Merge lp:~percona-toolkit-dev/percona-toolkit/version-check-doesnt-verify-server-cert-1408375 into lp:~percona-toolkit-dev/percona-toolkit/release-2.2.13
- version-check-doesnt-verify-server-cert-1408375
- Merge into release-2.2.13
Proposed by
Frank Cizmich
| Status: | Merged |
|---|---|
| Merged at revision: | 622 |
| Proposed branch: | lp:~percona-toolkit-dev/percona-toolkit/version-check-doesnt-verify-server-cert-1408375 |
| Merge into: | lp:~percona-toolkit-dev/percona-toolkit/release-2.2.13 |
| Diff against target: |
792 lines (+194/-60) 20 files modified
bin/pt-archiver (+10/-3) bin/pt-config-diff (+10/-3) bin/pt-deadlock-logger (+10/-3) bin/pt-diskstats (+10/-3) bin/pt-duplicate-key-checker (+10/-3) bin/pt-find (+10/-3) bin/pt-fk-error-logger (+10/-3) bin/pt-heartbeat (+10/-3) bin/pt-index-usage (+10/-3) bin/pt-kill (+10/-3) bin/pt-online-schema-change (+10/-3) bin/pt-query-digest (+10/-3) bin/pt-slave-delay (+10/-3) bin/pt-slave-restart (+10/-3) bin/pt-table-checksum (+10/-3) bin/pt-table-sync (+10/-3) bin/pt-upgrade (+10/-3) bin/pt-variable-advisor (+10/-3) lib/HTTP/Micro.pm (+2/-1) lib/VersionCheck.pm (+12/-5) |
| To merge this branch: | bzr merge lp:~percona-toolkit-dev/percona-toolkit/version-check-doesnt-verify-server-cert-1408375 |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Daniel Nichter | Pending | ||
|
Review via email:
|
|||
Commit message
Description of the change
problem:
- version check silently falls back to http if https fails
- a certificate check is issued but not acted upon the result
- arbitrary mysql variables can be requested
the above results in a vulnerabity to man in the middle attacks
solution:
- skip version check if ssl not available
- also skip if certificate check fails
- hardcode returned mysql variables to "version" and "version_comment" (the ones currently being requested)
note:
modified modules are: VersionCheck and HTTP::Micro
To post a comment you must log in.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | === modified file 'bin/pt-archiver' |
| 2 | --- bin/pt-archiver 2014-11-11 13:28:27 +0000 |
| 3 | +++ bin/pt-archiver 2015-01-16 19:25:07 +0000 |
| 4 | @@ -4421,7 +4421,8 @@ |
| 5 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 6 | or die(qq/SSL connection failed for $host\n/); |
| 7 | if ( $self->{fh}->can("verify_hostname") ) { |
| 8 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 9 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 10 | + or die(qq/SSL certificate not valid for $host\n/); |
| 11 | } |
| 12 | else { |
| 13 | my $fh = $self->{fh}; |
| 14 | @@ -4943,11 +4944,12 @@ |
| 15 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 16 | return unless @$instances_to_check; |
| 17 | |
| 18 | - my $protocol = 'https'; # optimistic, but... |
| 19 | + my $protocol = 'https'; |
| 20 | eval { require IO::Socket::SSL; }; |
| 21 | if ( $EVAL_ERROR ) { |
| 22 | PTDEBUG && _d($EVAL_ERROR); |
| 23 | - $protocol = 'http'; |
| 24 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 25 | + return; |
| 26 | } |
| 27 | PTDEBUG && _d('Using', $protocol); |
| 28 | |
| 29 | @@ -5384,6 +5386,11 @@ |
| 30 | return; |
| 31 | } |
| 32 | |
| 33 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 34 | + $item->{vars} = ['version_comment', 'version']; |
| 35 | + } |
| 36 | + |
| 37 | + |
| 38 | my @versions; |
| 39 | my %version_for; |
| 40 | foreach my $instance ( @$instances ) { |
| 41 | |
| 42 | === modified file 'bin/pt-config-diff' |
| 43 | --- bin/pt-config-diff 2014-11-11 13:28:27 +0000 |
| 44 | +++ bin/pt-config-diff 2015-01-16 19:25:07 +0000 |
| 45 | @@ -4169,7 +4169,8 @@ |
| 46 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 47 | or die(qq/SSL connection failed for $host\n/); |
| 48 | if ( $self->{fh}->can("verify_hostname") ) { |
