From:Georgi Kodinov Date:October 20 2009 10:09am
Subject:bzr commit into mysql-4.1 branch (joro:2709) Bug#47320
#At file:///home/kgeorge/mysql/work/B47320-4.1/ based on revid:timothy.smith@stripped

 2709 Georgi Kodinov	2009-10-20
      Bug #47320: OpenSSL client does not check YaSSL server certificate
      
      Removed the verify callback: it is not needed even to verify self-signed
      certificates, and it was a security problem.

    modified:
      vio/viosslfactories.c
=== modified file 'vio/viosslfactories.c'
--- a/vio/viosslfactories.c	2007-02-01 14:00:24 +0000
+++ b/vio/viosslfactories.c	2009-10-20 10:09:16 +0000
@@ -123,55 +123,6 @@ vio_set_cert_stuff(SSL_CTX *ctx, const c
 }
 
 
-static int
-vio_verify_callback(int ok, X509_STORE_CTX *ctx)
-{
-  char	buf[256];
-  X509*	err_cert;
-  int	err,depth;
-
-  DBUG_ENTER("vio_verify_callback");
-  DBUG_PRINT("enter", ("ok=%d, ctx=%p", ok, ctx));
-  err_cert=X509_STORE_CTX_get_current_cert(ctx);
-  err=	   X509_STORE_CTX_get_error(ctx);
-  depth=   X509_STORE_CTX_get_error_depth(ctx);
-
-  X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof(buf));
-  if (!ok)
-  {
-    DBUG_PRINT("error",("verify error: num: %d : '%s'\n",err,
-			X509_verify_cert_error_string(err)));
-    if (verify_depth >= depth)
-    {
-      ok=1;
-      verify_error=X509_V_OK;
-    }
-    else
-    {
-      verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
-    }
-  }
-  switch (ctx->error) {
-  case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-    X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,256);
-    DBUG_PRINT("info",("issuer= %s\n",buf));
-    break;
-  case X509_V_ERR_CERT_NOT_YET_VALID:
-  case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
-    DBUG_PRINT("error", ("notBefore"));
-    /*ASN1_TIME_print_fp(stderr,X509_get_notBefore(ctx->current_cert));*/
-    break;
-  case X509_V_ERR_CERT_HAS_EXPIRED:
-  case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
-    DBUG_PRINT("error", ("notAfter error"));
-    /*ASN1_TIME_print_fp(stderr,X509_get_notAfter(ctx->current_cert));*/
-    break;
-  }
-  DBUG_PRINT("exit", ("%d", ok));
-  DBUG_RETURN(ok);
-}
-
-
 #ifdef __NETWARE__
 
 /* NetWare SSL cleanup */
@@ -263,7 +214,7 @@ new_VioSSLConnectorFd(const char* key_fi
     result=SSL_CTX_set_cipher_list(ptr->ssl_context, cipher);
     DBUG_PRINT("info",("SSL_set_cipher_list() returned %d",result));
   }
-  SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
+  SSL_CTX_set_verify(ptr->ssl_context, verify, NULL);
   if (vio_set_cert_stuff(ptr->ssl_context, cert_file, key_file) == -1)
   {
     DBUG_PRINT("error", ("vio_set_cert_stuff failed"));
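Review bot: With the callback gone, the `verify` argument on the `SSL_CTX_set_verify` line is now the only thing that decides whether a failed chain aborts the handshake: OpenSSL enforces verification errors only when the mode includes SSL_VERIFY_PEER, and with SSL_VERIFY_NONE the failure is merely recorded in SSL_get_verify_result() and the connection proceeds. `verify` is computed outside the hunk, so please confirm the connector passes SSL_VERIFY_PEER (at least when a CA file or path was supplied); otherwise the client side of this bug is not actually fixed. Note also that OpenSSL's built-in check does not compare the certificate against the server's hostname, so a chain-valid certificate for any name in the trusted store is accepted — worth a comment such as `/* No verify callback: any chain error is fatal when SSL_VERIFY_PEER is set; the hostname is not checked here. */`. The removed callback also implemented a chain-depth limit via `verify_depth`; if that limit is still wanted the equivalent is `SSL_CTX_set_verify_depth(ptr->ssl_context, verify_depth);`, and if not, the presumably now-unused `verify_depth`/`verify_error` globals (declared earlier in this file, outside the hunk) should go as well. new_VioSSLConnectorFd starts and ends outside the hunk.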
@@ -360,7 +311,7 @@ new_VioSSLAcceptorFd(const char *key_fil
   SSL_CTX_sess_set_cache_size(ptr->ssl_context,128);
 
   /* DH? */
-  SSL_CTX_set_verify(ptr->ssl_context, verify, vio_verify_callback);
+  SSL_CTX_set_verify(ptr->ssl_context, verify, NULL);
   SSL_CTX_set_session_id_context(ptr->ssl_context,
 				 (const uchar*) &(ptr->session_id_context),
 				 sizeof(ptr->session_id_context));
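Review bot: The stale `/* DH? */` comment now sits directly above the rewritten `SSL_CTX_set_verify` call and describes nothing; replace it with a comment that states the new contract, e.g. `/* Rely on OpenSSL's built-in chain verification: with no callback, every X509 error is fatal when SSL_VERIFY_PEER is set. */`. On the acceptor side, unless the `verify` flags (set outside the hunk) include SSL_VERIFY_FAIL_IF_NO_PEER_CERT, a client that presents no certificate at all still completes the handshake — that is pre-existing behaviour, but it is worth stating in the same comment so nobody assumes client certificates are now mandatory. new_VioSSLAcceptorFd starts and ends outside the hunk.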

