Hi,

Here's a patch to fix MySQL-4.1 with OpenSSL versions starting with
0.9.8a. The problem is that post-0.9.8 versions of the SSL library
seem to move part of the cipher setup code into SSL_library_init().
Current MySQL versions don't seem to do direct calls to this routine,
hence no cipher is being registered, and as a consequence the SSL
handshake fails, as described by the bug report at
http://bugs.mysql.com/bug.php?id=14221.

The first patch, mysql-4.1.15-ssl_library_init.patch, has been made
against 4.1.15, and tested with 4.1.14, both with the t/openssl_1
test case and real production servers.

The second patch, mysql-4.1.15-ssl_library_init.patch.old, seems to
work with 4.0.26, but keep in mind that it introduces a subtle
race condition with multiple, concurrent SSL_library_init() calls.
Since I don't have 4.0 production servers, I cannot provide a better
patch for 4.0.

Leandro.

PS: For more information, please check SSL_library_init(),
ssl_create_cipher_list(); and load_ciphers() / ssl_load_ciphers() on
OpenSSL 0.9.8 and 0.9.8a, respectively.

diff -ur mysql-4.1.15.x/libmysql/libmysql.c mysql-4.1.15.y/libmysql/libmysql.c
--- mysql-4.1.15.x/libmysql/libmysql.c 2005-10-09 19:46:46.000000000 -0300
+++ mysql-4.1.15.y/libmysql/libmysql.c 2005-10-28 17:53:37.000000000 -0300
@@ -157,6 +157,14 @@
#if defined(SIGPIPE) && !defined(__WIN__) && !defined(__NETWARE__)
(void) signal(SIGPIPE, SIG_IGN);
#endif
+#ifdef HAVE_OPENSSL
+ /*
+ XXX SSL_library_init() must not be concurrently called,
+ because, at this point, the library cannot protect itself
+ from concurrent access.
+ */
+ SSL_library_init();
+#endif
#ifdef EMBEDDED_LIBRARY
if (argc > -1)
result= init_embedded_server(argc, argv, groups);
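Review bot: Nothing in this hunk enforces the constraint its own XXX comment states: the added SSL_library_init() call sits unguarded right after the SIGPIPE setup. If the enclosing init routine can be entered more than once or from more than one thread, put the call behind a one-time guard (a static flag checked under a mutex, or the platform's once primitive). Otherwise replace the XXX with a sentence naming what guarantees single-threaded entry at this point. Please also confirm that the OpenSSL header declaring SSL_library_init() is in scope in this file under HAVE_OPENSSL, since the visible context does not show an include.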
diff -ur mysql-4.1.15.x/libmysqld/libmysql.c mysql-4.1.15.y/libmysqld/libmysql.c
--- mysql-4.1.15.x/libmysqld/libmysql.c 2005-10-09 19:46:46.000000000 -0300
+++ mysql-4.1.15.y/libmysqld/libmysql.c 2005-10-28 17:53:37.000000000 -0300
@@ -157,6 +157,14 @@
#if defined(SIGPIPE) && !defined(__WIN__) && !defined(__NETWARE__)
(void) signal(SIGPIPE, SIG_IGN);
#endif
+#ifdef HAVE_OPENSSL
+ /*
+ XXX SSL_library_init() must not be concurrently called,
+ because, at this point, the library cannot protect itself
+ from concurrent access.
+ */
+ SSL_library_init();
+#endif
#ifdef EMBEDDED_LIBRARY
if (argc > -1)
result= init_embedded_server(argc, argv, groups);
diff -ur mysql-4.1.15.x/libmysql_r/libmysql.c mysql-4.1.15.y/libmysql_r/libmysql.c
--- mysql-4.1.15.x/libmysql_r/libmysql.c 2005-10-09 19:46:46.000000000 -0300
+++ mysql-4.1.15.y/libmysql_r/libmysql.c 2005-10-28 17:53:37.000000000 -0300
@@ -157,6 +157,14 @@
#if defined(SIGPIPE) && !defined(__WIN__) && !defined(__NETWARE__)
(void) signal(SIGPIPE, SIG_IGN);
#endif
+#ifdef HAVE_OPENSSL
+ /*
+ XXX SSL_library_init() must not be concurrently called,
+ because, at this point, the library cannot protect itself
+ from concurrent access.
+ */
+ SSL_library_init();
+#endif
#ifdef EMBEDDED_LIBRARY
if (argc > -1)
result= init_embedded_server(argc, argv, groups);
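Review bot: The same eight added lines now appear in libmysql/libmysql.c, libmysqld/libmysql.c and libmysql_r/libmysql.c, with identical @@ -157,6 +157,14 @@ offsets and identical file timestamps, which suggests the three paths are copies or links of one source file. If so, patch only the original and let the build produce the others, so the copies cannot drift apart. Since libmysql_r is the thread-safe client build, it is also the copy where the unguarded SSL_library_init() call is most exposed to the concurrent-call problem the comment warns about.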
diff -ur mysql-4.1.15.x/sql/mysqld.cc mysql-4.1.15.y/sql/mysqld.cc
--- mysql-4.1.15.x/sql/mysqld.cc 2005-10-09 19:46:24.000000000 -0300
+++ mysql-4.1.15.y/sql/mysqld.cc 2005-10-28 18:22:47.000000000 -0300
@@ -2684,6 +2684,12 @@
#ifdef HAVE_OPENSSL
if (opt_use_ssl)
{
+ /*
+ XXX SSL_library_init() must not be concurrently called,
+ because, at this point, the library cannot protect itself
+ from concurrent access.
+ */
+ SSL_library_init();
/* having ssl_acceptor_fd != 0 signals the use of SSL */
ssl_acceptor_fd= new_VioSSLAcceptorFd(opt_ssl_key, opt_ssl_cert,
opt_ssl_ca, opt_ssl_capath,
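Review bot: The comment added inside if (opt_use_ssl) says the library cannot protect itself "at this point" but does not say why calling SSL_library_init() is safe here. If the block runs during server startup, before any connection-handling threads exist, state that in the comment in place of the XXX, so that a later move of this block does not silently break the assumption. The call is also skipped whenever opt_use_ssl is false. If any other path in the server sets up an SSL connection without that option, it will still start with no ciphers registered.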
diff -ur mysql-4.1.15.x/vio/viosslfactories.c mysql-4.1.15.y/vio/viosslfactories.c
--- mysql-4.1.15.x/vio/viosslfactories.c 2005-10-09 19:46:30.000000000 -0300
+++ mysql-4.1.15.y/vio/viosslfactories.c 2005-10-28 18:30:09.000000000 -0300
@@ -191,9 +191,6 @@
/* NetWare SSL initialization */
static void netware_ssl_init()
{
- /* initialize OpenSSL library */
- SSL_library_init();
-
/* cleanup OpenSSL library */
NXVmRegisterExitHandler(netware_ssl_cleanup, NULL);
}
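Review bot: With SSL_library_init() removed, netware_ssl_init() only registers the exit handler, so NetWare builds depend entirely on the call sites added in libmysql.c and mysqld.cc. Please confirm that every path that used to reach netware_ssl_init() also passes through one of those call sites, and state in the patch description why the call is removed here (presumably to avoid a second, unsynchronized initialization). The function name and the "NetWare SSL initialization" comment above it no longer describe the body, so consider updating one or both.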
Attachment: [application/x-trash] mysql-4.1.15-ssl_library_init.patch.old
| Thread |
|---|
| • patch: fix for post-0.9.8 OpenSSLs. | Leandro Santi | 1 Nov |