| 49 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 50 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 51 | + or die(qq/SSL certificate not valid for $host\n/); |
| 52 | } |
| 53 | else { |
| 54 | my $fh = $self->{fh}; |
| 55 | @@ -4691,11 +4692,12 @@ |
| 56 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 57 | return unless @$instances_to_check; |
| 58 | |
| 59 | - my $protocol = 'https'; # optimistic, but... |
| 60 | + my $protocol = 'https'; |
| 61 | eval { require IO::Socket::SSL; }; |
| 62 | if ( $EVAL_ERROR ) { |
| 63 | PTDEBUG && _d($EVAL_ERROR); |
| 64 | - $protocol = 'http'; |
| 65 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 66 | + return; |
| 67 | } |
| 68 | PTDEBUG && _d('Using', $protocol); |
| 69 | |
| 70 | @@ -5132,6 +5134,11 @@ |
| 71 | return; |
| 72 | } |
| 73 | |
| 74 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 75 | + $item->{vars} = ['version_comment', 'version']; |
| 76 | + } |
| 77 | + |
| 78 | + |
| 79 | my @versions; |
| 80 | my %version_for; |
| 81 | foreach my $instance ( @$instances ) { |
| 82 | |
| 83 | === modified file 'bin/pt-deadlock-logger' |
| 84 | --- bin/pt-deadlock-logger 2014-11-11 13:28:27 +0000 |
| 85 | +++ bin/pt-deadlock-logger 2015-01-16 19:25:07 +0000 |
| 86 | @@ -3234,7 +3234,8 @@ |
| 87 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 88 | or die(qq/SSL connection failed for $host\n/); |
| 89 | if ( $self->{fh}->can("verify_hostname") ) { |
| 90 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 91 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 92 | + or die(qq/SSL certificate not valid for $host\n/); |
| 93 | } |
| 94 | else { |
| 95 | my $fh = $self->{fh}; |
| 96 | @@ -3756,11 +3757,12 @@ |
| 97 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 98 | return unless @$instances_to_check; |
| 99 | |
| 100 | - my $protocol = 'https'; # optimistic, but... |
| 101 | + my $protocol = 'https'; |
| 102 | eval { require IO::Socket::SSL; }; |
| 103 | if ( $EVAL_ERROR ) { |
| 104 | PTDEBUG && _d($EVAL_ERROR); |
| 105 | - $protocol = 'http'; |
| 106 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 107 | + return; |
| 108 | } |
| 109 | PTDEBUG && _d('Using', $protocol); |
| 110 | |
| 111 | @@ -4197,6 +4199,11 @@ |
| 112 | return; |
| 113 | } |
| 114 | |
| 115 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 116 | + $item->{vars} = ['version_comment', 'version']; |
| 117 | + } |
| 118 | + |
| 119 | + |
| 120 | my @versions; |
| 121 | my %version_for; |
| 122 | foreach my $instance ( @$instances ) { |
| 123 | |
| 124 | === modified file 'bin/pt-diskstats' |
| 125 | --- bin/pt-diskstats 2014-11-11 13:28:27 +0000 |
| 126 | +++ bin/pt-diskstats 2015-01-16 19:25:07 +0000 |
| 127 | @@ -3828,7 +3828,8 @@ |
| 128 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 129 | or die(qq/SSL connection failed for $host\n/); |
| 130 | if ( $self->{fh}->can("verify_hostname") ) { |
| 131 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 132 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 133 | + or die(qq/SSL certificate not valid for $host\n/); |
| 134 | } |
| 135 | else { |
| 136 | my $fh = $self->{fh}; |
| 137 | @@ -4350,11 +4351,12 @@ |
| 138 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 139 | return unless @$instances_to_check; |
| 140 | |
| 141 | - my $protocol = 'https'; # optimistic, but... |
| 142 | + my $protocol = 'https'; |
| 143 | eval { require IO::Socket::SSL; }; |
| 144 | if ( $EVAL_ERROR ) { |
| 145 | PTDEBUG && _d($EVAL_ERROR); |
| 146 | - $protocol = 'http'; |
| 147 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 148 | + return; |
| 149 | } |
| 150 | PTDEBUG && _d('Using', $protocol); |
| 151 | |
| 152 | @@ -4791,6 +4793,11 @@ |
| 153 | return; |
| 154 | } |
| 155 | |
| 156 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 157 | + $item->{vars} = ['version_comment', 'version']; |
| 158 | + } |
| 159 | + |
| 160 | + |
| 161 | my @versions; |
