From:
Date: March 28 2007 12:23pm
Subject: bk commit into 5.0 tree (msvensson:1.2457) BUG#25309
List-Archive: http://lists.mysql.com/commits/23130
X-Bug: 25309
Message-Id: <200703281023.l2SANwoY011241@pilot.blaudden>

Below is the list of changes that have just been committed into a local 5.0
repository of msvensson. When msvensson does a push these changes will
be propagated to the main repository and, within 24 hours after the push,
to the public repository.

For information on how to access the public repository see
http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-03-28 12:23:55+02:00, msvensson@stripped +3 -0
  Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
   - Turn off verification of peer if both ca_path and ca_file are null,
     i.e. from only passing --ssl-key= and --ssl-cert= to the mysql utility
     programs. The server will authenticate the client according to GRANT
     tables but the client won't authenticate the server

  mysql-test/r/openssl_1.result@stripped, 2007-03-28 12:23:53+02:00, msvensson@stripped +2 -0
    Update result file

  mysql-test/t/openssl_1.test@stripped, 2007-03-28 12:23:54+02:00, msvensson@stripped +8 -1
    Test that it's possible to connect with --ssl-ca set to /dev/null

  vio/viosslfactories.c@stripped, 2007-03-28 12:23:54+02:00, msvensson@stripped +8 -0
    Turn off verification of peer if both ca_file and ca_path are NULL

# This is a BitKeeper patch. What follows are the unified diffs for the
# set of deltas contained in the patch. The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User: msvensson
# Host: pilot.blaudden
# Root: /home/msvensson/mysql/bug25309/my50-bug25309

--- 1.17/mysql-test/r/openssl_1.result 2007-02-06 16:28:33 +01:00
+++ 1.18/mysql-test/r/openssl_1.result 2007-03-28 12:23:53 +02:00
@@ -51,3 +51,5 @@ SSL error: Unable to get private key fro mysqltest: Could not open connection 'default': 2026 SSL connection error SSL error: Unable to get certificate from '' mysqltest: Could not open connection 'default': 2026 SSL connection error +Variable_name Value +Ssl_cipher DHE-RSA-AES256-SHA --- 1.17/mysql-test/t/openssl_1.test 2007-02-06 16:28:33 +01:00 +++ 1.18/mysql-test/t/openssl_1.test 2007-03-28 12:23:54 +02:00 @@ -95,4 +95,11 @@ drop table t1; --error 1 --exec $MYSQL_TEST --ssl-cert= --max-connect-retries=1 < $MYSQLTEST_VARDIR/tmp/test.sql 2>&1 - +# +# Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23 +# +# Test that we can open encrypted connection to server without +# verification of servers certificate by setting both ca certificate +# and ca path to NULL +# +--exec $MYSQL --ssl --ssl-key=$MYSQL_TEST_DIR/std_data/client-key.pem --ssl-cert=$MYSQL_TEST_DIR/std_data/client-cert.pem -e "SHOW STATUS LIKE 'ssl_Cipher'" 2>&1 --- 1.32/vio/viosslfactories.c 2007-02-06 18:52:15 +01:00 +++ 1.33/vio/viosslfactories.c 2007-03-28 12:23:54 +02:00 @@ -301,6 +301,14 @@ new_VioSSLConnectorFd(const char *key_fi { struct st_VioSSLFd *ssl_fd; int verify= SSL_VERIFY_PEER; + + /* + Turn off verification of servers certificate if both + ca_file and ca_path is set to NULL + */ + if (ca_file == 0 && ca_path == 0) + verify= SSL_VERIFY_NONE; + if (!(ssl_fd= new_VioSSLFd(key_file, cert_file, ca_file, ca_path, cipher, TLSv1_client_method()))) {
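Review bot: the two lines added to openssl_1.result hard-code the negotiated cipher (`+Ssl_cipher DHE-RSA-AES256-SHA`), so the expected output depends on the cipher preference of whichever OpenSSL the tree is built against rather than on what this fix changes; the test only needs to prove that a cipher was negotiated at all, so consider a `--replace_column 2 CIPHER` (or `--replace_result`) before the `--exec` in openssl_1.test so the result file survives a different default cipher list.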
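Review bot: the comment block added to openssl_1.test says the connection is made "by setting both ca certificate and ca path to NULL", while the changeset description says the test connects "with --ssl-ca set to /dev/null"; the `--exec $MYSQL` line that follows passes neither `--ssl-ca` nor `--ssl-capath`, so the comment is the accurate one and the description should be reworded to match. The new exec also only shows that a cipher was negotiated; nothing in the test checks the other half of the stated property, that the server still authenticates the client through its certificate and the GRANT tables, so a second connection with a mismatched or missing client certificate that is expected to fail would pin that down.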
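Review bot: the new `if (ca_file == 0 && ca_path == 0) verify= SSL_VERIFY_NONE;` in new_VioSSLConnectorFd silently turns a `--ssl` connection into one where the server's identity is never checked, and the caller gets no indication of that; since this path builds the client connector (`TLSv1_client_method()`), a client that simply omits `--ssl-ca` now gets encryption without server authentication and is exposed to an interposed server, so at minimum the option help and the SSL documentation should state that leaving both CA options unset disables server verification. Two smaller points: the hunk ends before `verify` is consumed (the visible `new_VioSSLFd(...)` call does not take it), so include the line that hands `verify` to OpenSSL in the context so the change can be reviewed end to end; and the comment should read "server's certificate ... are set to NULL", with `NULL` rather than `0` for the pointer comparisons to match the surrounding code.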
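To make the client-side decision this commit introduces concrete for an operator, here is an added illustration written for this page; it is not MySQL's code and does not call the real `new_VioSSLConnectorFd`. It scans a mysql-client style argument list the way the utility programs would hand the values on (absent option means a NULL pointer, `--ssl-ca=` means a non-NULL empty string), applies the same "both CA pointers NULL" rule the patch adds, and reports what that means for the resulting connection. The `SSL_VERIFY_*` constants are defined locally with OpenSSL's values so the example builds without linking OpenSSL; `parse_ssl_opts`, `choose_verify_mode` and `describe_verify_mode` are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL's verify-mode values, defined locally so this example builds
   without linking OpenSSL; they are the values from <openssl/ssl.h>. */
#ifndef SSL_VERIFY_NONE
#define SSL_VERIFY_NONE 0x00
#endif
#ifndef SSL_VERIFY_PEER
#define SSL_VERIFY_PEER 0x01
#endif

/* Values a mysql utility program would pass on to the SSL connector.
   A pointer stays NULL when the option is absent; "--ssl-ca=" yields ""
   (non-NULL, empty), which the patch's rule treats as "CA configured". */
struct ssl_opts {
    const char *key_file;
    const char *cert_file;
    const char *ca_file;
    const char *ca_path;
};

/* Return the value of "name=value" if arg is that option, else NULL.
   The '=' check keeps "--ssl-ca" from matching "--ssl-capath=...". */
static const char *opt_value(const char *arg, const char *name)
{
    size_t n = strlen(name);
    if (strncmp(arg, name, n) == 0 && arg[n] == '=')
        return arg + n + 1;
    return NULL;
}

/* Scan argv-style options (hypothetical helper, not MySQL's parser). */
void parse_ssl_opts(int argc, const char **argv, struct ssl_opts *o)
{
    memset(o, 0, sizeof(*o));
    for (int i = 0; i < argc; i++) {
        const char *v;
        if ((v = opt_value(argv[i], "--ssl-key")))         o->key_file  = v;
        else if ((v = opt_value(argv[i], "--ssl-cert")))   o->cert_file = v;
        else if ((v = opt_value(argv[i], "--ssl-ca")))     o->ca_file   = v;
        else if ((v = opt_value(argv[i], "--ssl-capath"))) o->ca_path   = v;
    }
}

/* The rule the patch adds to new_VioSSLConnectorFd: verification is
   switched off only when BOTH CA pointers are NULL. An empty string is
   not NULL, so "--ssl-ca=" keeps SSL_VERIFY_PEER and the later CA load
   fails, matching the --error 1 cases earlier in openssl_1.test. */
int choose_verify_mode(const struct ssl_opts *o)
{
    int verify = SSL_VERIFY_PEER;
    if (o->ca_file == NULL && o->ca_path == NULL)
        verify = SSL_VERIFY_NONE;
    return verify;
}

/* What the chosen mode means for the connection, in operator terms. */
const char *describe_verify_mode(int verify)
{
    return verify == SSL_VERIFY_NONE
        ? "encrypted; server certificate NOT verified (no CA configured)"
        : "encrypted; server certificate verified against the configured CA";
}

int main(void)
{
    /* Constructed argument lists covering the three interesting cases. */
    const char *only_key_and_cert[] = {"--ssl", "--ssl-key=client-key.pem",
                                       "--ssl-cert=client-cert.pem"};
    const char *empty_ca[]          = {"--ssl", "--ssl-ca="};
    const char *ca_path_only[]      = {"--ssl", "--ssl-capath=/etc/ssl/certs"};
    struct { const char **argv; int argc; const char *label; } cases[] = {
        {only_key_and_cert, 3, "--ssl-key and --ssl-cert only"},
        {empty_ca,          2, "--ssl-ca= (empty string)"},
        {ca_path_only,      2, "--ssl-capath=/etc/ssl/certs"},
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct ssl_opts o;
        parse_ssl_opts(cases[i].argc, cases[i].argv, &o);
        printf("%-32s -> %s\n", cases[i].label,
               describe_verify_mode(choose_verify_mode(&o)));
    }
    return 0;
}
```

The point for a defender is the first case: with nothing but a client key and certificate on the command line the connection is encrypted, yet the client has not checked who it is talking to, and the client receives no warning about that; configuring `--ssl-ca` or `--ssl-capath` is what restores server authentication.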