maria:bb-11.4-MDEV-31855-ssl

Last commit made on 2024-02-04
Get this branch:
git clone -b bb-11.4-MDEV-31855-ssl https://git.launchpad.net/maria

Branch information

Name:
bb-11.4-MDEV-31855-ssl
Repository:
lp:maria

Recent commits

2e83ab4... by Sergei Golubchik

MDEV-32473 --disable-ssl doesn't disable it

6b90033... by Sergei Golubchik

show in mariadb cli whether server cert was verified

853bdf5... by Sergei Golubchik

auto-disable --ssl-verify-server-cert in clients, if

* --ssl-verify-server-cert was not enabled explicitly, and
* CA was not specified, and
* fingerprint was not specified, and
* protocol is TCP, and
* no password was provided

Insecure passwordless logins are common in test environments; let's
not break them. Practically, it hardly makes sense to have strong
MitM protection if an attacker can simply log in without a password.

Covers mariadb, mariadb-admin, mariadb-binlog, mariadb-dump

abcd23a... by Sergei Golubchik

MDEV-31857 enable --ssl-verify-server-cert by default in the internal client

enable ssl + ssl_verify_server_cert in the internal client too

* fix replication tests to disable master_ssl_verify_server_cert
  because accounts are passwordless - except rpl.rpl_ssl1
* fix federated/federatedx/connect to disable SSL_VERIFY_SERVER_CERT
  because they cannot configure an ssl connection
* fix spider to disable ssl_verify_server_cert, if configuration
  says so, as spider _can_ configure an ssl connection
* memory leak in embedded test-connect

e0c3039... by Sergei Golubchik

MDEV-31855 validate ssl certificates using client password in the internal client

Port the client-side implementation from C/C to the internal client.
Add the test.

386df87... by Sergei Golubchik

disable SSL via named pipes in the internal client

Because it doesn't work. CONC-635.

3c36ed1... by Sergei Golubchik

free mysql->connector_fd correctly in the internal client

It's not an SSL option, so it shouldn't be in mysql_ssl_free(),
which frees SSL options, and only when CLIENT_REMEMBER_OPTIONS is not set.

mysql->connector_fd must be freed when mysql->net.vio is closed
and the fd is no longer valid.

2f13f7d... by Sergei Golubchik

change how self-signed certs are accepted by internal client

Use SSL_VERIFY_PEER with the "always ok" callback,
instead of SSL_VERIFY_NONE with no callback.

The latter doesn't work correctly in wolfSSL: it accepts self-signed
certificates just fine (as in OpenSSL), but after that
SSL_get_verify_result() returns X509_V_OK, while it returns an error
(e.g. X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) in OpenSSL.

05a421e... by Sergei Golubchik

cleanup: X509_check_host() in the internal client

X509_check_host() and X509_check_ip_asc() exist in all
supported SSL libraries: in OpenSSL >= 1.0.2 and in the bundled WolfSSL.

And X509_free() handles NULL pointers all right.

f4e174e... by Sergei Golubchik

cleanup: ssl handling in the internal rpl client

* type of mi->ssl_verify_server_cert must be my_bool, because it's
  passed by address to mysql_options(), and the latter expects my_bool
* explicitly disable ssl in MYSQL if mi->ssl is 0
* remove dead code (`#ifdef NOT_USED`)
* remove useless casts and checks replacing empty strings with NULL
  (new_VioSSLFd() does that internally)