| 162 | my %version_for; |
| 163 | foreach my $instance ( @$instances ) { |
| 164 | |
| 165 | === modified file 'bin/pt-duplicate-key-checker' |
| 166 | --- bin/pt-duplicate-key-checker 2014-11-11 13:28:27 +0000 |
| 167 | +++ bin/pt-duplicate-key-checker 2015-01-16 19:25:07 +0000 |
| 168 | @@ -3845,7 +3845,8 @@ |
| 169 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 170 | or die(qq/SSL connection failed for $host\n/); |
| 171 | if ( $self->{fh}->can("verify_hostname") ) { |
| 172 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 173 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 174 | + or die(qq/SSL certificate not valid for $host\n/); |
| 175 | } |
| 176 | else { |
| 177 | my $fh = $self->{fh}; |
| 178 | @@ -4367,11 +4368,12 @@ |
| 179 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 180 | return unless @$instances_to_check; |
| 181 | |
| 182 | - my $protocol = 'https'; # optimistic, but... |
| 183 | + my $protocol = 'https'; |
| 184 | eval { require IO::Socket::SSL; }; |
| 185 | if ( $EVAL_ERROR ) { |
| 186 | PTDEBUG && _d($EVAL_ERROR); |
| 187 | - $protocol = 'http'; |
| 188 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 189 | + return; |
| 190 | } |
| 191 | PTDEBUG && _d('Using', $protocol); |
| 192 | |
| 193 | @@ -4808,6 +4810,11 @@ |
| 194 | return; |
| 195 | } |
| 196 | |
| 197 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 198 | + $item->{vars} = ['version_comment', 'version']; |
| 199 | + } |
| 200 | + |
| 201 | + |
| 202 | my @versions; |
| 203 | my %version_for; |
| 204 | foreach my $instance ( @$instances ) { |
| 205 | |
| 206 | === modified file 'bin/pt-find' |
| 207 | --- bin/pt-find 2014-11-11 13:28:27 +0000 |
| 208 | +++ bin/pt-find 2015-01-16 19:25:07 +0000 |
| 209 | @@ -2572,7 +2572,8 @@ |
| 210 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 211 | or die(qq/SSL connection failed for $host\n/); |
| 212 | if ( $self->{fh}->can("verify_hostname") ) { |
| 213 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 214 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 215 | + or die(qq/SSL certificate not valid for $host\n/); |
| 216 | } |
| 217 | else { |
| 218 | my $fh = $self->{fh}; |
| 219 | @@ -3094,11 +3095,12 @@ |
| 220 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 221 | return unless @$instances_to_check; |
| 222 | |
| 223 | - my $protocol = 'https'; # optimistic, but... |
| 224 | + my $protocol = 'https'; |
| 225 | eval { require IO::Socket::SSL; }; |
| 226 | if ( $EVAL_ERROR ) { |
| 227 | PTDEBUG && _d($EVAL_ERROR); |
| 228 | - $protocol = 'http'; |
| 229 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 230 | + return; |
| 231 | } |
| 232 | PTDEBUG && _d('Using', $protocol); |
| 233 | |
| 234 | @@ -3535,6 +3537,11 @@ |
| 235 | return; |
| 236 | } |
| 237 | |
| 238 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 239 | + $item->{vars} = ['version_comment', 'version']; |
| 240 | + } |
| 241 | + |
| 242 | + |
| 243 | my @versions; |
| 244 | my %version_for; |
| 245 | foreach my $instance ( @$instances ) { |
| 246 | |
| 247 | === modified file 'bin/pt-fk-error-logger' |
| 248 | --- bin/pt-fk-error-logger 2014-11-11 13:28:27 +0000 |
| 249 | +++ bin/pt-fk-error-logger 2015-01-16 19:25:07 +0000 |
| 250 | @@ -2739,7 +2739,8 @@ |
| 251 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 252 | or die(qq/SSL connection failed for $host\n/); |
| 253 | if ( $self->{fh}->can("verify_hostname") ) { |
| 254 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 255 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 256 | + or die(qq/SSL certificate not valid for $host\n/); |
| 257 | } |
| 258 | else { |
| 259 | my $fh = $self->{fh}; |
| 260 | @@ -3261,11 +3262,12 @@ |
| 261 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 262 | return unless @$instances_to_check; |
| 263 | |
| 264 | - my $protocol = 'https'; # optimistic, but... |
