Modified:
trunk/CHANGES
trunk/MySql.Data/Provider/Properties/Resources.resx
trunk/MySql.Data/Provider/Source/MySqlConnectionStringBuilder.cs
trunk/MySql.Data/Provider/Source/MysqlDefs.cs
trunk/MySql.Data/Provider/Source/NativeDriver.cs
Log:
Add "SSL Mode" option for connections that indicates whether to use SSL connections and how
to validate the server certificate. Deprecated the use of "encrypt" in connection strings (bug #38700)
Modified: trunk/CHANGES
===================================================================
--- trunk/CHANGES 2009-06-12 17:53:56 UTC (rev 1645)
+++ trunk/CHANGES 2009-06-12 18:23:51 UTC (rev 1646)
@@ -1,3 +1,5 @@
+- Add "SSL Mode" option for connections that indicates whether to use SSL connections and how
+ to validate server certificate. Deprecated use of "encrypt" in connection strings(bug#38700)
Version 6.0.4
- fixed regression where using stored procs with datasets (bug #44460)
- fixed compilation under VS 2005 (bug #44822)
Modified: trunk/MySql.Data/Provider/Properties/Resources.resx
===================================================================
--- trunk/MySql.Data/Provider/Properties/Resources.resx 2009-06-12 17:53:56 UTC (rev 1645)
+++ trunk/MySql.Data/Provider/Properties/Resources.resx 2009-06-12 18:23:51 UTC (rev 1646)
@@ -343,4 +343,7 @@
<data name="DataNotInSupportedFormat" xml:space="preserve">
<value>The given value was not in a supported format.</value>
</data>
+ <data name="NoServerSSLSupport" xml:space="preserve">
+ <value>The host {0} does not support SSL connections.</value>
+ </data>
<resheader name="resmimetype"><value>text/microsoft-resx</value></resheader><resheader name="version"><value>2.0</value></resheader><resheader name="reader"><value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value></resheader><resheader name="writer"><value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value></resheader></root>
Modified: trunk/MySql.Data/Provider/Source/MySqlConnectionStringBuilder.cs
===================================================================
--- trunk/MySql.Data/Provider/Source/MySqlConnectionStringBuilder.cs 2009-06-12 17:53:56 UTC (rev 1645)
+++ trunk/MySql.Data/Provider/Source/MySqlConnectionStringBuilder.cs 2009-06-12 18:23:51 UTC (rev 1646)
@@ -42,10 +42,11 @@
uint procCacheSize, connectionLifetime;
MySqlConnectionProtocol protocol;
MySqlDriverType driverType;
+ MySqlSslMode sslMode;
bool compress, connectionReset, allowBatch, logging;
bool oldSyntax, persistSI, usePerfMon, pooling;
bool allowZeroDatetime, convertZeroDatetime;
- bool useUsageAdvisor, useSSL;
+ bool useUsageAdvisor;
bool ignorePrepare, useProcedureBodies;
bool autoEnlist, respectBinaryFlags, treatBlobsAsUTF8;
string blobAsUtf8IncludePattern, blobAsUtf8ExcludePattern;
@@ -86,7 +87,7 @@
defaultValues.Add(Keyword.AllowZeroDatetime, false);
defaultValues.Add(Keyword.UsePerformanceMonitor, false);
defaultValues.Add(Keyword.ProcedureCacheSize, 25);
- defaultValues.Add(Keyword.UseSSL, false);
+ defaultValues.Add(Keyword.Encrypt, false);
defaultValues.Add(Keyword.IgnorePrepare, true);
defaultValues.Add(Keyword.UseProcedureBodies, true);
defaultValues.Add(Keyword.AutoEnlist, true);
@@ -100,6 +101,7 @@
defaultValues.Add(Keyword.InteractiveSession, false);
defaultValues.Add(Keyword.FunctionsReturnString, false);
defaultValues.Add(Keyword.UseAffectedRows, false);
+ defaultValues.Add(Keyword.SslMode, MySqlSslMode.None);
}
/// <summary>
@@ -465,19 +467,20 @@
}
}
+
#if !CF && !MONO
[Category("Authentication")]
- [Description("Should the connection use SSL. This currently has no effect.")]
+ [Description("Should the connection use SSL.")]
[DefaultValue(false)]
- [RefreshProperties(RefreshProperties.All)]
+ [Obsolete("Use Ssl Mode instead.")]
#endif
- internal bool UseSSL
+ internal bool Encrypt
{
- get { return useSSL; }
+ get { return SslMode != MySqlSslMode.None; }
set
{
- SetValue("UseSSL", value);
- useSSL = value;
+ SetValue("Encrypt", value);
+ sslMode = value ? MySqlSslMode.Prefered : MySqlSslMode.None;
}
}
@@ -930,6 +933,24 @@
}
}
+#if !CF
+ /// <summary>
+ /// Indicates whether to use SSL connections and how to handle server certificate errors.
+ /// </summary>
+ [DisplayName("SslMode")]
+ [Category("Security")]
+ [Description("SSL properties for connection")]
+#endif
+ public MySqlSslMode SslMode
+ {
+ get { return sslMode; }
+ set
+ {
+ SetValue("Ssl Mode", value);
+ sslMode = value;
+ }
+ }
+
#endregion
#region Conversion Routines
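Review bot: The new SslMode property carries no `[DefaultValue]` attribute, while its sibling Encrypt has `[DefaultValue(false)]` and the builder registers `defaultValues.Add(Keyword.SslMode, MySqlSslMode.None)`; designer and serialization code that keys on that attribute will treat None as a non-default value. Add `[DefaultValue(MySqlSslMode.None)]` beneath the existing attributes. The guard `#if !CF` also differs from the `#if !CF && !MONO` guard on Encrypt, and the category "Security" differs from Encrypt's "Authentication"; unless the split is intentional, aligning them keeps the two SSL settings together in property grids.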
@@ -1002,6 +1023,13 @@
typeof (MySqlDriverType), value.ToString(), true);
}
+ private static MySqlSslMode ConvertToSslMode(object value)
+ {
+ if (value is MySqlSslMode)
+ return (MySqlSslMode)value;
+ return (MySqlSslMode)Enum.Parse(typeof(MySqlSslMode), value.ToString(), true);
+ }
+
#endregion
#region Internal Properties
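Review bot: `Enum.Parse` accepts any integer string, so a connection string with `Ssl Mode=42` yields an undefined MySqlSslMode value instead of an error; the NativeDriver callback happens to reject such a value because it matches no tolerant branch, but the builder should fail at parse time rather than rely on that. Replace the last line with `MySqlSslMode mode = (MySqlSslMode)Enum.Parse(typeof(MySqlSslMode), value.ToString(), true);` `if (!Enum.IsDefined(typeof(MySqlSslMode), mode)) throw new ArgumentException("Invalid Ssl Mode value: " + value);` `return mode;`. A null value still throws NullReferenceException from `value.ToString()`, which matches the sibling ConvertToDriverType above, so that is at least consistent.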
@@ -1148,7 +1176,7 @@
case "IGNORE PREPARE":
return Keyword.IgnorePrepare;
case "ENCRYPT":
- return Keyword.UseSSL;
+ return Keyword.Encrypt;
case "PROCEDURE BODIES":
case "USE PROCEDURE BODIES":
return Keyword.UseProcedureBodies;
@@ -1176,6 +1204,8 @@
return Keyword.FunctionsReturnString;
case "USE AFFECTED ROWS":
return Keyword.UseAffectedRows;
+ case "SSL MODE":
+ return Keyword.SslMode;
}
throw new ArgumentException(Resources.KeywordNotSupported, key);
}
@@ -1238,8 +1268,8 @@
return UsePerformanceMonitor;
case Keyword.IgnorePrepare:
return IgnorePrepare;
- case Keyword.UseSSL:
- return UseSSL;
+ case Keyword.Encrypt:
+ return Encrypt;
case Keyword.UseProcedureBodies:
return UseProcedureBodies;
case Keyword.AutoEnlist:
@@ -1264,6 +1294,8 @@
return functionsReturnString;
case Keyword.UseAffectedRows:
return useAffectedRows;
+ case Keyword.SslMode:
+ return sslMode;
default:
return null; /* this will never happen */
}
@@ -1349,8 +1381,11 @@
procCacheSize = ConvertToUInt(value); break;
case Keyword.IgnorePrepare:
ignorePrepare = ConvertToBool(value); break;
- case Keyword.UseSSL:
- useSSL = ConvertToBool(value); break;
+ case Keyword.Encrypt:
+ if (!clearing)
+ Logger.LogWarning("Encrypt is now obsolete. Use Ssl Mode instead");
+ sslMode = ConvertToBool(value)?MySqlSslMode.Prefered:MySqlSslMode.None;
+ break;
case Keyword.UseProcedureBodies:
useProcedureBodies = ConvertToBool(value); break;
case Keyword.AutoEnlist:
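Review bot: The Encrypt case can silently downgrade an explicitly requested stronger mode: if a connection string contains both `Ssl Mode=Required` and `Encrypt=true`, this branch overwrites sslMode with Prefered, and `Encrypt=false` resets it to None, with only the deprecation warning logged, so the effective mode depends on the order in which the builder applies keywords (the parsing loop is outside this hunk). The same mapping appears in the Encrypt property setter earlier in the file. Let the deprecated keyword only raise the mode, never lower an explicit one: `bool encrypt = ConvertToBool(value);` `if (!encrypt) sslMode = MySqlSslMode.None;` `else if (sslMode == MySqlSslMode.None) sslMode = MySqlSslMode.Prefered;`. Style nit: `ConvertToBool(value)?MySqlSslMode.Prefered:MySqlSslMode.None` wants spaces around `?` and `:` to match the rest of the file.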
@@ -1375,6 +1410,8 @@
functionsReturnString = ConvertToBool(value); break;
case Keyword.UseAffectedRows:
useAffectedRows = ConvertToBool(value); break;
+ case Keyword.SslMode:
+ sslMode = ConvertToSslMode(value); break;
}
}
@@ -1545,7 +1582,7 @@
UsePerformanceMonitor,
ProcedureCacheSize,
IgnorePrepare,
- UseSSL,
+ Encrypt,
UseProcedureBodies,
AutoEnlist,
RespectBinaryFlags,
@@ -1557,6 +1594,7 @@
AllowUserVariables,
InteractiveSession,
FunctionsReturnString,
- UseAffectedRows
+ UseAffectedRows,
+ SslMode
}
}
Modified: trunk/MySql.Data/Provider/Source/MysqlDefs.cs
===================================================================
--- trunk/MySql.Data/Provider/Source/MysqlDefs.cs 2009-06-12 17:53:56 UTC (rev 1645)
+++ trunk/MySql.Data/Provider/Source/MysqlDefs.cs 2009-06-12 18:23:51 UTC (rev 1646)
@@ -338,6 +338,34 @@
}
/// <summary>
+ /// SSL options for connection.
+ /// </summary>
+ public enum MySqlSslMode
+ {
+ /// <summary>
+ /// Do not use SSL.
+ /// </summary>
+ None,
+ /// <summary>
+ /// Use SSL, if server supports it.
+ /// </summary>
+ Prefered,
+ /// <summary>
+ /// Always use SSL. Deny connection if server does not support SSL.
+ /// Do not perform server certificate validation.
+ /// </summary>
+ Required,
+ /// <summary>
+ /// Always use SSL. Validate server SSL certificate, but different host name mismatch.
+ /// </summary>
+ VerifyCA,
+ /// <summary>
+ /// Always use SSL and perform full certificate validation.
+ /// </summary>
+ VerifyFull
+ }
+
+ /// <summary>
/// Specifies the connection types supported
/// </summary>
public enum MySqlDriverType
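Review bot: `Prefered` is misspelled in a public enum; once this ships, connection strings and user code will reference the name, so renaming it to `Preferred` is cheap now and a compatibility problem later. The `VerifyCA` summary reads `Validate server SSL certificate, but different host name mismatch`, which is garbled; suggest `Validate the server certificate chain, but tolerate a host name mismatch.` The `Prefered` summary should also state the fallback the driver performs when the server lacks SSL, e.g. `Use SSL if the server supports it; otherwise connect without encryption.`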
Modified: trunk/MySql.Data/Provider/Source/NativeDriver.cs
===================================================================
--- trunk/MySql.Data/Provider/Source/NativeDriver.cs 2009-06-12 17:53:56 UTC (rev 1645)
+++ trunk/MySql.Data/Provider/Source/NativeDriver.cs 2009-06-12 18:23:51 UTC (rev 1646)
@@ -254,12 +254,21 @@
version.isAtLeast(4, 1, 0) ? 4 : 2);
#if !CF
- if (connectionString.UseSSL && (serverCaps & ClientFlags.SSL) != 0)
+ if ((serverCaps & ClientFlags.SSL) ==0)
{
+ if ((connectionString.SslMode != MySqlSslMode.None)
+ && (connectionString.SslMode != MySqlSslMode.Prefered))
+ {
+ // Client requires SSL connections.
+ string message = String.Format(Resources.NoServerSSLSupport,
+ Settings.Server);
+ throw new MySqlException(message);
+ }
+ }
+ else if (connectionString.SslMode != MySqlSslMode.None)
+ {
stream.SendPacket(packet);
-
StartSSL();
-
packet.Clear();
packet.WriteInteger((int) connectionFlags,
version.isAtLeast(4, 1, 0) ? 4 : 2);
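Review bot: When the server lacks SSL and the mode is Prefered, the new outer branch falls through to an unencrypted connection with no record that the downgrade happened, while Required and above throw; that silent path deserves a log line, since `Logger.LogWarning` is already used by the connection string builder for the Encrypt deprecation (assuming the same Logger is reachable from NativeDriver). Inside the `(serverCaps & ClientFlags.SSL) == 0` block add `else if (connectionString.SslMode == MySqlSslMode.Prefered) Logger.LogWarning("Server does not support SSL; continuing without encryption.");`. The hunk also mixes `connectionString.SslMode` with `Settings.Server`; if both name the same settings object, using one consistently reads clearer. Minor: `==0` should be `== 0`. The enclosing method starts and ends outside the hunk.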
@@ -297,40 +306,41 @@
private void StartSSL()
{
- RemoteCertificateValidationCallback sslValidateCallback;
+ RemoteCertificateValidationCallback sslValidateCallback =
+ new RemoteCertificateValidationCallback(ServerCheckValidation);
+ SslStream ss = new SslStream(baseStream, true, sslValidateCallback, null);
+ X509CertificateCollection certs = new X509CertificateCollection();
+ ss.AuthenticateAsClient(Settings.Server, certs, SslProtocols.Default, false);
+ baseStream = ss;
+ stream = new MySqlStream(ss, encoding, false);
+ stream.SequenceByte = 2;
- sslValidateCallback = new RemoteCertificateValidationCallback(NoServerCheckValidation);
- SslStream ss = new SslStream(baseStream, true, sslValidateCallback, null);
- try
- {
- X509CertificateCollection certs = new X509CertificateCollection();
- ss.AuthenticateAsClient(String.Empty, certs, SslProtocols.Default, false);
- baseStream = ss;
- stream = new MySqlStream(ss, encoding, false);
- stream.SequenceByte = 2;
- }
- catch (Exception)
- {
- throw;
- }
}
-/* private static bool ServerCheckValidation(object sender, X509Certificate certificate,
+ private bool ServerCheckValidation(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
if (sslPolicyErrors == SslPolicyErrors.None)
return true;
- // Do not allow this client to communicate with unauthenticated servers.
+ if (Settings.SslMode == MySqlSslMode.Prefered ||
+ Settings.SslMode == MySqlSslMode.Required)
+ {
+ //Tolerate all certificate errors.
+ return true;
+ }
+
+ if (Settings.SslMode == MySqlSslMode.VerifyCA &&
+ sslPolicyErrors == SslPolicyErrors.RemoteCertificateNameMismatch)
+ {
+ // Tolerate name mismatch in certificate, if full validation is not requested.
+ return true;
+ }
+
return false;
}
- */
- private static bool NoServerCheckValidation(object sender, X509Certificate certificate,
- X509Chain chain, SslPolicyErrors sslPolicyErrors)
- {
- return true;
- }
+
#endregion
#endif
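Review bot: The `VerifyCA` branch in ServerCheckValidation relies on exact equality with `SslPolicyErrors.RemoteCertificateNameMismatch`, which is correct because `SslPolicyErrors` is a flags enum and a name mismatch combined with chain errors must still be rejected, but nothing says so and a later maintainer could "fix" it into a flag test; add above that `if`: `// Exact comparison is deliberate: SslPolicyErrors is a [Flags] enum, so a name mismatch combined with any other error must still fail.` Separately, `AuthenticateAsClient(Settings.Server, certs, SslProtocols.Default, false)` on .NET Framework enables SSL 3.0 alongside TLS 1.0; if the supported servers speak TLS, passing `SslProtocols.Tls` narrows the negotiation. Passing `Settings.Server` as the target host is what makes the name check meaningful, so that part of the change is the right direction.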
@@ -393,7 +403,7 @@
flags |= ClientFlags.SECURE_CONNECTION;
// if the server is capable of SSL and the user is requesting SSL
- if ((serverCaps & ClientFlags.SSL) != 0 && connectionString.UseSSL)
+ if ((serverCaps & ClientFlags.SSL) != 0 && connectionString.SslMode != MySqlSslMode.None)
flags |= ClientFlags.SSL;
connectionFlags = flags;