Merge lp:~percona-toolkit-dev/percona-toolkit/version-check-doesnt-verify-server-cert-1408375 into lp:~percona-toolkit-dev/percona-toolkit/release-2.2.13
Proposed by
Frank Cizmich
Status: | Merged |
---|---|
Merged at revision: | 622 |
Proposed branch: | lp:~percona-toolkit-dev/percona-toolkit/version-check-doesnt-verify-server-cert-1408375 |
Merge into: | lp:~percona-toolkit-dev/percona-toolkit/release-2.2.13 |
Diff against target: |
792 lines (+194/-60) 20 files modified
bin/pt-archiver (+10/-3) bin/pt-config-diff (+10/-3) bin/pt-deadlock-logger (+10/-3) bin/pt-diskstats (+10/-3) bin/pt-duplicate-key-checker (+10/-3) bin/pt-find (+10/-3) bin/pt-fk-error-logger (+10/-3) bin/pt-heartbeat (+10/-3) bin/pt-index-usage (+10/-3) bin/pt-kill (+10/-3) bin/pt-online-schema-change (+10/-3) bin/pt-query-digest (+10/-3) bin/pt-slave-delay (+10/-3) bin/pt-slave-restart (+10/-3) bin/pt-table-checksum (+10/-3) bin/pt-table-sync (+10/-3) bin/pt-upgrade (+10/-3) bin/pt-variable-advisor (+10/-3) lib/HTTP/Micro.pm (+2/-1) lib/VersionCheck.pm (+12/-5) |
To merge this branch: | bzr merge lp:~percona-toolkit-dev/percona-toolkit/version-check-doesnt-verify-server-cert-1408375 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Daniel Nichter | Pending | ||
Review via email: mp+246770@code.launchpad.net |
Commit message
Description of the change
problem:
- version check silently falls back to http if https fails
- a certificate check is performed but its result is not acted upon
- arbitrary mysql variables can be requested
the above results in a vulnerability to man-in-the-middle attacks
solution:
- skip version check if ssl not available
- also skip if certificate check fails
- hardcode returned mysql variables to "version" and "version_comment" (the ones currently being requested)
note:
modified modules are: VersionCheck and HTTP::Micro
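--- a/bin/pt-archiver
+++ b/bin/pt-archiver
@@ -4421,7 +4421,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4943,11 +4944,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -5384,6 +5386,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {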
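--- a/bin/pt-config-diff
+++ b/bin/pt-config-diff
@@ -4169,7 +4169,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4691,11 +4692,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -5132,6 +5134,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {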
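--- a/bin/pt-deadlock-logger
+++ b/bin/pt-deadlock-logger
@@ -3234,7 +3234,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -3756,11 +3757,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4197,6 +4199,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {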
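--- a/bin/pt-diskstats
+++ b/bin/pt-diskstats
@@ -3828,7 +3828,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4350,11 +4351,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4791,6 +4793,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {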
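--- a/bin/pt-duplicate-key-checker
+++ b/bin/pt-duplicate-key-checker
@@ -3845,7 +3845,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4367,11 +4368,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4808,6 +4810,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {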
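--- a/bin/pt-find
+++ b/bin/pt-find
@@ -2572,7 +2572,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -3094,11 +3095,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -3535,6 +3537,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {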
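--- a/bin/pt-fk-error-logger
+++ b/bin/pt-fk-error-logger
@@ -2739,7 +2739,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -3261,11 +3262,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -3702,6 +3704,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {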
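--- a/bin/pt-heartbeat
+++ b/bin/pt-heartbeat
@@ -3744,7 +3744,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4266,11 +4267,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4707,6 +4709,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {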
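--- a/bin/pt-index-usage
+++ b/bin/pt-index-usage
@@ -5249,7 +5249,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -5771,11 +5772,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -6212,6 +6214,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {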
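--- a/bin/pt-kill
+++ b/bin/pt-kill
@@ -5551,7 +5551,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -6073,11 +6074,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -6514,6 +6516,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {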
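--- a/bin/pt-online-schema-change
+++ b/bin/pt-online-schema-change
@@ -6552,7 +6552,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -7074,11 +7075,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -7515,6 +7517,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {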
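--- a/bin/pt-query-digest
+++ b/bin/pt-query-digest
@@ -11833,7 +11833,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -12355,11 +12356,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -12796,6 +12798,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {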
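--- a/bin/pt-slave-delay
+++ b/bin/pt-slave-delay
@@ -3097,7 +3097,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -3619,11 +3620,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4060,6 +4062,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {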
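--- a/bin/pt-slave-restart
+++ b/bin/pt-slave-restart
@@ -3746,7 +3746,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4268,11 +4269,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4709,6 +4711,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {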
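--- a/bin/pt-table-checksum
+++ b/bin/pt-table-checksum
@@ -332,7 +332,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -854,11 +855,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -1295,6 +1297,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {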
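--- a/bin/pt-table-sync
+++ b/bin/pt-table-sync
@@ -8605,7 +8605,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -9127,11 +9128,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -9568,6 +9570,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {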
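--- a/bin/pt-upgrade
+++ b/bin/pt-upgrade
@@ -3545,7 +3545,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4067,11 +4068,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4508,6 +4510,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {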
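--- a/bin/pt-variable-advisor
+++ b/bin/pt-variable-advisor
@@ -4004,7 +4004,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 my $fh = $self->{fh};
@@ -4526,11 +4527,12 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- my $protocol = 'https'; # optimistic, but...
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
@@ -4967,6 +4969,11 @@
 return;
 }
 
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {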
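--- a/lib/HTTP/Micro.pm
+++ b/lib/HTTP/Micro.pm
@@ -237,7 +237,8 @@
 ref($self->{fh}) eq 'IO::Socket::SSL'
 or die(qq/SSL connection failed for $host\n/);
 if ( $self->{fh}->can("verify_hostname") ) {
- $self->{fh}->verify_hostname( $host, $ssl_verify_args );
+ $self->{fh}->verify_hostname( $host, $ssl_verify_args )
+ or die(qq/SSL certificate not valid for $host\n/);
 }
 else {
 # Can't use $self->{fh}->verify_hostname because the IO::Socket::SSL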
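Review bot: The new `or die` only enforces the hostname match that `verify_hostname` performs; whether the peer certificate chain itself is validated depends on the `SSL_verify_mode` the socket was created with, which is outside this hunk, so it is worth confirming that `$ssl_verify_args` and the socket options request peer verification rather than leaving `verify_hostname` as the only check. The `else` branch for IO::Socket::SSL versions without `verify_hostname` begins at the end of the hunk and continues outside it; its fallback check should fail the connection the same way, e.g. `or die(qq/SSL certificate not valid for $host\n/);`, otherwise that older code path stays unverified while the new one is strict. The enclosing method starts before the hunk. The identical lines are embedded in each of the eighteen bin/* copies above, so the same question applies to all of them.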
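--- a/lib/VersionCheck.pm
+++ b/lib/VersionCheck.pm
@@ -138,17 +138,17 @@
 PTDEBUG && _d(scalar @$instances_to_check, 'instances to check');
 return unless @$instances_to_check;
 
- # Get the list of program to check from Percona. Try using
- # https first; fallback to http if that fails (probably because
- # IO::Socket::SSL isn't installed).
- my $protocol = 'https'; # optimistic, but...
+ # Skip Version Check altogether if SSL not available
+ my $protocol = 'https';
 eval { require IO::Socket::SSL; };
 if ( $EVAL_ERROR ) {
 PTDEBUG && _d($EVAL_ERROR);
- $protocol = 'http';
+ PTDEBUG && _d("SSL not available, won't run version_check");
+ return;
 }
 PTDEBUG && _d('Using', $protocol);
 
+ # Get list of programs to check from Percona.
 my $advice = pingback(
 instances => $instances_to_check,
 protocol => $protocol,
@@ -644,6 +644,13 @@
 return;
 }
 
+ # hardcode the variables we report
+ # so in case of MITM attack, we don't report sensitive data
+ if ($item->{item} eq 'MySQL' && $item->{type} eq 'mysql_variable') {
+ $item->{vars} = ['version_comment', 'version'];
+ }
+
+
 my @versions;
 my %version_for;
 foreach my $instance ( @$instances ) {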
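Review bot: The override in the second hunk keys on both `$item->{item} eq 'MySQL'` and `$item->{type} eq 'mysql_variable'`, so a response that names a `mysql_variable` item anything other than `MySQL` keeps its server-supplied `vars`; if the per-type dispatch further down (outside the hunk) handles `mysql_variable` items regardless of their name, the guard should drop the name test, `if ($item->{type} eq 'mysql_variable') {`, so the allow-list cannot be sidestepped by relabelling. The comment above it would carry more weight stating the contract, e.g. `# Only ever report version_comment and version, whatever the server asks for, so a spoofed response cannot pull other variables.` In the first hunk `$protocol` can no longer be anything but `'https'`, so the variable and the `_d('Using', $protocol)` line are vestigial; passing `protocol => 'https'` directly to `pingback` would make the no-fallback rule visible at the call site. Both enclosing subs start before their hunks, and the double blank line after the new block is a small style nit; the same lines are duplicated into the eighteen bin/* copies above.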