| 265 | + my $protocol = 'https'; |
| 266 | eval { require IO::Socket::SSL; }; |
| 267 | if ( $EVAL_ERROR ) { |
| 268 | PTDEBUG && _d($EVAL_ERROR); |
| 269 | - $protocol = 'http'; |
| 270 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 271 | + return; |
| 272 | } |
| 273 | PTDEBUG && _d('Using', $protocol); |
| 274 | |
| 275 | @@ -3702,6 +3704,11 @@ |
| 276 | return; |
| 277 | } |
| 278 | |
| 279 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 280 | + $item->{vars} = ['version_comment', 'version']; |
| 281 | + } |
| 282 | + |
| 283 | + |
| 284 | my @versions; |
| 285 | my %version_for; |
| 286 | foreach my $instance ( @$instances ) { |
| 287 | |
| 288 | === modified file 'bin/pt-heartbeat' |
| 289 | --- bin/pt-heartbeat 2014-11-11 13:28:27 +0000 |
| 290 | +++ bin/pt-heartbeat 2015-01-16 19:25:07 +0000 |
| 291 | @@ -3744,7 +3744,8 @@ |
| 292 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 293 | or die(qq/SSL connection failed for $host\n/); |
| 294 | if ( $self->{fh}->can("verify_hostname") ) { |
| 295 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 296 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 297 | + or die(qq/SSL certificate not valid for $host\n/); |
| 298 | } |
| 299 | else { |
| 300 | my $fh = $self->{fh}; |
| 301 | @@ -4266,11 +4267,12 @@ |
| 302 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 303 | return unless @$instances_to_check; |
| 304 | |
| 305 | - my $protocol = 'https'; # optimistic, but... |
| 306 | + my $protocol = 'https'; |
| 307 | eval { require IO::Socket::SSL; }; |
| 308 | if ( $EVAL_ERROR ) { |
| 309 | PTDEBUG && _d($EVAL_ERROR); |
| 310 | - $protocol = 'http'; |
| 311 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 312 | + return; |
| 313 | } |
| 314 | PTDEBUG && _d('Using', $protocol); |
| 315 | |
| 316 | @@ -4707,6 +4709,11 @@ |
| 317 | return; |
| 318 | } |
| 319 | |
| 320 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 321 | + $item->{vars} = ['version_comment', 'version']; |
| 322 | + } |
| 323 | + |
| 324 | + |
| 325 | my @versions; |
| 326 | my %version_for; |
| 327 | foreach my $instance ( @$instances ) { |
| 328 | |
| 329 | === modified file 'bin/pt-index-usage' |
| 330 | --- bin/pt-index-usage 2014-11-11 13:28:27 +0000 |
| 331 | +++ bin/pt-index-usage 2015-01-16 19:25:07 +0000 |
| 332 | @@ -5249,7 +5249,8 @@ |
| 333 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 334 | or die(qq/SSL connection failed for $host\n/); |
| 335 | if ( $self->{fh}->can("verify_hostname") ) { |
| 336 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 337 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 338 | + or die(qq/SSL certificate not valid for $host\n/); |
| 339 | } |
| 340 | else { |
| 341 | my $fh = $self->{fh}; |
| 342 | @@ -5771,11 +5772,12 @@ |
| 343 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 344 | return unless @$instances_to_check; |
| 345 | |
| 346 | - my $protocol = 'https'; # optimistic, but... |
| 347 | + my $protocol = 'https'; |
| 348 | eval { require IO::Socket::SSL; }; |
| 349 | if ( $EVAL_ERROR ) { |
| 350 | PTDEBUG && _d($EVAL_ERROR); |
| 351 | - $protocol = 'http'; |
| 352 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 353 | + return; |
| 354 | } |
| 355 | PTDEBUG && _d('Using', $protocol); |
| 356 | |
| 357 | @@ -6212,6 +6214,11 @@ |
| 358 | return; |
| 359 | } |
| 360 | |
| 361 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 362 | + $item->{vars} = ['version_comment', 'version']; |
| 363 | + } |
| 364 | + |
| 365 | + |
| 366 | my @versions; |
| 367 | my %version_for; |
| 368 | foreach my $instance ( @$instances ) { |
| 369 | |
| 370 | === modified file 'bin/pt-kill' |
| 371 | --- bin/pt-kill 2014-11-11 13:28:27 +0000 |
| 372 | +++ bin/pt-kill 2015-01-16 19:25:07 +0000 |
| 373 | @@ -5551,7 +5551,8 @@ |
