From: Georgi Kodinov Date: August 19 2011 1:25pm Subject: bzr push into mysql-trunk branch (Georgi.Kodinov:3277 to 3278) Bug#11747191 List-Archive: http://lists.mysql.com/commits/140725 X-Bug: 11747191 Message-Id: <201108191326.p7JDQ1TK016877@acsmt358.oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit 3278 Georgi Kodinov 2011-08-19 Bug #11747191: 31224: SUPPORT FOR SSL CERTIFICATE REVOCATION LISTS Added support for --ssl-crl and --ssl-crlpath to all client and server binaries that work with OpenSSL. You can specify none, one or both of the above. --ssl-crl takes a file path for a PEM encoded Certificate revocation lists. The relevant file is parsed and loaded into the X509 store of the SSL context. --ssl-crlpath takes a directory path. This directory must contain PEM encoded CRL (or other) files that are named by their hash value, .e.g. .r[0-9] See OpenSSL's X509_STORE_load_locations() for more details of the above. Note that if none of the --ssl-crl* options is specified no CRL checks will be performed, even if the -capath contains certificate revocation lists. Added Master_SSL_crl and Master_SSL_CRLPATH to CNANGE MASTER command. Added new columns Ssl_crl and Ssl_crlpath to mysql.slave_master_info system table. Reengineered mysql_ssl_set() in the C API into a number of mysql_options calls as follows (while keeping mysql_ssl_set()): mysql_ssl_set(mysql, key, cert, ca, capath, cipher) { mysql_options(mysql, MYSQL_OPT_SSL_KEY, key) mysql_options(mysql, MYSQL_OPT_SSL_CERT, cert) mysql_options(mysql, MYSQL_OPT_SSL_CA, ca) mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher) } Added two new mysql_options that correspond to the command line calls : MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH. Made sure these play nicely with the ABI by using the extension. Added tests and a set of cryptographic keys and crls to test the new options. 
Extended the mtr ssl check to find the new tests. Made sure that on yaSSL these options are a no-op for the server. added: mysql-test/include/have_openssl.inc mysql-test/r/openssl.require mysql-test/r/ssl-crl-revoked-crl.result mysql-test/r/ssl_crl.result mysql-test/r/ssl_crl_clients-valid.result mysql-test/r/ssl_crl_clients.result mysql-test/r/ssl_crl_clients_valid.result mysql-test/r/ssl_crl_clrpath.result mysql-test/std_data/crl-ca-cert.pem mysql-test/std_data/crl-client-cert.pem mysql-test/std_data/crl-client-key.pem mysql-test/std_data/crl-client-revoked.crl mysql-test/std_data/crl-server-cert.pem mysql-test/std_data/crl-server-key.pem mysql-test/std_data/crldir/ mysql-test/std_data/crldir/fc725416.r0 mysql-test/t/ssl_crl-master.opt mysql-test/t/ssl_crl.test mysql-test/t/ssl_crl_clients-master.opt mysql-test/t/ssl_crl_clients.test mysql-test/t/ssl_crl_clients_valid-master.opt mysql-test/t/ssl_crl_clients_valid.test mysql-test/t/ssl_crl_clrpath-master.opt mysql-test/t/ssl_crl_clrpath.test modified: client/client_priv.h client/mysql.cc client/mysqladmin.cc client/mysqlcheck.c client/mysqldump.c client/mysqlimport.c client/mysqlshow.c client/mysqlslap.c client/mysqltest.cc include/mysql.h include/mysql.h.pp include/sql_common.h include/sslopt-case.h include/sslopt-longopts.h include/sslopt-vars.h include/violite.h mysql-test/include/check-testcase.test mysql-test/lib/mtr_cases.pm mysql-test/r/variables.result mysql-test/suite/funcs_1/r/is_columns_mysql.result scripts/mysql_system_tables.sql scripts/mysql_system_tables_fix.sql sql-common/client.c sql/lex.h sql/mysqld.cc sql/mysqld.h sql/rpl_mi.cc sql/rpl_mi.h sql/rpl_slave.cc sql/sql_lex.h sql/sql_yacc.yy sql/sys_vars.cc vio/viosslfactories.c 3277 Jorgen Loland 2011-08-19 WL#5285 addendum: Recorded result files after merging WL#5285 from opt-team to trunk modified: mysql-test/r/func_gconcat.result mysql-test/r/subquery_nomat_nosj_bka.result mysql-test/r/subquery_nomat_nosj_bka_nobnl.result 
mysql-test/r/subquery_none_bka.result mysql-test/r/subquery_none_bka_nobnl.result === modified file 'client/client_priv.h' --- a/client/client_priv.h 2011-07-04 00:25:46 +0000 +++ b/client/client_priv.h 2011-08-19 13:24:24 +0000 @@ -90,6 +90,7 @@ enum options_client OPT_RAW_OUTPUT, OPT_WAIT_SERVER_ID, OPT_STOP_NEVER, OPT_BINLOG_ROWS_EVENT_MAX_SIZE, OPT_BINARY_MODE, + OPT_SSL_CRL, OPT_SSL_CRLPATH, OPT_MAX_CLIENT_OPTION }; === modified file 'client/mysql.cc' --- a/client/mysql.cc 2011-07-22 08:10:35 +0000 +++ b/client/mysql.cc 2011-08-19 13:24:24 +0000 @@ -4446,8 +4446,12 @@ sql_real_connect(char *host,char *databa mysql_options(&mysql,MYSQL_OPT_LOCAL_INFILE, (char*) &opt_local_infile); #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) if (opt_use_ssl) + { mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); + } mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif === modified file 'client/mysqladmin.cc' --- a/client/mysqladmin.cc 2011-07-22 08:10:35 +0000 +++ b/client/mysqladmin.cc 2011-08-19 13:24:24 +0000 @@ -342,8 +342,12 @@ int main(int argc,char *argv[]) } #ifdef HAVE_OPENSSL if (opt_use_ssl) + { mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); + } mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif === modified file 'client/mysqlcheck.c' --- a/client/mysqlcheck.c 2011-07-22 08:10:35 +0000 +++ b/client/mysqlcheck.c 2011-08-19 13:24:24 +0000 
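Review bot: The two new `mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl)` / `MYSQL_OPT_SSL_CRLPATH` calls are pasted verbatim after every mysql_ssl_set() call in the client binaries (mysqladmin.cc on this line, mysqlcheck.c, mysqldump.c and mysqlimport.c on the next, mysqlshow.c, mysqlslap.c and both mysqltest.cc sites after that), so the client-side SSL setup now lives in eight copies that must be kept in step by hand. Since the commit already reworks mysql_ssl_set() into mysql_options() calls, one shared helper next to the sslopt-*.h includes, taking the `MYSQL *` and applying all seven options, would make the next SSL option a one-line change. Note also that opt_ssl_crl and opt_ssl_crlpath are passed even when the user never gave the option, which relies on the MYSQL_OPT_SSL_CRL handler in sql-common/client.c (not in this chunk) treating a NULL argument as "unset" rather than as an empty path. The enclosing sql_real_connect() starts and ends outside the hunk.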
@@ -837,8 +837,12 @@ static int dbConnect(char *host, char *u mysql_options(&mysql_connection, MYSQL_OPT_COMPRESS, NullS); #ifdef HAVE_OPENSSL if (opt_use_ssl) + { mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); + } #endif if (opt_protocol) mysql_options(&mysql_connection,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); === modified file 'client/mysqldump.c' --- a/client/mysqldump.c 2011-07-22 08:10:35 +0000 +++ b/client/mysqldump.c 2011-08-19 13:24:24 +0000 @@ -1469,8 +1469,12 @@ static int connect_to_db(char *host, cha mysql_options(&mysql_connection,MYSQL_OPT_COMPRESS,NullS); #ifdef HAVE_OPENSSL if (opt_use_ssl) + { mysql_ssl_set(&mysql_connection, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&mysql_connection, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); + } mysql_options(&mysql_connection,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif === modified file 'client/mysqlimport.c' --- a/client/mysqlimport.c 2011-07-22 08:10:35 +0000 +++ b/client/mysqlimport.c 2011-08-19 13:24:24 +0000 @@ -428,8 +428,12 @@ static MYSQL *db_connect(char *host, cha (char*) &opt_local_file); #ifdef HAVE_OPENSSL if (opt_use_ssl) + { mysql_ssl_set(mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); + } mysql_options(mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif === modified file 'client/mysqlshow.c' --- a/client/mysqlshow.c 2011-07-22 08:10:35 +0000 +++ b/client/mysqlshow.c 2011-08-19 13:24:24 +0000 
@@ -115,8 +115,12 @@ int main(int argc, char **argv) mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS); #ifdef HAVE_OPENSSL if (opt_use_ssl) + { mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); + } mysql_options(&mysql,MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (char*)&opt_ssl_verify_server_cert); #endif === modified file 'client/mysqlslap.c' --- a/client/mysqlslap.c 2011-07-04 00:25:46 +0000 +++ b/client/mysqlslap.c 2011-08-19 13:24:24 +0000 @@ -332,8 +332,12 @@ int main(int argc, char **argv) mysql_options(&mysql,MYSQL_OPT_COMPRESS,NullS); #ifdef HAVE_OPENSSL if (opt_use_ssl) + { mysql_ssl_set(&mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); + } #endif if (opt_protocol) mysql_options(&mysql,MYSQL_OPT_PROTOCOL,(char*)&opt_protocol); === modified file 'client/mysqltest.cc' --- a/client/mysqltest.cc 2011-07-22 08:10:35 +0000 +++ b/client/mysqltest.cc 2011-08-19 13:24:24 +0000 @@ -5403,6 +5403,8 @@ void do_connect(struct st_command *comma #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY) mysql_ssl_set(&con_slot->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&con_slot->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); #if MYSQL_VERSION_ID >= 50000 /* Turn on ssl_verify_server_cert only if host is "localhost" */ opt_ssl_verify_server_cert= !strcmp(ds_host.str, "localhost"); 
@@ -8443,6 +8445,8 @@ int main(int argc, char **argv) { mysql_ssl_set(&con->mysql, opt_ssl_key, opt_ssl_cert, opt_ssl_ca, opt_ssl_capath, opt_ssl_cipher); + mysql_options(&con->mysql, MYSQL_OPT_SSL_CRL, opt_ssl_crl); + mysql_options(&con->mysql, MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); #if MYSQL_VERSION_ID >= 50000 /* Turn on ssl_verify_server_cert only if host is "localhost" */ opt_ssl_verify_server_cert= opt_host && !strcmp(opt_host, "localhost"); === modified file 'include/mysql.h' --- a/include/mysql.h 2011-06-30 15:50:45 +0000 +++ b/include/mysql.h 2011-08-19 13:24:24 +0000 @@ -167,7 +167,10 @@ enum mysql_option MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH, MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH, - MYSQL_OPT_BIND + MYSQL_OPT_BIND, + MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CERT, + MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CIPHER, + MYSQL_OPT_SSL_CRL, MYSQL_OPT_SSL_CRLPATH }; /** === modified file 'include/mysql.h.pp' --- a/include/mysql.h.pp 2011-05-31 13:52:09 +0000 +++ b/include/mysql.h.pp 2011-08-19 13:24:24 +0000 @@ -260,7 +260,10 @@ enum mysql_option MYSQL_OPT_GUESS_CONNECTION, MYSQL_SET_CLIENT_IP, MYSQL_SECURE_AUTH, MYSQL_REPORT_DATA_TRUNCATION, MYSQL_OPT_RECONNECT, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, MYSQL_PLUGIN_DIR, MYSQL_DEFAULT_AUTH, - MYSQL_OPT_BIND + MYSQL_OPT_BIND, + MYSQL_OPT_SSL_KEY, MYSQL_OPT_SSL_CERT, + MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CIPHER, + MYSQL_OPT_SSL_CRL, MYSQL_OPT_SSL_CRLPATH }; struct st_mysql_options_extention; struct st_mysql_options { === modified file 'include/sql_common.h' --- a/include/sql_common.h 2011-06-30 15:46:53 +0000 +++ b/include/sql_common.h 2011-08-19 13:24:24 +0000 
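Review bot: The seven enumerators appended after MYSQL_OPT_BIND are public C API and carry no documentation of what argument they take or how they differ from the rest of the enum. A comment above them would spare API users a trip into client.c, e.g. `/* SSL options; the argument is a const char * (path or cipher list). MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH are stored in the options extension to keep the ABI stable and, per the commit message, have no effect in yaSSL builds. */`. Appending at the tail keeps existing enumerator values unchanged, which is worth stating in that comment as well since mysql.h.pp is the ABI check for exactly this.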
@@ -31,6 +31,8 @@ extern const char *not_error_sqlstate; struct st_mysql_options_extention { char *plugin_dir; char *default_auth; + char *ssl_crl; /* PEM CRL file */ + char *ssl_crlpath; /* PEM directory of CRL-s? */ }; typedef struct st_mysql_methods === modified file 'include/sslopt-case.h' --- a/include/sslopt-case.h 2011-06-30 15:46:53 +0000 +++ b/include/sslopt-case.h 2011-08-19 13:24:24 +0000 @@ -22,11 +22,18 @@ case OPT_SSL_CA: case OPT_SSL_CAPATH: case OPT_SSL_CIPHER: + case OPT_SSL_CRL: + case OPT_SSL_CRLPATH: /* Enable use of SSL if we are using any ssl option One can disable SSL later by using --skip-ssl or --ssl=0 */ opt_use_ssl= 1; + /* crl has no effect in yaSSL */ +#ifdef HAVE_YASSL + opt_ssl_crl= NULL; + opt_ssl_crlpath= NULL; +#endif break; #endif #endif /* SSLOPT_CASE_INCLUDED */ === modified file 'include/sslopt-longopts.h' --- a/include/sslopt-longopts.h 2011-06-30 15:50:45 +0000 +++ b/include/sslopt-longopts.h 2011-08-19 13:24:24 +0000 @@ -38,6 +38,13 @@ {"ssl-key", OPT_SSL_KEY, "X509 key in PEM format (implies --ssl).", &opt_ssl_key, &opt_ssl_key, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0}, + {"ssl-crl", OPT_SSL_KEY, "Certificate revocation list (implies --ssl).", + &opt_ssl_crl, &opt_ssl_crl, 0, GET_STR, REQUIRED_ARG, + 0, 0, 0, 0, 0, 0}, + {"ssl-crlpath", OPT_SSL_KEY, + "Certificate revocation list path (implies --ssl).", + &opt_ssl_crlpath, &opt_ssl_crlpath, 0, GET_STR, REQUIRED_ARG, + 0, 0, 0, 0, 0, 0}, #ifdef MYSQL_CLIENT {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT, "Verify server's \"Common Name\" in its cert against hostname used " === modified file 'include/sslopt-vars.h' --- a/include/sslopt-vars.h 2011-06-30 15:46:53 +0000 +++ b/include/sslopt-vars.h 2011-08-19 13:24:24 +0000 
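Review bot: The comment on the new ssl_crlpath field, `/* PEM directory of CRL-s? */`, ends in a question mark and reads as an unresolved doubt in a struct that ships in a public header. The commit message already fixes the semantics, so state them: `/* directory of PEM CRL files named by subject hash (see X509_STORE_load_locations) */`, and give ssl_crl the matching `/* path of a PEM-encoded CRL file */`.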
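Review bot: Under HAVE_YASSL the added lines set opt_ssl_crl and opt_ssl_crlpath to NULL without any diagnostic, and because all the SSL cases in this switch share one body the reset runs on every --ssl-* option, not just the two new ones. An operator who passes --ssl-crl to a yaSSL build therefore believes revocation is enforced while no CRL check happens at all; silently dropping a security control deserves at least a warning on stderr where the binary has a warning facility, or an explicit statement in the option help text. At minimum the comment should say what is going on: `/* yaSSL cannot check CRLs: the option is accepted for command-line compatibility but ignored */`.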
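Review bot: Both new option entries are tagged with the wrong option id: `{"ssl-crl", OPT_SSL_KEY, ...}` and `{"ssl-crlpath", OPT_SSL_KEY, ...}` reuse the id of --ssl-key. The OPT_SSL_CRL and OPT_SSL_CRLPATH enumerators added in client_priv.h and the matching `case` labels added in sslopt-case.h are therefore never reached; the options only work because every SSL case in sslopt-case.h falls through to the same body, and any later per-option handling would silently land in the --ssl-key case. Change the ids to `OPT_SSL_CRL` and `OPT_SSL_CRLPATH` respectively.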
@@ -22,12 +22,14 @@ #else #define SSL_STATIC static #endif -SSL_STATIC my_bool opt_use_ssl = 0; -SSL_STATIC char *opt_ssl_ca = 0; -SSL_STATIC char *opt_ssl_capath = 0; -SSL_STATIC char *opt_ssl_cert = 0; -SSL_STATIC char *opt_ssl_cipher = 0; -SSL_STATIC char *opt_ssl_key = 0; +SSL_STATIC my_bool opt_use_ssl = 0; +SSL_STATIC char *opt_ssl_ca = 0; +SSL_STATIC char *opt_ssl_capath = 0; +SSL_STATIC char *opt_ssl_cert = 0; +SSL_STATIC char *opt_ssl_cipher = 0; +SSL_STATIC char *opt_ssl_key = 0; +SSL_STATIC char *opt_ssl_crl = 0; +SSL_STATIC char *opt_ssl_crlpath = 0; #ifdef MYSQL_CLIENT SSL_STATIC my_bool opt_ssl_verify_server_cert= 0; #endif === modified file 'include/violite.h' --- a/include/violite.h 2011-06-30 15:50:45 +0000 +++ b/include/violite.h 2011-08-19 13:24:24 +0000 @@ -123,6 +123,10 @@ int vio_getnameinfo(const struct sockadd #define DES_set_key_unchecked(k,ks) des_set_key_unchecked((k),*(ks)) #define DES_ede3_cbc_encrypt(i,o,l,k1,k2,k3,iv,e) des_ede3_cbc_encrypt((i),(o),(l),*(k1),*(k2),*(k3),(iv),(e)) #endif +/* apple deprecated openssl in MacOSX Lion */ +#ifdef __APPLE__ +#pragma GCC diagnostic ignored "-Wdeprecated-declarations" +#endif #define HEADER_DES_LOCL_H dummy_something #define YASSL_MYSQL_COMPATIBLE 
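Review bot: `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` is emitted from a header with no matching push/pop, so on macOS it disables deprecation warnings for the remainder of every translation unit that includes violite.h, not only for the OpenSSL declarations it is meant to cover. Bracket it with `#pragma GCC diagnostic push` and `#pragma GCC diagnostic pop` around the OpenSSL includes (those includes are outside this hunk), or move the pragma into the .c files that actually call the deprecated API. The comment should also name what is deprecated: `/* OpenSSL is marked deprecated on OS X 10.7 (Lion); silence the warnings for the OpenSSL headers only */`.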
@@ -155,11 +159,13 @@ int sslconnect(struct st_VioSSLFd*, Vio struct st_VioSSLFd *new_VioSSLConnectorFd(const char *key_file, const char *cert_file, const char *ca_file, const char *ca_path, - const char *cipher, enum enum_ssl_init_error* error); + const char *cipher, enum enum_ssl_init_error *error, + const char *crl_file, const char *crl_path); struct st_VioSSLFd *new_VioSSLAcceptorFd(const char *key_file, const char *cert_file, const char *ca_file,const char *ca_path, - const char *cipher, enum enum_ssl_init_error* error); + const char *cipher, enum enum_ssl_init_error *error, + const char *crl_file, const char *crl_path); void free_vio_ssl_acceptor_fd(struct st_VioSSLFd *fd); #endif /* ! EMBEDDED_LIBRARY */ #endif /* HAVE_OPENSSL */ === modified file 'mysql-test/include/check-testcase.test' --- a/mysql-test/include/check-testcase.test 2011-02-07 15:31:01 +0000 +++ b/mysql-test/include/check-testcase.test 2011-08-19 13:24:24 +0000 @@ -69,6 +69,8 @@ if ($tmp) --echo Master_Bind --echo Last_IO_Error_Timestamp --echo Last_SQL_Error_Timestamp + --echo Master_SSL_Crl + --echo Master_SSL_Crlpath } if (!$tmp) { # Note: after WL#5177, fields 13-18 shall not be filtered-out. === added file 'mysql-test/include/have_openssl.inc' --- a/mysql-test/include/have_openssl.inc 1970-01-01 00:00:00 +0000 +++ b/mysql-test/include/have_openssl.inc 2011-08-19 13:24:24 +0000 @@ -0,0 +1,4 @@ +-- require r/openssl.require +disable_query_log; +show variables like "have_openssl"; +enable_query_log; === modified file 'mysql-test/lib/mtr_cases.pm' --- a/mysql-test/lib/mtr_cases.pm 2011-07-25 15:13:06 +0000 +++ b/mysql-test/lib/mtr_cases.pm 2011-08-19 13:24:24 +0000 @@ -1147,6 +1147,7 @@ my @tags= ["federated.inc", "federated_test", 1], ["include/not_embedded.inc", "not_embedded", 1], ["include/have_ssl.inc", "need_ssl", 1], + ["include/have_ssl_communication.inc", "need_ssl", 1], ); === added file 'mysql-test/r/openssl.require' --- a/mysql-test/r/openssl.require 1970-01-01 00:00:00 +0000 
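Review bot: The new `crl_file` and `crl_path` parameters of new_VioSSLConnectorFd() and new_VioSSLAcceptorFd() are appended after the `error` out-parameter, so the input paths are split by an output argument. These are internal vio declarations with no ABI promise visible here, so grouping them with the other inputs, `..., const char *cipher, const char *crl_file, const char *crl_path, enum enum_ssl_init_error *error);`, reads more naturally; if external callers exist, say so in a comment. Either way the prototypes deserve a short Doxygen block stating that both CRL arguments may be NULL and what happens when neither is given (per the commit message, no CRL check at all, even if ca_path holds CRLs).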
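Review bot: The tag table gains `["include/have_ssl_communication.inc", "need_ssl", 1],`, but the include this commit adds is mysql-test/include/have_openssl.inc, and the new result files all start with `have_openssl YES`, which is what that include prints. If the new ssl_crl*.test files source have_openssl.inc, the tag scan still does not find them and they will not be marked need_ssl; adding `["include/have_openssl.inc", "need_ssl", 1],` alongside would cover that case. I cannot see the .test files in this chunk, so please confirm which include they use.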
+++ b/mysql-test/r/openssl.require 2011-08-19 13:24:24 +0000 @@ -0,0 +1,2 @@ +Variable_name Value +have_openssl YES === added file 'mysql-test/r/ssl-crl-revoked-crl.result' --- a/mysql-test/r/ssl-crl-revoked-crl.result 1970-01-01 00:00:00 +0000 +++ b/mysql-test/r/ssl-crl-revoked-crl.result 2011-08-19 13:24:24 +0000 @@ -0,0 +1 @@ +# try logging in with a certificate in the server's --ssl-crl : should fail === added file 'mysql-test/r/ssl_crl.result' --- a/mysql-test/r/ssl_crl.result 1970-01-01 00:00:00 +0000 +++ b/mysql-test/r/ssl_crl.result 2011-08-19 13:24:24 +0000 @@ -0,0 +1,23 @@ +# test --crl for the client : should connect +Variable_name Value +have_openssl YES +have_ssl YES +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem +ssl_capath +ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem +ssl_cipher +ssl_crl MYSQL_TEST_DIR/std_data/crl-client-revoked.crl +ssl_crlpath +ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem +# test --crlpath for the client : should connect +Variable_name Value +have_openssl YES +have_ssl YES +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem +ssl_capath +ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem +ssl_cipher +ssl_crl MYSQL_TEST_DIR/std_data/crl-client-revoked.crl +ssl_crlpath +ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem +# try logging in with a certificate in the server's --ssl-crl : should fail === added file 'mysql-test/r/ssl_crl_clients-valid.result' --- a/mysql-test/r/ssl_crl_clients-valid.result 1970-01-01 00:00:00 +0000 +++ b/mysql-test/r/ssl_crl_clients-valid.result 2011-08-19 13:24:24 +0000 
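Review bot: Two of the added result files have no matching .test in the commit's "added" list: mysql-test/r/ssl-crl-revoked-crl.result (this hunk) and mysql-test/r/ssl_crl_clients-valid.result (next line), whose hyphenated name differs from the ssl_crl_clients_valid.result that ssl_crl_clients_valid.test records. They look like stale predecessors of ssl_crl.result and ssl_crl_clients_valid.result, and the hyphenated one pins misleading failure text for a revoked client certificate (`SSL connection error: Failed to set ciphers to use` and an `error:00000005:lib(0):func(0):DH lib` string), which should not be kept as an expectation. Drop the two orphans, or add the tests that produce them.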
@@ -0,0 +1,24 @@ +# Test clients with and without CRL lists +############ Test mysql ############## +# Test mysql connecting to a server with an empty crl +Variable_name Value +have_openssl YES +have_ssl YES +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem +ssl_capath +ssl_cert MYSQL_TEST_DIR/std_data/crl-client-cert.pem +ssl_cipher +ssl_crl +ssl_crlpath +ssl_key MYSQL_TEST_DIR/std_data/crl-client-key.pem +# Test mysql connecting to a server with a certificate revoked by -crl +# Test mysql connecting to a server with a certificate revoked by -crlpath +############ Test mysqladmin ############## +# Test mysqladmin connecting to a server with an empty crl +mysqld is alive +# Test mysqladmin connecting to a server with a certificate revoked by -crl +mysqladmin: connect to server at 'localhost' failed +error: 'SSL connection error: Failed to set ciphers to use' +# Test mysqladmin connecting to a server with a certificate revoked by -crlpath +mysqladmin: connect to server at 'localhost' failed +error: 'SSL connection error: error:00000005:lib(0):func(0):DH lib' === added file 'mysql-test/r/ssl_crl_clients.result' --- a/mysql-test/r/ssl_crl_clients.result 1970-01-01 00:00:00 +0000 +++ b/mysql-test/r/ssl_crl_clients.result 2011-08-19 13:24:24 +0000 @@ -0,0 +1,7 @@ +# Test clients with and without CRL lists +############ Test mysql ############## +# Test mysql connecting to a server with a certificate revoked by -crl +# Test mysql connecting to a server with a certificate revoked by -crlpath +############ Test mysqladmin ############## +# Test mysqladmin connecting to a server with a certificate revoked by -crl +# Test mysqladmin connecting to a server with a certificate revoked by -crlpath === added file 'mysql-test/r/ssl_crl_clients_valid.result' --- a/mysql-test/r/ssl_crl_clients_valid.result 1970-01-01 00:00:00 +0000 +++ b/mysql-test/r/ssl_crl_clients_valid.result 2011-08-19 13:24:24 +0000 
@@ -0,0 +1,16 @@ +# Test clients with and without CRL lists +############ Test mysql ############## +# Test mysql connecting to a server with an empty crl +Variable_name Value +have_openssl YES +have_ssl YES +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem +ssl_capath +ssl_cert MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem +ssl_cipher +ssl_crl MYSQL_TEST_DIR/std_data/crl-client-revoked.crl +ssl_crlpath +ssl_key MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem +############ Test mysqladmin ############## +# Test mysqladmin connecting to a server with an empty crl +mysqld is alive === added file 'mysql-test/r/ssl_crl_clrpath.result' --- a/mysql-test/r/ssl_crl_clrpath.result 1970-01-01 00:00:00 +0000 +++ b/mysql-test/r/ssl_crl_clrpath.result 2011-08-19 13:24:24 +0000 @@ -0,0 +1,23 @@ +# test --crl for the client : should connect +Variable_name Value +have_openssl YES +have_ssl YES +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem +ssl_capath +ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem +ssl_cipher +ssl_crl +ssl_crlpath MYSQL_TEST_DIR/std_data/crldir +ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem +# test --crlpath for the client : should connect +Variable_name Value +have_openssl YES +have_ssl YES +ssl_ca MYSQL_TEST_DIR/std_data/crl-ca-cert.pem +ssl_capath +ssl_cert MYSQL_TEST_DIR/std_data/crl-server-cert.pem +ssl_cipher +ssl_crl +ssl_crlpath MYSQL_TEST_DIR/std_data/crldir +ssl_key MYSQL_TEST_DIR/std_data/crl-server-key.pem +# try logging in with a certificate in the server's --ssl-crlpath : should fail === modified file 'mysql-test/r/variables.result' --- a/mysql-test/r/variables.result 2011-07-19 15:11:15 +0000 +++ b/mysql-test/r/variables.result 2011-08-19 13:24:24 +0000 @@ -981,6 +981,8 @@ ssl_ca # ssl_capath # ssl_cert # ssl_cipher # +ssl_crl # +ssl_crlpath # ssl_key # select * from information_schema.session_variables where variable_name like 'ssl%' order by 1; VARIABLE_NAME VARIABLE_VALUE 
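Review bot: The new test is named ssl_crl_clrpath (this result file plus ssl_crl_clrpath.test and ssl_crl_clrpath-master.opt in the "added" list), a transposition of "crlpath", while the option and the other new tests spell it crlpath. Renaming the three files to ssl_crl_crlpath keeps the test discoverable next to the option it exercises.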
@@ -988,6 +990,8 @@ SSL_CA # SSL_CAPATH # SSL_CERT # SSL_CIPHER # +SSL_CRL # +SSL_CRLPATH # SSL_KEY # select @@log_queries_not_using_indexes; @@log_queries_not_using_indexes === added file 'mysql-test/std_data/crl-ca-cert.pem' --- a/mysql-test/std_data/crl-ca-cert.pem 1970-01-01 00:00:00 +0000 +++ b/mysql-test/std_data/crl-ca-cert.pem 2011-08-19 13:24:24 +0000 
@@ -0,0 +1,63 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a5:85:ec:60:b1:68:44:22 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA certificate + Validity + Not Before: Jun 17 07:27:51 2011 GMT + Not After : Jun 15 07:27:51 2016 GMT + Subject: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA certificate + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:9b:08:0b:96:19:57:fb:21:79:f4:16:c9:b8:2c: + 13:2e:e1:fe:5f:6b:18:7d:d4:c4:d7:cd:66:a6:62: + 0e:b7:28:b1:39:76:62:6e:5a:4a:80:f6:0e:8e:84: + 3e:cf:2f:91:0d:36:6d:8b:b5:f9:78:96:f0:5f:82: + a2:b2:d8:fc:b3:46:b5:30:24:b3:a8:77:60:6c:05: + c9:8f:82:fd:ad:9f:26:23:29:56:5b:02:6f:f2:00: + 31:86:60:b7:8c:56:b3:95:a8:8d:a9:bb:6b:91:fd: + 5d:f5:6a:21:45:85:63:78:0e:0f:0e:03:6d:53:73: + 0d:6c:aa:5b:f9:fc:fa:fd:f7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8 + X509v3 Authority Key Identifier: + keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8 + DirName:/C=BG/ST=Plovdiv/O=Oracle/OU=MySQL/CN=MySQL CRL test CA certificate + serial:A5:85:EC:60:B1:68:44:22 + + X509v3 Basic Constraints: + CA:TRUE + Signature Algorithm: sha1WithRSAEncryption + 73:dd:2e:76:71:25:c2:fe:7a:c5:46:ca:f2:c7:a0:43:f0:c7: + 3c:24:8d:a6:bd:8d:f2:7c:db:03:1b:2b:8a:c8:23:ae:ef:71: + 25:33:5b:10:61:e7:7d:89:30:a8:67:25:2e:e0:06:30:77:da: + b8:87:e5:91:cd:c7:8f:c9:7b:3d:9e:86:80:44:02:6b:d1:06: + 85:5d:28:78:cc:a7:a8:35:ac:f7:77:6d:e2:c7:a3:37:bc:9f: + d3:bf:4a:ca:09:dc:d0:78:0c:59:c7:db:4b:67:f1:09:6d:a9: + 7a:50:2f:1d:2c:a6:b8:81:0e:e6:4b:ee:d9:be:ae:a5:6a:d7: + 56:c4 +-----BEGIN CERTIFICATE----- +MIIDHDCCAoWgAwIBAgIJAKWF7GCxaEQiMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV +BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV 
+BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0 +ZTAeFw0xMTA2MTcwNzI3NTFaFw0xNjA2MTUwNzI3NTFaMGgxCzAJBgNVBAYTAkJH +MRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNVBAsTBU15 +U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0ZTCBnzAN +BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmwgLlhlX+yF59BbJuCwTLuH+X2sYfdTE +181mpmIOtyixOXZiblpKgPYOjoQ+zy+RDTZti7X5eJbwX4Kistj8s0a1MCSzqHdg +bAXJj4L9rZ8mIylWWwJv8gAxhmC3jFazlaiNqbtrkf1d9WohRYVjeA4PDgNtU3MN +bKpb+fz6/fcCAwEAAaOBzTCByjAdBgNVHQ4EFgQUxB0saD9fKVHsxVRhzhYT0nJd +Y+gwgZoGA1UdIwSBkjCBj4AUxB0saD9fKVHsxVRhzhYT0nJdY+ihbKRqMGgxCzAJ +BgNVBAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAM +BgNVBAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZp +Y2F0ZYIJAKWF7GCxaEQiMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA +c90udnElwv56xUbK8segQ/DHPCSNpr2N8nzbAxsrisgjru9xJTNbEGHnfYkwqGcl +LuAGMHfauIflkc3Hj8l7PZ6GgEQCa9EGhV0oeMynqDWs93dt4sejN7yf079Kygnc +0HgMWcfbS2fxCW2pelAvHSymuIEO5kvu2b6upWrXVsQ= +-----END CERTIFICATE----- === added file 'mysql-test/std_data/crl-client-cert.pem' --- a/mysql-test/std_data/crl-client-cert.pem 1970-01-01 00:00:00 +0000 +++ b/mysql-test/std_data/crl-client-cert.pem 2011-08-19 13:24:24 +0000 
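Review bot: The test CA added here is valid only until `Not After : Jun 15 07:27:51 2016 GMT`, and the client and server certificates it signs (crl-client-cert.pem and crl-server-cert.pem further down) expire on `Jun 16 2014`; once that date passes every ssl_crl* test fails on certificate expiry rather than on revocation, with no code change involved. Test fixtures of this kind are normally issued with a multi-decade validity or generated at test time so the suite carries no time bomb. The 1024-bit RSA / SHA-1 parameters are acceptable for a fixture, but newer OpenSSL builds reject sub-2048-bit keys at their default security level, which is a second reason to regenerate the set with a longer lifetime and 2048-bit keys.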
@@ -0,0 +1,62 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a5:85:ec:60:b1:68:44:24 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA certificate + Validity + Not Before: Jun 17 07:32:32 2011 GMT + Not After : Jun 16 07:32:32 2014 GMT + Subject: C=BG, ST=Plovdiv, L=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test client certificate + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:bd:18:bf:c5:37:7e:f7:8a:1d:22:c0:4f:5a:70: + 51:ea:df:56:4f:29:e9:c7:a5:8a:ab:5a:48:b5:f9: + bf:cd:2a:73:f8:fa:13:20:fd:33:17:11:93:51:f0: + 4f:fa:a5:6a:bc:37:94:92:de:7d:c1:09:c6:43:c0: + f7:cd:dd:ac:06:bf:fe:0c:9f:fc:ec:5b:83:a1:1e: + 34:d8:af:50:17:4d:84:51:20:44:76:81:d1:12:76: + 06:fb:05:29:59:47:0f:9d:97:f1:41:2f:92:0d:e4: + b6:c1:fb:cf:75:95:a9:0f:cf:b3:4f:69:a3:d1:14: + e9:6b:cf:be:53:bd:4e:3f:5d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 39:37:9C:0B:9F:E4:8E:48:48:71:23:2B:CA:F0:C1:F9:0B:F2:0A:D0 + X509v3 Authority Key Identifier: + keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8 + + Signature Algorithm: sha1WithRSAEncryption + 18:03:42:13:af:86:c3:eb:9c:40:4a:d8:9e:e7:25:e1:43:7b: + 2f:55:1b:e6:ec:bf:9b:56:b3:c7:cb:78:cd:d2:00:46:39:96: + d8:f8:cd:9d:0e:e7:97:51:93:f8:5b:ed:4f:5a:16:6b:56:fb: + c0:d1:58:3c:7f:e9:64:aa:11:03:ff:3b:5e:9d:6d:c8:53:a8: + 4a:30:f7:a6:ae:7c:e0:ed:16:c4:a0:07:9c:75:1a:23:58:13: + 70:9e:aa:cc:b8:1d:70:26:85:ad:e1:f3:34:83:1b:e0:72:44: + c4:28:d5:c5:6a:43:83:47:fe:8b:ab:ac:07:55:ff:2c:d9:0f: + 5f:c7 +-----BEGIN CERTIFICATE----- +MIIC3zCCAkigAwIBAgIJAKWF7GCxaEQkMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV +BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0 
+ZTAeFw0xMTA2MTcwNzMyMzJaFw0xNDA2MTYwNzMyMzJaMH4xCzAJBgNVBAYTAkJH +MRAwDgYDVQQIEwdQbG92ZGl2MRAwDgYDVQQHEwdQbG92ZGl2MQ8wDQYDVQQKEwZP +cmFjbGUxDjAMBgNVBAsTBU15U1FMMSowKAYDVQQDEyFNeVNRTCBDUkwgdGVzdCBj +bGllbnQgY2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL0Y +v8U3fveKHSLAT1pwUerfVk8p6celiqtaSLX5v80qc/j6EyD9MxcRk1HwT/qlarw3 +lJLefcEJxkPA983drAa//gyf/Oxbg6EeNNivUBdNhFEgRHaB0RJ2BvsFKVlHD52X +8UEvkg3ktsH7z3WVqQ/Ps09po9EU6WvPvlO9Tj9dAgMBAAGjezB5MAkGA1UdEwQC +MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl +MB0GA1UdDgQWBBQ5N5wLn+SOSEhxIyvK8MH5C/IK0DAfBgNVHSMEGDAWgBTEHSxo +P18pUezFVGHOFhPScl1j6DANBgkqhkiG9w0BAQUFAAOBgQAYA0ITr4bD65xAStie +5yXhQ3svVRvm7L+bVrPHy3jN0gBGOZbY+M2dDueXUZP4W+1PWhZrVvvA0Vg8f+lk +qhED/ztenW3IU6hKMPemrnzg7RbEoAecdRojWBNwnqrMuB1wJoWt4fM0gxvgckTE +KNXFakODR/6Lq6wHVf8s2Q9fxw== +-----END CERTIFICATE----- === added file 'mysql-test/std_data/crl-client-key.pem' --- a/mysql-test/std_data/crl-client-key.pem 1970-01-01 00:00:00 +0000 +++ b/mysql-test/std_data/crl-client-key.pem 2011-08-19 13:24:24 +0000 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQC9GL/FN373ih0iwE9acFHq31ZPKenHpYqrWki1+b/NKnP4+hMg +/TMXEZNR8E/6pWq8N5SS3n3BCcZDwPfN3awGv/4Mn/zsW4OhHjTYr1AXTYRRIER2 +gdESdgb7BSlZRw+dl/FBL5IN5LbB+891lakPz7NPaaPRFOlrz75TvU4/XQIDAQAB +AoGAYMe37rIWk47mlpCijIEMDA++Vsn20q2RKV4N9MUcO19M99LV036DlXzzT26V +II1k8Wvo6Lpi1lewV6D9symPDwuxO3L/lSwInVSbAaCkRYq7BlpL+ShxsUpWT788 +ealwFTj3TeM1MCHpFwvO0xGBqFVk+ZadCNZjvwdQi44JCykCQQDqJgOTPPniq5Lk +J6d+KWiCPVAEnEWk5lR0jQ2NZhSm4fFmCd0v6bNYhztk7dizSOiIrXnPLXx9Z8v0 +rwKr5WrHAkEAzr5ps9d/t4V60vAJCK+Sq1b+Qj42yEnH2eIjKAUFO63jkPtpOv9h +nzYJTqajvEkHbYJ92elpzGx47FuSOjzAuwJAYpZC5xnDdSccoCf6I+q3cC70pBxQ +TpAUe0ZwsFqM039KrtX0ZZoWw22dGm/yz/ogvnucUBks03iCrbGKhGoCPQJAdlhj +U5I5Rsl+vH6w/Srbz37Vvv+0BkTNxPiA3Wi6TSZGDPkNjLshm6yn+UDEm4RGXzaC +ahoF+QHi2pG0i+e4/wJBAOmbrYbjE2LAzIBy0NvRHslPABTK4zn1L9lzU5XIjV9r +y8JiMfGNC5r7To/ERlFUlMbaPA5Zm9XNrZhDROMZLTc= +-----END RSA PRIVATE KEY----- === added file 'mysql-test/std_data/crl-client-revoked.crl' --- a/mysql-test/std_data/crl-client-revoked.crl 1970-01-01 00:00:00 +0000 +++ b/mysql-test/std_data/crl-client-revoked.crl 2011-08-19 13:24:24 +0000 @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDgxOTEwMDQ1 +MFoXDTE3MDIwODEwMDQ1MFowKjAoAgkApYXsYLFoRCQXDTExMDYxNzA3Mzc1OVow +DDAKBgNVHRUEAwoBBaAOMAwwCgYDVR0UBAMCAQMwDQYJKoZIhvcNAQEFBQADgYEA +BXAwYBjHUHG6MQ22/+1hvOaRtSYfj/E5bhKbBB8JlKSRFO+xIOF2i2H1AigunWpC +R10NicSS7qjsr6yDyBaywZmi0TCNGksR7b3m1m97RnhrxkVRlr/i7L+o04ZwWo/b +z9zoTX6RTj8rHgQtEdIOi/EArCvDv+wqYmkI+XMScGI= +-----END X509 CRL----- === added file 'mysql-test/std_data/crl-server-cert.pem' --- a/mysql-test/std_data/crl-server-cert.pem 1970-01-01 00:00:00 +0000 +++ b/mysql-test/std_data/crl-server-cert.pem 2011-08-19 13:24:24 +0000 
@@ -0,0 +1,62 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a5:85:ec:60:b1:68:44:23 + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=BG, ST=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test CA certificate + Validity + Not Before: Jun 17 07:29:11 2011 GMT + Not After : Jun 16 07:29:11 2014 GMT + Subject: C=BG, ST=Plovdiv, L=Plovdiv, O=Oracle, OU=MySQL, CN=MySQL CRL test server certificate + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (1024 bit) + Modulus (1024 bit): + 00:c4:c6:01:29:db:e6:62:40:07:bd:43:ce:37:8e: + 90:0e:3c:86:cc:6a:0c:40:8e:8e:30:27:f2:84:d3: + 59:e8:7d:e7:97:1e:0d:36:08:0b:cc:28:bb:86:b0: + 0a:64:8c:55:33:f6:ce:19:00:08:b9:93:ca:84:7e: + 9a:4e:81:91:e2:56:32:2a:de:b5:1f:82:b9:8f:33: + f4:87:f8:10:84:69:69:9a:79:58:08:9a:29:dc:09: + 79:27:90:ec:af:c8:2d:5f:2e:c1:e1:4a:f1:52:21: + 37:58:d4:f9:ef:49:ce:a9:9d:eb:dc:f4:34:30:40: + d0:d7:38:54:94:2e:d1:ac:25 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 4A:18:8F:0C:A3:CF:D7:4A:38:83:07:FC:26:E3:EB:96:32:73:FA:8C + X509v3 Authority Key Identifier: + keyid:C4:1D:2C:68:3F:5F:29:51:EC:C5:54:61:CE:16:13:D2:72:5D:63:E8 + + Signature Algorithm: sha1WithRSAEncryption + 61:74:cc:62:70:9e:1f:3e:96:ac:cd:54:4f:34:60:1c:27:51: + f4:d5:f8:2e:d7:18:11:86:4e:b5:52:8c:a1:ef:28:c9:43:d7: + 23:2a:22:15:4a:a3:e7:ff:76:fa:25:be:ed:30:05:ea:12:aa: + 3f:c8:ab:a7:22:02:ea:cf:50:d4:43:31:5f:51:de:4c:e1:fa: + 31:ba:2e:4e:d8:a4:3d:80:ad:17:83:67:0f:1b:6f:0b:74:43: + ce:36:cb:2f:17:9e:6e:ae:c6:eb:ec:93:70:69:82:42:04:b3: + a7:31:1f:65:70:ff:06:ce:9c:22:8a:dc:7d:92:bc:04:24:ca: + 20:66 +-----BEGIN CERTIFICATE----- +MIIC3zCCAkigAwIBAgIJAKWF7GCxaEQjMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV +BAYTAkJHMRAwDgYDVQQIEwdQbG92ZGl2MQ8wDQYDVQQKEwZPcmFjbGUxDjAMBgNV +BAsTBU15U1FMMSYwJAYDVQQDEx1NeVNRTCBDUkwgdGVzdCBDQSBjZXJ0aWZpY2F0 
+ZTAeFw0xMTA2MTcwNzI5MTFaFw0xNDA2MTYwNzI5MTFaMH4xCzAJBgNVBAYTAkJH +MRAwDgYDVQQIEwdQbG92ZGl2MRAwDgYDVQQHEwdQbG92ZGl2MQ8wDQYDVQQKEwZP +cmFjbGUxDjAMBgNVBAsTBU15U1FMMSowKAYDVQQDEyFNeVNRTCBDUkwgdGVzdCBz +ZXJ2ZXIgY2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMTG +ASnb5mJAB71DzjeOkA48hsxqDECOjjAn8oTTWeh955ceDTYIC8wou4awCmSMVTP2 +zhkACLmTyoR+mk6BkeJWMiretR+CuY8z9If4EIRpaZp5WAiaKdwJeSeQ7K/ILV8u +weFK8VIhN1jU+e9Jzqmd69z0NDBA0Nc4VJQu0awlAgMBAAGjezB5MAkGA1UdEwQC +MAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl +MB0GA1UdDgQWBBRKGI8Mo8/XSjiDB/wm4+uWMnP6jDAfBgNVHSMEGDAWgBTEHSxo +P18pUezFVGHOFhPScl1j6DANBgkqhkiG9w0BAQUFAAOBgQBhdMxicJ4fPpaszVRP +NGAcJ1H01fgu1xgRhk61Uoyh7yjJQ9cjKiIVSqPn/3b6Jb7tMAXqEqo/yKunIgLq +z1DUQzFfUd5M4foxui5O2KQ9gK0Xg2cPG28LdEPONssvF55ursbr7JNwaYJCBLOn +MR9lcP8Gzpwiitx9krwEJMogZg== +-----END CERTIFICATE----- === added file 'mysql-test/std_data/crl-server-key.pem' --- a/mysql-test/std_data/crl-server-key.pem 1970-01-01 00:00:00 +0000 +++ b/mysql-test/std_data/crl-server-key.pem 2011-08-19 13:24:24 +0000 
@@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQDExgEp2+ZiQAe9Q843jpAOPIbMagxAjo4wJ/KE01nofeeXHg02 +CAvMKLuGsApkjFUz9s4ZAAi5k8qEfppOgZHiVjIq3rUfgrmPM/SH+BCEaWmaeVgI +mincCXknkOyvyC1fLsHhSvFSITdY1PnvSc6pnevc9DQwQNDXOFSULtGsJQIDAQAB +AoGAfecnZW4jWegYS5xv/RJF0CYgJfkQv9m21s8omJ5W37B3lzSORW0eh1Hkswg+ +jhlQhwA63Lot2vfaU65h8ytqeGSxUSj0X8bVCsG+7aoQOxeowZs+CLgWPHmXbXw8 +BI9mFbfkIQ/1x5yMSTv0BNRGUtg+t5FGPsmWxSUtfTme4CECQQDxQGEoesrJ25uE +MUcrTSeVpNmzqA8e41+8YIzbyi8nmwzp5gbsgIIF6/P5iMo1T7nIal/8N+FQMft4 +Ebzb0ZFNAkEA0M2JmH/ctyDQ7RbQx5lVwiHYn9a3inusvsV47kfH24kdRZYSymI8 +of7O8SGkHFJNeYsJmM3UrsNDlbSd+sCaOQJBAKoM+i8hVp2weU9VuNex28wkVfvH +41ifZtUOrVsjidd9+D1KkejUsFHiPqfOntGzL74wFRZggSYZBStePWQotSUCQH29 +aMDnLtkw79/2v1+TnSs9CqCmwvyoIYz4iiykGVzBI1mGWGZ75ht/wMtBAPz1Kyao +be0Q9qUPfaGnlQMt/TECQGrMh32zFPFR98yNS6JDVAVib+d5SaJsV5HXXqKCYxQR +u1sv7YeF4/Y+TPKpBSasDNZHQ3zex0M9YOgI+9eEBHk= +-----END RSA PRIVATE KEY----- === added directory 'mysql-test/std_data/crldir' === added file 'mysql-test/std_data/crldir/fc725416.r0' --- a/mysql-test/std_data/crldir/fc725416.r0 1970-01-01 00:00:00 +0000 +++ b/mysql-test/std_data/crldir/fc725416.r0 2011-08-19 13:24:24 +0000 @@ -0,0 +1,10 @@ +-----BEGIN X509 CRL----- +MIIBbDCB1gIBATANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJCRzEQMA4GA1UE +CBMHUGxvdmRpdjEPMA0GA1UEChMGT3JhY2xlMQ4wDAYDVQQLEwVNeVNRTDEmMCQG +A1UEAxMdTXlTUUwgQ1JMIHRlc3QgQ0EgY2VydGlmaWNhdGUXDTExMDgxOTEwMDQ1 +MFoXDTE3MDIwODEwMDQ1MFowKjAoAgkApYXsYLFoRCQXDTExMDYxNzA3Mzc1OVow +DDAKBgNVHRUEAwoBBaAOMAwwCgYDVR0UBAMCAQMwDQYJKoZIhvcNAQEFBQADgYEA +BXAwYBjHUHG6MQ22/+1hvOaRtSYfj/E5bhKbBB8JlKSRFO+xIOF2i2H1AigunWpC +R10NicSS7qjsr6yDyBaywZmi0TCNGksR7b3m1m97RnhrxkVRlr/i7L+o04ZwWo/b +z9zoTX6RTj8rHgQtEdIOi/EArCvDv+wqYmkI+XMScGI= +-----END X509 CRL----- === modified file 'mysql-test/suite/funcs_1/r/is_columns_mysql.result' --- a/mysql-test/suite/funcs_1/r/is_columns_mysql.result 2011-06-15 08:02:11 +0000 +++ b/mysql-test/suite/funcs_1/r/is_columns_mysql.result 2011-08-19 13:24:24 +0000 
@@ -180,6 +180,8 @@ def mysql slave_master_info Ssl_ca 11 NU
 def mysql slave_master_info Ssl_capath 12 NULL YES text 65535 65535 NULL NULL utf8 utf8_bin text select,insert,update,references The path to the Certificate Authority (CA) certificates.
 def mysql slave_master_info Ssl_cert 13 NULL YES text 65535 65535 NULL NULL utf8 utf8_bin text select,insert,update,references The name of the SSL certificate file.
 def mysql slave_master_info Ssl_cipher 14 NULL YES text 65535 65535 NULL NULL utf8 utf8_bin text select,insert,update,references The name of the cipher in use for the SSL connection.
+def mysql slave_master_info Ssl_crl 22 NULL YES text 65535 65535 NULL NULL utf8 utf8_bin text select,insert,update,references The file used for the Certificate Revocation List (CRL)
+def mysql slave_master_info Ssl_crlpath 23 NULL YES text 65535 65535 NULL NULL utf8 utf8_bin text select,insert,update,references The path used for Certificate Revocation List (CRL) files
 def mysql slave_master_info Ssl_key 15 NULL YES text 65535 65535 NULL NULL utf8 utf8_bin text select,insert,update,references The name of the SSL key file.
 def mysql slave_master_info Ssl_verify_server_cert 16 NULL NO tinyint NULL NULL 3 0 NULL NULL tinyint(1) select,insert,update,references Whether to verify the server certificate.
 def mysql slave_master_info User_name 6 NULL YES text 65535 65535 NULL NULL utf8 utf8_bin text select,insert,update,references The user name used to connect to the master.
@@ -522,6 +524,8 @@ NULL mysql slave_master_info Heartbeat f
 1.0000 mysql slave_master_info Ignored_server_ids text 65535 65535 utf8 utf8_bin text
 1.0000 mysql slave_master_info Uuid text 65535 65535 utf8 utf8_bin text
 NULL mysql slave_master_info Retry_count bigint NULL NULL NULL NULL bigint(20) unsigned
+1.0000 mysql slave_master_info Ssl_crl text 65535 65535 utf8 utf8_bin text
+1.0000 mysql slave_master_info Ssl_crlpath text 65535 65535 utf8 utf8_bin text
 NULL mysql slave_relay_log_info Master_id int NULL NULL NULL NULL int(10) unsigned
 NULL mysql slave_relay_log_info Number_of_lines int NULL NULL NULL NULL int(10) unsigned
 1.0000 mysql slave_relay_log_info Relay_log_name text 65535 65535 utf8 utf8_bin text
=== added file 'mysql-test/t/ssl_crl-master.opt'
--- a/mysql-test/t/ssl_crl-master.opt 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl-master.opt 2011-08-19 13:24:24 +0000
@@ -0,0 +1,4 @@
+--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem
+--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
=== added file 'mysql-test/t/ssl_crl.test'
--- a/mysql-test/t/ssl_crl.test 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl.test 2011-08-19 13:24:24 +0000
@@ -0,0 +1,23 @@
+# This test should work in embedded server after we fix mysqltest
+-- source include/not_embedded.inc
+-- source include/have_ssl_communication.inc
+-- source include/have_openssl.inc
+
+let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`;
+if (!$crllen)
+{
+ skip Needs OpenSSL;
+}
+
+--echo # test --crl for the client : should connect
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem test --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl -e "SHOW VARIABLES like '%ssl%';"
+
+--echo # test --crlpath for the client : should connect
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';"
+
+--echo # try logging in with a certificate in the server's --ssl-crl : should fail
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--error 1
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%';"
=== added file 'mysql-test/t/ssl_crl_clients-master.opt'
--- a/mysql-test/t/ssl_crl_clients-master.opt 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl_clients-master.opt 2011-08-19 13:24:24 +0000
@@ -0,0 +1,4 @@
+--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem
+--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
=== added file 'mysql-test/t/ssl_crl_clients.test'
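Review bot: The three `--exec` cases in ssl_crl.test assert only the client's exit status, so the "should fail" case is satisfied by any SSL handshake failure rather than specifically by a revoked certificate; ssl_crl_clients.test and ssl_crl_clrpath.test below have the same shape. If the recorded result does not already pin the client's error text, keeping stderr in the result (as ssl_crl_clients_valid.test does with `2>&1`) would stop a regression that disables SSL entirely from passing as a CRL rejection. The positive cases rely on crl-client-valid-key.pem and crl-client-valid-cert.pem, which I do not see added in the visible part of the diff — confirm they exist under std_data. The `skip Needs OpenSSL;` message names the wrong condition: it fires whenever the server reports neither ssl_crl nor ssl_crlpath, e.g. a wrong -master.opt, so `skip Server has no CRL configured;` would be more accurate.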
--- a/mysql-test/t/ssl_crl_clients.test 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl_clients.test 2011-08-19 13:24:24 +0000
@@ -0,0 +1,48 @@
+# This test should work in embedded server after we fix mysqltest
+-- source include/not_embedded.inc
+-- source include/have_ssl_communication.inc
+-- source include/have_openssl.inc
+
+let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`;
+if (!$crllen)
+{
+ skip Needs OpenSSL;
+}
+
+--echo # Test clients with and without CRL lists
+
+let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem;
+let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl;
+let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir;
+
+
+--echo ############ Test mysql ##############
+
+--echo # Test mysql connecting to a server with a certificate revoked by -crl
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--error 1
+--exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';"
+
+--echo # Test mysql connecting to a server with a certificate revoked by -crlpath
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--error 1
+--exec $MYSQL $ssl_crlpath test -e "SHOW VARIABLES like '%ssl%';"
+
+
+--echo ############ Test mysqladmin ##############
+let $admin_prefix = --no-defaults;
+let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping;
+
+--echo # Test mysqladmin connecting to a server with a certificate revoked by -crl
+--disable_result_log
+--replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/
+--error 1
+--exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1
+--enable_result_log
+
+--disable_result_log
+--echo # Test mysqladmin connecting to a server with a certificate revoked by -crlpath
+--replace_regex /.*mysqladmin.*: connect/mysqladmin: connect/
+--error 1
+--exec $MYSQLADMIN $admin_prefix $ssl_crlpath $admin_suffix 2>&1
+--enable_result_log
=== added file
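Review bot: The fixture roles in this hunk are the reverse of their names: `$ssl_base` hands the client crl-server-key.pem/crl-server-cert.pem, while ssl_crl_clients-master.opt gives the server crl-client-cert.pem, the certificate listed in crl-client-revoked.crl. That is what makes the client-side `--ssl-crl`/`--ssl-crlpath` rejection meaningful, but a reader has to cross-reference the .opt file to see it; a comment above `let $ssl_base`, e.g. `# The server presents crl-client-cert.pem, which crl-client-revoked.crl revokes; every client below must refuse it`, would make the intent explicit. The banner `--echo # Test clients with and without CRL lists` is inaccurate — every case here passes a CRL — and `# Test clients rejecting a revoked server certificate via --ssl-crl / --ssl-crlpath` matches what runs. The mysqladmin cases wrap `--disable_result_log` around the check, so nothing but the exit status is verified for them.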
'mysql-test/t/ssl_crl_clients_valid-master.opt'
--- a/mysql-test/t/ssl_crl_clients_valid-master.opt 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl_clients_valid-master.opt 2011-08-19 13:24:24 +0000
@@ -0,0 +1,4 @@
+--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem
+--ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl
=== added file 'mysql-test/t/ssl_crl_clients_valid.test'
--- a/mysql-test/t/ssl_crl_clients_valid.test 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl_clients_valid.test 2011-08-19 13:24:24 +0000
@@ -0,0 +1,30 @@
+# This test should work in embedded server after we fix mysqltest
+-- source include/not_embedded.inc
+-- source include/have_ssl_communication.inc
+-- source include/have_openssl.inc
+
+let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`;
+if (!$crllen)
+{
+ skip Needs OpenSSL;
+}
+
+--echo # Test clients with and without CRL lists
+
+let $ssl_base = --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem;
+let $ssl_crl = $ssl_base --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl;
+let $ssl_crlpath = $ssl_base --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir;
+
+
+--echo ############ Test mysql ##############
+
+--echo # Test mysql connecting to a server with an empty crl
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--exec $MYSQL $ssl_crl test -e "SHOW VARIABLES like '%ssl%';" 2>&1
+
+--echo ############ Test mysqladmin ##############
+let $admin_prefix = --no-defaults;
+let $admin_suffix = --default-character-set=latin1 -S $MASTER_MYSOCK -P $MASTER_MYPORT -u root --password= ping;
+
+--echo # Test mysqladmin connecting to a server with an empty crl
+--exec $MYSQLADMIN $admin_prefix $ssl_crl $admin_suffix 2>&1
=== added file 'mysql-test/t/ssl_crl_clrpath-master.opt'
--- a/mysql-test/t/ssl_crl_clrpath-master.opt 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl_clrpath-master.opt 2011-08-19 13:24:24 +0000
@@ -0,0 +1,4 @@
+--ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem
+--ssl-key=$MYSQL_TEST_DIR/std_data/crl-server-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/crl-server-cert.pem
+--ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir
=== added file 'mysql-test/t/ssl_crl_clrpath.test'
--- a/mysql-test/t/ssl_crl_clrpath.test 1970-01-01 00:00:00 +0000
+++ b/mysql-test/t/ssl_crl_clrpath.test 2011-08-19 13:24:24 +0000
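Review bot: The comments `# Test mysql connecting to a server with an empty crl` and `# Test mysqladmin connecting to a server with an empty crl` do not describe the setup: `$ssl_crl` passes crl-client-revoked.crl, which is not empty — the server's certificate (crl-client-valid-cert.pem per the -master.opt just above) is simply not listed on it. Suggest `# Test mysql connecting to a server whose certificate is not on the client's CRL` and the matching wording for mysqladmin. The banner `# Test clients with and without CRL lists` is copied from ssl_crl_clients.test and likewise does not match what runs, and `$ssl_crlpath` is defined but never used here, so either drop it or add the `--ssl-crlpath` variant of the positive case so both lookup modes get a non-revoked check.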
@@ -0,0 +1,23 @@
+# This test should work in embedded server after we fix mysqltest
+-- source include/not_embedded.inc
+-- source include/have_ssl_communication.inc
+-- source include/have_openssl.inc
+
+let $crllen=`select length(trim(coalesce(@@ssl_crl, ''))) + length(trim(coalesce(@@ssl_crlpath, '')))`;
+if (!$crllen)
+{
+ skip Needs OpenSSL;
+}
+
+--echo # test --crl for the client : should connect
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem test --ssl-crl=$MYSQL_TEST_DIR/std_data/crl-client-revoked.crl -e "SHOW VARIABLES like '%ssl%';"
+
+--echo # test --crlpath for the client : should connect
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-valid-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-valid-cert.pem --ssl-crlpath=$MYSQL_TEST_DIR/std_data/crldir test -e "SHOW VARIABLES like '%ssl%';"
+
+--echo # try logging in with a certificate in the server's --ssl-crlpath : should fail
+--replace_result $MYSQL_TEST_DIR MYSQL_TEST_DIR
+--error 1
+--exec $MYSQL --ssl-ca=$MYSQL_TEST_DIR/std_data/crl-ca-cert.pem --ssl-key=$MYSQL_TEST_DIR/std_data/crl-client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/crl-client-cert.pem test -e "SHOW VARIABLES like '%ssl%';"
=== modified file 'scripts/mysql_system_tables.sql'
--- a/scripts/mysql_system_tables.sql 2011-07-18 09:49:22 +0000
+++ b/scripts/mysql_system_tables.sql 2011-08-19 13:24:24 +0000
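Review bot: The first two `--exec` cases are identical to those in ssl_crl.test (client-side `--ssl-crl` and `--ssl-crlpath` against a non-revoked server), so only the last case exercises the server's `--ssl-crlpath`; the duplicates could be dropped, or the echo lines could state that this file is the crlpath counterpart of ssl_crl.test. The server-side check depends on OpenSSL locating crldir/fc725416.r0 by subject-name hash, and the hash scheme differs between OpenSSL releases, so on a build whose hash does not produce that name the last case fails for the wrong reason (no CRL found, with `X509_V_FLAG_CRL_CHECK_ALL` set) and still satisfies `--error 1`. A comment in the test header recording how the file name was generated, or a check that the directory lookup actually found a CRL, would make that failure mode visible.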
@@ -102,7 +102,7 @@ CREATE TABLE IF NOT EXISTS ndb_binlog_in CREATE TABLE IF NOT EXISTS slave_relay_log_info (Master_id INTEGER UNSIGNED NOT NULL, Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of lines in the file or rows in the table. Used to version table definitions.', Relay_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the current relay log file.', Relay_log_pos BIGINT UNSIGNED NOT NULL COMMENT 'The relay log position of the last executed event.', Master_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the master binary log file from which the events in the relay log file were read.', Master_log_pos BIGINT UNSIGNED NOT NULL COMMENT 'The master log position of the last executed event.', Sql_delay INTEGER NOT NULL COMMENT 'The number of seconds that the slave must lag behind the master.', PRIMARY KEY(Master_id)) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT 'Relay Log Information'; -CREATE TABLE IF NOT EXISTS slave_master_info (Master_id INTEGER UNSIGNED NOT NULL, Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of lines in the file.', Master_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the master binary log currently being read from the master.', Master_log_pos BIGINT UNSIGNED NOT NULL COMMENT 'The master log position of the last read event.', Host TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The host name of the master.', User_name TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The user name used to connect to the master.', User_password TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The password used to connect to the master.', Port INTEGER UNSIGNED NOT NULL COMMENT 'The network port used to connect to the master.', Connect_retry INTEGER UNSIGNED NOT NULL COMMENT 'The period (in seconds) that the slave will wait before trying to reconnect to the master.', Enabled_ssl BOOLEAN NOT NULL COMMENT 'In! 
dicates whether the server supports SSL connections.', Ssl_ca TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Authority (CA) certificate.', Ssl_capath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path to the Certificate Authority (CA) certificates.', Ssl_cert TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL certificate file.', Ssl_cipher TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the cipher in use for the SSL connection.', Ssl_key TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL key file.', Ssl_verify_server_cert BOOLEAN NOT NULL COMMENT 'Whether to verify the server certificate.', Heartbeat FLOAT NOT NULL COMMENT '', Bind TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'Displays which interface is employed when connecting to the MySQL server', Ignored_server_ids TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The number of server IDs to be ignored, followed by the a! ctual server IDs', Uuid TEXT CHARACTER SET utf8 COLLATE utf8_bin COMME NT 'The master server uuid.', Retry_count BIGINT UNSIGNED NOT NULL COMMENT 'Number of reconnect attempts, to the master, before giving up.', PRIMARY KEY(Master_id)) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT 'Master Information'; +CREATE TABLE IF NOT EXISTS slave_master_info (Master_id INTEGER UNSIGNED NOT NULL, Number_of_lines INTEGER UNSIGNED NOT NULL COMMENT 'Number of lines in the file.', Master_log_name TEXT CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'The name of the master binary log currently being read from the master.', Master_log_pos BIGINT UNSIGNED NOT NULL COMMENT 'The master log position of the last read event.', Host TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The host name of the master.', User_name TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The user name used to connect to the master.', User_password TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The password used to connect to the 
master.', Port INTEGER UNSIGNED NOT NULL COMMENT 'The network port used to connect to the master.', Connect_retry INTEGER UNSIGNED NOT NULL COMMENT 'The period (in seconds) that the slave will wait before trying to reconnect to the master.', Enabled_ssl BOOLEAN NOT NULL COMMENT 'In! dicates whether the server supports SSL connections.', Ssl_ca TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Authority (CA) certificate.', Ssl_capath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path to the Certificate Authority (CA) certificates.', Ssl_cert TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL certificate file.', Ssl_cipher TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the cipher in use for the SSL connection.', Ssl_key TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The name of the SSL key file.', Ssl_verify_server_cert BOOLEAN NOT NULL COMMENT 'Whether to verify the server certificate.', Heartbeat FLOAT NOT NULL COMMENT '', Bind TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'Displays which interface is employed when connecting to the MySQL server', Ignored_server_ids TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The number of server IDs to be ignored, followed by the a! ctual server IDs', Uuid TEXT CHARACTER SET utf8 COLLATE utf8_bin COMME NT 'The master server uuid.', Retry_count BIGINT UNSIGNED NOT NULL COMMENT 'Number of reconnect attempts, to the master, before giving up.', Ssl_crl TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Revocation List (CRL)', Ssl_crlpath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path used for Certificate Revocation List (CRL) files', PRIMARY KEY(Master_id)) ENGINE=MYISAM DEFAULT CHARSET=utf8 COMMENT 'Master Information'; CREATE TABLE IF NOT EXISTS innodb_table_stats ( database_name VARCHAR(64) NOT NULL, === modified file 'scripts/mysql_system_tables_fix.sql' 
--- a/scripts/mysql_system_tables_fix.sql 2011-06-30 15:50:45 +0000
+++ b/scripts/mysql_system_tables_fix.sql 2011-08-19 13:24:24 +0000
@@ -660,3 +660,6 @@ DROP TABLE tmp_proxies_priv;
 # changes was correct
 flush privileges;
+
+ALTER TABLE slave_master_info ADD Ssl_crl TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The file used for the Certificate Revocation List (CRL)';
+ALTER TABLE slave_master_info ADD Ssl_crlpath TEXT CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'The path used for Certificate Revocation List (CRL) files';
=== modified file 'sql-common/client.c'
--- a/sql-common/client.c 2011-06-30 15:50:45 +0000
+++ b/sql-common/client.c 2011-08-19 13:24:24 +0000
@@ -1011,7 +1011,7 @@ static const char *default_options[]=
 "ssl-cipher", "max-allowed-packet", "protocol", "shared-memory-base-name",
 "multi-results", "multi-statements", "multi-queries", "secure-auth",
 "report-data-truncation", "plugin-dir", "default-auth",
- "bind-address",
+ "bind-address", "ssl-crl", "ssl-crlpath",
 NullS
 };
 enum option_id {
@@ -1023,7 +1023,7 @@ enum option_id {
 OPT_ssl_cipher, OPT_max_allowed_packet, OPT_protocol, OPT_shared_memory_base_name,
 OPT_multi_results, OPT_multi_statements, OPT_multi_queries, OPT_secure_auth,
 OPT_report_data_truncation, OPT_plugin_dir, OPT_default_auth,
- OPT_bind_address,
+ OPT_bind_address, OPT_ssl_crl, OPT_ssl_crlpath,
 OPT_keep_this_one_last
 };
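Review bot: `default_options[]` and `enum option_id` are only correct while their entries stay in the same order, and the two new pairs (`"ssl-crl", "ssl-crlpath"` and `OPT_ssl_crl, OPT_ssl_crlpath`) are appended in matching positions here, but nothing at either site says so. A one-line comment on each — `/* keep in sync with enum option_id below */` above the array and `/* order must match default_options[] above */` on the enum — would protect the next addition. `OPT_keep_this_one_last` correctly stays last.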
@@ -1058,12 +1058,38 @@ static int add_init_command(struct st_my
 #define EXTENSION_SET_STRING(OPTS, X, STR) \
 if ((OPTS)->extension) \
- my_free((OPTS)->extension->X); \
+ my_free((OPTS)->extension->X); \
 else \
 (OPTS)->extension= (struct st_mysql_options_extention *) \
 my_malloc(sizeof(struct st_mysql_options_extention), \
 MYF(MY_WME | MY_ZEROFILL)); \
- (OPTS)->extension->X= my_strdup((STR), MYF(MY_WME));
+ (OPTS)->extension->X= ((STR) != NULL) ? \
+ my_strdup((STR), MYF(MY_WME)) : NULL
+
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
+#define SET_SSL_OPTION(opt_var,arg) \
+ if (mysql->options.opt_var) \
+ my_free(mysql->options.opt_var); \
+ mysql->options.opt_var= arg ? my_strdup(arg, MYF(MY_WME)) : NULL; \
+ if (mysql->options.opt_var) \
+ mysql->options.use_ssl= 1
+#define EXTENSION_SET_SSL_STRING(OPTS, X, STR) \
+ EXTENSION_SET_STRING(OPTS, X, STR); \
+ if ((OPTS)->extension->X) \
+ (OPTS)->use_ssl= 1
+
+
+#else
+#define SET_SSL_OPTION(opt_var,arg) \
+ do { \
+ ; \
+ } while(0)
+#define EXTENSION_SET_SSL_STRING(OPTS, X, STR) \
+ do { \
+ ; \
+ } while(0)
+#endif
+
 void mysql_read_default_options(struct st_mysql_options *options,
 const char *filename,const char *group)
@@ -1184,12 +1210,20 @@ void mysql_read_default_options(struct s
 my_free(options->ssl_cipher);
 options->ssl_cipher= my_strdup(opt_arg, MYF(MY_WME));
 break;
+ case OPT_ssl_crl:
+ EXTENSION_SET_SSL_STRING(options, ssl_crl, opt_arg);
+ break;
+ case OPT_ssl_crlpath:
+ EXTENSION_SET_SSL_STRING(options, ssl_crlpath, opt_arg);
+ break;
 #else
 case OPT_ssl_key:
 case OPT_ssl_cert:
 case OPT_ssl_ca:
 case OPT_ssl_capath:
 case OPT_ssl_cipher:
+ case OPT_ssl_crl:
+ case OPT_ssl_crlpath:
 break;
 #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
 case OPT_character_sets_dir:
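Review bot: `SET_SSL_OPTION` swallows allocation failure: when `arg` is non-NULL and `my_strdup` returns NULL the option silently becomes unset while `mysql_options` still reports success, so a caller that asked for `MYSQL_OPT_SSL_CA` can go on to connect with `use_ssl` set by an earlier option and no CA to verify against — and the new `result` in `mysql_ssl_set` can never surface it. The macro is also a bare multi-statement sequence, unlike its `#else` twin, so it is only safe directly under a `case` label; a `do { … } while (0)` body keeps both variants interchangeable. The `if (mysql->options.opt_var)` guard before `my_free` is redundant by this file's own convention (`mysql_read_default_options` and `mysql_ssl_free` call `my_free` on possibly-NULL pointers unguarded). `EXTENSION_SET_SSL_STRING` has the same silent-failure shape but is also used from the void `mysql_read_default_options`, so its failure check belongs at the `mysql_options` call sites rather than inside the macro.
```c
#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
#define SET_SSL_OPTION(opt_var,arg)                                         \
  do {                                                                      \
    my_free(mysql->options.opt_var);                                        \
    mysql->options.opt_var= (arg) ? my_strdup((arg), MYF(MY_WME)) : NULL;   \
    if ((arg) && !mysql->options.opt_var)                                   \
      DBUG_RETURN(1);          /* strdup failed: report instead of dropping the option */ \
    if (mysql->options.opt_var)                                             \
      mysql->options.use_ssl= 1;                                            \
  } while (0)
/* … unchanged: EXTENSION_SET_SSL_STRING and the #else no-op variants … */
```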
@@ -1644,15 +1678,18 @@ mysql_ssl_set(MYSQL *mysql __attribute__
 const char *capath __attribute__((unused)),
 const char *cipher __attribute__((unused)))
 {
+ my_bool result= 0;
 DBUG_ENTER("mysql_ssl_set");
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
- mysql->options.ssl_key= strdup_if_not_null(key);
- mysql->options.ssl_cert= strdup_if_not_null(cert);
- mysql->options.ssl_ca= strdup_if_not_null(ca);
- mysql->options.ssl_capath= strdup_if_not_null(capath);
- mysql->options.ssl_cipher= strdup_if_not_null(cipher);
-#endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
- DBUG_RETURN(0);
+ result=
+ mysql_options(mysql, MYSQL_OPT_SSL_KEY, key) +
+ mysql_options(mysql, MYSQL_OPT_SSL_CERT, cert) +
+ mysql_options(mysql, MYSQL_OPT_SSL_CA, ca) +
+ mysql_options(mysql, MYSQL_OPT_SSL_CAPATH, capath) +
+ mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)
+ ? 1 : 0;
+#endif
+ DBUG_RETURN(result);
 }
@@ -1674,6 +1711,11 @@ mysql_ssl_free(MYSQL *mysql __attribute_
 my_free(mysql->options.ssl_ca);
 my_free(mysql->options.ssl_capath);
 my_free(mysql->options.ssl_cipher);
+ if (mysql->options.extension)
+ {
+ my_free(mysql->options.extension->ssl_crl);
+ my_free(mysql->options.extension->ssl_crlpath);
+ }
 if (ssl_fd)
 SSL_CTX_free(ssl_fd->ssl_context);
 my_free(mysql->connector_fd);
@@ -1682,6 +1724,11 @@ mysql_ssl_free(MYSQL *mysql __attribute_
 mysql->options.ssl_ca = 0;
 mysql->options.ssl_capath = 0;
 mysql->options.ssl_cipher= 0;
+ if (mysql->options.extension)
+ {
+ mysql->options.extension->ssl_crl = 0;
+ mysql->options.extension->ssl_crlpath = 0;
+ }
 mysql->options.use_ssl = FALSE;
 mysql->connector_fd = 0;
 DBUG_VOID_RETURN;
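Review bot: `result= mysql_options(…) + … + mysql_options(…) ? 1 : 0` parses as `(sum) ? 1 : 0` because `+` binds tighter than `?:`, which is the intended meaning but reads as if only the last call were tested; `result= (mysql_options(mysql, MYSQL_OPT_SSL_KEY, key) + … + mysql_options(mysql, MYSQL_OPT_SSL_CIPHER, cipher)) != 0;` says it directly. The addition form is the right one — a short-circuit `||` would stop applying options after the first failure — so only the parenthesis is missing. As far as the visible `mysql_options` cases go, the five calls can only return non-zero for an unknown option, so `result` is effectively always 0 until `SET_SSL_OPTION` starts reporting allocation failure; worth a comment so the next reader does not assume the return value is meaningful.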
@@ -2350,7 +2397,9 @@ static int send_client_reply_packet(MCPV
 #if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
 if (mysql->options.ssl_key || mysql->options.ssl_cert ||
 mysql->options.ssl_ca || mysql->options.ssl_capath ||
- mysql->options.ssl_cipher)
+ mysql->options.ssl_cipher ||
+ (mysql->options.extension && mysql->options.extension->ssl_crl) ||
+ (mysql->options.extension && mysql->options.extension->ssl_crlpath))
 mysql->options.use_ssl= 1;
 if (mysql->options.use_ssl)
 mysql->client_flag|= CLIENT_SSL;
@@ -2411,7 +2460,11 @@ static int send_client_reply_packet(MCPV
 options->ssl_ca,
 options->ssl_capath,
 options->ssl_cipher,
- &ssl_init_error)))
+ &ssl_init_error,
+ options->extension ?
+ options->extension->ssl_crl : NULL,
+ options->extension ?
+ options->extension->ssl_crlpath : NULL)))
 {
 set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
 ER(CR_SSL_CONNECTION_ERROR), sslGetErrString(ssl_init_error));
@@ -3975,7 +4028,6 @@ mysql_fetch_lengths(MYSQL_RES *res)
 return res->lengths;
 }
-
 int STDCALL
 mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
 {
@@ -4066,6 +4118,17 @@ mysql_options(MYSQL *mysql,enum mysql_op
 case MYSQL_DEFAULT_AUTH:
 EXTENSION_SET_STRING(&mysql->options, default_auth, arg);
 break;
+ case MYSQL_OPT_SSL_KEY: SET_SSL_OPTION(ssl_key, arg); break;
+ case MYSQL_OPT_SSL_CERT: SET_SSL_OPTION(ssl_cert, arg); break;
+ case MYSQL_OPT_SSL_CA: SET_SSL_OPTION(ssl_ca, arg); break;
+ case MYSQL_OPT_SSL_CAPATH: SET_SSL_OPTION(ssl_capath, arg); break;
+ case MYSQL_OPT_SSL_CIPHER: SET_SSL_OPTION(ssl_cipher, arg); break;
+ case MYSQL_OPT_SSL_CRL: EXTENSION_SET_SSL_STRING(&mysql->options,
+ ssl_crl, arg);
+ break;
+ case MYSQL_OPT_SSL_CRLPATH: EXTENSION_SET_SSL_STRING(&mysql->options,
+ ssl_crlpath, arg);
+ break;
 default:
 DBUG_RETURN(1);
 }
=== modified file 'sql/lex.h'
--- a/sql/lex.h 2011-06-30 15:50:45 +0000
+++ b/sql/lex.h 2011-08-19 13:24:24 +0000
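Review bot: In the `use_ssl` condition the two new operands each re-test `mysql->options.extension`; `(mysql->options.extension && (mysql->options.extension->ssl_crl || mysql->options.extension->ssl_crlpath))` is equivalent and easier to read. The whole check looks redundant with `SET_SSL_OPTION` and `EXTENSION_SET_SSL_STRING`, which already set `use_ssl= 1` whenever a value is stored — unless some path writes `mysql->options` without going through them (not visible here), in which case a comment saying so would justify keeping it. In `mysql_options`, the five one-line `case X: SET_SSL_OPTION(...); break;` entries and the two split `EXTENSION_SET_SSL_STRING` entries sit oddly next to `MYSQL_DEFAULT_AUTH`'s one-statement-per-line layout; formatting them the same way costs ten lines and keeps the switch uniform.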
@@ -331,6 +331,8 @@ static SYMBOL symbols[] = {
 { "MASTER_SSL_CAPATH",SYM(MASTER_SSL_CAPATH_SYM)},
 { "MASTER_SSL_CERT", SYM(MASTER_SSL_CERT_SYM)},
 { "MASTER_SSL_CIPHER",SYM(MASTER_SSL_CIPHER_SYM)},
+ { "MASTER_SSL_CRL", SYM(MASTER_SSL_CRL_SYM)},
+ { "MASTER_SSL_CRLPATH",SYM(MASTER_SSL_CRLPATH_SYM)},
 { "MASTER_SSL_KEY", SYM(MASTER_SSL_KEY_SYM)},
 { "MASTER_SSL_VERIFY_SERVER_CERT", SYM(MASTER_SSL_VERIFY_SERVER_CERT_SYM)},
 { "MASTER_USER", SYM(MASTER_USER_SYM)},
=== modified file 'sql/mysqld.cc'
--- a/sql/mysqld.cc 2011-08-18 18:05:45 +0000
+++ b/sql/mysqld.cc 2011-08-19 13:24:24 +0000
@@ -913,7 +913,8 @@ HANDLE smem_event_connect_request= 0;
 my_bool opt_use_ssl = 0;
 char *opt_ssl_ca= NULL, *opt_ssl_capath= NULL, *opt_ssl_cert= NULL,
- *opt_ssl_cipher= NULL, *opt_ssl_key= NULL;
+ *opt_ssl_cipher= NULL, *opt_ssl_key= NULL, *opt_ssl_crl= NULL,
+ *opt_ssl_crlpath= NULL;
 #ifdef HAVE_OPENSSL
 #include
@@ -3870,7 +3871,8 @@ static void init_ssl()
 /* having ssl_acceptor_fd != 0 signals the use of SSL */
 ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert, opt_ssl_ca,
 opt_ssl_capath,
- opt_ssl_cipher, &error);
+ opt_ssl_cipher, &error,
+ opt_ssl_crl, opt_ssl_crlpath);
 DBUG_PRINT("info",("ssl_acceptor_fd: 0x%lx", (long) ssl_acceptor_fd));
 if (!ssl_acceptor_fd)
 {
=== modified file 'sql/mysqld.h'
--- a/sql/mysqld.h 2011-08-18 18:05:45 +0000
+++ b/sql/mysqld.h 2011-08-19 13:24:24 +0000
@@ -485,7 +485,7 @@ extern int32 thread_running;
 extern my_atomic_rwlock_t thread_running_lock;
 extern char *opt_ssl_ca, *opt_ssl_capath, *opt_ssl_cert, *opt_ssl_cipher,
- *opt_ssl_key;
+ *opt_ssl_key, *opt_ssl_crl, *opt_ssl_crlpath;
 extern MYSQL_PLUGIN_IMPORT pthread_key(THD*, THR_THD);
@@ -544,7 +544,9 @@ enum options_mysqld
 OPT_LOG_ERROR,
 OPT_MAX_LONG_DATA_SIZE,
 OPT_PLUGIN_LOAD,
- OPT_PLUGIN_LOAD_ADD
+ OPT_PLUGIN_LOAD_ADD,
+ OPT_SSL_CRL,
+ OPT_SSL_CRLPATH
 };
=== modified file 'sql/rpl_mi.cc'
--- a/sql/rpl_mi.cc 2011-07-20 10:24:14 +0000
+++ b/sql/rpl_mi.cc 2011-08-19 13:24:24 +0000
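Review bot: `init_ssl` now passes `opt_ssl_crl`/`opt_ssl_crlpath` straight into `new_VioSSLAcceptorFd` with no build-flavour guard, while the `new_VioSSLFd` hunk in vio/viosslfactories.c hits `DBUG_ASSERT(0)` under `HAVE_YASSL` whenever either is non-NULL; unless the two options are nulled out for yaSSL somewhere outside this diff, a debug yaSSL server started with `--ssl-crl` aborts at startup and a release one silently ignores the option. If yaSSL is meant to be a no-op for these, this call site is the place to make it explicit — pass `NULL, NULL` under `#ifdef HAVE_YASSL` and log that CRL options are unsupported — so the assert in `new_VioSSLFd` stays a true invariant. The `#include` line in the first mysqld.cc hunk has lost its target in this rendering; nothing to change in the code, but the mail archive copy is not reviewable for that line.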
@@ -43,8 +43,14 @@ enum {
 /* line for master_retry_count */
 LINE_FOR_MASTER_RETRY_COUNT= 20,
+ /* line for ssl_crl */
+ LINE_FOR_SSL_CRL= 21,
+
+ /* line for ssl_crl */
+ LINE_FOR_SSL_CRLPATH= 22,
+
 /* Number of lines currently used when saving master info file */
- LINES_IN_MASTER_INFO= LINE_FOR_MASTER_RETRY_COUNT
+ LINES_IN_MASTER_INFO= LINE_FOR_SSL_CRLPATH
 };
 /*
@@ -73,7 +79,9 @@ const char *info_mi_fields []=
 "bind",
 "ignore_server_ids",
 "uuid",
- "retry_count"
+ "retry_count",
+ "ssl_crl",
+ "ssl_crlpath",
 };
 Master_info::Master_info(
@@ -105,6 +113,7 @@ Master_info::Master_info(
 host[0] = 0; user[0] = 0; password[0] = 0; bind_addr[0] = 0;
 ssl_ca[0]= 0; ssl_capath[0]= 0; ssl_cert[0]= 0;
 ssl_cipher[0]= 0; ssl_key[0]= 0;
+ ssl_crl[0]= 0; ssl_crlpath[0]= 0;
 master_uuid[0]= 0;
 ignore_server_ids= new Server_ids();
 }
@@ -422,6 +431,13 @@ bool Master_info::read_info(Rpl_info_han
 DBUG_RETURN(TRUE);
 }
+ if (lines >= LINE_FOR_SSL_CRLPATH)
+ {
+ if (from->get_info(ssl_crl, sizeof(ssl_crl), 0) ||
+ from->get_info(ssl_crlpath, sizeof(ssl_crlpath), 0))
+ DBUG_RETURN(TRUE);
+ }
+
 ssl= (my_bool) test(temp_ssl);
 ssl_verify_server_cert= (my_bool) test(temp_ssl_verify_server_cert);
 master_log_pos= (my_off_t) temp_master_log_pos;
@@ -467,7 +483,9 @@ bool Master_info::write_info(Rpl_info_ha
 to->set_info(bind_addr) ||
 to->set_info(ignore_server_ids) ||
 to->set_info(master_uuid) ||
- to->set_info(retry_count))
+ to->set_info(retry_count) ||
+ to->set_info(ssl_crl) ||
+ to->set_info(ssl_crlpath))
 DBUG_RETURN(TRUE);
 if (to->flush_info(force))
=== modified file 'sql/rpl_mi.h'
--- a/sql/rpl_mi.h 2011-07-20 10:24:14 +0000
+++ b/sql/rpl_mi.h 2011-08-19 13:24:24 +0000
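Review bot: The comment on `LINE_FOR_SSL_CRLPATH= 22` reads `/* line for ssl_crl */`, a copy of the line above; it should be `/* line for ssl_crlpath */`. In `read_info` the guard `if (lines >= LINE_FOR_SSL_CRLPATH)` reads both new fields together, so a master.info with exactly `LINE_FOR_SSL_CRL` lines silently skips both — consistent with treating the pair as one upgrade step, but a short comment such as `/* both CRL fields were added together; older files have neither */` above the `if` would record that intent. The new fields are persisted in master.info in the clear like the other SSL paths, so there is no new exposure, but the `"ssl_crl", "ssl_crlpath",` entries in `info_mi_fields[]` must stay in the same order as the `LINE_FOR_*` constants, which nothing here states.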
@@ -73,6 +73,7 @@ public:
 my_bool ssl; // enables use of SSL connection if true
 char ssl_ca[FN_REFLEN], ssl_capath[FN_REFLEN], ssl_cert[FN_REFLEN];
 char ssl_cipher[FN_REFLEN], ssl_key[FN_REFLEN];
+ char ssl_crl[FN_REFLEN], ssl_crlpath[FN_REFLEN];
 my_bool ssl_verify_server_cert;
 MYSQL* mysql;
=== modified file 'sql/rpl_slave.cc'
--- a/sql/rpl_slave.cc 2011-07-28 10:54:44 +0000
+++ b/sql/rpl_slave.cc 2011-08-19 13:24:24 +0000
@@ -2064,6 +2064,10 @@ bool show_master_info(THD* thd, Master_i
 sizeof(mi->bind_addr)));
 field_list.push_back(new Item_empty_string("Last_IO_Error_Timestamp", 20));
 field_list.push_back(new Item_empty_string("Last_SQL_Error_Timestamp", 20));
+ field_list.push_back(new Item_empty_string("Master_SSL_Crl",
+ sizeof(mi->ssl_crl)));
+ field_list.push_back(new Item_empty_string("Master_SSL_Crlpath",
+ sizeof(mi->ssl_crlpath)));
 if (protocol->send_result_set_metadata(&field_list,
@@ -2241,6 +2245,10 @@ bool show_master_info(THD* thd, Master_i
 protocol->store(mi->last_error().timestamp, &my_charset_bin);
 // Last_SQL_Error_Timestamp
 protocol->store(mi->rli->last_error().timestamp, &my_charset_bin);
+ // Master_Ssl_Crl
+ protocol->store(mi->ssl_ca, &my_charset_bin);
+ // Master_Ssl_Crlpath
+ protocol->store(mi->ssl_capath, &my_charset_bin);
 mysql_mutex_unlock(&mi->rli->err_lock);
 mysql_mutex_unlock(&mi->err_lock);
@@ -4715,6 +4723,10 @@ static int connect_to_master(THD* thd, M
 mi->ssl_ca[0]?mi->ssl_ca:0,
 mi->ssl_capath[0]?mi->ssl_capath:0,
 mi->ssl_cipher[0]?mi->ssl_cipher:0);
+ mysql_options(mysql, MYSQL_OPT_SSL_CRL,
+ mi->ssl_crl[0] ? mi->ssl_crl : 0);
+ mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
+ mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
 mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 &mi->ssl_verify_server_cert);
 }
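Review bot: In `show_master_info` the two new result columns are filled from the wrong fields: under `// Master_Ssl_Crl` the code stores `mi->ssl_ca`, and under `// Master_Ssl_Crlpath` it stores `mi->ssl_capath`, so SHOW SLAVE STATUS reports the CA file and CA path in the Master_SSL_Crl/Master_SSL_Crlpath columns and the configured CRL settings are never shown. The lines should be `protocol->store(mi->ssl_crl, &my_charset_bin);` and `protocol->store(mi->ssl_crlpath, &my_charset_bin);`. The column names pushed in the earlier hunk (`Master_SSL_Crl`, `Master_SSL_Crlpath`) and the comments here (`Master_Ssl_Crl`, `Master_Ssl_Crlpath`) also disagree in case; align the comments with the field names. None of the added .test files runs CHANGE MASTER with MASTER_SSL_CRL and checks the SHOW SLAVE STATUS column, which is how this slipped through; both hunks belong to `show_master_info`, whose body continues outside them.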
@@ -4846,6 +4858,10 @@ MYSQL *rpl_connect_master(MYSQL *mysql)
 mi->ssl_ca[0]?mi->ssl_ca:0,
 mi->ssl_capath[0]?mi->ssl_capath:0,
 mi->ssl_cipher[0]?mi->ssl_cipher:0);
+ mysql_options(mysql, MYSQL_OPT_SSL_CRL,
+ mi->ssl_crl[0] ? mi->ssl_crl : 0);
+ mysql_options(mysql, MYSQL_OPT_SSL_CRLPATH,
+ mi->ssl_crlpath[0] ? mi->ssl_crlpath : 0);
 mysql_options(mysql, MYSQL_OPT_SSL_VERIFY_SERVER_CERT,
 &mi->ssl_verify_server_cert);
 }
@@ -5916,10 +5932,14 @@ bool change_master(THD* thd, Master_info
 strmake(mi->ssl_cipher, lex_mi->ssl_cipher, sizeof(mi->ssl_cipher)-1);
 if (lex_mi->ssl_key)
 strmake(mi->ssl_key, lex_mi->ssl_key, sizeof(mi->ssl_key)-1);
+ if (lex_mi->ssl_crl)
+ strmake(mi->ssl_crl, lex_mi->ssl_crl, sizeof(mi->ssl_crl)-1);
+ if (lex_mi->ssl_crlpath)
+ strmake(mi->ssl_crlpath, lex_mi->ssl_crlpath, sizeof(mi->ssl_crlpath)-1);
 #ifndef HAVE_OPENSSL
 if (lex_mi->ssl || lex_mi->ssl_ca || lex_mi->ssl_capath || lex_mi->ssl_cert || lex_mi->ssl_cipher || lex_mi->ssl_key ||
- lex_mi->ssl_verify_server_cert )
+ lex_mi->ssl_verify_server_cert || lex_mi->ssl_crl || lex_mi->ssl_crlpath)
 push_warning(thd, Sql_condition::WARN_LEVEL_NOTE,
 ER_SLAVE_IGNORED_SSL_PARAMS, ER(ER_SLAVE_IGNORED_SSL_PARAMS));
 #endif
=== modified file 'sql/sql_lex.h'
--- a/sql/sql_lex.h 2011-08-15 09:44:00 +0000
+++ b/sql/sql_lex.h 2011-08-19 13:24:24 +0000
@@ -221,6 +221,7 @@ typedef struct st_lex_master_info
 ssl, ssl_verify_server_cert, heartbeat_opt, repl_ignore_server_ids_opt,
 retry_count_opt;
 char *ssl_key, *ssl_cert, *ssl_ca, *ssl_capath, *ssl_cipher;
+ char *ssl_crl, *ssl_crlpath;
 char *relay_log_name;
 ulong relay_log_pos;
 DYNAMIC_ARRAY repl_ignore_server_ids;
=== modified file 'sql/sql_yacc.yy'
--- a/sql/sql_yacc.yy 2011-08-19 10:27:23 +0000
+++ b/sql/sql_yacc.yy 2011-08-19 13:24:24 +0000
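Review bot: The four `mysql_options(... MYSQL_OPT_SSL_CRL / MYSQL_OPT_SSL_CRLPATH ...)` lines in `rpl_connect_master` duplicate the block added to `connect_to_master` in the previous rpl_slave.cc hunk, and both sit next to an already-duplicated `mysql_ssl_set` call; a small static helper that applies all of `mi`'s SSL settings to a `MYSQL *` would keep the two connect paths from drifting (this commit had to patch both). In `change_master`, `strmake(mi->ssl_crl, lex_mi->ssl_crl, sizeof(mi->ssl_crl)-1)` truncates silently at FN_REFLEN like its neighbours — the existing convention, but a truncated CRL path will only surface later as a load failure at connect time, so a warning on truncation is worth considering for the whole group. The extended `#ifndef HAVE_OPENSSL` warning condition correctly covers the two new options.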
@@ -1089,6 +1089,8 @@ bool my_yyoverflow(short **a, YYSTYPE **
 %token MASTER_SSL_CA_SYM
 %token MASTER_SSL_CERT_SYM
 %token MASTER_SSL_CIPHER_SYM
+%token MASTER_SSL_CRL_SYM
+%token MASTER_SSL_CRLPATH_SYM
 %token MASTER_SSL_KEY_SYM
 %token MASTER_SSL_SYM
 %token MASTER_SSL_VERIFY_SERVER_CERT_SYM
@@ -1965,6 +1967,14 @@ master_def:
 Lex->mi.ssl_verify_server_cert= $3 ?
 LEX_MASTER_INFO::LEX_MI_ENABLE : LEX_MASTER_INFO::LEX_MI_DISABLE;
 }
+ | MASTER_SSL_CRL_SYM EQ TEXT_STRING_sys
+ {
+ Lex->mi.ssl_crl= $3.str;
+ }
+ | MASTER_SSL_CRLPATH_SYM EQ TEXT_STRING_sys
+ {
+ Lex->mi.ssl_crlpath= $3.str;
+ }
 | MASTER_HEARTBEAT_PERIOD_SYM EQ NUM_literal
 {
@@ -12764,6 +12774,8 @@ keyword_sp:
 | MASTER_SSL_CAPATH_SYM {}
 | MASTER_SSL_CERT_SYM {}
 | MASTER_SSL_CIPHER_SYM {}
+ | MASTER_SSL_CRL_SYM {}
+ | MASTER_SSL_CRLPATH_SYM {}
 | MASTER_SSL_KEY_SYM {}
 | MAX_CONNECTIONS_PER_HOUR {}
 | MAX_QUERIES_PER_HOUR {}
=== modified file 'sql/sys_vars.cc'
--- a/sql/sys_vars.cc 2011-08-19 11:39:15 +0000
+++ b/sql/sys_vars.cc 2011-08-19 13:24:24 +0000
@@ -2372,6 +2372,19 @@ static Sys_var_charptr Sys_ssl_key(
 READ_ONLY GLOBAL_VAR(opt_ssl_key), SSL_OPT(OPT_SSL_KEY),
 IN_FS_CHARSET, DEFAULT(0));
+static Sys_var_charptr Sys_ssl_crl(
+ "ssl_crl",
+ "CRL file in PEM format (check OpenSSL docs, implies --ssl)",
+ READ_ONLY GLOBAL_VAR(opt_ssl_crl), SSL_OPT(OPT_SSL_CRL),
+ IN_FS_CHARSET, DEFAULT(0));
+
+static Sys_var_charptr Sys_ssl_crlpath(
+ "ssl_crlpath",
+ "CRL directory (check OpenSSL docs, implies --ssl)",
+ READ_ONLY GLOBAL_VAR(opt_ssl_crlpath), SSL_OPT(OPT_SSL_CRLPATH),
+ IN_FS_CHARSET, DEFAULT(0));
+
+
 // why ENUM and not BOOL ?
 static const char *updatable_views_with_limit_names[]= {"NO", "YES", 0};
 static Sys_var_enum Sys_updatable_views_with_limit(
=== modified file 'vio/viosslfactories.c'
--- a/vio/viosslfactories.c 2011-06-30 15:46:53 +0000
+++ b/vio/viosslfactories.c 2011-08-19 13:24:24 +0000
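Review bot: The help strings for the new `ssl_crl` and `ssl_crlpath` variables in the sys_vars.cc hunk do not say that revocation checking is enabled only when at least one of them is set, which the commit message singles out as the behaviour operators need to know (CRL files already sitting in --ssl-capath are not consulted otherwise). Suggest extending the first one to `"CRL file in PEM format (check OpenSSL docs, implies --ssl). Revocation checking is enabled only when --ssl-crl or --ssl-crlpath is given"` and the second correspondingly, since SHOW VARIABLES is where an operator will look to confirm that revocation is actually enforced. The hunk also leaves two consecutive blank lines before `// why ENUM and not BOOL ?` where the surrounding definitions are separated by one.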
@@ -165,19 +165,22 @@ static struct st_VioSSLFd *
 new_VioSSLFd(const char *key_file, const char *cert_file,
 const char *ca_file, const char *ca_path,
 const char *cipher, SSL_METHOD *method,
- enum enum_ssl_init_error *error)
+ enum enum_ssl_init_error *error,
+ const char *crl_file, const char *crl_path)
 {
 DH *dh;
 struct st_VioSSLFd *ssl_fd;
 DBUG_ENTER("new_VioSSLFd");
 DBUG_PRINT("enter",
 ("key_file: '%s' cert_file: '%s' ca_file: '%s' ca_path: '%s' "
- "cipher: '%s'",
+ "cipher: '%s' crl_file: '%s' crl_path: '%s' ",
 key_file ? key_file : "NULL",
 cert_file ? cert_file : "NULL",
 ca_file ? ca_file : "NULL",
 ca_path ? ca_path : "NULL",
- cipher ? cipher : "NULL"));
+ cipher ? cipher : "NULL",
+ crl_file ? crl_file : "NULL",
+ crl_path ? crl_path : "NULL"));
 check_ssl_init();
@@ -225,6 +228,30 @@ new_VioSSLFd(const char *key_file, const
 }
 }
+ if (crl_file || crl_path)
+ {
+#ifdef HAVE_YASSL
+ DBUG_PRINT("warning", ("yaSSL doesn't support CRL"));
+ DBUG_ASSERT(0);
+#else
+ X509_STORE *store= SSL_CTX_get_cert_store(ssl_fd->ssl_context);
+ /* Load crls from the trusted ca */
+ if (X509_STORE_load_locations(store, crl_file, crl_path) == 0 ||
+ X509_STORE_set_flags(store,
+ X509_V_FLAG_CRL_CHECK |
+ X509_V_FLAG_CRL_CHECK_ALL) == 0)
+ {
+ DBUG_PRINT("warning", ("X509_STORE_load_locations for CRL failed"));
+ *error= SSL_INITERR_BAD_PATHS;
+ DBUG_PRINT("error", ("%s", sslGetErrString(*error)));
+ report_errors();
+ SSL_CTX_free(ssl_fd->ssl_context);
+ my_free(ssl_fd);
+ DBUG_RETURN(0);
+ }
+#endif
+ }
+
 if (vio_set_cert_stuff(ssl_fd->ssl_context, cert_file, key_file, error))
 {
 DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
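Review bot: In the HAVE_YASSL branch of the new `if (crl_file || crl_path)` block a non-debug build compiles `DBUG_ASSERT(0)` away and the function carries on building a context with no revocation checking at all, so a caller that explicitly asked for a CRL gets a connection that will accept a revoked certificate without any error. The branch should fail the way the OpenSSL branch does: set `*error`, free `ssl_fd->ssl_context` and `ssl_fd`, and `DBUG_RETURN(0)` (SSL_INITERR_BAD_PATHS is the only code visible here; a dedicated value would give the caller a clearer message). Two smaller points: `X509_V_FLAG_CRL_CHECK_ALL` makes OpenSSL demand a CRL for every CA in the chain, not only the leaf's issuer, so verification fails with "unable to get certificate CRL" whenever an intermediate has no CRL loaded, and that is worth saying in the comment because nothing on this page documents it; and the failure path always logs "X509_STORE_load_locations for CRL failed" even when it was `X509_STORE_set_flags` that returned 0. The comment `/* Load crls from the trusted ca */` would be more accurate as `/* Load the CRL file/dir into the context's X509 store and require CRL checks for the whole chain */`. new_VioSSLFd starts in the previous hunk and ends outside this one.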
@@ -249,7 +276,8 @@ new_VioSSLFd(const char *key_file, const
 struct st_VioSSLFd *
 new_VioSSLConnectorFd(const char *key_file, const char *cert_file,
 const char *ca_file, const char *ca_path,
- const char *cipher, enum enum_ssl_init_error* error)
+ const char *cipher, enum enum_ssl_init_error* error,
+ const char *crl_file, const char *crl_path)
 {
 struct st_VioSSLFd *ssl_fd;
 int verify= SSL_VERIFY_PEER;
@@ -262,7 +290,8 @@ new_VioSSLConnectorFd(const char *key_fi
 verify= SSL_VERIFY_NONE;
 if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
- ca_path, cipher, TLSv1_client_method(), error)))
+ ca_path, cipher, TLSv1_client_method(), error,
+ crl_file, crl_path)))
 {
 return 0;
 }
@@ -279,12 +308,14 @@ new_VioSSLConnectorFd(const char *key_fi
 struct st_VioSSLFd *
 new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
 const char *ca_file, const char *ca_path,
- const char *cipher, enum enum_ssl_init_error* error)
+ const char *cipher, enum enum_ssl_init_error* error,
+ const char *crl_file, const char *crl_path)
 {
 struct st_VioSSLFd *ssl_fd;
 int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
 if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file,
- ca_path, cipher, TLSv1_server_method(), error)))
+ ca_path, cipher, TLSv1_server_method(), error,
+ crl_file, crl_path)))
 {
 return 0;
 }
No bundle (reason: useless for push emails).