This queue is for tickets about the DBD-mysql CPAN distribution.

Report information
The Basics
Id: 21780
Status: resolved
Priority: 0/
Queue: DBD-mysql

People
Owner: Nobody in particular
Requestors: emchen [...] isc.upenn.edu
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



Subject: patch to add support for ssl_verify_cert
Since MySQL 5.0.24 a new option has been added for SSL connections to verify that when a client connects to a server the server's hostname must match the subject of the certificate. The attached patch adds a new parameter "ssl_verify_cert" to enable/disable this check (disabled by default).
Subject: dbdimp.c.patch
*** /tmp/T07UaiZJ Fri Sep 29 11:25:20 2006 --- dbdimp.c Fri Sep 29 11:21:33 2006 *************** *** 1615,1626 **** { char* client_key = NULL; char* client_cert = NULL; char* ca_file = NULL; char* ca_path = NULL; ! char* cipher = NULL; STRLEN lna; if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp) client_key = SvPV(*svp, lna); if ((svp = hv_fetch(hv, "mysql_ssl_client_cert", 21, FALSE)) && *svp) --- 1615,1632 ---- { char* client_key = NULL; char* client_cert = NULL; char* ca_file = NULL; char* ca_path = NULL; ! char* cipher = NULL; STRLEN lna; + #if MYSQL_VERSION_ID >=50023 + my_bool my_true = 0; + if ((svp = hv_fetch(hv, "mysql_ssl_verify_server_cert", 28, FALSE)) && *svp) { + my_true = SvTRUE(*svp); + } + #endif if ((svp = hv_fetch(hv, "mysql_ssl_client_key", 20, FALSE)) && *svp) client_key = SvPV(*svp, lna); if ((svp = hv_fetch(hv, "mysql_ssl_client_cert", 21, FALSE)) && *svp) *************** *** 1638,1647 **** --- 1644,1656 ---- *svp) cipher = SvPV(*svp, lna); mysql_ssl_set(sock, client_key, client_cert, ca_file, ca_path, cipher); + #if MYSQL_VERSION_ID >=50023 + mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &my_true); + #endif client_flag |= CLIENT_SSL; } } #endif #if (MYSQL_VERSION_ID >= 32349)
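Review bot: The guard `#if MYSQL_VERSION_ID >=50023` in the first hunk (declarations at line 1615) does not agree with the ticket text, which dates the option to MySQL 5.0.24, and it has no `#else`: when the guard is false, "mysql_ssl_verify_server_cert" is never read, so a caller who sets it gets an unverified connection with no warning. Confirm which client version introduced the option and add an `#else` branch that warns or errors when the key is present. The variable `my_true` is initialised to 0 and carries the caller's choice, so a name that says what it holds would read better, and the attribute needs a documentation entry, since the ticket calls it "ssl_verify_cert" while the key fetched here is "mysql_ssl_verify_server_cert".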
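Review bot: The return value of `mysql_options(sock, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &my_true);` in the second hunk (line 1644) is discarded, so if setting the option fails the code still reaches `client_flag |= CLIENT_SSL;` and connects without the check the caller asked for. Test the result and fail the connect, or at least warn, when `my_true` is set and the call returns non-zero. The call is also made when the attribute was never supplied, passing 0; wrapping it in `if (my_true)` would leave the library default untouched for those callers.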
Thank you very much! I'll look this over and hope to add it to 3.0008, which I hope to release later this week.

Kind regards,

Patrick

On Fri Sep 29 13:41:14 2006, chen23 wrote:
> Since MySQL 5.0.24 a new option has been added for SSL connections to
> verify that when a client connects to a server the server's hostname
> must match the subject of the certificate.
>
> The attached patch adds a new parameter "ssl_verify_cert" to
> enable/disable this check (disabled by default).
Added to 3.0008_1, scheduled for release week of 09.10.06
On Fri Sep 29 13:41:14 2006, chen23 wrote:
> Since MySQL 5.0.24 a new option has been added for SSL connections to
> verify that when a client connects to a server the server's hostname
> must match the subject of the certificate.
>
> The attached patch adds a new parameter "ssl_verify_cert" to
> enable/disable this check (disabled by default).
What is your name so I can give you credit for this in the Changelog?
Subject: Re: [rt.cpan.org #21780] patch to add support for ssl_verify_cert
Date: Tue, 10 Oct 2006 08:53:47 -0400
To: bug-DBD-mysql [...] rt.cpan.org
From: Eric Chen <emchen [...] isc.upenn.edu>
Patrick Galbraith via RT wrote:
> <URL: http://rt.cpan.org/Ticket/Display.html?id=21780 >
>
> On Fri Sep 29 13:41:14 2006, chen23 wrote:
>> Since MySQL 5.0.24 a new option has been added for SSL connections to
>> verify that when a client connects to a server the server's hostname
>> must match the subject of the certificate.
>>
>> The attached patch adds a new parameter "ssl_verify_cert" to
>> enable/disable this check (disabled by default).
>
> What is your name so I can give you credit for this in the Changelog?

"Eric Chen" is my name. Thanks.

-eric
Subject: Re: [rt.cpan.org #21780] patch to add support for ssl_verify_cert
Date: Tue, 10 Oct 2006 09:27:28 -0400
To: bug-DBD-mysql [...] rt.cpan.org
From: Patrick Galbraith <patg [...] mysql.com>
Eric,

Thanks! Your fix is in the dev release, but in a week or so, I'm going to make the dev release the main release.

Kind regards,

Patrick

Eric Chen via RT wrote:
> Queue: DBD-mysql
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=21780 >
>
> Patrick Galbraith via RT wrote:
>> <URL: http://rt.cpan.org/Ticket/Display.html?id=21780 >
>>
>> On Fri Sep 29 13:41:14 2006, chen23 wrote:
>>> Since MySQL 5.0.24 a new option has been added for SSL connections to
>>> verify that when a client connects to a server the server's hostname
>>> must match the subject of the certificate.
>>>
>>> The attached patch adds a new parameter "ssl_verify_cert" to
>>> enable/disable this check (disabled by default).
>>
>> What is your name so I can give you credit for this in the Changelog?
>
> "Eric Chen" is my name. Thanks.
>
> -eric
This was included in 3.0008_1 (and now in 4.00).