| 374 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 375 | or die(qq/SSL connection failed for $host\n/); |
| 376 | if ( $self->{fh}->can("verify_hostname") ) { |
| 377 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 378 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 379 | + or die(qq/SSL certificate not valid for $host\n/); |
| 380 | } |
| 381 | else { |
| 382 | my $fh = $self->{fh}; |
| 383 | @@ -6073,11 +6074,12 @@ |
| 384 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 385 | return unless @$instances_to_check; |
| 386 | |
| 387 | - my $protocol = 'https'; # optimistic, but... |
| 388 | + my $protocol = 'https'; |
| 389 | eval { require IO::Socket::SSL; }; |
| 390 | if ( $EVAL_ERROR ) { |
| 391 | PTDEBUG && _d($EVAL_ERROR); |
| 392 | - $protocol = 'http'; |
| 393 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 394 | + return; |
| 395 | } |
| 396 | PTDEBUG && _d('Using', $protocol); |
| 397 | |
| 398 | @@ -6514,6 +6516,11 @@ |
| 399 | return; |
| 400 | } |
| 401 | |
| 402 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 403 | + $item->{vars} = ['version_comment', 'version']; |
| 404 | + } |
| 405 | + |
| 406 | + |
| 407 | my @versions; |
| 408 | my %version_for; |
| 409 | foreach my $instance ( @$instances ) { |
| 410 | |
| 411 | === modified file 'bin/pt-online-schema-change' |
| 412 | --- bin/pt-online-schema-change 2014-11-11 13:28:27 +0000 |
| 413 | +++ bin/pt-online-schema-change 2015-01-16 19:25:07 +0000 |
| 414 | @@ -6552,7 +6552,8 @@ |
| 415 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 416 | or die(qq/SSL connection failed for $host\n/); |
| 417 | if ( $self->{fh}->can("verify_hostname") ) { |
| 418 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 419 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 420 | + or die(qq/SSL certificate not valid for $host\n/); |
| 421 | } |
| 422 | else { |
| 423 | my $fh = $self->{fh}; |
| 424 | @@ -7074,11 +7075,12 @@ |
| 425 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 426 | return unless @$instances_to_check; |
| 427 | |
| 428 | - my $protocol = 'https'; # optimistic, but... |
| 429 | + my $protocol = 'https'; |
| 430 | eval { require IO::Socket::SSL; }; |
| 431 | if ( $EVAL_ERROR ) { |
| 432 | PTDEBUG && _d($EVAL_ERROR); |
| 433 | - $protocol = 'http'; |
| 434 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 435 | + return; |
| 436 | } |
| 437 | PTDEBUG && _d('Using', $protocol); |
| 438 | |
| 439 | @@ -7515,6 +7517,11 @@ |
| 440 | return; |
| 441 | } |
| 442 | |
| 443 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 444 | + $item->{vars} = ['version_comment', 'version']; |
| 445 | + } |
| 446 | + |
| 447 | + |
| 448 | my @versions; |
| 449 | my %version_for; |
| 450 | foreach my $instance ( @$instances ) { |
| 451 | |
| 452 | === modified file 'bin/pt-query-digest' |
| 453 | --- bin/pt-query-digest 2014-11-11 13:28:27 +0000 |
| 454 | +++ bin/pt-query-digest 2015-01-16 19:25:07 +0000 |
| 455 | @@ -11833,7 +11833,8 @@ |
| 456 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 457 | or die(qq/SSL connection failed for $host\n/); |
| 458 | if ( $self->{fh}->can("verify_hostname") ) { |
| 459 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 460 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 461 | + or die(qq/SSL certificate not valid for $host\n/); |
| 462 | } |
| 463 | else { |
| 464 | my $fh = $self->{fh}; |
| 465 | @@ -12355,11 +12356,12 @@ |
| 466 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 467 | return unless @$instances_to_check; |
| 468 | |
| 469 | - my $protocol = 'https'; # optimistic, but... |
| 470 | + my $protocol = 'https'; |
| 471 | eval { require IO::Socket::SSL; }; |
| 472 | if ( $EVAL_ERROR ) { |
| 473 | PTDEBUG && _d($EVAL_ERROR); |
| 474 | - $protocol = 'http'; |
| 475 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 476 | + return; |
| 477 | } |
