
MDEV-35368 Validation of SSL certificate fails for mariadb-backup

Just like in CONC-712, disable hostname checks for connections over a unix
socket, even for certificates that are not self-signed.
bb-11.4-bar-MDEV-36047
Sergei Golubchik 10 months ago
parent
commit
04bd6ed44c
  1. 2
      mysql-test/suite/mariabackup/backup_ssl_system_ca.opt
  2. 8
      mysql-test/suite/mariabackup/backup_ssl_system_ca.result
  3. 30
      mysql-test/suite/mariabackup/backup_ssl_system_ca.test
  4. 7
      sql-common/client.c

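--- a/mysql-test/suite/mariabackup/backup_ssl_system_ca.opt
+++ b/mysql-test/suite/mariabackup/backup_ssl_system_ca.opt
@@ -0,0 +1,2 @@
+--ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem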

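--- a/mysql-test/suite/mariabackup/backup_ssl_system_ca.result
+++ b/mysql-test/suite/mariabackup/backup_ssl_system_ca.result
@@ -0,0 +1,8 @@
+#
+# MDEV-35368 Validation of SSL certificate fails for mariadb-backup
+#
+GRANT ALL PRIVILEGES on *.* TO backup_user IDENTIFIED by 'x' REQUIRE SSL;
+# localhost, not self-signed cert with a wrong hostname: ok
+# tcp, not self-signed cert with a wrong hostname: fails
+# tcp, not self-signed cert with a wrong hostname: fails even with a password (no auto-verification)
+DROP USER backup_user;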

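--- a/mysql-test/suite/mariabackup/backup_ssl_system_ca.test
+++ b/mysql-test/suite/mariabackup/backup_ssl_system_ca.test
@@ -0,0 +1,30 @@
+source include/not_embedded.inc;
+source include/not_windows.inc;
+if (`select @@version_ssl_library not like 'OpenSSL%'`) {
+skip Needs OpenSSL;
+}
+--echo #
+--echo # MDEV-35368 Validation of SSL certificate fails for mariadb-backup
+--echo #
+GRANT ALL PRIVILEGES on *.* TO backup_user IDENTIFIED by 'x' REQUIRE SSL;
+let $targetdir=$MYSQLTEST_VARDIR/tmp/backup;
+let SSL_CERT_DIR=$MYSQL_TMP_DIR;
+copy_file $MYSQL_TEST_DIR/std_data/cacert.pem $MYSQL_TMP_DIR/ed1f42db.0;
+echo # localhost, not self-signed cert with a wrong hostname: ok;
+exec $XTRABACKUP --user=root --socket=$MASTER_MYSOCK --backup --target-dir=$targetdir;
+rmdir $targetdir;
+echo # tcp, not self-signed cert with a wrong hostname: fails;
+error 1;
+exec $XTRABACKUP --protocol=tcp --user=root --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
+echo # tcp, not self-signed cert with a wrong hostname: fails even with a password (no auto-verification);
+error 1;
+exec $XTRABACKUP --protocol=tcp --user=backup_user --password=x --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
+remove_file $MYSQL_TMP_DIR/ed1f42db.0;
+DROP USER backup_user;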
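Review bot: The two negative cases guarded by `error 1` (the tcp runs at L62 and L65) only assert a non-zero exit code, so a failure for an unrelated reason (wrong port, authentication error, missing target dir) would satisfy them just as well as the hostname-verification rejection the test is meant to pin. I would make the expected reason visible, e.g. by appending `2>&1` to those two `exec` lines so the "SSL certificate validation failure" text from the client lands in the .result (with a `replace_regex` for the timestamp prefix if mariabackup adds one). The CA is also installed under a hard-coded hash name at L56, `copy_file $MYSQL_TEST_DIR/std_data/cacert.pem $MYSQL_TMP_DIR/ed1f42db.0;`; if `std_data/cacert.pem` is ever regenerated the subject hash changes and the "ok" case would then be exercising the self-signed/untrusted path rather than the one this commit adds, so a comment such as `# ed1f42db is `openssl x509 -subject_hash -noout -in cacert.pem`` next to that line would help whoever regenerates the fixtures.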

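--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1587,7 +1587,7 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
 #include <openssl/x509v3.h>
-static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr)
+static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr, int is_local)
 {
 SSL *ssl;
 X509 *server_cert= NULL;
@@ -1628,7 +1628,8 @@ static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr)
 mysql->tls_self_signed_error= *errptr= "SSL certificate is self-signed";
 break;
 case X509_V_OK:
-ret_validation= X509_check_host(server_cert, mysql->host,
+ret_validation= !is_local &&
+X509_check_host(server_cert, mysql->host,
 strlen(mysql->host), 0, 0) != 1 &&
 X509_check_ip_asc(server_cert, mysql->host, 0) != 1;
 *errptr= "SSL certificate validation failure";
@@ -2171,7 +2172,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 /* Verify server cert */
 if ((!mysql->options.extension ||
 !mysql->options.extension->tls_allow_invalid_server_cert) &&
-ssl_verify_server_cert(mysql, &cert_error))
+ssl_verify_server_cert(mysql, &cert_error, vio_type == VIO_TYPE_SOCKET))
 {
 set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
 ER(CR_SSL_CONNECTION_ERROR), cert_error);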
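Review bot: The new `ret_validation= !is_local &&` short-circuit under `case X509_V_OK:` has no comment stating what identity binding remains once the hostname and IP checks are skipped, and the residual assumption is worth writing down: for a socket connection any certificate that chains to a CA in the configured store is now accepted (with the system store, as the new test exercises, that is any publicly trusted certificate for any name), so protection against a rogue local process serving the socket path rests entirely on that path's filesystem permissions. I would add above the assignment `/* Over a unix socket the peer is identified by the socket path, not a hostname, so only the chain is verified; the path's permissions must prevent socket squatting. */`. The caller passes `vio_type == VIO_TYPE_SOCKET` as `is_local`, so other local-only transports (Windows named pipes, shared memory) presumably keep the hostname check; if that asymmetry is intended the comment should say so, and if not the condition should be widened there rather than in the verifier. Both `ssl_verify_server_cert` and `send_client_reply_packet` continue outside the hunks, and `vio_type` is declared outside the visible lines.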
