@ -3975,6 +3995,20 @@ mysql_fetch_lengths(MYSQL_RES *res) > return res->lengths; > } > > +#if defined(HAVE_OPENSSL)&& !defined(EMBEDDED_LIBRARY) > +#define SET_SSL_OPTION(opt_var,arg) \ > + if (mysql->options.opt_var) \ > + my_free(mysql->options.opt_var); \ > + mysql->options.opt_var=3D arg ? my_strdup(arg, MYF(MY_WME)) : NULL= ; \ > + if (mysql->options.opt_var) \ > + mysql->options.use_ssl=3D 1 > +#else > +#define SET_SSL_OPTION(opt_var,arg) \ > + { \ > + ; \ > + } while(0) > +#endif > + > > int STDCALL > mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)= > @@ -4066,6 +4100,13 @@ mysql_options(MYSQL *mysql,enum mysql_op > case MYSQL_DEFAULT_AUTH: > EXTENSION_SET_STRING(&mysql->options, default_auth, arg); > break; > + case MYSQL_OPT_SSL_KEY: SET_SSL_OPTION(ssl_key, arg); break= ; > + case MYSQL_OPT_SSL_CERT: SET_SSL_OPTION(ssl_cert, arg); break= ; > + case MYSQL_OPT_SSL_CA: SET_SSL_OPTION(ssl_ca, arg); break= ; > + case MYSQL_OPT_SSL_CAPATH: SET_SSL_OPTION(ssl_capath, arg); break= ; > + case MYSQL_OPT_SSL_CIPHER: SET_SSL_OPTION(ssl_cipher, arg); break= ; > + case MYSQL_OPT_SSL_CRL: SET_SSL_OPTION(ssl_crl, arg); break= ; > + case MYSQL_OPT_SSL_CRLPATH: SET_SSL_OPTION(ssl_crlpath, arg); break= ; > default: > DBUG_RETURN(1); > } > > =3D=3D=3D modified file 'sql/lex.h' > --- a/sql/lex.h 2010-11-25 11:20:16 +0000 > +++ b/sql/lex.h 2011-06-17 13:53:47 +0000 > @@ -331,6 +331,8 @@ static SYMBOL symbols[] =3D { > { "MASTER_SSL_CAPATH",SYM(MASTER_SSL_CAPATH_SYM)}, > { "MASTER_SSL_CERT", SYM(MASTER_SSL_CERT_SYM)}, > { "MASTER_SSL_CIPHER",SYM(MASTER_SSL_CIPHER_SYM)}, > + { "MASTER_SSL_CRL", SYM(MASTER_SSL_CRL_SYM)}, > + { "MASTER_SSL_CRLPATH",SYM(MASTER_SSL_CRLPATH_SYM)}, > { "MASTER_SSL_KEY", SYM(MASTER_SSL_KEY_SYM)}, > { "MASTER_SSL_VERIFY_SERVER_CERT", SYM(MASTER_SSL_VERIFY_SERVER_CER= T_SYM)}, > { "MASTER_USER", SYM(MASTER_USER_SYM)}, > > =3D=3D=3D modified file 'sql/mysqld.cc' > --- a/sql/mysqld.cc 2011-06-06 10:29:45 +0000 
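Review bot: The OpenSSL branch of `SET_SSL_OPTION` expands to three separate statements with no `do { } while(0)` wrapper, and the non-OpenSSL branch `{ ; } while(0)` is missing its `do`, so it expands to an empty block followed by a no-op `while(0);` loop; both work only because every use site is a bare `case ...: SET_SSL_OPTION(...); break;`. The `if (mysql->options.opt_var) my_free(...)` guard is also redundant, since mysql_ssl_free earlier in this diff calls my_free on these same fields unconditionally. More importantly, when `arg` is non-NULL and my_strdup fails, the field is left NULL and mysql_options still returns 0, so a caller that set MYSQL_OPT_SSL_CRL under memory pressure would connect with revocation checking silently disabled; the macro should report that as a failure. A version covering all three points follows.
```c
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#define SET_SSL_OPTION(opt_var,arg)                                       \
  do {                                                                    \
    my_free(mysql->options.opt_var);                                      \
    mysql->options.opt_var= arg ? my_strdup(arg, MYF(MY_WME)) : NULL;     \
    if (arg && !mysql->options.opt_var)                                   \
      DBUG_RETURN(1);  /* allocation failed: do not drop the option silently */ \
    if (mysql->options.opt_var)                                           \
      mysql->options.use_ssl= 1;                                          \
  } while(0)
#else
#define SET_SSL_OPTION(opt_var,arg) do { } while(0)
#endif
```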
> +++ b/sql/mysqld.cc 2011-06-17 13:53:47 +0000 > @@ -911,7 +911,8 @@ HANDLE smem_event_connect_request=3D 0; > > my_bool opt_use_ssl =3D 0; > char *opt_ssl_ca=3D NULL, *opt_ssl_capath=3D NULL, *opt_ssl_cert=3D N= ULL, > - *opt_ssl_cipher=3D NULL, *opt_ssl_key=3D NULL; > + *opt_ssl_cipher=3D NULL, *opt_ssl_key=3D NULL, *opt_ssl_crl=3D NU= LL, > + *opt_ssl_crlpath=3D NULL; > > #ifdef HAVE_OPENSSL > #include > @@ -3853,7 +3854,8 @@ static void init_ssl() > /* having ssl_acceptor_fd !=3D 0 signals the use of SSL */ > ssl_acceptor_fd=3D new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert= , > opt_ssl_ca, opt_ssl_capath, > - opt_ssl_cipher,&error); > + opt_ssl_cipher,&error, > + opt_ssl_crl, opt_ssl_crlpath= ); > DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_= fd)); > if (!ssl_acceptor_fd) > { > > =3D=3D=3D modified file 'sql/mysqld.h' > --- a/sql/mysqld.h 2011-05-19 09:11:38 +0000 > +++ b/sql/mysqld.h 2011-06-17 13:53:47 +0000 > @@ -477,7 +477,7 @@ extern int32 thread_running; > extern my_atomic_rwlock_t thread_running_lock; > > extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cip= her, > - *opt_ssl_key; > + *opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath; > > extern MYSQL_PLUGIN_IMPORT pthread_key(THD*, THR_THD); > > @@ -533,7 +533,9 @@ enum options_mysqld > OPT_WANT_CORE, > OPT_ENGINE_CONDITION_PUSHDOWN, > OPT_LOG_ERROR, > - OPT_MAX_LONG_DATA_SIZE > + OPT_MAX_LONG_DATA_SIZE, > + OPT_SSL_CRL, > + OPT_SSL_CRLPATH, > }; > > > > =3D=3D=3D modified file 'sql/rpl_mi.cc' > --- a/sql/rpl_mi.cc 2011-04-28 16:50:10 +0000 > +++ b/sql/rpl_mi.cc 2011-06-17 13:53:47 +0000 
> @@ -43,8 +43,14 @@ enum { > /* line for master_retry_count */ > LINE_FOR_MASTER_RETRY_COUNT=3D 20, > > + /* line for ssl_crl */ > + LINE_FOR_SSL_CRL=3D 21, > + > + /* line for ssl_crl */ > + LINE_FOR_SSL_CRLPATH=3D 22, > + > /* Number of lines currently used when saving master info file */ > - LINES_IN_MASTER_INFO=3D LINE_FOR_MASTER_RETRY_COUNT > + LINES_IN_MASTER_INFO=3D LINE_FOR_SSL_CRLPATH > }; > > /* > @@ -73,7 +79,9 @@ const char *info_mi_fields []=3D > "bind", > "ignore_server_ids", > "uuid", > - "retry_count" > + "retry_count", > + "ssl_crl", > + "ssl_crlpath", > }; > > Master_info::Master_info( > @@ -105,6 +113,7 @@ Master_info::Master_info( > host[0] =3D 0; user[0] =3D 0; password[0] =3D 0; bind_addr[0] =3D 0= ; > ssl_ca[0]=3D 0; ssl_capath[0]=3D 0; ssl_cert[0]=3D 0; > ssl_cipher[0]=3D 0; ssl_key[0]=3D 0; > + ssl_crl[0]=3D 0; ssl_crlpath[0]=3D 0; > master_uuid[0]=3D 0; > ignore_server_ids=3D new Server_ids(); > } > @@ -412,6 +421,13 @@ bool Master_info::read_info(Rpl_info_han > DBUG_RETURN(TRUE); > } > > + if (lines>=3D LINE_FOR_SSL_CRLPATH) > + { > + if (from->get_info(ssl_crl, sizeof(ssl_crl), 0) || > + from->get_info(ssl_crlpath, sizeof(ssl_crlpath), 0)) > + DBUG_RETURN(TRUE); > + } > + > ssl=3D (my_bool) test(temp_ssl); > ssl_verify_server_cert=3D (my_bool) test(temp_ssl_verify_server_cer= t); > master_log_pos=3D (my_off_t) temp_master_log_pos; > @@ -457,7 +473,9 @@ bool Master_info::write_info(Rpl_info_ha > to->set_info(bind_addr) || > to->set_info(ignore_server_ids) || > to->set_info(master_uuid) || > - to->set_info(retry_count)) > + to->set_info(retry_count) || > + to->set_info(ssl_crl) || > + to->set_info(ssl_crlpath)) > DBUG_RETURN(TRUE); > > if (to->flush_info(force)) > > =3D=3D=3D modified file 'sql/rpl_mi.h' > --- a/sql/rpl_mi.h 2011-04-28 16:50:10 +0000 > +++ b/sql/rpl_mi.h 2011-06-17 13:53:47 +0000 
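Review bot: The comment above `LINE_FOR_SSL_CRLPATH= 22` reads `/* line for ssl_crl */`, copied from the entry above it; it should be `/* line for ssl_crlpath */`. The `if (lines >= LINE_FOR_SSL_CRLPATH)` guard in read_info also deserves a one-line comment stating that a master info file written before this change leaves `ssl_crl` and `ssl_crlpath` at the empty string set in the constructor, i.e. an upgraded slave reconnects without CRL checking until CHANGE MASTER sets them; that is the intended behaviour, but it is a security-relevant default that a reader of this code should not have to reconstruct. read_info and write_info both extend beyond their hunks.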
> @@ -73,6 +73,7 @@ public: > my_bool ssl; // enables use of SSL connection if true > char ssl_ca[FN_REFLEN], ssl_capath[FN_REFLEN], ssl_cert[FN_REFLEN];= > char ssl_cipher[FN_REFLEN], ssl_key[FN_REFLEN]; > + char ssl_crl[FN_REFLEN], ssl_crlpath[FN_REFLEN]; > my_bool ssl_verify_server_cert; > > MYSQL* mysql; > > =3D=3D=3D modified file 'sql/rpl_slave.cc' > --- a/sql/rpl_slave.cc 2011-06-10 16:57:01 +0000 > +++ b/sql/rpl_slave.cc 2011-06-17 13:53:47 +0000 > @@ -2050,6 +2050,10 @@ bool show_master_info(THD* thd, Master_i > sizeof(mi->bind_addr)));= > field_list.push_back(new Item_empty_string("Last_IO_Error_Timestamp= ", 20)); > field_list.push_back(new Item_empty_string("Last_SQL_Error_Timestam= p", 20)); > + field_list.push_back(new Item_empty_string("Master_SSL_Crl", > + sizeof(mi->ssl_crl))); > + field_list.push_back(new Item_empty_string("Master_SSL_Crlpath", > + sizeof(mi->ssl_crlpath)))= ; > > > if (protocol->send_result_set_metadata(&field_list, > @@ -2227,6 +2231,10 @@ bool show_master_info(THD* thd, Master_i > protocol->store(mi->last_error().timestamp,&my_charset_bin); > // Last_SQL_Error_Timestamp > protocol->store(mi->rli->last_error().timestamp,&my_charset_bin);= > + // Master_Ssl_Crl > + protocol->store(mi->ssl_ca,&my_charset_bin); > + // Master_Ssl_Crlpath > + protocol->store(mi->ssl_capath,&my_charset_bin); > > mysql_mutex_unlock(&mi->rli->err_lock); > mysql_mutex_unlock(&mi->err_lock); > @@ -4701,6 +4709,10 @@ static int connect_to_master(THD* thd, M > mi->ssl_ca[0]?mi->ssl_ca:0, > mi->ssl_capath[0]?mi->ssl_capath:0, > mi->ssl_cipher[0]?mi->ssl_cipher:0); > + mysql_options(mysql, MYSQL_OPT_SSL_CRL, > + mi->ssl_crl[0] ? mi->ssl_crl : 0); > + mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, > + mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0); > mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, > &mi->ssl_verify_server_cert); > } 
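Review bot: In the second show_master_info hunk the values stored for the new columns are the wrong fields: `protocol->store(mi->ssl_ca, ...)` sits under `// Master_Ssl_Crl` and `protocol->store(mi->ssl_capath, ...)` under `// Master_Ssl_Crlpath`, so SHOW SLAVE STATUS would display the CA file and CA path as if they were the CRL settings, and an operator could conclude that revocation checking is configured when it is not. They should be `protocol->store(mi->ssl_crl, &my_charset_bin);` and `protocol->store(mi->ssl_crlpath, &my_charset_bin);`. The metadata hunk names the columns `Master_SSL_Crl`/`Master_SSL_Crlpath` while the store comments say `Master_Ssl_Crl`/`Master_Ssl_Crlpath`; pick one spelling for both. show_master_info starts and ends outside these hunks.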
> @@ -4832,6 +4844,10 @@ MYSQL *rpl_connect_master(MYSQL *mysql) > mi->ssl_ca[0]?mi->ssl_ca:0, > mi->ssl_capath[0]?mi->ssl_capath:0, > mi->ssl_cipher[0]?mi->ssl_cipher:0); > + mysql_options(mysql, MYSQL_OPT_SSL_CRL, > + mi->ssl_crl[0] ? mi->ssl_crl : 0); > + mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, > + mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0); > mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, > &mi->ssl_verify_server_cert); > } > @@ -5902,10 +5918,14 @@ bool change_master(THD* thd, Master_info > strmake(mi->ssl_cipher, lex_mi->ssl_cipher, sizeof(mi->ssl_cipher= )-1); > if (lex_mi->ssl_key) > strmake(mi->ssl_key, lex_mi->ssl_key, sizeof(mi->ssl_key)-1); > + if (lex_mi->ssl_crl) > + strmake(mi->ssl_crl, lex_mi->ssl_crl, sizeof(mi->ssl_crl)-1); > + if (lex_mi->ssl_crlpath) > + strmake(mi->ssl_crlpath, lex_mi->ssl_crlpath, sizeof(mi->ssl_crlpa= th)-1); > #ifndef HAVE_OPENSSL > if (lex_mi->ssl || lex_mi->ssl_ca || lex_mi->ssl_capath || > lex_mi->ssl_cert || lex_mi->ssl_cipher || lex_mi->ssl_key || > - lex_mi->ssl_verify_server_cert ) > + lex_mi->ssl_verify_server_cert || lex_mi->ssl_crl || lex_mi->ssl= _crlpath) > push_warning(thd, MYSQL_ERROR::WARN_LEVEL_NOTE, > ER_SLAVE_IGNORED_SSL_PARAMS, ER(ER_SLAVE_IGNORED_SSL= _PARAMS)); > #endif > > =3D=3D=3D modified file 'sql/sql_lex.h' > --- a/sql/sql_lex.h 2011-06-10 09:52:57 +0000 > +++ b/sql/sql_lex.h 2011-06-17 13:53:47 +0000 > @@ -220,6 +220,7 @@ typedef struct st_lex_master_info > ssl, ssl_verify_server_cert, heartbeat_opt, repl_ignore_server_id= s_opt, > retry_count_opt; > char *ssl_key, *ssl_cert, *ssl_ca, *ssl_capath, *ssl_cipher; > + char *ssl_crl, *ssl_crlpath; > char *relay_log_name; > ulong relay_log_pos; > DYNAMIC_ARRAY repl_ignore_server_ids; > > =3D=3D=3D modified file 'sql/sql_yacc.yy' > --- a/sql/sql_yacc.yy 2011-06-09 18:18:22 +0000 > +++ b/sql/sql_yacc.yy 2011-06-17 13:53:47 +0000 
> @@ -1088,6 +1088,8 @@ bool my_yyoverflow(short **a, YYSTYPE ** > %token MASTER_SSL_CA_SYM > %token MASTER_SSL_CERT_SYM > %token MASTER_SSL_CIPHER_SYM > +%token MASTER_SSL_CRL_SYM > +%token MASTER_SSL_CRLPATH_SYM > %token MASTER_SSL_KEY_SYM > %token MASTER_SSL_SYM > %token MASTER_SSL_VERIFY_SERVER_CERT_SYM > @@ -1964,6 +1966,14 @@ master_def: > Lex->mi.ssl_verify_server_cert=3D $3 ? > LEX_MASTER_INFO::LEX_MI_ENABLE : LEX_MASTER_INFO::LEX_M= I_DISABLE; > } > + | MASTER_SSL_CRL_SYM EQ TEXT_STRING_sys > + { > + Lex->mi.ssl_crl=3D $3.str; > + } > + | MASTER_SSL_CRLPATH_SYM EQ TEXT_STRING_sys > + { > + Lex->mi.ssl_crlpath=3D $3.str; > + } > > | MASTER_HEARTBEAT_PERIOD_SYM EQ NUM_literal > { > @@ -12727,6 +12737,8 @@ keyword_sp: > | MASTER_SSL_CAPATH_SYM {} > | MASTER_SSL_CERT_SYM {} > | MASTER_SSL_CIPHER_SYM {} > + | MASTER_SSL_CRL_SYM {} > + | MASTER_SSL_CRLPATH_SYM {} > | MASTER_SSL_KEY_SYM {} > | MAX_CONNECTIONS_PER_HOUR {} > | MAX_QUERIES_PER_HOUR {} > > =3D=3D=3D modified file 'sql/sys_vars.cc' > --- a/sql/sys_vars.cc 2011-06-10 16:57:01 +0000 > +++ b/sql/sys_vars.cc 2011-06-17 13:53:47 +0000 > @@ -2293,6 +2293,19 @@ static Sys_var_charptr Sys_ssl_key( > READ_ONLY GLOBAL_VAR(opt_ssl_key), SSL_OPT(OPT_SSL_KEY), > IN_FS_CHARSET, DEFAULT(0)); > > +static Sys_var_charptr Sys_ssl_crl( > + "ssl_crl", > + "CRL file in PEM format (check OpenSSL docs, implies --ssl)", > + READ_ONLY GLOBAL_VAR(opt_ssl_crl), SSL_OPT(OPT_SSL_CA), > + IN_FS_CHARSET, DEFAULT(0)); > + > +static Sys_var_charptr Sys_ssl_crlpath( > + "ssl_crlpath", > + "CRL directory (check OpenSSL docs, implies --ssl)", > + READ_ONLY GLOBAL_VAR(opt_ssl_crlpath), SSL_OPT(OPT_SSL_CAPATH),= > + IN_FS_CHARSET, DEFAULT(0)); > + > + > // why ENUM and not BOOL ? > static const char *updatable_views_with_limit_names[]=3D {"NO", "YES"= , 0}; > static Sys_var_enum Sys_updatable_views_with_limit( > > =3D=3D=3D modified file 'vio/viosslfactories.c' > --- a/vio/viosslfactories.c 2011-05-19 09:47:43 +0000 
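Review bot: Sys_ssl_crl is declared with `SSL_OPT(OPT_SSL_CA)` and Sys_ssl_crlpath with `SSL_OPT(OPT_SSL_CAPATH)`, so the two new variables share their command-line option ids with ssl_ca and ssl_capath, while the `OPT_SSL_CRL` and `OPT_SSL_CRLPATH` values this diff adds to `enum options_mysqld` in sql/mysqld.h are never used. If the reuse is deliberate because the option id is what makes `--ssl-crl` imply `--ssl` in the option handler, that should be said in a comment on each declaration; otherwise use `SSL_OPT(OPT_SSL_CRL)` and `SSL_OPT(OPT_SSL_CRLPATH)` and extend whichever switch currently maps the ssl_ca/ssl_capath ids to `opt_use_ssl`. That handler is outside this diff, so I cannot confirm what it does with a duplicated id.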
> +++ b/vio/viosslfactories.c 2011-06-17 13:53:47 +0000 > @@ -165,19 +165,22 @@ static struct st_VioSSLFd * > new_VioSSLFd(const char *key_file, const char *cert_file, > const char *ca_file, const char *ca_path, > const char *cipher, SSL_METHOD *method, > - enum enum_ssl_init_error *error) > + enum enum_ssl_init_error *error, > + const char *crl_file, const char *crl_path) > { > DH *dh; > struct st_VioSSLFd *ssl_fd; > DBUG_ENTER("new_VioSSLFd"); > DBUG_PRINT("enter", > ("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_pat= h: '%s' " > - "cipher: '%s'", > + "cipher: '%s' crl_file: '%s' crl_path: '%s' ", > key_file ? key_file : "NULL", > cert_file ? cert_file : "NULL", > ca_file ? ca_file : "NULL", > ca_path ? ca_path : "NULL", > - cipher ? cipher : "NULL")); > + cipher ? cipher : "NULL", > + ca_file ? ca_file : "NULL", > + ca_path ? ca_path : "NULL")); > > check_ssl_init(); > > @@ -225,6 +228,25 @@ new_VioSSLFd(const char *key_file, const > } > } > > + if (crl_file || crl_path) > + { > + X509_STORE *store=3D SSL_CTX_get_cert_store(ssl_fd->ssl_context); > + /* Load crls from the trusted ca */ > + if (X509_STORE_load_locations(store, crl_file, crl_path) =3D=3D 0 = || > + X509_STORE_set_flags(store, > + X509_V_FLAG_CRL_CHECK | > + X509_V_FLAG_CRL_CHECK_ALL) =3D=3D 0) > + { > + DBUG_PRINT("warning", ("X509_STORE_load_locations for CRL failed= ")); > + *error=3D SSL_INITERR_BAD_PATHS; > + DBUG_PRINT("error", ("%s", sslGetErrString(*error))); > + report_errors(); > + SSL_CTX_free(ssl_fd->ssl_context); > + my_free(ssl_fd); > + DBUG_RETURN(0); > + } > + } > + > if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, er= ror)) > { > DBUG_PRINT("error", ("vio_set_cert_stuff failed")); 
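Review bot: The extended DBUG_PRINT in new_VioSSLFd prints the wrong values for the two new placeholders: the format string now ends with `crl_file: '%s' crl_path: '%s'`, but the arguments passed for them are `ca_file ? ca_file : "NULL"` and `ca_path ? ca_path : "NULL"` again, so the trace repeats the CA values and never shows the CRL settings. The last two argument lines should read `crl_file ? crl_file : "NULL",` and `crl_path ? crl_path : "NULL"));`. Since this trace is the only place the effective CRL configuration is visible when debugging a handshake failure, the mix-up will mislead anyone diagnosing a revocation problem.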
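Review bot: The comment `/* Load crls from the trusted ca */` in the new CRL block is inaccurate — the CRLs come from the caller-supplied crl_file/crl_path, not from the CA, and nothing on the lines that follow documents the verification policy being enabled. I would replace it with something like `/* Load CRLs from crl_file/crl_path into the context's store and require a valid CRL for every certificate in the chain (CRL_CHECK_ALL); the store is populated once here, so a refreshed CRL is only picked up when the context is recreated */`. The last part is inferred from this function alone — if some other path reloads the store it should be named instead. It would also be worth stating in the commit message that with X509_V_FLAG_CRL_CHECK_ALL a chain whose issuer has no CRL in the configured locations fails verification, since that is the expected (fail-closed) behaviour users will hit when the directory is incomplete.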
> @@ -249,7 +271,8 @@ new_VioSSLFd(const char *key_file, const > struct st_VioSSLFd * > new_VioSSLConnectorFd(const char *key_file, const char *cert_file, > const char *ca_file, const char *ca_path, > - const char *cipher, enum enum_ssl_init_error* er= ror) > + const char *cipher, enum enum_ssl_init_error* er= ror, > + const char *crl_file, const char *crl_path) > { > struct st_VioSSLFd *ssl_fd; > int verify=3D SSL_VERIFY_PEER; > @@ -262,7 +285,8 @@ new_VioSSLConnectorFd(const char *key_fi > verify=3D SSL_VERIFY_NONE; > > if (!(ssl_fd=3D new_VioSSLFd(key_file, cert_file, ca_file, > - ca_path, cipher, TLSv1_client_method(), e= rror))) > + ca_path, cipher, TLSv1_client_method(), e= rror, > + crl_file, crl_path))) > { > return 0; > } > @@ -279,12 +303,14 @@ new_VioSSLConnectorFd(const char *key_fi > struct st_VioSSLFd * > new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, > const char *ca_file, const char *ca_path, > - const char *cipher, enum enum_ssl_init_error* error) > + const char *cipher, enum enum_ssl_init_error* error, > + const char *crl_file, const char *crl_path) > { > struct st_VioSSLFd *ssl_fd; > int verify=3D SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; > if (!(ssl_fd=3D new_VioSSLFd(key_file, cert_file, ca_file, > - ca_path, cipher, TLSv1_server_method(), e= rror))) > + ca_path, cipher, TLSv1_server_method(), e= rror, > + crl_file, crl_path))) > { > return 0; > } > > > > --__130989297654746935abhmt107.oracle.com--
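Review bot: In the new_VioSSLConnectorFd hunk the context line `verify= SSL_VERIFY_NONE;` shows that the client can end up with peer verification disabled; the condition that selects it is outside the hunk, but if it is the no-CA case then passing --ssl-crl/--ssl-crlpath without --ssl-ca/--ssl-capath loads the CRL into the store and then never applies it, because no chain is verified. If that reading is right, either the option help should say the CRL options are only effective together with a CA setting, or the connector should refuse (or at least log) a CRL configuration without a CA. As a point of style, all three signatures append crl_file/crl_path after the `error` out-parameter; placing them next to ca_file/ca_path would keep the inputs together and the out-parameter last, as the original signatures had it.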