| 478 | PTDEBUG && _d('Using', $protocol); |
| 479 | |
| 480 | @@ -12796,6 +12798,11 @@ |
| 481 | return; |
| 482 | } |
| 483 | |
| 484 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 485 | + $item->{vars} = ['version_comment', 'version']; |
| 486 | + } |
| 487 | + |
| 488 | + |
| 489 | my @versions; |
| 490 | my %version_for; |
| 491 | foreach my $instance ( @$instances ) { |
| 492 | |
| 493 | === modified file 'bin/pt-slave-delay' |
| 494 | --- bin/pt-slave-delay 2014-11-11 13:28:27 +0000 |
| 495 | +++ bin/pt-slave-delay 2015-01-16 19:25:07 +0000 |
| 496 | @@ -3097,7 +3097,8 @@ |
| 497 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 498 | or die(qq/SSL connection failed for $host\n/); |
| 499 | if ( $self->{fh}->can("verify_hostname") ) { |
| 500 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 501 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 502 | + or die(qq/SSL certificate not valid for $host\n/); |
| 503 | } |
| 504 | else { |
| 505 | my $fh = $self->{fh}; |
| 506 | @@ -3619,11 +3620,12 @@ |
| 507 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 508 | return unless @$instances_to_check; |
| 509 | |
| 510 | - my $protocol = 'https'; # optimistic, but... |
| 511 | + my $protocol = 'https'; |
| 512 | eval { require IO::Socket::SSL; }; |
| 513 | if ( $EVAL_ERROR ) { |
| 514 | PTDEBUG && _d($EVAL_ERROR); |
| 515 | - $protocol = 'http'; |
| 516 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 517 | + return; |
| 518 | } |
| 519 | PTDEBUG && _d('Using', $protocol); |
| 520 | |
| 521 | @@ -4060,6 +4062,11 @@ |
| 522 | return; |
| 523 | } |
| 524 | |
| 525 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 526 | + $item->{vars} = ['version_comment', 'version']; |
| 527 | + } |
| 528 | + |
| 529 | + |
| 530 | my @versions; |
| 531 | my %version_for; |
| 532 | foreach my $instance ( @$instances ) { |
| 533 | |
| 534 | === modified file 'bin/pt-slave-restart' |
| 535 | --- bin/pt-slave-restart 2014-11-11 13:28:27 +0000 |
| 536 | +++ bin/pt-slave-restart 2015-01-16 19:25:07 +0000 |
| 537 | @@ -3746,7 +3746,8 @@ |
| 538 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 539 | or die(qq/SSL connection failed for $host\n/); |
| 540 | if ( $self->{fh}->can("verify_hostname") ) { |
| 541 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 542 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 543 | + or die(qq/SSL certificate not valid for $host\n/); |
| 544 | } |
| 545 | else { |
| 546 | my $fh = $self->{fh}; |
| 547 | @@ -4268,11 +4269,12 @@ |
| 548 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 549 | return unless @$instances_to_check; |
| 550 | |
| 551 | - my $protocol = 'https'; # optimistic, but... |
| 552 | + my $protocol = 'https'; |
| 553 | eval { require IO::Socket::SSL; }; |
| 554 | if ( $EVAL_ERROR ) { |
| 555 | PTDEBUG && _d($EVAL_ERROR); |
| 556 | - $protocol = 'http'; |
| 557 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 558 | + return; |
| 559 | } |
| 560 | PTDEBUG && _d('Using', $protocol); |
| 561 | |
| 562 | @@ -4709,6 +4711,11 @@ |
| 563 | return; |
| 564 | } |
| 565 | |
| 566 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 567 | + $item->{vars} = ['version_comment', 'version']; |
| 568 | + } |
| 569 | + |
| 570 | + |
| 571 | my @versions; |
| 572 | my %version_for; |
| 573 | foreach my $instance ( @$instances ) { |
| 574 | |
| 575 | === modified file 'bin/pt-table-checksum' |
| 576 | --- bin/pt-table-checksum 2014-11-11 13:28:27 +0000 |
| 577 | +++ bin/pt-table-checksum 2015-01-16 19:25:07 +0000 |
| 578 | @@ -332,7 +332,8 @@ |
| 579 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 580 | or die(qq/SSL connection failed for $host\n/); |
| 581 | if ( $self->{fh}->can("verify_hostname") ) { |
| 582 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 583 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 584 | + or die(qq/SSL certificate not valid for $host\n/); |
