← Back to team overview

maria-developers team mailing list archive

MDEV-7937: Enforce SSL when --ssl client option is used

 

Hi Sergei!

I've done some work on this issue. I've read MySQL's implementation of this
and have looked at our implementation. They have done a bit of refactoring,
introducing an enforce_ssl flag, as well as changing the C interface a bit,
to allow setting this flag programatically.

I've created a patch here that changes the minimum amount possible, in
order to implement what MDEV-7937 requires. That being said, I agree with
(most of) MySQL's refactoring in this case. They've moved all the SSL
related connection code into its own separate function, before actually
calling send_client_reply_packet.

I can work towards implementing things the way MySQL does, but since I saw
that you've actually done most of the work in that area of the code, I
figured I'd ask for your input on it.

There are two more things that I'm not sure of:
1. Specifying --ssl as a command line parameter to the mysql client is not
enough to enforce ssl and the client's code in this case just ignores the
option. We need to provide at least one of the additional ones like
--ssl-key or --ssl-ca. My patch will not cause the client to report an
error in this case. Is this acceptable behaviour or not?

2. Do we want mysql's enforce_ssl feature?

Regards,
Vicențiu
commit e5dadaa289d17365198cf0571fa6093504a74536
Author: Vicențiu Ciorbaru <cvicentiu@xxxxxxxxx>
Date:   Sun May 17 19:36:54 2015 +0000

    MDEV-7937: Enforce SSL when --ssl client option is used
    
    The mysql client will now print an error if ssl is requested,
    but the server can not handle a ssl connection.

diff --git a/sql-common/client.c b/sql-common/client.c
index 006b173..068b9b3 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -2682,6 +2682,16 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
     end= buff+5;
   }
 #ifdef HAVE_OPENSSL
+  if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL))
+  {
+      set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+                               ER(CR_SSL_CONNECTION_ERROR),
+                               "SSL is required, but the server does not "
+                               "support it"
+                               );
+      goto error;
+  }
+
   if (mysql->client_flag & CLIENT_SSL)
   {
     /* Do the SSL layering. */

Follow ups