| 585 | } |
| 586 | else { |
| 587 | my $fh = $self->{fh}; |
| 588 | @@ -854,11 +855,12 @@ |
| 589 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 590 | return unless @$instances_to_check; |
| 591 | |
| 592 | - my $protocol = 'https'; # optimistic, but... |
| 593 | + my $protocol = 'https'; |
| 594 | eval { require IO::Socket::SSL; }; |
| 595 | if ( $EVAL_ERROR ) { |
| 596 | PTDEBUG && _d($EVAL_ERROR); |
| 597 | - $protocol = 'http'; |
| 598 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 599 | + return; |
| 600 | } |
| 601 | PTDEBUG && _d('Using', $protocol); |
| 602 | |
| 603 | @@ -1295,6 +1297,11 @@ |
| 604 | return; |
| 605 | } |
| 606 | |
| 607 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 608 | + $item->{vars} = ['version_comment', 'version']; |
| 609 | + } |
| 610 | + |
| 611 | + |
| 612 | my @versions; |
| 613 | my %version_for; |
| 614 | foreach my $instance ( @$instances ) { |
| 615 | |
| 616 | === modified file 'bin/pt-table-sync' |
| 617 | --- bin/pt-table-sync 2014-11-11 13:28:27 +0000 |
| 618 | +++ bin/pt-table-sync 2015-01-16 19:25:07 +0000 |
| 619 | @@ -8605,7 +8605,8 @@ |
| 620 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 621 | or die(qq/SSL connection failed for $host\n/); |
| 622 | if ( $self->{fh}->can("verify_hostname") ) { |
| 623 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 624 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 625 | + or die(qq/SSL certificate not valid for $host\n/); |
| 626 | } |
| 627 | else { |
| 628 | my $fh = $self->{fh}; |
| 629 | @@ -9127,11 +9128,12 @@ |
| 630 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 631 | return unless @$instances_to_check; |
| 632 | |
| 633 | - my $protocol = 'https'; # optimistic, but... |
| 634 | + my $protocol = 'https'; |
| 635 | eval { require IO::Socket::SSL; }; |
| 636 | if ( $EVAL_ERROR ) { |
| 637 | PTDEBUG && _d($EVAL_ERROR); |
| 638 | - $protocol = 'http'; |
| 639 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 640 | + return; |
| 641 | } |
| 642 | PTDEBUG && _d('Using', $protocol); |
| 643 | |
| 644 | @@ -9568,6 +9570,11 @@ |
| 645 | return; |
| 646 | } |
| 647 | |
| 648 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 649 | + $item->{vars} = ['version_comment', 'version']; |
| 650 | + } |
| 651 | + |
| 652 | + |
| 653 | my @versions; |
| 654 | my %version_for; |
| 655 | foreach my $instance ( @$instances ) { |
| 656 | |
| 657 | === modified file 'bin/pt-upgrade' |
| 658 | --- bin/pt-upgrade 2014-11-11 13:28:27 +0000 |
| 659 | +++ bin/pt-upgrade 2015-01-16 19:25:07 +0000 |
| 660 | @@ -3545,7 +3545,8 @@ |
| 661 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 662 | or die(qq/SSL connection failed for $host\n/); |
| 663 | if ( $self->{fh}->can("verify_hostname") ) { |
| 664 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 665 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 666 | + or die(qq/SSL certificate not valid for $host\n/); |
| 667 | } |
| 668 | else { |
| 669 | my $fh = $self->{fh}; |
| 670 | @@ -4067,11 +4068,12 @@ |
| 671 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 672 | return unless @$instances_to_check; |
| 673 | |
| 674 | - my $protocol = 'https'; # optimistic, but... |
| 675 | + my $protocol = 'https'; |
| 676 | eval { require IO::Socket::SSL; }; |
| 677 | if ( $EVAL_ERROR ) { |
| 678 | PTDEBUG && _d($EVAL_ERROR); |
| 679 | - $protocol = 'http'; |
| 680 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 681 | + return; |
| 682 | } |
| 683 | PTDEBUG && _d('Using', $protocol); |
| 684 | |
| 685 | @@ -4508,6 +4510,11 @@ |
| 686 | return; |
| 687 | } |
| 688 | |
| 689 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 690 | + $item->{vars} = ['version_comment', 'version']; |
| 691 | + } |
| 692 | + |
| 693 | + |
| 694 | my @versions; |
| 695 | my %version_for; |
| 696 | foreach my $instance ( @$instances ) { |
| 697 | |
| 698 | === modified file 'bin/pt-variable-advisor' |
| 699 | --- bin/pt-variable-advisor 2014-11-11 13:28:27 +0000 |
| 700 | +++ bin/pt-variable-advisor 2015-01-16 19:25:07 +0000 |
| 701 | @@ -4004,7 +4004,8 @@ |
| 702 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 703 | or die(qq/SSL connection failed for $host\n/); |
| 704 | if ( $self->{fh}->can("verify_hostname") ) { |
| 705 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 706 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 707 | + or die(qq/SSL certificate not valid for $host\n/); |
| 708 | } |
| 709 | else { |
| 710 | my $fh = $self->{fh}; |
| 711 | @@ -4526,11 +4527,12 @@ |
| 712 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 713 | return unless @$instances_to_check; |
| 714 | |
| 715 | - my $protocol = 'https'; # optimistic, but... |
| 716 | + my $protocol = 'https'; |
| 717 | eval { require IO::Socket::SSL; }; |
| 718 | if ( $EVAL_ERROR ) { |
| 719 | PTDEBUG && _d($EVAL_ERROR); |
| 720 | - $protocol = 'http'; |
| 721 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 722 | + return; |
| 723 | } |
| 724 | PTDEBUG && _d('Using', $protocol); |
| 725 | |
| 726 | @@ -4967,6 +4969,11 @@ |
| 727 | return; |
| 728 | } |
| 729 | |
| 730 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 731 | + $item->{vars} = ['version_comment', 'version']; |
| 732 | + } |
| 733 | + |
| 734 | + |
| 735 | my @versions; |
| 736 | my %version_for; |
| 737 | foreach my $instance ( @$instances ) { |
| 738 | |
| 739 | === modified file 'lib/HTTP/Micro.pm' |
| 740 | --- lib/HTTP/Micro.pm 2013-08-03 18:50:52 +0000 |
| 741 | +++ lib/HTTP/Micro.pm 2015-01-16 19:25:07 +0000 |
| 742 | @@ -237,7 +237,8 @@ |
| 743 | ref($self->{fh}) eq 'IO::Socket::SSL' |
| 744 | or die(qq/SSL connection failed for $host\n/); |
| 745 | if ( $self->{fh}->can("verify_hostname") ) { |
| 746 | - $self->{fh}->verify_hostname( $host, $ssl_verify_args ); |
| 747 | + $self->{fh}->verify_hostname( $host, $ssl_verify_args ) |
| 748 | + or die(qq/SSL certificate not valid for $host\n/); |
| 749 | } |
| 750 | else { |
| 751 | # Can't use $self->{fh}->verify_hostname because the IO::Socket::SSL |
| 752 | |
| 753 | === modified file 'lib/VersionCheck.pm' |
| 754 | --- lib/VersionCheck.pm 2014-02-20 03:00:02 +0000 |
| 755 | +++ lib/VersionCheck.pm 2015-01-16 19:25:07 +0000 |
| 756 | @@ -138,17 +138,17 @@ |
| 757 | PTDEBUG && _d(scalar @$instances_to_check, 'instances to check'); |
| 758 | return unless @$instances_to_check; |
| 759 | |
| 760 | - # Get the list of program to check from Percona. Try using |
| 761 | - # https first; fallback to http if that fails (probably because |
| 762 | - # IO::Socket::SSL isn't installed). |
| 763 | - my $protocol = 'https'; # optimistic, but... |
| 764 | + # Skip Version Check altogether if SSL not available |
| 765 | + my $protocol = 'https'; |
| 766 | eval { require IO::Socket::SSL; }; |
| 767 | if ( $EVAL_ERROR ) { |
| 768 | PTDEBUG && _d($EVAL_ERROR); |
| 769 | - $protocol = 'http'; |
| 770 | + PTDEBUG && _d("SSL not available, won't run version_check"); |
| 771 | + return; |
| 772 | } |
| 773 | PTDEBUG && _d('Using', $protocol); |
| 774 | |
| 775 | + # Get list of programs to check from Percona. |
| 776 | my $advice = pingback( |
| 777 | instances => $instances_to_check, |
| 778 | protocol => $protocol, |
| 779 | @@ -644,6 +644,13 @@ |
| 780 | return; |
| 781 | } |
| 782 | |
| 783 | + # hardcode the variables we report |
| 784 | + # so in case of MITM attack, we don't report sensitive data |
| 785 | + if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') { |
| 786 | + $item->{vars} = ['version_comment', 'version']; |
| 787 | + } |
| 788 | + |
| 789 | + |
| 790 | my @versions; |
| 791 | my %version_for; |
| 792 | foreach my $instance ( @$instances ) { |
